Home PC Games Linux Windows Database Network Programming Server Mobile  
           
  Home \ Linux \ Linux rights management     - Debian (Wheezy) Install Redmine 2.6 (Programming)

- Python is not C (Programming)

- Approach the next Linux shared interrupts (Linux)

- Linux novice common commands (Linux)

- 10 really interesting Linux command (Linux)

- Linux, Apache Web site security settings (Linux)

- Ubuntu 14.04 forget solution root password (Linux)

- Netfilter / Iptables Comments (Linux)

- Linux Detailed instructions alias settings (Linux)

- PXE install CentOS 6.4 (Linux)

- MySQL migration tool used in the production environment (Database)

- Fedora 23 How to install LAMP server (Server)

- Android Custom View step (Programming)

- CentOS 6.6 installation certification system based on the ftp service (Server)

- NET Developers need to know some Linux commands (Linux)

- Docker + OpenvSwitch build experimental environment VxLAN (Server)

- Oracle Duplicate build DataGuard (Database)

- Linux5.8 installed phpMyAdmin was unable to issue related php-mcrypt (Database)

- Oracle view object space usage show_space (Database)

- Android Studio and Git Git configuration file status (Linux)

 
         
  Linux rights management
     
  Add Date : 2018-11-21      
         
         
         
  1, The basic permissions

File permission bits, 10: -rwxr-xr-- the first to represent the file type, the latter three groups is the authority, the first group is the owner of u, g belongs to the second group, third group is o r others read, w write, x executed

Modify permissions: chmod [options] mode file name

Options -R recursively represents all the permissions assigned to the specified command

For example: chmod u + x abc.avi executable permission to the current user

chmod g + w, o + w abc.avi

Less permissions: chmod u-x, g-w abc.avi

Do not consider before, given directly correspond to the corresponding set of permissions: chmod u = rwx, g = rw abc.avi

Assign permissions to all users: chmod a = rwx abc.avi three sets of permissions are the same, generally not used

Common digital way: chmod 755 abc.avi

chmod 644 abc.avi use more flexible, r = 4, w = 2, x = 1, the binary index, to avoid ambiguity and duplication

Read permission r: For ordinary files, there r privileges to view the file contents, if you have read access to the directory, you can view a list of files in a directory

Write permission w: For ordinary files, there w privileges to edit the file with vi vim echo the contents, but you can not delete the file

Permission of the data file itself is a control file itself, the file names are stored in the directory data

If you have w access to a directory, you can change the name or delete files, as well as modify the directory name in the directory below any operation

Execute permission x: For files can run executable scripts; if x access to the directory, you can enter the directory, cd into

For a file is to perform the highest authority, the highest authority is the directory for writing

Directory only in terms of 057 makes sense

These permissions limit user root is of no use, root user can manipulate the directory and file permissions of any

chown change file owner

chown user1 abc then authority remains: 755 so user1 user rights 7, it can be a normal visit

Owning group chgrp group abc is modified files

chown user1: group1 abc can also modify user and group, the user is in front of the colon, followed by group

Also add -R is recursive modification, -v view the revision process details

For web servers and other server platforms, the core principles of the actual development process to assign permissions are: at least privilege to be able to meet the requirements, in line with the principle of least privilege

See umask default permissions: root users: ordinary users 0022: 0002 (the default file permissions for newly established when, according to this analysis can default permissions for files and directories)

The first 0 represents the special privileges

The default file permissions are not enforceable, so the maximum authority is 666, so the default file permissions are 666 letters in terms of subtracted value umask subtraction is converted into letters rw-rw-rw- minus --- -w- -w - = rw-r - r-- = 644

If umask is 033, the rw-rw-rw- minus --- -wx -wx = (x minus empty still empty, so it remains at 644) rw-r - r-- = 644

Temporarily modifies the umask value: umask 0033

ACCESS directory is 777, so still: rwxrwxrwx minus --- -w- -w- = 755

umask value of the minimum, maximum authority, umask value of the maximum, minimum permissions

Permanent changes umask value, configuration files and environment variables in the same file: / etc / profile

This is inside the if statement is used to determine the normal user or root user to modify this file permanently modify the umask value

2, special privileges

ACL Permissions: Any directory can have only one user and one group, ACL permissions require some special requirements, ACL permissions in order to solve the user's identity is not enough

The original ACL is used to mount the partition

dumpe2fs -h / dev / sda5 lists the superblock information, you can view the presence status acl rights

Temporary partition to impart acl permission to remount, such as the root partition: mount -o remount, acl /

If the partition is no default acl permission to set the default mount need to modify the configuration file: / etc / fstab

That is modified to add back defaults defaults, acl

acl permissions to view the files: getfacl filename is not the default view displays only the general authority

Set permissions: setfacl options file name

Add ACL permissions: setfacl -m u: lw: rx av av is set to the user lw file rx permissions, so then use ls -l to view the last one from the previous becomes +.

Then you can see a line of multi-user by getfacl av: lw: r-x This is acl permissions, if it is to a group set up to use g

There is a line mask :: rwx This is the highest control user permissions, needs and actual permissions and is obtained by calculating the real user permissions

r && r = r r && - = - - && r = - - && - = -, so the actual permissions: r-x && rwx = r-x is still the same

Modify the mask values: setfacl -m m: rx av

This time even setting: setfacl -m u: lw: rwx av user privileges last lw still r-x

You can set up multiple user permissions

Delete the specified user permissions: setfacl -x u: lw av also delete a group with g: group name

Acl delete files all right, it will all users and groups are deleted: setfacl -b av

All files recursive directory has a corresponding set of users acl permissions: setfacl -m u: lw: rx -R av

However, the above methods result in all files under av x have executable permissions, so the file permissions is too high, leading to the inevitable overflow authority

By default, the directory is the default mask rwx, files are r-x

Acl permission to set the default directory, the directory after all new files or directories will inherit the permissions acl

Acl command to set the default permissions: setfacl -m d: u: lw: rw -R / home / av

After use to view the configuration settings getfacl have become the default, set the default acl only after the document produced by imparting acl permissions, some files are not previously been set permissions

Recursive file permission settings that currently exist, after the default directory permissions set to go into a new document

And recursive permissions are the default permissions for the directory is of no significance to ordinary file

sudo permissions a user command, the focus is on the command, while others are for all users operating authority files

Superuser privileges should be given, ordinary users can use

Visudo command to configure permissions, equivalent to modify the configuration file / etc / sudoers

user ALL = (ALL) ALL

user to grant privileges to which user, ALL is the address of the management host, (ALL) is the identity that can be used, ALL is authorized to use the absolute path command (it must be an absolute path)

If it is a local host, ALL local IP role as

% Group ALL = (ALL) ALL

Here it is to modify the group name

Command can take parameters, more detailed written more stringent restrictions, just write commands can be executed on behalf of all the parameters

For example, to locate open files execute visudo last thing to add: user1 ALL = (ALL) sbin / shutdown -r now

This gives the user user1 given permission to restart the computer

Ordinary users through the command: sudo -l press Enter after prompted for a password can see what commands they can execute, otherwise there is no default sudo privileges

Ordinary users to run commands must be strictly enforced (must write absolute path): sudo / sbin / shutdown -r now so that it can be executed correctly

Add visudo also be written: user1 ALL = / usr / sbin / useradd effect is the same

For example, change the password to add: user1 ALL = / usr / bin / passwd so certain is not possible! Once such a normal user privileges, it is possible to change the root user's password, you should use regular expressions to match

user1 ALL = / usr / bin / passwd [A-Za-z] *,! / usr / bin / passwd "",! / usr / bin / passwd root

This will change the general user password, but can not change the root user password, you must pay attention to the back of a space above the comma,

Thus when the user performs a command set above, as the root user, must pay attention to this relationship

Some special permission was used within the system, generally less common, such as SetUID, SetGID etc., strongly recommended not to modify, a great impact on the server

umask The first one is the definition of special privileges

Only executable files can set SUID permissions, if the file is not executable has no meaning

Executable files can be written given SUID: chmod 4775 abc first added a 4, so that the file permissions on the set rwsrwxr-x, s on behalf of SUID permissions, the file change color to red, a warning, if not r permissions, permissions file permissions becomes S, capital S on behalf of mistakes, so s = r + S can perform correctly

Command must have x executable file execute permission can execute s permission,

There s passwd command system privileges, so the average user can indirectly through s permission passwd enhance the owner is root of the / etc / shadow password file is modified, the modification is completed, permission to return (only in ordinary souls process Run with user's effective permissions s), if the file is not SUID permissions, normal user privileges will not improve

Set SUID permissions command: chmod 4775 filename or chmod u + s filename

Cancel SUID permissions command: chmod 0775 file name or file name chmod u-s

Set SGID permissions command: chmod g + s consistent file name or file name chmod 2775, and the role of the front elevation of privilege user group

Under normal circumstances, strict control file, do not manually set SetUID permissions system periodically check for unusual SUID file permissions, if the server is likely to be injected into the back door, as soon as possible to clear

Removal as follows:

Under normal circumstances, the system first set the template file system to save all files with SUID permissions:

find / -perm -4000 -o -perm -2000> /root/suid.log

Then write a script (note: shello script blanks strict distinction, note the space between the keyword interval):

#! / Bin / bash
 find / -perm -4000 -o -perm -2000> /tmp/setuid.check
 for i in $ (cat /tmp/setuid.check)
 do
 grep $ i /root/suid.log> / dev / null
 if [ "$?"! = "0"]
 then
 echo "i is not in listfile!" >> / root / suid_log_ (date +% F)
 fi
 done
 rm -rf /tmp/setuid.check

Then execute the script:

chmod 755 suid_check.sh

./suid_check.sh

When the script is finished, there will be the current date suid_log_ such a file in the root directory, this time to open the file, which is all in addition to the file has SUID permissions system than the default, just put a list of files can be deleted

SGID permissions can either be set on a directory executable file settings,

If the file SGID and SUID similar, only the executable file permissions can set SGID permissions,

chmod g + s abc or chmod 2777 abc, setting group permissions have a s, only ordinary users to run with elevated privileges for the group permissions, the same permissions completed return

For example, ordinary users can perform locate command to enhance the group slocate database file is searched /var/lib/mlocate/mlocate.db

If the directory given privileges, ordinary users must directory r and x permissions. If the directory also has SUID permissions, if ordinary users enter the directory, users in this directory group permissions that belongs to the group of the directory, the user if the directory has w permission, a user in the directory newly created file or directory to your user group is the owning group, instead of the user group itself belongs

SGID permissions SUID permissions slightly safer than some of the same is not recommended for casual use

SBIT permission is only valid for the directory, if the users and groups outside other users rwx directory permissions, or 7 privilege that you can view and create files in the directory,

First, create a directory, set the permissions to chmod 777 abc

By default, other users root though not modify abc directory user content files and groups established, but because of the directory have write access, so you can delete abc following documents, when set SBIT sticky bit, then other users even have the directory rwx permissions, but you can not delete this file root directory created by the user, while only delete files

SBIT set permissions, chmod o + t abc, set up after the third set of permissions to other users into rwt, t represents SBIT

/ Tmp directory is owned SBIT permissions for all users by default have permissions new files by default for the specified file does not have write permission, it can not be deleted nor have any operations on other users' files, so you play a temporary directory role

In the web server directory, do not set the directory permissions to 777, although this convenience, the best way is to adjust the user a more reasonable distribution in line with the principle of least privilege, can be enough

Before you set up to follow the directory permissions set SBIT, although catalog files can not be deleted, but you can modify content, can not be changed with permission bits can solve this problem

Immutable bit is set:

For files and directories are to take effect: chattr + i abc

By lsattr abc can view this file specific permissions, you can see the permissions + i after e except inside out more than a i

By lsattr -d abc immutable bit can view directory permissions

After setting i to the general file permissions, all users, including root can not modify the contents of the file or delete the file, but the root user can give themselves permission or cancel the setting, also has control over the

If i is set to directory permissions, can only modify the contents of files within the directory, you can not create and delete the following files can not rename the file

Cancel i permissions: chattr -i abc

a permission to set up a file or directory permissions: chattr + a abc

Give the file a given property, the property will be one more a, which can only append the file contents, but you can not delete the file contents can not be reduced with vi / vim additional invalid, the system is disabled, but you can use echo abcd > > abc such a way that the correct additional

If you set a property for the directory, you can only build a new file in the directory, but can not modify or delete the old file name, but you can modify the contents of the file, but there will be a warning, the new document has been created can not be deleted

Cancel a privilege: chattr -a abc

I do not recommend the same privileges and a casual use, it is recommended to use a flexible system and basic permissions default permissions, and then if necessary, use special privileges, improve the stability and security of the system.
     
         
         
         
  More:      
 
- Ubuntu / openSUSE users to install Veusz 1.21.1 (Linux)
- Linux Getting Started tutorial: Ubuntu 14.04 in the installation Sogou Pinyin (Linux)
- Some safety precautions of Linux servers (Linux)
- Java semaphores (Programming)
- RedHat Linux 6.4 install Oracle 10g error (Database)
- Use the dd command to the hard disk I / O performance test (Linux)
- Openfire achieve load balancing cluster by Nginx (Server)
- Linux VMware virtual machine after the cloning of the card can not start to solve (Linux)
- Installation and Configuration Munin monitoring server on Linux (Server)
- How to use the Linux kill command to kill the process / program is not responding (Linux)
- Android design patterns - state mode (Programming)
- Android Studio 1.0.2 set the memory size (Linux)
- Setting Wetty do not need an account login command line operations (Linux)
- ogg start being given libnnz11.so: can not open shared object file (Database)
- Using RAID in Linux: Create a RAID 5 (Linux)
- Linux firewall settings instance (Linux)
- CentOS7 installation configuration (Server)
- Revised OpenJDK Java Memory Model (Programming)
- Ubuntu 15.10 installation and deployment Swift development environment (Linux)
- Linux --- file descriptors and redirection (Linux)
     
           
     
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.