14. Users, groups, and permissions (14)
2022-07-05 19:51:00 【51CTO】
Special permissions for the file system
Besides the three ordinary permissions (r, w, x), Linux has three special permissions: suid, sgid and sticky.
Special permission: suid
Background: every process has an owner and a group, just as every file has an owner and a group. suid occupies the execute bit of the user (owner) field; its numeric value is 4.
How a process normally gets its identity and its permissions:
1. Whether an executable program file can be started as a process depends on whether the initiator has execute permission on the program file.
2. Once started, the process runs as the user who launched it (its effective UID), and its group is that user's group.
3. A process's permission to access a file is therefore decided by the identity of the initiator:
a. If the initiator is the file's owner, the file's owner (user) permissions apply.
b. Otherwise, if the initiator belongs to the file's group, the group permissions apply.
c. Otherwise the file's other permissions apply.
Effect of suid on a binary executable:
Whether the file can be started as a process still depends on whether the initiator has execute permission on it.
Once started, however, the process's effective UID is the owner of the program file rather than the initiator, so for as long as it runs it accesses files with the program owner's permissions.
suid only has an effect on binary executables; the Linux kernel ignores it on interpreted scripts (files run through a #! interpreter).
Setting suid on a directory has no effect on Linux.
Setting suid:
chmod u+s file...
chmod 4xxx file      (for example chmod 4755 file; chmod 6xxx sets suid and sgid together)
chmod u-s file...
Experiment with passwd: after removing the s bit from /usr/bin/passwd, an ordinary user gets an error when changing the password; after restoring suid the change succeeds again.
Conclusion: with suid set, when user lgw runs the passwd command, the process temporarily holds the privileges of the owner of /usr/bin/passwd (root) and can therefore update /etc/shadow, a file an ordinary user cannot write.
Special permission: sgid
Effect of sgid on a binary executable (it occupies the execute bit of the group field; its numeric value is 2):
Whether the file can be started as a process still depends on whether the initiator has execute permission on it.
Once started, the process's effective group is the group of the program file rather than the initiator's group.
Setting sgid:
chmod g+s file...
chmod 2xxx file
chmod g-s file...
Effect of sgid on a directory: by default a newly created file belongs to the creator's primary group. Once a directory has sgid set, files created in it by any user with write permission belong to the directory's group instead (and subdirectories created in it inherit the sgid bit). This is the usual way to build a shared collaboration directory for a group.
Special permission: sticky
In a directory where a user has write permission, that user can normally delete or rename any file in it, regardless of the file's permissions or ownership. Once the sticky bit is set on the directory, a file in it can only be deleted or renamed by the file's owner, the directory's owner, or root. (It occupies the execute bit of the other field; its numeric value is 1.)
Setting sticky:
chmod o+t dir
chmod 1xxx dir
chmod o-t dir
Example: other has write permission on /tmp, so in theory anyone could delete any file in it; because /tmp carries the sticky bit (drwxrwxrwt), users can only remove their own files.
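The three bits in practice, as an added example that is not part of the original page: the script below sets suid, sgid and sticky on throwaway files in a temporary directory and reads the result back through ls -l, converting the symbolic string into the 4-digit octal form used with chmod. mode_to_octal and demo_special_bits are helpers written for this page, not standard tools. It assumes a Linux system with POSIX sh, mktemp, ls and cut; nothing is executed with the bits set, so it runs as an ordinary user.

```shell
#!/bin/sh
# Added example (not from the original page): set each special bit on files
# you own and read it back, converting ls -l's symbolic mode to octal.

# mode_to_octal rwsr-xr-x  ->  4755
# Takes the 9 permission characters (ls -l output without the leading
# file-type character). 's' in the user slot is setuid (4), 's' in the
# group slot is setgid (2), 't' in the other slot is sticky (1).
# Upper-case S/T mean the special bit is set but execute is not.
mode_to_octal() {
    perm=$1
    special=0
    digits=""
    i=0
    while [ "$i" -lt 3 ]; do
        start=$((i * 3 + 1))
        r=$(printf '%s' "$perm" | cut -c"$start")
        w=$(printf '%s' "$perm" | cut -c"$((start + 1))")
        x=$(printf '%s' "$perm" | cut -c"$((start + 2))")
        n=0
        [ "$r" = "r" ] && n=$((n + 4))
        [ "$w" = "w" ] && n=$((n + 2))
        case "$x" in
            x|s|t) n=$((n + 1)) ;;              # execute bit is set
        esac
        case "$i$x" in
            0s|0S) special=$((special + 4)) ;;  # setuid
            1s|1S) special=$((special + 2)) ;;  # setgid
            2t|2T) special=$((special + 1)) ;;  # sticky
        esac
        digits="$digits$n"
        i=$((i + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# Apply the three bits to files in a scratch directory and show the result.
# Unprivileged users may set them on files they own; the bits only matter
# when the file is executed or, for sgid/sticky on a directory, when the
# directory is used.
demo_special_bits() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/suid_file" "$tmp/sgid_file"
    mkdir "$tmp/sgid_dir" "$tmp/sticky_dir"
    chmod 4755 "$tmp/suid_file"     # same as: chmod 755 f; chmod u+s f
    chmod 2755 "$tmp/sgid_file"     # same as: chmod 755 f; chmod g+s f
    chmod 2775 "$tmp/sgid_dir"      # collaboration directory: new files get its group
    chmod 1777 "$tmp/sticky_dir"    # like /tmp: only a file's owner may delete it
    for f in suid_file sgid_file sgid_dir sticky_dir; do
        sym=$(ls -ld "$tmp/$f" | cut -c2-10)
        printf '%-11s %s %s\n' "$f" "$sym" "$(mode_to_octal "$sym")"
    done
    rm -rf "$tmp"
}

demo_special_bits
```

The converter also recognises the upper-case forms: rwSr--r-- is 4644, the case where the suid bit is set without an execute bit and is therefore useless, which ls flags with a capital S.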
Set special file attributes
Special attributes protect files against accidental deletion or modification even by root (root can still clear the attribute with chattr -i or chattr -a, so this guards against mistakes rather than forming a security boundary).
chattr +i file    the file cannot be deleted, renamed or modified
chattr +a file    content can only be appended; the file cannot be deleted, renamed or truncated
lsattr file       list the special attributes
Access control list (ACL)
acl: access control list, for flexible permission management.
Besides the file's owner, group and other, permissions can be set for additional users and groups.
xfs and ext4 file systems created with CentOS 7 defaults already have acl enabled; on an older ext file system it can be turned on with
tune2fs -o acl /dev/sdb1      (make acl a default mount option of the file system)
mount -o acl /dev/sdb1 /mnt   (or enable it for a single mount)
Order in which acl entries take effect: owner, named user, owning group | named groups, other (the first matching entry decides).
Related commands: setfacl, getfacl
setfacl    set acl permissions
getfacl    view the acl permissions that were set
mask permission
mask caps the permissions of everyone except the owner and other: named users, the owning group and named groups.
The entry's permissions are ANDed with the mask, and the result is the effective permission.
A permission granted to a user or group therefore only takes effect if the mask also contains it.
setfacl -m mask::rx file
Note that setfacl recalculates the mask whenever an entry is added or modified with -m (unless -n is given): the new mask is the union of the owning-group entry and all named user and group entries, so adding an entry with rwx puts the mask back to rwx. The other entry does not take part in that calculation.
setfacl --set u::rw,u:wang:rw,g::r,o::- file1    --set deletes all existing acl entries and replaces them with the new list, so the base u::, g:: and o:: entries must be included; unlike -m, it cannot simply add an entry on top of the existing acl.
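How the precedence order and the mask combine, as an added example that is not taken from the page or from the acl package: the shell functions below read an ACL in getfacl's text format and compute the effective permission for a given user and group list, following the order owner, named user, owning group or named groups, other, and ANDing the mask into every entry except the owner's and other's. perm_and, perm_or, acl_entry and acl_effective are helpers written for this page; the sample ACL is constructed for the demo, and the names wang, dev, alice, carol and bob are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page, not part of the acl package):
# a small evaluator for POSIX ACLs in getfacl's text format.

# perm_and rw- r-x  ->  r--   (bitwise AND of two rwx strings)
perm_and() {
    out=""
    for i in 1 2 3; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# perm_or r-- -w-  ->  rw-   (bitwise OR of two rwx strings)
perm_or() {
    out=""
    for i in 1 2 3; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" != "-" ]; then out="$out$a"
        elif [ "$b" != "-" ]; then out="$out$b"
        else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# acl_entry "<acl text>" "user:wang:"  ->  rw-   (empty if there is no such entry)
# The trailing "#effective:..." comment getfacl prints on masked entries is dropped.
acl_entry() {
    printf '%s\n' "$1" | grep "^$2" | head -n 1 | cut -d: -f3 | sed 's/[[:space:]]*#.*$//'
}

# acl_effective "<acl text>" <user> "<space separated group list>"
acl_effective() {
    acl=$1
    who=$2
    groups=$3
    owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
    owning_group=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
    mask=$(acl_entry "$acl" "mask::")
    [ -n "$mask" ] || mask="rwx"          # no mask entry: nothing is filtered

    # 1. the owner matches first and is never masked
    if [ "$who" = "$owner" ]; then
        acl_entry "$acl" "user::"
        return 0
    fi
    # 2. a named user entry, ANDed with the mask
    named=$(acl_entry "$acl" "user:$who:")
    if [ -n "$named" ]; then
        perm_and "$named" "$mask"
        return 0
    fi
    # 3. owning group and named groups: the matching entries are combined
    #    (the kernel grants a request when any single matching entry covers it)
    acc="---"
    matched=0
    for g in $groups; do
        if [ "$g" = "$owning_group" ]; then
            acc=$(perm_or "$acc" "$(acl_entry "$acl" "group::")")
            matched=1
        fi
        e=$(acl_entry "$acl" "group:$g:")
        if [ -n "$e" ]; then
            acc=$(perm_or "$acc" "$e")
            matched=1
        fi
    done
    if [ "$matched" -eq 1 ]; then
        perm_and "$acc" "$mask"
        return 0
    fi
    # 4. nobody matched: the other entry applies, unmasked
    acl_entry "$acl" "other::"
}

# Constructed sample in the format getfacl prints (not captured from a host).
SAMPLE_ACL='# file: file1
# owner: root
# group: root
user::rw-
user:wang:rw-
group::r--
group:dev:rwx
mask::r-x
other::---'

printf 'root  -> %s\n' "$(acl_effective "$SAMPLE_ACL" root "root")"
printf 'wang  -> %s\n' "$(acl_effective "$SAMPLE_ACL" wang "wang")"
printf 'alice -> %s\n' "$(acl_effective "$SAMPLE_ACL" alice "alice dev")"
printf 'carol -> %s\n' "$(acl_effective "$SAMPLE_ACL" carol "carol root")"
printf 'bob   -> %s\n' "$(acl_effective "$SAMPLE_ACL" bob "bob")"
```

Run against the sample, wang's rw- entry comes out as r-- under the r-x mask, which is exactly the value getfacl shows after #effective: on that line; alice, who reaches the file only through the dev group, gets r-x, and the owner root keeps rw- untouched by the mask. On a real system pass the output of getfacl file1 as the first argument.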
Backup and restore acl
The main file operation commands, cp and mv, both support acl; cp only preserves it when given the -p option. tar and other common backup tools do not keep the acl of directories and files by default (GNU tar needs --acls), so back the entries up separately:
Backup acl:    getfacl -R /tmp/dir > acl.txt
Clear acl:     setfacl -R -b /tmp/dir
Restore acl:   setfacl -R --set-file=acl.txt /tmp/dir
               (setfacl --restore=acl.txt is the option documented for re-applying a getfacl -R backup file by file; run it from the directory where the backup was taken, since the # file: paths in it are relative)
View acl:      getfacl -R /tmp/dir