14. Users, groups, and permissions (14)
2022-07-05 19:51:00 【51CTO】
Special permissions of the file system
Besides the three ordinary permissions, Linux has three special permissions: suid, sgid and sticky.
Special permission: suid
Premise: a process has an owner and a group, and a file has an owner and a group. (suid occupies the execute-permission bit of the user (owner) field; in numeric notation it is 4.)
1. Whether an executable program file can be started as a process depends on whether the initiator has execute permission on the program file.
2. Once started as a process, the owner of the process is the initiator and the group of the process is the initiator's group.
3. The permissions a process has when accessing a file depend on the initiator of the process:
a. If the initiator is the owner of the file, the file's owner permissions apply.
b. If the initiator belongs to the file's group, the file's group permissions apply.
c. Otherwise, the file's other permissions apply.
Function of suid on a binary executable
Whether an executable file can be started as a process still depends on whether the initiator has execute permission on the program file.
Once started as a process, the owner of the process becomes the owner of the original program file.
suid is only meaningful on binary executables.
Setting suid on a directory has no effect.
suid permission setting
chmod u+s file...
chmod 4xxx file
chmod u-s file...
After removing the s permission from /usr/bin/passwd, changing a password fails with an error.
After granting suid again, the password can be updated successfully. (Conclusion: with suid set, when user lgw runs the passwd command, the process temporarily has the permissions of the owner of /usr/bin/passwd, and can therefore update the shadow file.)
Special permission: sgid
Function of sgid on a binary executable (sgid occupies the execute-permission bit of the group field; in numeric notation it is 2)
Whether an executable program file can be started as a process depends on whether the initiator has execute permission on the program file.
Once started as a process, the group of the process becomes the group of the original program file.
sgid permission setting
chmod g+s file...
chmod 2xxx file
chmod g-s file...
Function of sgid on a directory: by default, when a user creates a file, its group is the user's primary group. Once a directory has sgid set, files created in it by users with write permission belong to the group of the directory. This is usually used to create a collaboration directory.
Special permission: sticky
On a directory where a user has write permission, that user can normally delete any file in the directory, regardless of the file's permissions or ownership. Once the sticky bit is set on the directory, only the owner of the file or root can delete the file. (sticky occupies the execute-permission bit of the other field; in numeric notation it is 1.)
sticky permission setting
chmod o+t dir
chmod 1xxx dir
chmod o-t dir
other has write permission on the /tmp directory, so in theory anyone could delete any file in it; with sticky set, they cannot.
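To make the bit layout above concrete, here is an added shell example (not from the original post): mode_from_ls decodes an ls -l mode string into the four-digit octal form, mapping s/S and t/T in the execute positions to 4, 2 and 1, and applied_mode applies a chmod to a scratch file or directory it creates itself and reports the resulting mode. GNU or BSD ls, chmod, cut and mktemp are assumed.

```shell
#!/bin/sh
# Decode an ls -l mode string such as "-rwsr-xr-x" into four octal digits
# (4755). The special bits live in the execute positions:
#   user  exec 's'/'S' -> suid   (4)
#   group exec 's'/'S' -> sgid   (2)
#   other exec 't'/'T' -> sticky (1)
# Lower case means the execute bit is also set; upper case means it is not.
mode_from_ls() {
    perms=$(printf '%s' "$1" | cut -c2-10)   # drop the type char, ignore any trailing . or +
    special=0
    digits=""
    for i in 1 4 7; do                       # start column of the user/group/other triplets
        r=$(printf '%s' "$perms" | cut -c"$i")
        w=$(printf '%s' "$perms" | cut -c"$((i + 1))")
        x=$(printf '%s' "$perms" | cut -c"$((i + 2))")
        n=0
        [ "$r" = r ] && n=$((n + 4))
        [ "$w" = w ] && n=$((n + 2))
        case "$x" in x|s|t) n=$((n + 1)) ;; esac
        case "$i$x" in
            1s|1S) special=$((special + 4)) ;;
            4s|4S) special=$((special + 2)) ;;
            7t|7T) special=$((special + 1)) ;;
        esac
        digits="$digits$n"
    done
    printf '%s%s\n' "$special" "$digits"
}

# Apply one chmod argument to a fresh scratch file (f) or directory (d) that
# this function creates and removes itself, and return the resulting mode.
# Constructed demo helper: it only ever touches its own temporary objects.
applied_mode() {
    tmp=$(mktemp -d) || return 1
    if [ "$2" = d ]; then
        target="$tmp/dir"; mkdir "$target"
    else
        target="$tmp/file"; : > "$target"
    fi
    chmod 755 "$target" && chmod "$1" "$target"
    line=$(ls -ld "$target")
    rm -rf "$tmp"
    mode_from_ls "${line%% *}"               # first field of ls -ld is the mode string
}
```

Typical results: applied_mode u+s f gives 4755 (suid program), applied_mode 2755 d gives 2755 (collaboration directory) and applied_mode o+t d gives 1755 (sticky directory).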
Setting special attributes of a file
Setting special attributes on a file can prevent even the root user from accidentally modifying or deleting it.
Cannot be deleted, renamed or modified: chattr +i
Content can only be appended; cannot be deleted or renamed: chattr +a
List special attributes: lsattr
Access control list (ACL)
acl: access control list, implements flexible permission management
Besides the file's owner, group and other, permissions can be set for additional users.
On CentOS 7, xfs and ext4 file systems created by default have acl enabled.
tune2fs -o acl /dev/sdb1
mount -o acl /dev/sdb1 /mnt
Order in which acl entries take effect: owner, named user, owning group | named groups, other
Related commands: setfacl, getfacl
setfacl: set acl permissions
getfacl: view the acl permissions that have been set
mask permission
mask only affects the maximum permissions of users and groups other than the owner and other.
mask is ANDed with the user's own permission entry to produce the effective permission.
A permission set for a user or group takes effect only if it is also present in mask.
setfacl -m mask::rx file
Setting the acl permission of other to rwx causes mask to become rwx as well.
setfacl --set u::rw,u:wang:rw,g::r,o::- file1
The --set option deletes all of the original acl entries and replaces them with the new ones. Note that the ugo entries must be specified; it is not like -m, where only the acl entries being added are needed.
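The mask rule and the --set caveat as an added shell example (not from the original post): effective_perm ANDs one entry with the mask the way getfacl's #effective: annotation does, annotate_acl applies that to a getfacl-style listing, and set_spec_ok rejects a --set specification that lacks the base u::, g::, o:: entries. The listing in SAMPLE_ACL and the user name wang are constructed sample data; POSIX sh with cut and sed is assumed.

```shell
#!/bin/sh
# Effective permission of one ACL entry = entry bits AND mask bits, which is
# what getfacl shows as "#effective:". Usage: effective_perm rwx r-x -> r-x
effective_perm() {
    out=""
    for i in 1 2 3; do
        e=$(printf '%s' "$1" | cut -c"$i")
        m=$(printf '%s' "$2" | cut -c"$i")
        if [ "$e" != - ] && [ "$e" = "$m" ]; then out="$out$e"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# Annotate getfacl-style text the way getfacl does: user:: (owner) and other::
# are not limited by the mask; named users, the owning group and named groups are.
annotate_acl() {
    mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')
    [ -n "$mask" ] || mask=rwx                 # no mask entry means no restriction
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            user::*|other::*|mask::*|"#"*|"") printf '%s\n' "$line" ;;
            user:*|group:*)
                perm=${line##*:}
                eff=$(effective_perm "$perm" "$mask")
                if [ "$eff" = "$perm" ]; then printf '%s\n' "$line"
                else printf '%s\t\t#effective:%s\n' "$line" "$eff"; fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# --set replaces the whole ACL, so the spec must carry the base u::, g:: and
# o:: entries explicitly; return 1 if any of them is missing.
set_spec_ok() {
    for base in 'u::' 'g::' 'o::'; do
        case ",$1," in *",$base"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample listing (user "wang" is an example name, not real data).
SAMPLE_ACL='# file: file1
# owner: root
# group: root
user::rw-
user:wang:rw-
group::r--
mask::r--
other::---'
```

Running annotate_acl "$SAMPLE_ACL" marks only the user:wang entry with #effective:r--, because mask::r-- strips the w bit from named users while the owner's user::rw- is untouched.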
Backup and restore acl
The main file-operation commands cp and mv both support acl; cp needs the -p option. However, tar and other common backup tools do not preserve the acl information of directories and files.
Back up acl: getfacl -R /tmp/dir > acl.txt
Clear acl: setfacl -R -b /tmp/dir
Restore acl: setfacl -R --set-file=acl.txt /tmp/dir
View acl: getfacl -R /tmp/dir