File rights management I

I. Linux user permission analysis

Our Linux server has strict permission levels. If the permissions granted are too high, a misoperation increases the risk to the server. Therefore, it is very important to understand the various permissions in a Linux system and to allocate reasonable permissions to users and services.

1. Basic permissions UGO

=====================================================

File permission settings determine which user or group can access a file, and in what way.

[image: assets/image-20191101152351943.png]

Permission objects:
  owner  ------> u
  group  ------> g
  others ------> o
Basic permission types:
  read:    r ----> 4
  write:   w ----> 2
  execute: x ----> 1

Case:

1.1. Set permissions

chown: change the owner and group of a file or directory
chmod: set the access permissions of a file or directory

Change the owner and group of a file

chown: for a directory, use -R to modify recursively, because the directory contains many files.

[root@linux-server ~]# chown alice.hr file1.txt   // modify the owner and group
[root@linux-server ~]# chown tom file1.txt        // modify the owner only
[root@linux-server ~]# chown .it file1.txt        // modify the group only
[root@linux-server ~]# chown -R alice.hr dir1     // recursive modification, for directories

1.2 change permissions

a. Use symbols

[image: assets/image-20191101170709941.png]

[root@linux-server ~]# chmod u+x file1.txt        // owner gains execute
[root@linux-server ~]# chmod a=rwx file1.txt      // everyone gets read, write and execute
[root@linux-server ~]# chmod a=- file1.txt        // nobody has any permission
[root@linux-server ~]# chmod ug=rw,o=r file1.txt  // owner and group read-write, others read-only
[root@linux-server ~]# ll
-rw-rw-r--. 1 tom   it      0 Nov  1 15:30 file1.txt

b. Use numbers

[root@linux-server ~]# chmod 644 file1.txt 
[root@linux-server ~]# ll file1.txt 
-rw-r--r--. 1 tom it 0 Nov  1 15:30 file1.txt

[root@linux-server ~]# chmod 755 file1.txt
[root@linux-server ~]# ll
-rwxr-xr-x  1 root root    0 Jul 23 22:40 file1.txt

[root@linux-server ~]# chmod 521 file1.txt
[root@linux-server ~]# ll
-r-x-w---x  1 root root    0 Jul 23 22:40 file1.txt
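The symbolic form that ll prints and the numeric form that chmod takes are the same nine bits read two ways. The following script, added here as an example and not part of the original tutorial, converts between the two (it also understands the s and t bits that the advanced-permission section covers) and round-trips a mode through a real chmod on a scratch file created in a temporary directory. The function names and the scratch directory are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original tutorial): convert between the symbolic
# permission string that ls -l prints and the octal mode that chmod accepts.
# Covers the nine basic bits plus the special bits: s/S in the user or group
# x slot (suid/sgid) and t/T in the other x slot (sticky).

# symbolic_to_octal 'rwxr-xr-x' -> 755 ; symbolic_to_octal 'rwsr-xr-x' -> 4755
symbolic_to_octal() {
    s=$1
    case $s in
        [r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]) ;;
        *) echo "symbolic_to_octal: expected 9 permission characters, got '$s'" >&2; return 1 ;;
    esac
    special=0; out=""; i=1
    while [ "$i" -le 7 ]; do
        triplet=$(printf '%s' "$s" | cut -c "$i-$((i + 2))")
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        case $triplet in ??[xst]) n=$((n + 1)) ;; esac   # lowercase letter: the x bit is set
        case $i in                                       # special bit belonging to this triplet
            1) case $triplet in ??[sS]) special=$((special + 4)) ;; esac ;;
            4) case $triplet in ??[sS]) special=$((special + 2)) ;; esac ;;
            7) case $triplet in ??[tT]) special=$((special + 1)) ;; esac ;;
        esac
        out="$out$n"
        i=$((i + 3))
    done
    if [ "$special" -ne 0 ]; then printf '%s%s\n' "$special" "$out"; else printf '%s\n' "$out"; fi
}

# octal_to_symbolic 521 -> r-x-w---x ; octal_to_symbolic 4755 -> rwsr-xr-x
octal_to_symbolic() {
    o=$1
    case $o in
        [0-7][0-7][0-7]) special=0 ;;
        [0-7][0-7][0-7][0-7]) special=${o%???}; o=${o#?} ;;
        *) echo "octal_to_symbolic: expected 3 or 4 octal digits, got '$o'" >&2; return 1 ;;
    esac
    d1=${o%??}; d3=${o#??}; d2=${o#?}; d2=${d2%?}
    out=""; pos=1
    for d in $d1 $d2 $d3; do
        t=""
        case $d in 4|5|6|7) t="${t}r" ;; *) t="${t}-" ;; esac
        case $d in 2|3|6|7) t="${t}w" ;; *) t="${t}-" ;; esac
        xbit=0; case $d in 1|3|5|7) xbit=1 ;; esac
        sp=0; ch=s                                       # 4 = suid, 2 = sgid, 1 = sticky
        case $pos in
            1) case $special in 4|5|6|7) sp=1 ;; esac ;;
            2) case $special in 2|3|6|7) sp=1 ;; esac ;;
            3) case $special in 1|3|5|7) sp=1 ;; esac; ch=t ;;
        esac
        if [ "$sp" -eq 1 ] && [ "$xbit" -eq 1 ]; then t="$t$ch"
        elif [ "$sp" -eq 1 ]; then case $ch in s) t="${t}S" ;; t) t="${t}T" ;; esac   # special bit without x
        elif [ "$xbit" -eq 1 ]; then t="${t}x"
        else t="${t}-"
        fi
        out="$out$t"
        pos=$((pos + 1))
    done
    printf '%s\n' "$out"
}

# check_against_chmod <octal>: chmod a scratch file, read back what ls -l shows,
# and convert it; the result should equal the octal mode that was applied.
check_against_chmod() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/f"
    chmod "$1" "$tmp/f"
    observed=$(ls -l "$tmp/f" | cut -c2-10)
    rm -rf "$tmp"
    symbolic_to_octal "$observed"
}

# Demonstration when run directly: the modes used in the tutorial
for m in 'rw-r--r--' 'rwxr-xr-x' 'r-x-w---x' 'rwsr-xr-x' 'rwxrwsr-x' 'rwxr-xrwt'; do
    printf '%-10s -> %s\n' "$m" "$(symbolic_to_octal "$m")"
done
```

Running it prints each symbolic mode beside its octal value (for example r-x-w---x -> 521, the result of the chmod 521 shown above); check_against_chmod 521 confirms that the kernel reports back exactly the bits that were set.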

2. Permission case UGO

2.1. Setting permission cases

Set permissions on the HR department's shared directory /home/hr. The requirements are as follows:

  1. The root user and hr group employees can read, write, and execute

  2. Other users do not have any permissions

[root@linux-server ~]# groupadd hr              // create the user group
[root@linux-server ~]# useradd hr01 -G hr       // create user hr01 and add it to the hr group
[root@linux-server ~]# useradd hr02 -G hr       // create user hr02 and add it to the hr group
[root@linux-server ~]# mkdir /home/hr           // create the hr directory under /home
[root@linux-server ~]# chown .hr /home/hr       // set the group of /home/hr to hr
[root@linux-server ~]# chmod 770 /home/hr       // set the permission of /home/hr to 770
[root@linux-server ~]# ll -d /home/hr           // view the permissions of the /home/hr directory itself
drwxrwx---. 2 root hr 6 Nov  1 17:11 /home/hr

2.2. Impact of RWX on files

Practical case 1: the impact of rwx on documents

For files: to view a file you must have r permission;
 to edit a file you must have w permission;
 to execute a file you must have x permission.
[root@linux-server ~]# vim /home/file1
date
[root@linux-server ~]# ll /home/file1 
-rw-r--r--. 1 root root 5 Nov  3 15:19 /home/file1

[root@linux-server ~]# su - alice  #switch to an ordinary user
[alice@linux-server ~]$ cat /home/file1 
date
[alice@linux-server ~]$ /home/file1   #execute the file
-bash: /home/file1: Permission denied
[alice@linux-server ~]$ exit
logout
[root@linux-server ~]# chmod o+x /home/file1
[alice@linux-server ~]$ /home/file1 
Sun Nov  3 15:26:21 CST 2019

[root@linux-server ~]# chmod o+w /home/file1 
[alice@linux-server ~]$ vim /home/file1
date
123
ls

2.3. The impact of RWX on directories

For a directory, write permission governs creating and deleting files inside the directory.
 For a file, write permission governs adding to, deleting and modifying the file's content.

Practical case 2: no w on the directory, rwx on the file

[root@linux-server ~]# mkdir /dir10
[root@linux-server ~]# touch /dir10/file1
[root@linux-server ~]# chmod 777 /dir10/file1 
[root@linux-server ~]# ll -d /dir10/
drwxr-xr-x. 2 root root 19 Nov  3 15:37 /dir10/
[root@linux-server ~]# ll /dir10/file1 
-rwxrwxrwx. 1 root root 0 Nov  3 15:37 /dir10/file1
[root@linux-server ~]# vim /dir10/file1
jack
[root@linux-server ~]# su - alice
Last login: Sun Nov  3 15:28:06 CST 2019 on pts/0
[alice@linux-server ~]$ cat /dir10/file1 
jack
[alice@linux-server ~]$ rm -rf /dir10/file1   #insufficient privilege
rm: cannot remove '/dir10/file1': Permission denied
[alice@linux-server ~]$ touch /dir10/file2   #insufficient privilege
touch: cannot touch '/dir10/file2': Permission denied

Practical case 3: w on the directory, no permission on the file

[root@linux-server ~]# chmod 777 /dir10/
[root@linux-server ~]# chmod 000 /dir10/file1 
[root@linux-server ~]# ll -d /dir10/
drwxrwxrwx. 2 root root 19 Nov  3 15:38 /dir10/
[root@linux-server ~]# ll /dir10/file1 
----------. 1 root root 5 Nov  3 15:38 /dir10/file1
[root@linux-server ~]# su - alice   #switch to an ordinary user
Last login: Sun Nov  3 15:38:53 CST 2019 on pts/0
[alice@linux-server ~]$ cat /dir10/file1 
cat: /dir10/file1: Permission denied    #no permission on the file
[alice@linux-server ~]$ rm -rf /dir10/file1 
[alice@linux-server ~]$ touch /dir10/file2

The significance of r, w and x permissions for files and directories

[image: assets/image-20191103151911043.png]

For files:
r ----cat
w ----vi,vim
x ----bash /dir/file

For directory:
r ----ls
w ----touch,rm
x ---- cd 
Summary
 With w permission on a directory, you can create new files in it and delete files in it, regardless of the permissions of the files themselves.
Matters needing attention
 Files: grant x permission carefully
 Directories: grant w permission carefully

3. Permission mask

umask (user mask)

Controls the default permissions of the files and directories a user creates.

The default permission is obtained by removing the umask from the maximum numeric permission. The current value can be viewed or changed with the umask command.
#View umask
[root@qfedu.com ~]#umask
0022    # default for the root account
0002    # default for ordinary users

#Default maximum permissions for the root user
 directory 777, file 666

#By calculation, the root user's default permissions for newly created directories and files are:
 directory: 755
 file: 644

#Modify umask
[root@qfedu.com ~]#umask 0111
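The calculation above can be checked in a shell. The script below is an added example, not part of the original tutorial: default_mode applies a umask to the maximum mode the way the kernel does, and observe_new_file / observe_new_dir create a file and a directory under a chosen umask in a temporary scratch directory (this example's own choice) and read back what ls prints. Because the kernel applies umask as a bit mask rather than an arithmetic subtraction, the result matches the subtraction for 022 and 002, while a value such as 0111 removes nothing from a file's 666 (files get no x bit by default anyway) and only the x bits from a directory's 777.

```shell
#!/bin/sh
# Added example (not from the original tutorial): how umask yields the default
# mode of newly created files and directories. The kernel clears the umask bits
# from the maximum mode (666 for files, 777 for directories). This is a bit
# mask: for masks such as 022 it looks like subtraction, but for masks whose
# bits are absent from the maximum (e.g. 0111 against 666) nothing is removed.

# default_mode <max-octal> <umask-octal>  ->  resulting octal mode
default_mode() {
    max=$1; mask=$2
    case "$max$mask" in ''|*[!0-7]*) echo "default_mode: octal digits expected" >&2; return 1 ;; esac
    # a leading 0 makes the shell read the numbers as octal; "& ~mask" clears the masked bits
    printf '%o\n' $(( 0$max & ~0$mask & 0777 ))
}

# observe_new_file <umask>  ->  permission field ls -l shows for a file created
# under that umask in a scratch directory (constructed here, removed afterwards)
observe_new_file() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/f" )        # subshell: the umask change does not leak
    ls -l "$tmp/f" | cut -c2-10
    rm -rf "$tmp"
}

# observe_new_dir <umask>  ->  the same for a directory (maximum 777)
observe_new_dir() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && mkdir "$tmp/d" )
    ls -ld "$tmp/d" | cut -c2-10
    rm -rf "$tmp"
}

# Demonstration when run directly: the defaults from the tutorial plus 0111
for m in 022 002 077 0111; do
    printf 'umask %-4s  file %s  directory %s\n' "$m" "$(default_mode 666 "$m")" "$(default_mode 777 "$m")"
done
```

default_mode 666 022 gives 644 and default_mode 777 022 gives 755, the root defaults listed above; observe_new_file 022 returns rw-r--r--, confirming the calculation against a real file.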

4. Advanced permissions

suid 	u+s
	Set on a command file. Whoever runs the command does so with the permissions of the command's owner, i.e. with the highest permission the command can have.
	
sgid	g+s
	Set on a directory. The group is inherited: new files created under the directory take the directory's group.
	
sticky	o+t
	Set on a directory. After it is set, all users can create files in the directory, but deletion is restricted: only the file's creator and the root user may delete it.

Advanced permissions suid,sgid,sticky

Question 1: why did this fail?

[root@linux-server ~]# chown root.root /root/file1.txt
[root@linux-server ~]# vim /root/file1.txt
123
[root@linux-server ~]# ll /root/file1.txt 
-rw-r--r--. 1 root root 0 Nov  1 15:30 /root/file1.txt

[root@linux-server ~]# su - alice
Last login: Sun Nov  3 15:57:41 CST 2019 on pts/0
[alice@linux-server ~]$ cat /root/file1.txt
cat: /root/file1.txt: Permission denied

4.1. Types of advanced permissions

#suid ==== 4  privilege elevation (only effective on binary command files; on anything else it does nothing)
	It grants permission to the command.
#sgid ==== 2  group inheritance (can only be set on a directory)
	After it is set on a directory, the sub-files created in it inherit the directory's group
#sticky == 1  (t permission) deletion control

4.2. Set special permissions

Two syntaxes:
a. character syntax:
chmod u+s file
chmod g+s dir
chmod o+t dir
(which rm; whoami)
b. numeric syntax:
chmod 4777 file
chmod 2770 dir
chmod 1770 dir

Case 1

suid: ordinary users gain elevated rights through suid     <for files>
Add the suid permission on a program file (a binary, executable command file)
[root@linux-server ~]# chmod u+s /usr/bin/cat
[root@linux-server ~]# chmod u+s /usr/bin/rm
[root@linux-server ~]# su - alice
Last login: Wed Nov  6 17:40:40 CST 2019 on pts/0
[alice@linux-server ~]$ cat /root/file1.txt
123
[alice@linux-server ~]$ rm -rf /root/file1.txt

Set UID

So what is the effect of this special permission?
1. SUID permission is only effective on command files (binary files);
2. The user executing the program gains the permissions of the program's owner.

Cancelling the privilege elevation

[root@linux-server ~]# ll /usr/bin/rm
-rwsr-xr-x. 1 root root 62864 Nov  6  2016 /usr/bin/rm
 Once rm has been given the suid permission, an ordinary user running it is equivalent to the root user (immediate privilege elevation).

[root@linux-server ~]# chmod u-s /usr/bin/rm  #cancel the privilege elevation

Case 2

First create a user group and two users; then perform the three case operations.

Set GID

When an s sits in the x position of the file's group bits, that is SGID. What does SGID do? The same as SUID, except that SGID grants the permissions of the group the program belongs to.
SGID is mainly used on directories: if a user has w permission on the directory, the files the user creates in it get the same group as the directory.

case

[root@linux-server ~]# mkdir /opt/dir1  #Create directory
[root@linux-server ~]# groupadd hr  #Create a group
[root@linux-server ~]# chmod 775 /opt/dir1/  #Set permissions
[root@linux-server ~]# ll -d /opt/dir1/
drwxrwxr-x. 2 root root 6 Nov  6 21:26 /opt/dir1/
[root@linux-server ~]# chown .hr /opt/dir1/  #Set membership group
[root@linux-server ~]# chmod g+s /opt/dir1/  #Set sgid
[root@linux-server ~]# ll -d /opt/dir1/
drwxrwsr-x. 2 root hr 6 Nov  6 21:26 /opt/dir1/
[root@linux-server ~]# touch /opt/dir1/a.txt
[root@linux-server ~]# ll /opt/dir1/a.txt
-rw-r--r--. 1 root hr 0 Nov  6 21:33 /opt/dir1/a.txt

[root@linux-server ~]# chmod o+w /opt/dir1/ -R 
[root@linux-server ~]# su - alice
Last login: Wed Nov  6 21:34:59 CST 2019 on pts/2
[alice@linux-server ~]$ touch /opt/dir1/b.txt
[alice@linux-server ~]$ ll /opt/dir1/b.txt
-rw-rw-r--. 1 alice hr 0 Nov  6 21:35 /opt/dir1/b.txt

Sticky Bit

This one applies to others; its form is the same as the two above, but its function differs.
SBIT (Sticky Bit) is currently only effective on directories. Its effect: when users create files or directories under such a directory, only the creator and root have the right to delete them.

case

[root@linux-server ~]# cd /home/
[root@linux-server home]# mkdir dir2
[root@linux-server home]# chmod 757 dir2/
[root@linux-server home]# chmod o+t dir2/
[root@linux-server home]# ll -d dir2/
drwxr-xrwt. 2 root root 52 Oct 31 16:49 dir2/
[root@linux-server home]# useradd jack  #Create user
[root@linux-server home]# su - alice 
Last login: Wed Nov  6 21:48:12 CST 2019 on pts/2
[alice@linux-server ~]$ touch /home/dir2/alice.txt  #User alice creates a file
[alice@linux-server ~]$ exit
logout
[root@linux-server home]# su - jack 
Last login: Wed Nov  6 21:48:36 CST 2019 on pts/2
[jack@linux-server ~]$ touch /home/dir2/jack.txt   #User jack creates file
[jack@linux-server ~]$ rm -rf /home/dir2/alice.txt 
rm: cannot remove '/home/dir2/alice.txt': Operation not permitted
 Test: jack cannot delete the file created by alice
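The three cases above (suid on rm, sgid on /opt/dir1, the sticky bit on dir2) and the world-writable /dir10 from section 2.3 can all be recognised from the first field of ll output. The script below is an added example, not part of the original tutorial: audit_mode reads one permission field and reports the suid, sgid and world-writable conditions, treating a world-writable directory without the sticky bit as a finding (any user could delete other users' files there) and one with the sticky bit as acceptable; audit_listing runs it over a listing constructed from the tutorial's own ll output. The function names and the embedded listing are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): read the permission field of
# ls -l lines and flag the special bits discussed in section 4, plus the
# setting section 2.3 warns about: a world-writable directory without the
# sticky bit, where any user can delete other users' files. The listing lines
# below are constructed for this example from the tutorial's own output.

# audit_mode <10-char mode field>  ->  space-separated findings, or "ok"
audit_mode() {
    m=$(printf '%s' "$1" | cut -c1-10)
    ftype=$(printf '%s' "$m" | cut -c1)       # d = directory, - = regular file
    user=$(printf '%s' "$m" | cut -c2-4)
    group=$(printf '%s' "$m" | cut -c5-7)
    other=$(printf '%s' "$m" | cut -c8-10)
    findings=""
    case $user  in ??[sS]) findings="$findings setuid" ;; esac   # s/S in the owner x slot
    case $group in ??[sS]) findings="$findings setgid" ;; esac   # s/S in the group x slot
    sticky=no
    case $other in ??[tT]) sticky=yes ;; esac                     # t/T in the other x slot
    case $other in
        ?w?)
            if [ "$ftype" = d ] && [ "$sticky" = no ]; then
                findings="$findings world-writable-dir-no-sticky"
            elif [ "$ftype" != d ]; then
                findings="$findings world-writable-file"
            fi ;;
    esac
    if [ -n "$findings" ]; then printf '%s\n' "${findings# }"; else printf 'ok\n'; fi
}

# audit_listing  ->  one "<findings> <path>" line per listing line
# (ls -l fields: mode links owner group size month day time name)
audit_listing() {
    while read -r mode _ _ _ _ _ _ _ path; do
        [ -n "$mode" ] || continue
        printf '%-30s %s\n' "$(audit_mode "$mode")" "$path"
    done <<'EOF'
-rwsr-xr-x. 1 root root 62864 Nov  6  2016 /usr/bin/rm
drwxrwsr-x. 2 root hr 6 Nov  6 21:26 /opt/dir1/
drwxr-xrwt. 2 root root 52 Oct 31 16:49 dir2/
drwxrwxrwx. 2 root root 19 Nov  3 15:38 /dir10/
-rwxrwxrwx. 1 root root 0 Nov  3 15:37 /dir10/file1
-rw-r--r--. 1 root root 5 Nov  3 15:19 /home/file1
EOF
}

# Demonstration when run directly
audit_listing
```

Against the constructed listing it reports setuid for /usr/bin/rm, setgid for /opt/dir1/, ok for dir2/ (world-writable but protected by the sticky bit), world-writable-dir-no-sticky for /dir10/ and world-writable-file for /dir10/file1. On a live system the same function can be fed the output of ll on any directory you want to review.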

4.3. At present there are two ways to elevate the rights of ordinary users:

sudo: targeted; for example, it lets one particular user execute certain commands as root.
suid: applies to all users; whenever any user runs a program that has the suid permission (e.g. /usr/bin/rm), it executes with root identity.
case
Release all commands
Configuration explanation:
 root         the user name
 first ALL    the user may invoke sudo from any terminal or machine
 (ALL)        sudo may run the command as any user
 third ALL    any command may be executed as root
[root@linux-server ~]# visudo    #open the configuration file
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
jack    ALL=(ALL)       NOPASSWD: ALL   #added line
## Allows members of the 'sys' group to run networking, software,
Test:
[root@linux-server ~]# su - jack
Last login: Wed Nov  6 22:04:46 CST 2019 on pts/2
[jack@linux-server ~]$ sudo mkdir /test1
Release individual commands only
[root@linux-server ~]# visudo
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
jack    ALL=(ALL)       NOPASSWD:ALL
alice   ALL=(ALL)       NOPASSWD:/usr/bin/mkdir, /usr/bin/rm, /usr/bin/touch

## Allows members of the 'sys' group to run networking, software,
Test:
[root@linux-server ~]# su - alice
Last login: Fri Jul 24 00:52:13 CST 2020 on pts/1
[alice@linux-server ~]$ touch /file
touch: cannot touch '/file': Permission denied
[alice@linux-server ~]$ sudo touch /file

Keywords: Linux Operation & Maintenance

Added by dragon_sa on Fri, 21 Jan 2022 10:43:19 +0200