Permission management under Linux

Permission management under Linux

1. How to view and read permission information

[1]ls

This part has also appeared in linux command line operation and file management. To master more commands and their functions, please see the previous blog linux command line operation and file management
L l will be used below, so I inquired the following information: ll will list all file information under the file, including hidden files, while ls -l will only list display files, and the information listed by ll command is more detailed, with time, whether it is readable or writable, etc

[2] View file properties

//How to view file properties
[root@workstation Desktop]# ls -l /etc/shadow    
----------. 1 root root 1338 Jan 10 02:48 /etc/shadow

//How to view catalog properties
[root@workstation Desktop]# ls -ld /etc/
drwxr-xr-x. 139 root root 8192 Jan 10 04:08 /etc/

Note that we need to remember the function of ls parameters in [1]

[3] Understanding of each field of property

• Understand the fields of file properties
  

• Understand the fields of catalog properties

• Field 1 is a special case.
  -Represents directory or link file, etc., d represents directory, such as drwx ------. l indicates the linked file, such as lrwxrwxrwx; if it is indicated by a "-" column, it indicates that it is a file.

• Field 2, representing the properties of the file.
  Linux files are basically divided into three attributes: readable (r), writable (w), and executable (x). The grid of this part is one unit for every three grids. Because Linux is a multi-user and multi task system, a file may be used by many people at the same time, so we must set the permissions of each file. The order of the permissions of the file is (take - rwxrxrxrxrx as an example): rwx(Owner)r-x(Group)r-x(Other)
  – this example shows the permissions: users can read, write, and execute; users in the same group can read, write, and execute; other users can read, write, and execute.
  – in addition, the execution part of some program attributes is not X, but S, which means that the user executing the program can temporarily have the same authority as the owner to execute the program. Generally appear in the system management and other instructions or programs, so that the user has root identity when executing.

• Field 4 indicates the number of files.
  - if it's a file, the number is 1. If it's a directory, the number is the number of files in the directory. For example, the code in the following section explains the number of directories.
  (Note: in the following example, you can see that we did not create new files and subdirectories under the directory "westos", but the number is 2 at this time, because it contains the hidden directories "." and " ", so it's 2.)

[root@workstation Desktop]# mkdir westos
[root@workstation Desktop]# ls -l /mnt/
total 0
drwx------. 2 1001 linux 6 Jan 10 01:26 westos

• Field 5, indicating the owner of the file or directory.
  – if the user is currently in his / her own Home, this column is probably his / her account name.

• Field 6, indicating the group to which it belongs.
  – each user can have more than one group, but most users should belong to only one group. Only when the system administrator wants to give a user special permission, can another group be given to him.

• Field 7, representing the file size.
  – the file size is expressed in bytes, while the empty directory is generally 1024byte. You can use other parameters to make the file display in different units, such as ls
  - k is to display the size unit of a file in kb, but generally we still use byte as the main unit.
  Note: for example, the code in the following section explains the size of the file installed when it is a directory. Create a new directory "westos". At this time, no new files or directories are created in "westos", but the number represented by field 3 is already 6. The reasons are as follows: the original is 6, because it contains [". [3] and" "[3]] there are 6 in total, so 6 represents the original ownership and (3+3)]

[root@workstation Desktop]# mkdir westos
[root@workstation Desktop]# ls -l /mnt/
total 0
drwx------. 2 1001 linux 6 Jan 10 01:26 westos

• Field 8, representing the creation date.
  – in the format of "month, day, time", for example, Jan 10 01:26 means 1:26 a.m. on January 10.

• Field 9 for the file name.
  – we can use ls – a to show hidden filenames.

[3] Practice
Why 63 (for example)
[root@workstation mnt]# ls -Rl /mnt/
/mnt/:
total 0
drwxr-xr-x. 2 root root 63 Jan 8 22:41 westos

/mnt/westos:
total 0
-rw-r–r--. 1 root root 0 Jan 8 22:41 file
-rw-r–r--. 1 root root 0 Jan 8 22:11 redhat1
-rw-r–r--. 1 root root 0 Jan 8 22:11 redhat2
-rw-r–r--. 1 root root 0 Jan 8 22:11 redhat3

63 = 8 (8 bits before the name) * 4 lines + 4 (file) + 21 (redhat{1) 3} ) + 6 (. And...)

2. Set the owner and ownership group of the file

[1] Division of identity

• Because Linux is a multi-user and multi task system, a file may be used by many people at the same time. In order to consider everyone's privacy and everyone's favorite working environment, users are classified. (take - rwxrxrxrx as an example): rwx(Owner)r-x(Group)r-x(Other)
  This example shows permissions: users can read, write, and execute; users in the same group can read, write, and execute; other users can read, write, and execute.
• File owner and ownership group can only be modified by root

[2] Change method
Practice

[root@workstation ~]# chown haha /mnt/file1 [user]
[root@workstation ~]# chown student:haha /mnt/file2 [user]
[root@workstation ~]# chown haha.student /mnt/file3 [user]
[root@workstation ~]# chgrp student /mnt/westos [group]
[root@workstation ~]# Chown. Student / MNT / file1 [group]
[root@workstation ~]# Chown: student / MNT / File2 [group]

/mnt:
total 0
-rw-r--r--. 1 haha    student  0 Jan  8 20:40 file1
-rw-r--r--. 1 student student  0 Jan  8 20:40 file2
-rw-r--r--. 1 haha    student  0 Jan  8 20:40 file3
drwxr-xr-x. 2 root    student 51 Jan  8 20:40 westos    [2 Because there are hidden directories  .  and..]

3. Understand the impact of various permission types on files

[1] File permission read

• Linux files are basically divided into three attributes: readable (r), writable (w), and executable (x). The grid of this part is one unit for every three grids. Because Linux is a multi-user and multi task system, a file may be used by many people at the same time, so we must set the permissions of each file. The order of the permissions of the files is (take - rwxrxrxrx-x as an example):
  rwx(Owner)r-x(Group)r-x(Other)　　
  – this example shows the permissions: users can read, write, and execute; users in the same group can read, write, and execute; other users can read, write, and execute.
• – in addition, the execution part of some program attributes is not X, but S, which means that the user executing the program can temporarily have the same authority as the owner to execute the program. Generally appear in the system management and other instructions or programs, so that the user has root identity when executing.

Permission type

• "-" permission closed: this bit of permission is not opened
• "r" (read view permission):
  For files, you can view the contents of the files;
  For a directory, list the file names in the directory.
• "w" (writeable permission):
  For the document, the contents of the document record can be changed;
  Create a new file or directory in the new directory, delete the existing files and directories (regardless of the permissions of the sub files or sub directories), modify the name of the existing files or directories, and move the location of the files and directories in this directory.
• "x" (execute permission):
  Indicates that the user can switch paths to the current directory

4. Skillfully set authority

[1] Setting file permissions in character mode
Chmod < U / g / O / a > < R / w / x > target
Practice

chmod u+x /mnt/file
chmod g-w /mnt/file1
chmod uo-x /mnt/file2
chmod g-x,o-w /mnt/file3
chmod o=rw- /mnt/file4

[2] Set file permissions in digital mode

Practice

chmod 777 /mnt/file
 chmod 645 /mnt/file1 [at this time, the permission is rw-r--r-x]

[3] Permission copy

chmod --reference=Property source file  TAG
chmod --reference=/mnt/file westos

Compared with the command CP learned before, it can be found that cp-p will copy the permissions and the contents of the source file, and overwrite the contents of the target file. chmod --reference only copies the permissions

5. Permission reservation threshold umask

[1] Temporary changes

• Use umask to reserve permission in the system
• In the shell, you can use umask to view and set the reserved permission threshold [that is, umask reserved threshold]
• sudo delegation of power (it can be simply understood that it gives certain power to ordinary users, such as the example "haha workstation.lab.example.com = (root) NOPASSWD: / user/sbin/useradd" in the user management section, which means that in terms of creating new users, the power of root is given to ordinary users. But what umask modifies is permissions, that is, the permissions of file owners, file organizers and others.
  In short: sudo is what we can do after devolution. umask is what ugo can do to files or directories after modifying permissions.

Practice

[root@workstation Desktop]# umask [View reserved permission threshold]
0022
[root@workstation Desktop]# umask 077 [set reserved permission threshold]
[root@workstation Desktop]# umask
0077

[2] Permanent change

• shell configuration file / etc/bashrc
  
• System environment configuration file / etc/profile
  
• Modification steps

[root@workstation Desktop]# vim /etc/bashrc [after entering the environment shown in Figure 1, / umask, change 022 to 077]
[root@workstation Desktop]# vim /etc/profile	
[root@workstation Desktop]# source /etc/profile. ]
[root@workstation Desktop]# umask
0077

6. Special permissions in the system

[1] . sticky

• Effect
  Only valid for directory. When a directory has sticky permission, files in this directory can only be deleted by the owner of the file
• Setting method (special permission o+t effect is equivalent to 1 original file)
  chmod o+t dir
  chmod 1xxx dir

[Command]
watch -n 1 ls -l /mnt/  [Monitoring command]

[root@workstation mnt]# cd /mnt/
[root@workstation mnt]# ls
westos
[root@workstation mnt]# chmod 777 /mnt/westos
[root@workstation mnt]# chmod 1777 /mnt/westos / [o+t limit permission, operation verification user A can't delete files created by user B]
[root@workstation mnt]# su student

(process:20759): dconf-CRITICAL **: 00:48:36.215: unable to create directory '/run/user/0/dconf': Permission denied.  dconf will not work properly.

(process:20759): dconf-CRITICAL **: 00:48:36.215: unable to create directory '/run/user/0/dconf': Permission denied.  dconf will not work properly.

(process:20759): dconf-WARNING **: 00:48:36.221: failed to commit changes to dconf: Could not connect: Permission denied		
[student@workstation Desktop]$ exit
exit
[root@workstation mnt]# su - student [switch to student user]
[student@workstation mnt]$ cd westos		
[student@workstation westos]$ touch studentfile		[student User created a file]
[student@workstation westos]$ exit
exit
[root@workstation mnt]# su - westos [switch to the user of weatos, which does not exist at this time]
su: user westos does not exist
[root@workstation mnt]# User add westos
[root@workstation mnt]# su - westos [switch to westos user]
[westos@workstation ~]$ cd /mnt/westos
[westos@workstation westos]$ touch westosfile		[Set up documents]
[westos@workstation westos]$ rm -fr westosfile		[Delete self created documents]
[westos@workstation westos]$ rm -fr studentfile		
rm: cannot remove 'studentfile': Operation not permitted [westos Users can delete their own files, but in the chmod 1777 westos Can't delete student User created documents]>>>[Verify that under the set permission, A User cannot delete B User created files. Files in this directory can only be deleted by the owner of the file]

[2] sgid (mandatory bit)

• Effect
  For files: only for binary executable files, when there is sgid on the file, the process generated by anyone executing the file belongs to the file group
  For a directory: when there is sgid permission on the directory, the files created by anyone in the directory belong to all groups of the directory
  In short: what I have made should belong to Xiaomi company. When I create a file or directory, the owner of the file and the owning group are all me. But at this time, the identity of the group must be changed to the company to meet the reality. Therefore, it needs to be set to change the group of newly created files into the group of the original directory
• Setting mode (g+s has the same effect as 2777)
  chmod g+s file|dir
  chmod 2xxx file|dir
  g+s is the same as 2777

[Command]
[root@workstation mnt]# chmod 2777 westos
[root@workstation mnt]# su - student
Last login: Thu Jan  9 01:38:01 EST 2020 on pts/2
[student@workstation ~]$ cd /mnt/westos
[student@workstation westos]$ touch file1
[student@workstation westos]$ cd ..
[student@workstation mnt]$ mkdir haha
[student@workstation mnt]$ cd haha
[student@workstation haha]$ touch redhat1
[student@workstation haha]$ chmod 2777 /mnt/haha
[student@workstation haha]$ exit
logout
[root@workstation mnt]# touch redhat5 /mnt/haha
[root@workstation mnt]# rm -f redhat5
[root@workstation mnt]# su - westos
Last login: Thu Jan  9 00:51:44 EST 2020 on pts/2
[westos@workstation ~]$ cd /mnt/haha
[westos@workstation haha]$ touch file5

[Monitoring command]
watch -n 1 ls -Rl /mnt

/mnt:
total 0
drwxrwsrwx. 2 student student 34 Jan  9 01:48 haha
drwxrwsrwx. 2 root    root    50 Jan  9 01:40 westos

/mnt/haha:
total 0
-rw-rw-r--. 1 westos  student 0 Jan  9 01:48 file5		[Another one, student Set permissions under westos Created users belong to haha Original group of catalog student]
-rw-rw-r--. 1 student student 0 Jan  9 01:46 redhat1

/mnt/westos:
total 0
-rw-rw-r--. 1 student student 0 Jan  9 01:38 file
-rw-rw-r--. 1 student root    0 Jan  9 01:40 file1   [student Created, but inherited under special permission settings root Group]
-rw-rw-r--. 1 student student 0 Jan  9 00:49 studentfile

[3] suid (Adventure bit)

• Effect
  For and binary executables only. When there is a suid on the file, the process generated by anyone executing the program recorded in the file belongs to the owner of the file

• Setting mode
  chmod u+s file
  chmod 4xxx file

[Command]
[root@workstation mnt]# ls -l /bin/cat
-rwxr-xr-x. 1 root root 51856 Jan 11  2019 /bin/cat
[root@workstation mnt]# cat
^C
[root@workstation mnt]# chmod 2777 /bin/cat
[root@workstation mnt]# su - student
Last login: Thu Jan  9 01:39:24 EST 2020 on pts/2
[student@workstation ~]$ cat
^C
[student@workstation ~]$ exit
logout
[root@workstation mnt]# chmod u+s /bin/cat
[root@workstation mnt]# su - student
Last login: Thu Jan  9 02:05:19 EST 2020 on pts/1
[student@workstation ~]$ cat
^C
[student@workstation ~]$ exit
logout
[root@workstation mnt]# chmod 777 /bin/cat
[root@workstation mnt]# su - student
Last login: Thu Jan  9 02:06:23 EST 2020 on pts/1
[student@workstation ~]$ cat

7.ACL permission list

[1] Overview and notes of facel

• There are only three identities (owner, group, othe r) with three permissions (r,w,x),
  There is no way to set specific permission requirements only for a user or a group. At this time, ACL (file Access control list, Access) must be used
  Control List).
• ==Note: = = so ACL has been added to all common Linux file system mount parameters by default, such as ext2/ext3/ext4/xfs, etc.), but RHEL 6.0 and earlier versions do not support ACL by default.

[2] acl list view

[3] Management of acl list
getfacl file