Linux: Permission management

Permission management

Permission viewing and reading

  • Permission view
ls -l file 	#View file permissions
ls -ld dir 	#View directory permissions

  • -rw-r--r--. 1 root root 0 Apr 12 10:57 westos
    [1]="-"  [2]="rw-r--r--"  [3]="."  [4]=1  [5]=root  [6]=root  [7]=0  [8]="Apr 12 10:57"  [9]=westos

[1] # file type
#- ordinary file
#d directory
#l symbolic (soft) link
#b block device
#c character device
#s socket
#p pipe (FIFO)
[2] ## permission bits
##rw-|r--|r--  (owner|group|other)
[3] ## SELinux flag: "." means the file carries a SELinux security context (SELinux is enabled)
[4] ## for files: the number of times the file content is referenced by the system (hard link count)
##for directories: the number of subdirectories in the directory
[5] ## file owner
[6] ## file owning group
[7] ## for files: size of the file content
##for directories: size of the metadata of the entries in the directory
[8] ## last modification time of the file content
[9] ## file name

Types and functions of common permissions

  • User identity relative to a file

u: #user, the owner of the file; the fifth column of ls -l output
g: #group, the group the file belongs to; the sixth column of ls -l output
o: #other, the generic name for every user who is neither the owner nor a member of the group

  • Permission bit

rwx|r--|r--
 u   g   o

  • Permission type

- permission not granted

r readable
#For files: you can read the contents of the file
#For directories: you can ls list the files in the directory

w writable
For files: you can change the contents of the file
For directory: you can create or delete files in the directory

x executable
For files: the program recorded in the file can be invoked by its file name
For directories: you can enter (cd into) the directory

Method of setting normal permissions

  • chmod

Set file permissions

#Copy permissions
chmod -R --reference=/tmp /mnt/westosdir #Copy the permissions of /tmp to /mnt/westosdir and the files inside it; -R applies the change recursively
#Character mode setting permission
chmod <a|u|g|o><+|-|=><r|w|x> file
chmod a+x /mnt/file1
chmod u+x,g-x /mnt/file1
chmod u=rx /mnt/file1
#Setting permissions in numeric (octal) mode
r = 4; w = 2; x = 1
chmod 644 /mnt/file1

System default permission settings

  • umask

Temporary modification

umask #Show the current umask (the permission bits withheld from newly created files)
umask <value> #Temporarily set the umask for the current shell
 File default permissions = 777-umask-111
 Directory default permissions = 777-umask
The higher the umask value, the more restrictive the default permissions and the tighter the system
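The two formulas above are a digit-wise shorthand for what the kernel actually does, which is to clear the umask bits from 666 (files) or 777 (directories). The script below is an added example, not part of the original article: it computes the default modes with that bitwise rule for several masks (it therefore also handles masks such as 027, where digit subtraction is awkward) and then checks the result against files it really creates. The only assumption about the system is that `stat -c %a` (GNU coreutils) is available for the live check.

```shell
#!/bin/sh
# Added example (not from the original article): derive the default mode a
# given umask produces, the way the kernel does it, by clearing the umask
# bits from the base mode (0666 for files, 0777 for directories).
# Assumption: GNU coreutils 'stat' is available for live_check.

# Print the default octal mode of a new file under umask $1.
default_file_mode() {
    # "0$1" makes the argument an octal constant inside $(( ))
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Print the default octal mode of a new directory under umask $1.
default_dir_mode() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# Create a file and a directory in a scratch location with umask $1 applied
# and print the modes the filesystem actually assigned, for comparison.
live_check() {
    local mask="$1" scratch
    scratch=$(mktemp -d) || return 1
    (
        umask "$mask"
        : > "$scratch/f"
        mkdir "$scratch/d"
    )
    printf 'umask %s: file=%s dir=%s\n' "$mask" \
        "$(stat -c %a "$scratch/f")" "$(stat -c %a "$scratch/d")"
    rm -rf "$scratch"
}

for m in 022 002 027 077; do
    printf 'umask %s -> file %s, dir %s\n' "$m" \
        "$(default_file_mode "$m")" "$(default_dir_mode "$m")"
done
live_check 027
```

With umask 022 the functions return 644 and 755, matching the article's formulas; with 027 they return 640 and 750, which is what `live_check 027` also reports from the real files.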

Permanent modification

vim /etc/bashrc #shell system configuration file
vim /etc/profile #system environment profile
source /etc/bashrc #source makes the edited contents take effect in the current shell immediately
source /etc/profile


File user group management

  • chown chgrp
chown username file 	#Change file owner
chgrp groupname file 	#Change file ownership group
chown username:groupname file 	#Change the owner and ownership group of the file at the same time
chown -R user dir 		#Change the owner of the directory itself and the contents in the directory



Special permissions

  • Sticky bit

For directories: if the sticky bit is set on a directory, the files in it can only be deleted by their own owner

chmod 1777 /mnt/pub/
chmod o+t /mnt/pub/ 	#Both commands add this permission

Without the sticky bit, any user can add or delete files in the public directory
With it, any user can still add files, but only the creator of a file can delete it

  • sgid (set-group-ID) bit

For directories: files newly created in the directory automatically belong to the directory's group

chmod 2777 /mnt/pub/
chmod g+s /mnt/pub/		#Both commands add this permission

For binary executables (e.g. a compiled C program): when the file is run, the process runs with the file's owning group
The process's user is still whoever started it; the owner of the program does not change that

#Monitor the user and group of a running process (here: cat)
watch -n 1 'ps ax -o user,group,comm | grep cat'


  • suid (set-user-ID) bit

For binary executables (e.g. a compiled C program): when the file is run, the process runs as the file's owner, regardless of who executes it

chmod 4777 file
chmod u+s  file
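Added example, not from the original article: a small decoder for the permission column that `ls -l` prints, showing where the three special bits appear (`s` in the owner triplet for suid, `s` in the group triplet for sgid, `t` in the other triplet for sticky; a capital `S` or `T` means the bit is set but the matching execute bit is not) and how the whole string maps to the four-digit octal form used by `chmod 4755` and the like. The sample mode strings are constructed, and `audit_special` is a helper added here for the `find -perm` check an administrator runs to list the setuid/setgid files on a system.

```shell
#!/bin/sh
# Added example (not from the original article): decode the special-bit
# letters in an ls -l permission column and convert the string to its
# four-digit octal form (e.g. "-rwsr-xr-x" -> 4755). MODES is constructed.

# Character $2 (1-based) of string $1.
ch() { printf '%s' "$1" | cut -c "$2"; }

# Print the special bits present in a symbolic mode string, one per line.
special_bits() {
    local mode="$1"
    case "$(ch "$mode" 4)" in
        s) echo "suid" ;;
        S) echo "suid (owner execute bit not set)" ;;
    esac
    case "$(ch "$mode" 7)" in
        s) echo "sgid" ;;
        S) echo "sgid (group execute bit not set)" ;;
    esac
    case "$(ch "$mode" 10)" in
        t) echo "sticky" ;;
        T) echo "sticky (other execute bit not set)" ;;
    esac
}

# Convert a symbolic mode string to four octal digits: special, u, g, o.
mode_to_octal() {
    local mode="$1" special=0 out="" start pos val
    for start in 2 5 8; do            # first column of each rwx triplet
        val=0
        for pos in $start $((start + 1)) $((start + 2)); do
            case "$(ch "$mode" "$pos")" in
                r) val=$((val + 4)) ;;
                w) val=$((val + 2)) ;;
                x|s|t) val=$((val + 1)) ;;   # lowercase s/t imply execute
            esac
        done
        out="$out$val"
    done
    case "$(ch "$mode" 4)" in s|S) special=$((special + 4)) ;; esac
    case "$(ch "$mode" 7)" in s|S) special=$((special + 2)) ;; esac
    case "$(ch "$mode" 10)" in t|T) special=$((special + 1)) ;; esac
    printf '%s%s\n' "$special" "$out"
}

# List setuid/setgid regular files under $1 (GNU find: -perm /6000 matches
# either bit). This is the audit to run after reading about these bits.
audit_special() {
    find "$1" -xdev -type f -perm /6000 -exec ls -l {} + 2>/dev/null
}

MODES="-rwsr-xr-x drwxrwxrwt drwxrwsr-x -rwSr--r-- -rw-r--r--"
for m in $MODES; do
    printf '%s -> %s : %s\n' "$m" "$(mode_to_octal "$m")" \
        "$(special_bits "$m" | paste -sd, -)"
done
```

Running the script lists the five sample modes as 4755, 1777, 2775, 4644 and 0644; `audit_special /usr/bin` shows the real setuid/setgid binaries on the host so that unexpected ones can be spotted.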

ACL permission list

  • Function

An ACL lets specific users or groups be given their own permissions on specific files, independently of the owner/group/other bits

  • ACL enabled indicator

A "+" after the permission bits in ls -l output indicates that the file has an ACL

  • acl list permission reading
getfacl westosfile
  • acl list permission control
setfacl -m u:westos:0 westosfile #Add an entry: user westos gets no permissions (0)
setfacl -m g:westos:rw westosfile #Add an entry: group westos gets read and write
setfacl -m u::rwx westosfile #Set the owner's permissions
setfacl -m g::0 westosfile #Set the owning group's permissions to none
setfacl -x u:westos westosfile #Delete the entry for westos from the list
setfacl -b westosfile 		#Remove the whole ACL


  • ACL permission priority

Owners > specially designated users > groups with more permissions > groups with less permissions > others

  • mask

The mask is the upper bound on the permissions that named users and groups can effectively get: their entries are ANDed with it

Restore the mask to rwx (the mask entry takes no user name):
setfacl -m m::rwx /mnt/pub
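To show what the mask does to the entries, the following added example (not from the original article) reads a constructed getfacl dump and computes each masked entry's effective permission by ANDing it with the mask, which is what getfacl's `#effective:` annotation reports. It also recomputes the union mask that `setfacl -m` (without `-n`) sets automatically, so you can see why granting `rwx` to a user is undone when the mask is later lowered, for instance by a `chmod` that removes group write. Only access ACL entries are handled, not `default:` entries.

```shell
#!/bin/sh
# Added example (not from the original article): effective ACL permissions.
# Named user, named group and owning-group entries are limited by the mask;
# owner and other entries are not. ACL_SAMPLE is a constructed getfacl dump.

ACL_SAMPLE='# file: westosfile
# owner: root
# group: root
user::rw-
user:westos:rwx
group::r--
group:dev:rw-
mask::r-x
other::r--'

# Read getfacl output on stdin; print "<entry> effective:<perms>" for each
# entry that the mask applies to (AND of entry bits and mask bits).
acl_effective() {
    awk -F: '
        /^mask::/ { mask = substr($3, 1, 3); next }
        /^(user|group):[^:]+:/ || /^group::/ {
            n++
            entry[n] = $1 ":" $2 ":" substr($3, 1, 3)
            perm[n] = substr($3, 1, 3)
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    p = substr(perm[i], j, 1); m = substr(mask, j, 1)
                    eff = eff ((p == m && p != "-") ? p : "-")
                }
                print entry[i] " effective:" eff
            }
        }'
}

# Read getfacl output on stdin; print the mask setfacl would recalculate
# for these entries: the union of all masked entries.
acl_union_mask() {
    awk -F: '
        /^(user|group):[^:]+:/ || /^group::/ {
            for (j = 1; j <= 3; j++)
                if (substr($3, j, 1) != "-") bit[j] = substr($3, j, 1)
        }
        END {
            printf "%s%s%s\n", (bit[1] ? bit[1] : "-"),
                               (bit[2] ? bit[2] : "-"),
                               (bit[3] ? bit[3] : "-")
        }'
}

printf '%s\n' "$ACL_SAMPLE" | acl_effective
printf 'recalculated mask: %s\n' "$(printf '%s\n' "$ACL_SAMPLE" | acl_union_mask)"
```

On the sample, westos's `rwx` entry is cut down to `r-x` by the `r-x` mask, and the recalculated mask is `rwx`, which is the state `setfacl -m m::rwx` restores on a real file.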

  • Default permissions for ACLs
setfacl -m u:lee:rwx /mnt/westosdir #Takes effect only on the /mnt/westosdir directory itself
setfacl -Rm u:lee:rwx /mnt/westosdir #Takes effect on /mnt/westosdir and everything already inside it
  • Making the permission apply to new files
setfacl -m d:u:lee:rwx /mnt/westosdir/ ##Default entry: applies to files created in /mnt/westosdir from now on

attr permissions

i 				#immutable: no changes at all are allowed
a			 	#append-only: content can be added but not deleted or overwritten
lsattr dir|file				#View attr permissions
chattr +i|+a|-i|-a dir|file #Set attr permissions


  • test2

Create directories that meet the following requirements
* new directories /sc /cw /js /pub
/sc is the data directory of the production department and may be read and written only by production staff
/cw is the data directory of the finance department and may be read and written only by finance staff
/js is the data directory of the technology department and may be read and written only by technology staff
/pub is the company's public directory and may be read and written by any employee

  • test3

Create directories that meet the following requirements
* new directories /sc /cw /js /pub
/sc is the data directory of the production department, may be read and written only by production staff, and files created in /sc belong to the production department
/cw is the data directory of the finance department, may be read and written only by finance staff, and files created in /cw belong to the finance department
/js is the data directory of the technology department, may be read and written only by technology staff, and files created in /js belong to the technology department
/pub is the company's public directory, may be read and written by any employee, but a user may delete only their own files
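One way to solve test2 and test3 with the commands covered above, written as an added example rather than the article's own answer. The group names sc, cw and js are assumptions (the task names no accounts), "alice" is a placeholder user, and /pub is made 1777 as in the article's own `chmod 1777 /mnt/pub/` so that every login user can use it. Commands are only printed unless `APPLY=1` is set, so the plan can be reviewed before it is executed as root.

```shell
#!/bin/sh
# Added example (not from the original article): build the department and
# public directories from test2/test3. Group names and the user "alice" are
# assumptions. Dry run by default; APPLY=1 executes the commands (as root).

# Execute "$@" when APPLY=1, otherwise print the command line.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Department directory owned by root:$group. Mode 770 (test2) limits reading
# and writing to group members; mode 2770 (test3, the default here) adds the
# sgid bit so files created inside inherit the department group.
dept_dir() {
    local dir="$1" group="$2" mode="${3:-2770}"
    run groupadd -f "$group"        # -f: succeed if the group already exists
    run mkdir -p "$dir"
    run chown "root:$group" "$dir"
    run chmod "$mode" "$dir"
}

# Public directory: anyone may create files. Mode 777 satisfies test2; the
# sticky bit (1777, the default here) adds test3's rule that a file may be
# deleted only by its owner (or root).
pub_dir() {
    local dir="$1" mode="${2:-1777}"
    run mkdir -p "$dir"
    run chmod "$mode" "$dir"
}

# Put an existing user into a department group as a supplementary group.
add_member() {
    local user="$1" group="$2"
    run usermod -aG "$group" "$user"
}

main() {
    dept_dir /sc sc
    dept_dir /cw cw
    dept_dir /js js
    pub_dir /pub
    add_member alice sc   # "alice" is a placeholder account name
}

main
```

For test2 call `dept_dir /sc sc 770` and `pub_dir /pub 777` instead; everything else is the same. After applying, `ls -ld /sc /pub` should show `drwxrws---` and `drwxrwxrwt`, the sgid and sticky forms from the special-permissions section.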

Keywords: Linux Operation & Maintenance bash

Added by []InTeR[] on Fri, 28 Jan 2022 17:30:21 +0200