[Linux] A detailed description of permissions in the Linux system

Linux servers rely on strict permission levels. If permissions are granted too generously, a mistake in operation becomes far more dangerous for the server, so it is important to understand the different kinds of permissions in Linux and to give users, services and so on only the permissions they reasonably need.

1. Basic file permissions


To see the permissions of files in Linux, use ls -l (the long-listing option) or its common alias ll.

  

Each line of the listing shows the file type, the permission bits, the number of hard links, the owner, the owning group, the file size, the last-modified time and the file name.

There are seven file types in Linux, identified by the first character of the listing:

- : regular file

d: directory

l: symbolic (soft) link, similar to a Windows shortcut

(The following four are special files)

b: block device file (for example a hard disk or a CD/DVD-ROM drive)

p: named pipe (FIFO) file

c: character device file (for example a serial device such as a modem)

s: socket file, used as a data interface (for example, starting a MySQL server creates a mysql.sock file)

How the permission bits are grouped

       

Let’s look at the first file permission information in the screenshot above

rwxr-xr-x  5 root root  94 Jun 27 2017 xdg

rwx: the permissions of the file owner (denoted u). Here root has read, write and execute permission on the file.

r-x: the permissions of the owning group (denoted g). The group has read and execute permission.

r-x: the permissions of others (denoted o), in this case the same as the group's.

Of course, we can also change the file permissions.

In Linux, the chmod command can be used to change permissions on a file or directory.

Syntax: chmod [options] mode filename

The usage is as follows:

Create a file a.txt and give its owner (u) the execute permission (x), which a new file does not have by default.

If you also want to give the execute permission to the group and to other users of a.txt, you can add to more than one class at once.

Since permissions can be added they can also be subtracted: just change the plus sign to a minus sign.

There is an even simpler way: use the equals sign to set the permissions exactly.

Or use a=, where a stands for all three classes (u, g and o).

Permissions can also be granted to several files in one command. Here we create a second file, b.tb.

To summarize what the permissions mean for files and directories:

For files:

r: can read the file contents (for example with cat, more, head, tail).

w: can edit the file (for example with vim or echo), but cannot delete it, because the file name is not stored in the file itself but in the directory that contains it.

x: can execute the file.

For directories:

r: can list the entries in the directory (ls, ll).

w: can modify the directory structure, that is, create, delete, rename, move or copy files and directories inside it (for example with cp, mv, touch, rm).

x: a directory cannot be run, but the execute permission allows you to enter it (cd) and access the entries in it.

For files the most powerful permission is x; for directories it is w. For directories, only 0, 5 (r-x) and 7 (rwx) are normally meaningful; 4, 1 and 6 are of little use. Whether a file can be deleted is decided by the directory that contains it: you need both the write and the execute permission on that directory, regardless of the permissions on the file itself.
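The chmod forms described above (u+x, adding to several classes at once, the minus sign, = and a=, several files in one command) and the rule that deletion is governed by the directory, as one added shell example that is not part of the original post. It assumes GNU/Linux coreutils and a writable temporary directory; the file names a.txt and b.txt are constructed for the demonstration, and the numeric form (chmod 640) is included as well.

```sh
#!/bin/sh
# Added example, not from the original post. Runs the chmod forms described
# above on scratch files and reads the resulting mode string back.
set -eu

# Print the 10-character type+permission field of a path, e.g. -rw-r--r--
# (cut drops the SELinux "." or ACL "+" marker that ls may append).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Walk through the symbolic and numeric chmod forms and print the mode after
# each step, one per line. Runs in a subshell so cd and umask do not leak.
chmod_walkthrough() (
    work=$(mktemp -d)
    cd "$work"
    umask 022
    touch a.txt b.txt                           # constructed scratch files
    mode_of a.txt                               # -rw-r--r--  new file, no x
    chmod u+x a.txt;          mode_of a.txt     # -rwxr--r--  owner gains x
    chmod g+x,o+x a.txt;      mode_of a.txt     # -rwxr-xr-x  two classes at once
    chmod u-x a.txt;          mode_of a.txt     # -rw-r-xr-x  minus takes away
    chmod u=rw,g=r,o= a.txt;  mode_of a.txt     # -rw-r-----  '=' sets exactly
    chmod a=rwx a.txt;        mode_of a.txt     # -rwxrwxrwx  a = u, g and o
    chmod 640 a.txt b.txt                       # numeric form, several files
    mode_of a.txt; mode_of b.txt                # -rw-r----- for both
    cd /
    rm -rf "$work"
)

# Deleting a file is decided by its directory, not by the file: a file with
# mode 000 is removed as long as the caller has w and x on the directory.
delete_unwritable_file() (
    work=$(mktemp -d)
    touch "$work/locked"
    chmod 000 "$work/locked"
    chmod 700 "$work"
    if rm -f "$work/locked" && [ ! -e "$work/locked" ]; then
        echo removed
    else
        echo kept
    fi
    rm -rf "$work"
)
```

Run `chmod_walkthrough` at a prompt to see the eight mode strings in order; `delete_unwritable_file` prints "removed", which is the practical reason to review directory permissions rather than file permissions when the concern is deletion.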

The chown command changes the owner (and optionally the group) of a file or directory.

The chgrp command changes only the owning group of a file or directory.

Example:

[root@localhost test123]# ll
total 0
drwxr-x--- 2 root root 20 May 5 11:38 abc
[root@localhost test123]# chown test123:test123 abc      # set both owner and group of abc to test123
[root@localhost test123]# ll
total 0
drwxr-x--- 2 test123 test123 20 May 5 11:38 abc

2. Default permissions


When we create a new file or directory on Linux, it receives an initial set of permissions, the default permissions. These are defined by the value of the umask. So what is a umask?

The umask (permission mask) determines the default permissions of files and directories created by the current user. When a new file is created, its initial permissions are derived from this file-creation mask. Each time a user logs in, the umask command is executed and the mask is set automatically to restrict the permissions of new files. The user can change the value by running the umask command again; the new mask replaces the old one.

We can run the umask command to view the default file permissions in the system.

[root@localhost local]# umask
0022

Explanation of 0022:

The first digit, 0, is the mask for the special permissions.

022 is the mask for the ordinary file permissions.

Let’s create a file and a directory.

[root@localhost tmp]# touch a.txt
[root@localhost tmp]# mkdir dir
[root@localhost tmp]# ll
-rw-r--r-- 1 root root 0 May 5 14:31 a.txt
drwxr-xr-x 2 root root 6 May 5 14:31 dir

The default file permission is 644, and the default directory permission is 755. How do you use umask to set permissions?

First, the characteristics of the default file permissions:

1. A file never gets the execute permission by default; it must be assigned manually. The maximum default permission for a file is therefore 666. This protects the system.

2. The subtraction is done on the letter form (the rwx bits), not on the octal numbers.

3. The default permission of a new file is 666 minus the umask value (directories are treated below).

The calculation is as follows:

1. Maximum default file permission 666, umask=022:

-rw-rw-rw- minus ----w--w- equals -rw-r--r-- (644).

2. Maximum default file permission 666, umask=033:

-rw-rw-rw- minus ----wx-wx equals -rw-r--r-- (644), not 633.

In other words, the operation is a logical AND with the inverted mask (each bit set in the umask is cleared), not an arithmetic subtraction.

Default permissions for directories:

1. The maximum default permission for a directory is 777.

2. The subtraction is again done on the letter form.

3. A new directory gets 777 minus the umask.

Changing the value of umask:

Temporarily, run umask followed by the new value, for example umask 0000. This only affects the current shell.

To make the change permanent, edit the umask setting in /etc/profile, the environment configuration read at login.
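The default-permission calculation above, as an added shell example that is not part of the original post: it computes the mode the way the kernel does (maximum permission AND NOT umask) and then confirms the result on real files created under the same umask. It assumes GNU/Linux coreutils (stat -c); the umask values other than 022 and 033 are extra cases chosen to show the pattern.

```sh
#!/bin/sh
# Added example, not from the original post. Computes the default mode the
# way the kernel does (maximum permission AND NOT umask) and checks it against
# real files created under the same umask. Assumes GNU/Linux coreutils.
set -eu

# $1 = maximum permission (0666 for files, 0777 for directories), $2 = umask.
# Shell arithmetic reads a leading 0 as octal, so 0666 and 022 work directly.
default_mode() {
    printf '%03o\n' $(( $1 & ~$2 ))
}

default_file_mode() { default_mode 0666 "$1"; }
default_dir_mode()  { default_mode 0777 "$1"; }

# Create a file and a directory under umask $1 and print their modes in octal
# as "<file> <dir>". Runs in a subshell so the umask change does not leak.
observe_umask() (
    umask "$1"
    work=$(mktemp -d)                 # mktemp always creates its dir as 0700
    touch "$work/f"                   # constructed scratch file
    mkdir "$work/d"                   # constructed scratch directory
    printf '%s %s\n' "$(stat -c %a "$work/f")" "$(stat -c %a "$work/d")"
    rm -rf "$work"
)
```

`default_file_mode 033` prints 644 rather than 633, which is the AND-not-subtraction point made above; `default_file_mode 027` prints 640 and `default_dir_mode 027` prints 750, the defaults a stricter server umask gives, and `observe_umask 027` shows the same two numbers coming from real files.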

3. Access Control List (ACL) permissions


In Linux a file has exactly one owner and one owning group. ACLs solve the problem of a user whose identity does not fit these classes: a specific user who is neither the owner nor a member of the owning group, and who should not simply be treated like everybody else, needs access to the file. With an ACL you grant that user its own permissions on the file. Whether ACLs are available depends on the file system.

To check which file systems are mounted and whether ACLs are enabled on them, first list the partitions:

[root@localhost tmp]# df
Filesystem              1K-blocks      Used Available Use% Mounted on
/dev/mapper/centos-root  39134548  29770328   9364220  77% /
devtmpfs                   923152         0    923152   0% /dev
tmpfs                      933636        80    933556   1% /dev/shm
tmpfs                      933636      9128    924508   1% /run
tmpfs                      933636         0    933636   0% /sys/fs/cgroup
/dev/mapper/centos-home  19105792     33080  19072712   1% /home
/dev/sda1                  508588    177692    330896  35% /boot
.host:/                 127927292 118371212   9556080  93% /mnt/hgfs
tmpfs                      186728        12    186716   1% /run/user/42
tmpfs                      186728         0    186728   0%

If the file system is ext2, ext3 or ext4, run dumpe2fs to view the detailed information of the partition. Here /dev/sda1 is XFS, so its details are shown with xfs_growfs:

[root@localhost tmp]# xfs_growfs /dev/sda1
meta-data=/dev/sda1              isize=256    agcount=4, agsize=32000 blks
         =                       sectsz=512   attr=2, projid32bit=1
         =                       crc=0        finobt=0 spinodes=0
data     =                       bsize=4096   blocks=128000, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0 ftype=0
log      =internal               bsize=4096   blocks=853, version=2
         =                       sectsz=512   sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0

To check whether the system supports ACLs you can also look at the boot messages with dmesg, which records what was initialized at startup; the XFS file system supports ACLs by default.

View ACL permissions with the getfacl command.

Setting ACL permissions:

setfacl [options] filename

Options:

-m: set (add or modify) an ACL entry.

-x: delete the specified ACL entry.

-b: delete all ACL entries.

-d: set the default ACL (on a directory, inherited by new entries created in it).

-k: delete the default ACL.

-R: apply the operation recursively.
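The setfacl options above and getfacl, exercised on scratch files, as an added shell example that is not part of the original post. It assumes GNU/Linux with the acl package (setfacl, getfacl) installed; because ACL availability depends on the file system, as the section says, the function reports "unsupported" instead of failing when setfacl is absent or the scratch file system refuses the ACL. The uid used for the entry is the caller's own, so the example runs under any account.

```sh
#!/bin/sh
# Added example, not from the original post. Exercises setfacl -m/-d/-x/-k/-b
# and getfacl on scratch files; reports "unsupported" where ACLs cannot be used.
set -u

# Print the permission field of the named-user entries of a path, one per
# line, ignoring the owner entry (user::) and default: entries.
named_user_perms() {
    getfacl --omit-header --no-effective "$1" 2>/dev/null \
        | awk -F: '$1 == "user" && $2 != "" { print $3 }'
}

# Prints three lines: the entry added with -m, the entry a new file inherits
# from a default ACL, and the number of named entries left after -x/-k/-b;
# or the single word "unsupported".
acl_walkthrough() (
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 \
        || { echo unsupported; exit 0; }
    work=$(mktemp -d)
    uid=$(id -u)
    touch "$work/report.txt"                      # constructed scratch file
    mkdir "$work/shared"                          # constructed scratch directory
    # -m adds or modifies one entry; a failure here means no ACL support
    if ! setfacl -m "u:$uid:rx" "$work/report.txt" 2>/dev/null; then
        rm -rf "$work"; echo unsupported; exit 0
    fi
    named_user_perms "$work/report.txt"           # r-x
    # -d sets the default ACL of a directory; new entries below inherit it
    setfacl -d -m "u:$uid:rwx" "$work/shared"
    touch "$work/shared/new.txt"
    named_user_perms "$work/shared/new.txt"       # rwx (the mask may limit the effective rights)
    # -x removes one entry, -k the default ACL, -b every extended entry
    setfacl -x "u:$uid" "$work/report.txt"
    setfacl -k "$work/shared"
    setfacl -b "$work/shared"
    { named_user_perms "$work/report.txt"; named_user_perms "$work/shared"; } | awk 'END { print NR }'
    rm -rf "$work"
)
```

On a file system with ACL support `acl_walkthrough` prints r-x, rwx and 0. When reviewing a host, getfacl rather than ls -l is the tool that shows these extra entries; ls only marks their presence with a trailing "+".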

4. Sudo permissions


sudo is a system-administration tool that lets an ordinary user run some or all of the commands that are otherwise reserved for the system administrator. It restricts an ordinary user to a limited set of commands (for example restart, backup, adding users, ifconfig), and the user does not need to know the superuser's password to use sudo.

sudo is how the superuser delegates privileges to ordinary users. Its configuration file, /etc/sudoers, should be opened with the visudo command, which locks the file so that two users cannot edit it at the same time and performs a syntax check before saving:

[root@localhost ~]# visudo          # opens /etc/sudoers for editing
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
...

Here is the example on line 98 of the file (the rule for root).

Format: user (which user is granted the rights; here root), host (on which hosts the rule applies; the first ALL), =(runas) (which identity the command may be run as; the second ALL, in parentheses, which may be omitted), command (the command the user may run, written with its absolute path). The more general the command, the larger the grant; the more precisely the command and its arguments are written, the narrower the access the ordinary user gets.

Run man 5 sudoers to read the full description of the configuration file.

An ordinary user does not have permission to shut down or reboot the system:

[song@localhost ~]$ shutdown -r now
==== AUTHENTICATING FOR org.freedesktop.login1.reboot ===
Authentication is required for rebooting the system.
Authenticating as: root
Password:
Failed to execute operation: Connection timeout
Must be root.
polkit-agent-helper-1: pam_authenticate failed: Authentication failure

Append a line at the end of the configuration file granting user song the command /sbin/shutdown -r now, and save.

Log in with the song account and use the sudo -l command to display your permissions.

[song@localhost ~]$ sudo -l
[sudo] password for song:
Matching Defaults entries for song on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User song may run the following commands on this host:
    (ALL) /sbin/shutdown -r now        # (ALL): song may run it as any user

If song runs the command with arguments that differ from the configured ones, sudo refuses:

[song@localhost ~]$ sudo /sbin/shutdown -h now
User song is not authorized to run /sbin/shutdown -h now on localhost.localdomain as user root.

The command must be invoked exactly as it is written in the configuration file:

[song@localhost ~]$ sudo /sbin/shutdown -r now

Several commands can be granted in one rule, separated by commas.

Check again with sudo -l:

[song@localhost ~]$ sudo -l
Matching Defaults entries for song on this host:
    requiretty, !visiblepw, always_set_home, env_reset,
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin:/bin:/usr/sbin:/usr/bin

User song may run the following commands on this host:
    (ALL) /sbin/shutdown -r now, (ALL) /sbin/ls

The example above assigns permissions to one user, but permissions can also be assigned to a group of users, again in the configuration file:

## Same thing without a password
# %wheel        ALL=(ALL)       NOPASSWD: ALL

"wheel" is the group name, preceded by a % sign; the other settings are the same as for a user.
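The argument-matching behaviour shown above (song may run /sbin/shutdown -r now but not -h now, and a rule may list several commands separated by commas), as an added shell example that is neither part of the original post nor sudo's own code. It models only the command and argument part of a sudoers rule: a command written without arguments permits any arguments, a command written with arguments must match them exactly, and the special "" means the command may only be run with no arguments. The rule strings and requests are constructed from the post's example.

```sh
#!/bin/sh
# Added example, not from the original post and not sudo's own parser. Applies
# sudoers-style command/argument matching to a comma-separated command list.

# Split "$1" into its first word and the remainder; results in head / rest.
split_cmd() {
    head=${1%% *}
    rest=${1#"$head"}
    rest=${rest# }
}

# $1 = one command spec from a rule, $2 = the requested command line.
# Prints allow or deny.
spec_matches() {
    split_cmd "$1"; spec_cmd=$head; spec_args=$rest
    split_cmd "$2"; req_cmd=$head;  req_args=$rest
    if [ "$spec_cmd" != "$req_cmd" ]; then
        echo deny
    elif [ -z "$spec_args" ]; then
        echo allow                                       # no arguments in the rule: any are allowed
    elif [ "$spec_args" = '""' ]; then
        if [ -z "$req_args" ]; then echo allow; else echo deny; fi   # "" : no arguments allowed
    else
        if [ "$spec_args" = "$req_args" ]; then echo allow; else echo deny; fi
    fi
}

# $1 = the comma-separated command list written after "(ALL)" in a rule,
# $2 = the requested command line. Prints allow if any spec matches.
rule_allows() {
    list=$1; req=$2; verdict=deny
    old_ifs=$IFS; IFS=,
    set -f                                    # no globbing while splitting the list
    for spec in $list; do
        spec=$(printf '%s' "$spec" | sed 's/^ *//; s/ *$//')
        [ "$(spec_matches "$spec" "$req")" = allow ] && verdict=allow
    done
    set +f
    IFS=$old_ifs
    echo "$verdict"
}
```

`rule_allows '/sbin/shutdown -r now, /sbin/ls' '/sbin/shutdown -h now'` prints deny, as in the session above, while `rule_allows '/sbin/shutdown' '/sbin/shutdown -h now'` prints allow: leaving the arguments off a rule is what turns a narrow grant into a broad one, which is the reason to write them out when reviewing sudoers.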

The parameters of the sudo command are as follows:

Parameter   Meaning
-V          Display the version number and configuration (as shown in the figure).
-l          List the permissions of the current user (the one running sudo).
-u          Run the command as the given username; if no username is given, run it as root.
-v          Extend the validity period of the cached password.

 

5. Special permissions for files: SetUID, SetGID and Sticky Bit


In addition to the read (r), write (w) and execute (x) permissions on Linux files, there are two special flags, s and t. When s appears in place of the owner's x bit it is called SetUID (SUID for short); when it appears in place of the group's (g) x bit it is SetGID (SGID); and when t appears in place of the x bit for others (o) it is the Sticky Bit (SBIT for short).

SetUID characteristics:

  • SUID only makes sense on executable binary programs; it takes effect only if the file can be executed, otherwise it does nothing.
  • The user running the program must have the execute (x) permission on it.
  • While the program runs, the user temporarily takes on the identity of the file's owner. For example, user1 has no permission on the passwd file; to read it, user1 would have to be added to the file's owning group or log in as root. The alternative is the special SetUID permission on the program that accesses the file.
  • The SetUID permission is valid only for the duration of the program's execution, that is, the change of identity lasts only while the program runs.

Assigning the SUID permission:

Numeric method: chmod 4755 filename.

Symbolic method: chmod u+s filename; remove it again with chmod u-s filename.

An ordinary user cannot set SUID on a file it does not own (here /bin/vi belongs to root); this has to be done as root.

[song@localhost ~]$ chmod 4755 /bin/vi
chmod: changing permissions of '/bin/vi': Operation not permitted

We have a file aaa on which the user has execute permission; let's add SUID to it.

In the listing, the owner's x has become s, meaning aaa now carries the SUID permission; ls also colours the file name red to flag that the file is potentially unsafe.

What if the user does not have execute permission on the file? We create a new file bbb, remove its execute permission, and then set SUID.

This time the flag shows as a capital S, which indicates an SUID bit that cannot take effect because the file is not executable.

We know that user passwords are stored in /etc/shadow, so let's look at the permissions of that file:

[root@localhost tmp]# ll /etc/shadow
---------- 1 root root 1696 May 27 18:58 /etc/shadow

The file's permission is 000 and its owner is root, yet ordinary users can still change their own password, even though they have no write permission on this file. Why? Because of SUID. Look at the passwd command:

[root@localhost tmp]# which passwd
/usr/bin/passwd
[root@localhost tmp]# ll /usr/bin/passwd
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd

The passwd command is executable and carries the SUID permission by default, and every user has the execute (x) permission on it. While passwd runs, the user temporarily acts with the identity of the file's owner, root, which is what allows /etc/shadow to be updated. When the command exits, that identity disappears and the user is an ordinary user again.

There are other commands that also have SUID permissions, such as the su command.

SUID is powerful, so do not set it casually: it creates potential damage to the system. For example, if the SUID permission were added to the vi command, any ordinary user could obtain the root identity and modify every file.

Principles for SUID (and SGID) permissions:

  • Strictly control write permission on key directories such as the root directory / and /usr.
  • Passwords must follow the three password principles (complexity, memorability and timeliness).
  • Keep a list of the files that should carry SUID and SGID permissions by default, and regularly check whether any other files have acquired them, for example with the find command:

[root@localhost tmp]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
# -perm -04000 matches SUID, -perm -02000 matches SGID, -o means OR
ls: cannot access '/proc/26739/task/26739/fdinfo/6': No such file or directory
ls: cannot access '/proc/26739/fdinfo/6': No such file or directory
-rwsr-xr-x  1 root     0 May 28 14:19 /root/tmp/aaa
-rwSr--r--  1 root     0 May 28 14:30 /root/tmp/bbb
-rwsr-xr-x. 1 root 32584 Jun 10 2014 /usr/bin/fusermount
-r-xr-sr-x. 1 tty  15344 Jun 10 2014 /usr/bin/wall
-rwsr-xr-x. 1 root 64200 Mar  6 2015 /usr/bin/chage
-rws--x--x. 1 root 23960 Mar  6 2015 /usr/bin/chfn
-rws--x--x. 1 root 23856 Mar  6 2015 /usr/bin/chsh
-rwsr-xr-x. 1 root 44232 Mar  6 2015 /usr/bin/mount
-rwsr-xr-x. 1 root 32064 Mar  6 2015 /usr/bin/su
-rwxr-sr-x. 1 tty  19536 Mar  6 2015 /usr/bin/write
-rwsr-xr-x. 1 root 78168 Mar  6 2015 /usr/bin/gpasswd
-rwsr-xr-x. 1 root 41752 Mar  6 2015 /usr/bin/newgrp
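The s/S display for the special bits and the find-based inventory above, as one added shell example that is not part of the original post. It creates scratch files under a temporary directory (aaa, bbb and the other names are constructed), shows how each bit appears in the mode string, and then turns the find command into a baseline comparison so that a SUID file that was not present before stands out. It assumes GNU/Linux coreutils and findutils; on a real host the search would start at / and the baseline file would be kept somewhere only root can write.

```sh
#!/bin/sh
# Added example, not from the original post. Shows the s/S/t flags on scratch
# files and compares a SUID/SGID inventory against a saved baseline.
set -eu

# 10-character type+permission field of a path (drops the SELinux "." marker).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Print the mode strings for: SUID on an executable, SUID on a non-executable
# (capital S, no effect), SGID on an executable, sticky bit on a directory.
special_bits_demo() (
    work=$(mktemp -d); cd "$work"
    touch aaa bbb ccc; mkdir shared                 # constructed scratch entries
    chmod 4755 aaa;    mode_of aaa                  # -rwsr-xr-x
    chmod 4644 bbb;    mode_of bbb                  # -rwSr--r--  bit set, file not executable
    chmod 2755 ccc;    mode_of ccc                  # -rwxr-sr-x
    chmod 1777 shared; mode_of shared               # drwxrwxrwt
    cd /; rm -rf "$work"
)

# List SUID/SGID regular files under $1, sorted, one path per line
# (same predicate as the post's find command).
suid_inventory() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) 2>/dev/null | sort
}

# Print the paths in the current inventory of $1 that are not in baseline $2.
new_suid_files() {
    suid_inventory "$1" | comm -13 "$2" -
}

# Self-contained run: build a tree, record a baseline, add one more SUID file,
# and report it. Prints the new path relative to the scratch root.
baseline_drift_demo() (
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    touch "$work/bin/known";   chmod 4755 "$work/bin/known"     # expected SUID binary
    suid_inventory "$work" > "$work/baseline.txt"
    touch "$work/bin/planted"; chmod 4755 "$work/bin/planted"   # appears after the baseline
    new_suid_files "$work" "$work/baseline.txt" | sed "s|^$work/||"
    rm -rf "$work"
)
```

`baseline_drift_demo` prints bin/planted and nothing else; comm needs both inputs sorted, which is why suid_inventory sorts before saving or comparing. A baseline that is regenerated after every package update, and checked on a schedule, is the practical form of the third principle listed above.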

When a new file is created, the system assigns its permissions according to the umask setting, which is why the umask value has four digits:

[root@localhost ~]# umask
0022

However, when we use the chmod command to grant permissions we usually write three digits, such as 755 or 644. The last three digits of the umask, 022, are the mask for the basic permissions, and the first digit, 0, is the mask for the special permissions.

6. chattr permissions (immutable-bit permissions)


The chattr command changes file attributes and can only be used by the root user.

Format: chattr [+ - =] [options] file or directory, where [+ - =] controls how the attribute is applied:

+ : adds an attribute.

- : removes an attribute.

= : sets exactly the given attributes.

Common options:

i: immutable, the file or directory cannot be changed.

If the i attribute is set on a file, the file cannot be deleted, renamed, appended to or modified; it is effectively locked. If the i attribute is set on a directory, only the data of the files already in it can be modified (file data lives in the files' own data blocks), and no files can be created or deleted in it.

a: append-only, the file or directory can only be added to.

If the a attribute is set on a file, data can only be appended to it (editors such as vi cannot save it, so use append redirection such as echo >>); existing data cannot be deleted or modified. If the a attribute is set on a directory, files can be created and modified in it but not deleted. This attribute is well suited to log files.

Case study:

Add the i attribute to a file:

[root@localhost tmp]# chattr +i aa.txt
[root@localhost tmp]# lsattr aa.txt          # lsattr shows the attributes
----i----------- aa.txt

Deleting it is not allowed:

[root@localhost tmp]# rm -rf aa.txt
rm: cannot remove 'aa.txt': Operation not permitted

Add the i attribute to a directory:

[root@localhost tmp]# chattr +i dir
[root@localhost tmp]# lsattr -d dir
----i----------- dir
[root@localhost tmp]# cd dir
[root@localhost dir]# touch a.tb
touch: cannot touch 'a.tb': Permission denied
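The i and a attributes tried on scratch files, as an added shell example that is not part of the original post. It assumes GNU/Linux with e2fsprogs (chattr, lsattr); because chattr needs root and a file system that implements these flags (ext2/3/4, XFS and recent tmpfs do, overlay mounts in containers usually do not), the function reports "unsupported" instead of failing when the attribute cannot be set. The file names locked.txt and app.log are constructed.

```sh
#!/bin/sh
# Added example, not from the original post. Applies +i and +a to scratch
# files and reports which operations the kernel actually blocks.
set -u

# Prints four lines (i flag present, rm result, overwrite result, append
# result) or the single word "unsupported".
chattr_demo() (
    command -v chattr >/dev/null 2>&1 && command -v lsattr >/dev/null 2>&1 \
        || { echo unsupported; exit 0; }
    work=$(mktemp -d)
    echo first > "$work/locked.txt"               # constructed scratch files
    echo first > "$work/app.log"
    if ! chattr +i "$work/locked.txt" 2>/dev/null; then
        rm -rf "$work"; echo unsupported; exit 0  # not root, or fs without flags
    fi
    chattr +a "$work/app.log"
    # lsattr prints a flag string such as ----i-----------; look for the i
    case $(lsattr "$work/locked.txt" | awk '{ print $1 }') in
        *i*) echo "i set" ;;
        *)   echo "i missing" ;;
    esac
    if rm -f "$work/locked.txt" 2>/dev/null; then echo "rm succeeded"; else echo "rm blocked"; fi
    if ( echo overwrite > "$work/app.log" ) 2>/dev/null; then echo "overwrite succeeded"; else echo "overwrite blocked"; fi
    if echo second >> "$work/app.log" 2>/dev/null; then echo "append ok"; else echo "append blocked"; fi
    # clear the attributes again so the scratch directory can be removed
    chattr -i "$work/locked.txt"; chattr -a "$work/app.log"
    rm -rf "$work"
)
```

As root on ext4 or XFS `chattr_demo` prints "i set", "rm blocked", "overwrite blocked" and "append ok": the immutable file survives rm even for root, and the append-only log accepts new lines but refuses truncation, which is the property the section recommends for log files. Note that lsattr, not ls -l, is the only way to see these attributes, so an audit that relies on ls alone will miss them.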

7. Common Linux permissions

1. 600 (rw-------): only the owner (root in these examples) has read and write permission.

2. 644 (rw-r--r--): only the owner has read and write permission; the group and others have read permission only.

3. 755 (rwxr-xr-x): the owner has read, write and execute permission; the group and others have read and execute permission only.