I. Why File Permissions Exist
File permissions are the most basic security control in the system: they decide which users may read, change or run which files, so that a file can only be manipulated by the users who are allowed to.
II. Viewing File Permissions
ls -l file
ls -l dir
ll file        ## ll is an alias for ls -l
ll -d dir      ## -d shows the directory entry itself instead of its contents
III. Reading the Permission Output
- | rw-rw-r-- | 1 | kiosk | kiosk | 0 | Sat Jul 21 09:20:18 CST 2018 | file
[1] [2] [3] [4] [5] [6] [7] [8]
[1] File type
- # regular file (empty or text)
d # directory
l # soft link (symbolic link, comparable to a shortcut)
s # socket (a communication endpoint with other processes)
b # block device (for example, created when a USB disk is plugged in)
c # character device (a terminal: displays characters, accepts input and output)
[2] File permissions
rw-|rw-|r--
 1   2   3
1. [u] what the owner of the file can do with it
2. [g] what members of the file's group can do with it
3. [o] what everyone else can do with it
[3] For files: the number of hard links (how many directory entries point to the file's contents)
For directories: 2 plus the number of subdirectories on most filesystems (the directory's own "." and each subdirectory's ".." are links back to it)
[4] Owner of the file
[5] Group of the file
[6] For files: file size
For directories: the size of the directory's entries (the metadata, i.e. the attributes of the files it contains), not the total size of those files
[7] Time the file's contents were last modified
[8] File name
IV. Changing the Owner and Group of a File
chown | chgrp
chown changes the owner of a file
chgrp changes the group of a file
To change everything inside a directory as well, -R (recursive) must be used.
chown username file|dir
chown user.group file|dir      ## user:group is the same thing
chown -R user.group dir
chgrp group file|dir
chgrp -R group dir
V. Changing File Permissions
1. What each permission means
r) For files: can the contents be viewed? --> cat file
   For directories: can the names of the files and subdirectories inside be listed? --> ls dir
w) For files: can the characters recorded in the file be changed?
   For directories: can the directory's entries be changed, that is, can files or subdirectories be created, deleted or renamed inside it? (This also needs x on the directory.)
x) For files: can the program recorded in the file be run by calling its name?
   For directories: can the directory be entered (cd) and its entries looked up by name? Without x, r only yields the names; the files inside cannot be opened.
Note that root bypasses these checks entirely: the superuser can read and write any file regardless of its mode (except for immutable files, see the chattr section below).
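To see these rules rather than just read them, here is an added example (not part of the original notes) that applies each directory mode to a throw-away directory and reports what is and is not possible. It assumes a Linux or BSD system with mktemp, and it must be run as an ordinary user, because root passes every one of these checks.

```shell
#!/bin/sh
# Added example (not from the original notes): probe what r, w and x on a
# directory actually allow, using a throw-away directory under mktemp.
# Run as an ordinary user: root has CAP_DAC_OVERRIDE/CAP_DAC_READ_SEARCH and
# passes every check below regardless of the mode.

# probe MODE: apply MODE to a fresh directory containing one file, then report
# whether its names can be listed, the known file read, and a new file created.
probe() {
    d=$(mktemp -d)
    mkdir "$d/sub"
    printf 'secret\n' > "$d/sub/file"
    chmod "$1" "$d/sub"

    # r: listing names needs r; ls may still complain about stat'ing entries
    # when x is missing, so judge by whether any name came back.
    if [ -n "$(ls "$d/sub" 2>/dev/null)" ]; then l=yes; else l=no; fi
    # x: opening a known path needs x (path lookup), not r.
    if cat "$d/sub/file" >/dev/null 2>&1; then r=yes; else r=no; fi
    # w: creating an entry needs w, and also x to reach the directory.
    if : > "$d/sub/new" 2>/dev/null; then c=yes; else c=no; fi

    chmod 700 "$d/sub"      # restore so the cleanup can recurse into it
    rm -rf "$d"
    printf 'list=%s read=%s create=%s' "$l" "$r" "$c"
}

# Walk through the interesting combinations. Expected as a non-root user:
#   444  list=yes read=no  create=no    (r alone: names only)
#   111  list=no  read=yes create=no    (x alone: known names usable)
#   333  list=no  read=yes create=yes   (w needs x to be useful)
#   222  list=no  read=no  create=no    (w alone is useless)
#   755  list=yes read=yes create=yes
for m in 444 111 333 222 755; do
    printf '%s  %s\n' "$m" "$(probe "$m")"
done
```

The 111 row is the one worth remembering for security work: a directory that cannot be listed still hands over any file whose name an attacker already knows, so "no r on the directory" is not a secret-keeping control.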
2. Changing permissions
chmod <u|g|o|a><+|-|=><r|w|x> file|dir
chmod u+x /mnt/file1
chmod g-x /mnt/file2
chmod ug-r /mnt/file3
chmod u-r,g+x /mnt/file4
chmod -r /mnt/file5        ## no who-letter means all of u, g and o
chmod o=r-x /mnt/file6     ## parsed as "=r" then "-x", so others end up r--; to set r-x write o=rx
Numeric method:
Each column of a triad is one bit:
rwx
210        ## bit positions 2^2, 2^1, 2^0, so
r=4
w=2
x=1
Add the values of the bits that are set to get one digit per triad.
eg:
r-x|r--|--x
 5   4   1
chmod 541 /mnt/file1
Table: 7=rwx  6=rw-  5=r-x  4=r--  3=-wx  2=-w-  1=--x  0=---
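The following is an added example, not code from the original notes: two small shell converters between the permission string printed by ls -l and the digits used with chmod, extended to the special bits (s/S and t/T) covered under section VII, plus a self-check that compares the converter's prediction against what ls prints after a real chmod in a temporary directory. The function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original notes): convert between the symbolic
# permission string shown by ls -l and the numeric form used with chmod, in both
# directions, including the special bits (s/S, t/T) from section VII.

# triad_to_digit rwx -> 7, r-x -> 5, rwS -> 6 (an upper-case S or T means the
# special bit is set but the execute bit is not, so it adds nothing here).
triad_to_digit() {
    n=0
    case "$1" in r??) n=$((n + 4)) ;; esac
    case "$1" in ?w?) n=$((n + 2)) ;; esac
    case "$1" in ??[xst]) n=$((n + 1)) ;; esac
    printf '%s' "$n"
}

# mode_to_octal STRING: accepts 9 chars (rwsr-xr-x) or the 10-char form with
# the file-type column (-rwsr-xr-x) and prints four digits, e.g. 4755.
mode_to_octal() {
    m="$1"
    case "${#m}" in
        10) m="${m#?}" ;;                      # drop the type column
        9) ;;
        *) echo "bad mode string: $1" >&2; return 1 ;;
    esac
    u=$(printf '%s' "$m" | cut -c1-3)
    g=$(printf '%s' "$m" | cut -c4-6)
    o=$(printf '%s' "$m" | cut -c7-9)
    s=0
    case "$u" in ??[sS]) s=$((s + 4)) ;; esac   # suid
    case "$g" in ??[sS]) s=$((s + 2)) ;; esac   # sgid
    case "$o" in ??[tT]) s=$((s + 1)) ;; esac   # sticky
    printf '%s%s%s%s' "$s" "$(triad_to_digit "$u")" \
        "$(triad_to_digit "$g")" "$(triad_to_digit "$o")"
}

# digit_to_triad 5 -> r-x
digit_to_triad() {
    r=-; w=-; x=-
    if [ $(($1 & 4)) -ne 0 ]; then r=r; fi
    if [ $(($1 & 2)) -ne 0 ]; then w=w; fi
    if [ $(($1 & 1)) -ne 0 ]; then x=x; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# set_special TRIAD LOWER UPPER: replace the x column with LOWER when x is set,
# otherwise with UPPER (this is how ls shows s/S and t/T).
set_special() {
    case "$1" in
        ??x) printf '%s%s' "${1%?}" "$2" ;;
        *)   printf '%s%s' "${1%?}" "$3" ;;
    esac
}

# octal_to_mode DIGITS: 3 or 4 digits -> 9-char symbolic string.
octal_to_mode() {
    o="$1"
    case "${#o}" in
        3) o="0$o" ;;
        4) ;;
        *) echo "bad octal mode: $1" >&2; return 1 ;;
    esac
    s=$(printf '%s' "$o" | cut -c1)
    u=$(digit_to_triad "$(printf '%s' "$o" | cut -c2)")
    g=$(digit_to_triad "$(printf '%s' "$o" | cut -c3)")
    ot=$(digit_to_triad "$(printf '%s' "$o" | cut -c4)")
    if [ $((s & 4)) -ne 0 ]; then u=$(set_special "$u" s S); fi
    if [ $((s & 2)) -ne 0 ]; then g=$(set_special "$g" s S); fi
    if [ $((s & 1)) -ne 0 ]; then ot=$(set_special "$ot" t T); fi
    printf '%s%s%s' "$u" "$g" "$ot"
}

# check_one MODE PATH: chmod MODE, then compare what ls prints with what the
# two converters predict in each direction.
check_one() {
    chmod "$1" "$2"
    shown=$(ls -ld "$2" | cut -c1-10)
    if [ "$(mode_to_octal "$shown")" = "$1" ] && [ "$(octal_to_mode "$1")" = "${shown#?}" ]; then
        printf '%s %s ok\n' "$1" "$shown"
    else
        printf '%s %s MISMATCH\n' "$1" "$shown"
    fi
}

# Cross-check against the kernel in a throw-away directory.
self_check() {
    d=$(mktemp -d); : > "$d/f"; mkdir "$d/dir"
    for mode in 0664 0541 4755 4644; do check_one "$mode" "$d/f"; done
    for mode in 2770 1777; do check_one "$mode" "$d/dir"; done
    rm -rf "$d"
}
self_check
```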
VI. umask
umask is the set of permission bits removed by default from the files and directories the system creates: new files start from 666 and new directories from 777, and the bits listed in umask are cleared from that.
umask 077    ## temporarily (for this shell only) sets the mask to 077: new files get 600, new directories 700
Permanent change of umask:
vim /etc/profile        ## system-wide profile
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002       ## umask for ordinary users whose primary group is their own private group
    else
        umask 077       ## umask for the superuser and system users
    fi
vim /etc/bashrc         ## shell configuration file
    if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002
    else
        umask 077
    fi
The two files must be changed consistently: both are read, and whichever runs last in a given shell sets the mask.
source /etc/profile     ## makes the change take effect in the current shell
source /etc/bashrc
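An added example, not from the original notes, showing how a umask value turns into the mode of a new file or directory: first computed on paper with shell arithmetic, then observed by actually creating entries under a given umask, and finally the profile rule above reduced to a function so it can be checked without logging in. It assumes GNU stat (with BSD stat as a fallback) and a writable temp directory; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): how a umask value turns into the
# mode of a new file or directory, computed two ways: on paper with shell
# arithmetic, and for real by creating entries under a given umask.

# umask_apply BASE MASK: the kernel clears the mask bits from the requested
# mode, i.e. mode & ~umask. It is a bitwise operation, not a subtraction:
# 666 with umask 033 gives 644, not 633, because 6 (rw-) has no x bit to take.
umask_apply() {
    base=$((0$1))          # a leading 0 makes shell arithmetic read the value as octal
    mask=$((0$2))
    printf '%o' $((base & ~mask))
}

# observe_umask MASK: create a file and a directory under MASK in a throw-away
# directory and report the modes the filesystem actually gave them.
observe_umask() {
    d=$(mktemp -d)
    ( umask "$1"; : > "$d/f"; mkdir "$d/sub" )     # subshell: MASK does not leak out
    f=$(stat -c %a "$d/f" 2>/dev/null || stat -f %Lp "$d/f")       # GNU stat, else BSD stat
    s=$(stat -c %a "$d/sub" 2>/dev/null || stat -f %Lp "$d/sub")
    rm -rf "$d"
    printf 'file=%s dir=%s' "$f" "$s"
}

# profile_umask UID GROUPNAME USERNAME: the rule the notes put in /etc/profile
# and /etc/bashrc, as a function so it can be checked without logging in.
# UID > 199 and a primary group named after the user (a "user private group")
# means an ordinary user: 002. Everyone else, root included, gets 077.
profile_umask() {
    if [ "$1" -gt 199 ] && [ "$2" = "$3" ]; then
        printf '002'
    else
        printf '077'
    fi
}

for m in 022 002 077 033; do
    printf 'umask %s: files %s, dirs %s, observed %s\n' "$m" \
        "$(umask_apply 666 "$m")" "$(umask_apply 777 "$m")" "$(observe_umask "$m")"
done
printf 'profile rule: uid=1000 kiosk/kiosk -> %s, uid=0 root/root -> %s\n' \
    "$(profile_umask 1000 kiosk kiosk)" "$(profile_umask 0 root root)"
```

The 002 branch only makes sense when each user's primary group is private to them; if users share a primary group (the `id -gn` = `id -un` test fails), the rule correctly falls back to 077 rather than making every new file group-writable.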
VII. Special Permissions
1. sticky bit
Effect: only meaningful for directories. When a directory has the sticky bit, a file inside it can be deleted or renamed only by the file's owner (the directory's owner and root can also do so), even if the directory is writable by everyone. /tmp is the classic example.
Setting: chmod o+t dir
         chmod 1XXX dir
2. sgid (set-group-ID bit)
Effect:
For files: only meaningful on binary executables. When a file has sgid, the process started by anyone executing it runs with the file's group as its effective group.
For directories: when a directory has sgid, any file created in it gets the directory's group instead of the creator's primary group, and new subdirectories inherit the sgid bit as well.
Setting: chmod g+s file|dir
         chmod 2XXX file|dir
3. suid (set-user-ID bit)
Only meaningful on binary executables. When a file has suid, the process started by anyone executing the program recorded in the file runs with the file's owner as its effective user (Linux ignores the bit on interpreted scripts).
Setting:
chmod u+s file
chmod 4755 file       ## chmod 4XXX file
eg:
chown username /bin/rm
chmod 4755 /bin/rm    ## rm now runs as username whoever calls it, so it can only delete what username may delete; a lab exercise only, since suid on system binaries is a classic privilege-escalation vector
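Here is an added example (not from the original notes) that sets the sticky, sgid and suid bits with both the symbolic and the numeric chmod forms from this section, shows what ls reports for each, including the upper-case S you get when the execute bit is missing, and then runs the find-based audit a responder uses to enumerate set-id files. It works in a temporary directory as an ordinary user and assumes GNU stat, falling back to ls -ld; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): set the sticky, sgid and suid
# bits with both the symbolic and the numeric form of chmod, look at what ls
# reports, and audit a tree for set-id files the way an incident responder
# would. Everything happens in a throw-away directory under mktemp.

# perms PATH: the 10-char mode column (GNU stat, else the ls -ld output).
perms() {
    stat -c %A "$1" 2>/dev/null || ls -ld "$1" | cut -c1-10
}

# show_mode "MODE [MODE...]" file|dir: create a fresh file or directory,
# apply each chmod argument in turn and print the resulting mode string.
show_mode() {
    d=$(mktemp -d)
    if [ "$2" = dir ]; then mkdir "$d/x"; else : > "$d/x"; fi
    for m in $1; do chmod "$m" "$d/x"; done
    perms "$d/x"
    rm -rf "$d"
}

# list_setid DIR: files with suid or sgid set, the first thing to check after
# a compromise or before trusting a base image. Stays on one filesystem.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# setid_audit_demo: plant one suid, one sgid and one plain file and show that
# only the first two are reported; returns their names on one line.
setid_audit_demo() {
    d=$(mktemp -d)
    for f in a b c; do : > "$d/$f"; done
    chmod 4755 "$d/a"; chmod 2755 "$d/b"; chmod 755 "$d/c"
    for p in $(list_setid "$d"); do basename "$p"; done | tr '\n' ' ' | sed 's/ $//'
    rm -rf "$d"
}

printf 'suid   numeric 4755       %s\n' "$(show_mode 4755 file)"        # -rwsr-xr-x
printf 'suid   symbolic 755 u+s   %s\n' "$(show_mode "755 u+s" file)"  # same bits
printf 'suid   without x 4644     %s\n' "$(show_mode 4644 file)"        # -rwSr--r--: capital S, bit set but useless
printf 'sgid   directory 2770     %s\n' "$(show_mode 2770 dir)"         # drwxrws---
printf 'sticky directory 1777     %s\n' "$(show_mode 1777 dir)"         # drwxrwxrwt
printf 'sticky symbolic 777 o+t   %s\n' "$(show_mode "777 o+t" dir)"   # same bits
printf 'set-id files found: %s\n' "$(setid_audit_demo)"                 # a b
```

For a whole host, run the same find from the root: `find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls`, and diff the result against a known-good baseline; an unexpected suid-root copy of a shell or of a tool like rm is exactly what a persistence-seeking attacker leaves behind.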
VIII. ACL (access control list)
1. Purpose
Lets specific users or groups be given specific permissions on specific files, beyond what the single owner/group/other triads can express.
2. Viewing the ACL
-rw-rwxr--+ 1 root root 0 Jul 21 15:45 file
          ^
The + at the end of the mode means an ACL is present. Once it is there, the group column of ls -l shows the ACL mask rather than the group entry, so those bits are not an accurate picture and getfacl must be used:
getfacl file            ## show the ACL of a file
# file: file            ## file name
# owner: root           ## owner of the file
# group: root           ## group of the file
user::rw-               ## permissions of the owner
user:kiosk:rwx          ## permissions of the named user
group::r--              ## permissions of the file's group
mask::rwx               ## upper bound on the permissions that take effect for named users, named groups and the group entry
other::r--              ## permissions of everyone else
3. Managing the ACL
setfacl -m u:username:rwx file    ## give username rwx on file
setfacl -m g:group:rwx file       ## give members of group rwx on file
setfacl -x u:username file        ## remove username's entry from the ACL
setfacl -b file                   ## remove the whole ACL from file
4. The mask value
The mask entry is the maximum permission that can take effect for named users, named groups and the group entry: each of those entries is effectively ANDed with the mask (the owner and other entries are not limited by it).
Using chmod to reduce the group permissions of a file that has an ACL changes the mask, not the group entry, so the rights of named users can silently shrink:
chmod g-w westos      ## lowers the mask to r-x; a named user with rwx now effectively has r-x
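The following added example (not from the original notes) makes the mask rule concrete: it takes two getfacl listings, constructed to match the file shown in this section before and after `chmod g-w`, and computes the effective permission of every entry, so the drop from rwx to r-x for the named user is visible without needing setfacl installed. The function names and the two listings are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): compute the effective permission
# of each ACL entry from a getfacl listing, to show why `chmod g-w` on a file
# that has an ACL quietly strips rights from the named user. The two listings
# are constructed to match the notes' example, not captured from a system.

# As shown by getfacl after: setfacl -m u:kiosk:rwx file
ACL_BEFORE='# file: file
# owner: root
# group: root
user::rw-
user:kiosk:rwx
group::r--
mask::rwx
other::r--'

# The same file after: chmod g-w file
# chmod rewrote the mask (which is what the group column of ls -l shows once an
# ACL exists); group:: itself was already r-- and is untouched.
ACL_AFTER='# file: file
# owner: root
# group: root
user::rw-
user:kiosk:rwx
group::r--
mask::r-x
other::r--'

# and_perms TRIAD TRIAD: bitwise AND of two rwx strings, column by column.
and_perms() {
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# acl_entry LISTING PREFIX: the rwx field of the entry whose line starts with
# PREFIX ("user::", "user:kiosk:", "group::", "mask::", "other::"). Any
# "#effective:" annotation getfacl may append is ignored.
acl_entry() {
    printf '%s\n' "$1" | sed -n "s/^$2\([rwx-][rwx-][rwx-]\).*/\1/p"
}

# acl_effective LISTING PREFIX: what the entry really grants. The owner (user::)
# and other:: are never masked; named users, named groups and group:: are
# limited to the bits also present in mask::.
acl_effective() {
    entry=$(acl_entry "$1" "$2")
    if [ -z "$entry" ]; then echo "no entry $2" >&2; return 1; fi
    case "$2" in
        user::|other::) printf '%s' "$entry" ;;
        *) mask=$(acl_entry "$1" "mask::")
           if [ -z "$mask" ]; then printf '%s' "$entry"; else and_perms "$entry" "$mask"; fi ;;
    esac
}

for who in "user::" "user:kiosk:" "group::" "other::"; do
    printf '%-12s before=%s  after chmod g-w=%s\n' "$who" \
        "$(acl_effective "$ACL_BEFORE" "$who")" "$(acl_effective "$ACL_AFTER" "$who")"
done
```

On a live system the same thing is visible with the page's own commands: `setfacl -m u:kiosk:rwx file`, `chmod g-w file`, then `getfacl file`, which marks the reduced entry with `#effective:r-x`. The practical rule is to fix the ACL with `setfacl -m m::rwx file` (or re-run the `setfacl -m` for the user) rather than reach for chmod on ACL-bearing files.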
5. Default ACL
A default ACL can only be set on directories.
It applies only to files and directories created in the directory after it is set; existing files do not inherit it. For new files the mask is limited by the creation mode, so a file created with 644 gives the named user an effective r-- even though the entry says rwx.
setfacl -m d:u:student:rwx /mnt/westos    ## new entries under /mnt/westos get user:student:rwx
IX. Restricting the Superuser
lsattr file        ## show the hidden (extended) attributes of a file
chattr +i file     ## set the immutable attribute: even root cannot modify, delete or rename the file until the attribute is removed with chattr -i (which also requires root)
Comprehensive exercise for sections VII and VIII:
Reference answer:
groupadd shengchan            ## create the production group
groupadd caiwu                ## create the finance group
groupadd jishu                ## create the technical group
useradd -G shengchan tom      ## create tom and add him to the production group
useradd -G caiwu harry        ## create harry and add him to the finance group
useradd -G jishu leo          ## create leo and add him to the technical group
useradd admin                 ## create user admin
chgrp shengchan /sc           ## make the production group the group of /sc
chgrp caiwu /cw               ## make the finance group the group of /cw
chmod 1777 /pub               ## /pub is writable by all users (777), but each user can only delete their own files (1XXX)
chmod 2770 /sc                ## only the production group (and root) can operate in /sc, and every file created there belongs to the production group
chmod 2770 /cw                ## only the finance group (and root) can operate in /cw, and every file created there belongs to the finance group
setfacl -m u:admin:rwx /sc    ## additionally give admin read, write and execute on /sc
setfacl -m u:admin:rwx /cw    ## additionally give admin read, write and execute on /cw