
Linux permission management operations


One. Summary of permissions


1. Introduction


Linux generally divides the identities that can access a file into 3 categories: user (the creator or owner of the file), group (users in the group the file belongs to) and other (all other users). Each of the three identities has its own read, write and execute permissions.

2. What are permissions




In the management of a multi-user computer system, a permission is the right of a specific user to use a specific system resource. In Linux the permissions on a file are read, write and execute.

Note: when read permission on a directory is granted, execute permission is usually granted with it; the two come as a "package".

3. Introduction to identities


u (the user who owns it)

user: the file owner, by default the creator of the file

g (other users in the file's group)

group: the users in the group the file belongs to (by default the primary group of the user who created the file)

o (other users not in the file's group)

other: users who are neither the file's creator nor members of the file's group, i.e. everyone else

Note: besides u, g and o there is also the letter a (all users), which stands for all users and includes u, g and o.

The root user (super administrator)

In Linux there is also a god-like user, the root user. It has the highest privileges of any user and can manage ordinary users, so when you set file permissions later you do not need to consider root.

Here is an example:

Suppose there is a family with only three brothers: Wang Damao, Wang Ermao and Wang Sanmao. The household is registered under Wang Damao's name, so "Wang Damao's family has three people: Wang Damao, Wang Ermao and Wang Sanmao". Each of the three has his own room, and they share a living room.

The meaning of user: because each of the three Wangs has his own room, Wang Ermao may enter Wang Sanmao's room, but Ermao may not rummage through Sanmao's drawers, or Sanmao will beat him up. The drawers may hold personal things such as love letters and diaries; they are "private space", so of course Ermao cannot be allowed to take them.

The concept of group: because the living room is shared, all three Wangs can turn on the living-room TV, read the newspaper and sit on the sofa. As long as something is in the living room, all three brothers can use it, because they are all family.

By now you should have some idea: "Wang Damao's family" is the "group", and the three brothers are three "users" who belong to the same group. Although the three users are in the same group, permissions can be set so that a user's personal information cannot be looked at by the other members of the group, which preserves each person's "private space"; and group sharing can be set up to share things with the whole group.

The concept of others: now suppose there is another person, Zhang Xiaozhu, who belongs to the Zhang family and has nothing to do with the Wangs. Unless the Wangs know Zhang Xiaozhu and open the door to let him in, Zhang Xiaozhu can never enter the Wang house, let alone Wang Sanmao's room. But if Zhang Xiaozhu gets to know Sanmao through some connection and becomes good friends with him, then Zhang Xiaozhu can enter the Wang house through Sanmao. That's right: that little pig is what we call "others".

The concept of the super administrator: there is one special character left to introduce, the "almighty god". This god has unlimited power and can go anywhere he likes. In the Linux system the ID of that person is "root". So be careful: root is the "almighty god".

Two. General permissions


1. Use ls to view file permissions


To set permissions you need to know some basic attributes of the file and the rules by which permissions are allocated. In Linux the ls command is commonly used to view the attributes of a file: it displays the file name together with the file's attributes.

Note: the leading block of characters on each ls -l line is the file's permission attribute information.

2. Details of file permissions


Linux has the concepts of owner, group and others, and each has its own permissions. For a file, the permission bits are allocated as follows:

    -  rwx  rwx  rwx
    |   |    |    |
    |   |    |    +-- others: read, write, execute
    |   |    +------- group: read, write, execute
    |   +------------ owner: read, write, execute
    +---------------- file type (- ordinary file, d directory)

3. Set file permissions


Syntax: # chmod [options] mode file

Common options: -R: set the permissions recursively (when the file is a directory)

Mode: the permission information to set on the file

File: either a file or a directory, given as a relative or an absolute path.

Note: to set permissions on a file, the operator must be either the root user or the file's owner.

① Letter form


The related parameters in detail:

Letter            Meaning    Effect
u (who)           user       file owner
g (who)           group      users in the same group as the owner
o (who)           other      other users
a (who)           all        everyone (u, g and o together)
+ (operation)     add        grant the permission
- (operation)     remove     revoke the permission
= (operation)     assign     set exactly the listed permissions
r (permission)    read       read permission
w (permission)    write      write permission
x (permission)    execute    execute permission
- (permission)    -          no permission

Notes:

1) If you do not specify who when setting permissions, the default is all users.

2) If you set permissions for several identities at once, separate each identity with a comma.

Sample code 1: set the permissions of the file word.txt to u=rwx,g=rw,o=r

chmod u=rwx,g=rw,o=r word.txt

Note: when a file has execute permission (for any identity), it is shown in green in the terminal.

Sample code 2: create the file 1.sh and add the x (execute) permission

chmod a+x 1.sh

Sample code 3: set the permissions of a directory (remove the x permission of o)

chmod o-x <directory>
② Digital form

On technical web pages you will often see a permission written like # chmod 777 a.txt. This is called the digital form of permissions: each permission has a numeric value, and the values for one identity are added together.

read => 4, write => 2, execute => 1

Number    Permission    Effect
0         -             cannot read, cannot write, cannot execute
1         execute       cannot read, cannot write, can execute
2         write         cannot read, can write, cannot execute
3         2+1           cannot read, can write, can execute
4         read          can read, cannot write, cannot execute
5         4+1           can read, cannot write, can execute
6         4+2           can read, can write, cannot execute
7         4+2+1         can read, can write, can execute

Sample code 1: set the permissions of install.log so that the owner has full permissions, users in the same group can read and execute, and other users can only read, i.e. chmod 754 install.log

Sample code 2: an interview question

Question: a super administrator sets a file's permissions with # chmod -R 731 shop. Is there anything unreasonable about this command?

Analysis: [the original analysis was an image and is not preserved]
③ Exercises

1) As the root user, set the permissions of the directory /root/shop so that the owner has all permissions, users in the same group can read and execute, and other users have no permissions. Use the digital form: 750

2) As the root user, write the command that sets the permissions of the file /root/readme.txt so that the owner has full permissions, users in the same group can read and write, and other users can only read. The digital form is required: 764

3) Zhang Sanfan (root) has received a love letter from a girl. Set the permissions of Zhang Sanfan's e-mail file /root/email.doc in digital form so that only the owner can read and write and nobody else has any permission: 600
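The letter form, the digital form and the exercises above all come down to the same nine permission bits. The following shell script is an added example (not code from the original tutorial): it converts between the two forms, applies each chmod expression from the samples and exercises to a scratch file, and reads the result back from ls -l. The function names perm_to_octal, octal_to_perm, mode_of and apply_and_read are my own; the file word.txt and the expressions u=rwx,g=rw,o=r, a+x, o-x, 750 and 731 come from the page. It also decodes the interview question's 731, which gives the group write without read and others execute only.

```bash
#!/usr/bin/env bash
# Added example (not part of the original tutorial): convert between the
# letter form (rwxr-xr--) and the digital form (754) of chmod, then apply
# real chmod expressions to a scratch file and read the result back.

# perm_to_octal MODESTRING -> digital form; MODESTRING is the 10-character
# field shown by ls -l, e.g. "-rwxr-xr--" -> "754"
perm_to_octal() {
    local mode=$1 result="" triplet start d
    for start in 2 5 8; do            # owner, group, others
        triplet=$(printf '%s' "$mode" | cut -c"$start"-"$((start + 2))")
        d=0
        case $triplet in r??) d=$((d + 4)) ;; esac
        case $triplet in ?w?) d=$((d + 2)) ;; esac
        case $triplet in ??[xst]) d=$((d + 1)) ;; esac   # s/t imply x as well
        result="$result$d"
    done
    printf '%s\n' "$result"
}

# octal_to_perm DIGITS -> letter form, e.g. "731" -> "rwx-wx--x"
octal_to_perm() {
    local out="" i d
    for i in 1 2 3; do
        d=$(printf '%s' "$1" | cut -c"$i")
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# mode_of PATH -> the 10-character permission field from ls -ld
mode_of() { ls -ld -- "$1" | cut -c1-10; }

# apply_and_read PATH EXPR -> run chmod EXPR on PATH, return the digital form
apply_and_read() {
    chmod -- "$2" "$1" || return 1
    perm_to_octal "$(mode_of "$1")"
}

demo() {
    local dir
    dir=$(mktemp -d) || return 1
    : > "$dir/word.txt"
    echo "u=rwx,g=rw,o=r -> $(apply_and_read "$dir/word.txt" u=rwx,g=rw,o=r)"   # 764
    echo "750            -> $(apply_and_read "$dir/word.txt" 750)"              # 750
    echo "a+x            -> $(apply_and_read "$dir/word.txt" a+x)"              # 751
    echo "o-x            -> $(apply_and_read "$dir/word.txt" o-x)"              # 750
    # the interview question: 731 decodes to owner rwx, group -wx, others --x,
    # i.e. the group may write but not read and others may only execute
    echo "731 decodes to $(octal_to_perm 731)"
    rm -rf "$dir"
}
demo
```

The conversion functions only use cut and shell arithmetic, so they work in a plain POSIX sh as well as bash; apply_and_read is the part that actually touches the filesystem, which is why the demo works on a throw-away file from mktemp rather than anything under /root.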

4. A special case

In Linux, whether you can delete a file does not depend on the permissions of the file itself; it depends on whether you have write permission on the directory that contains the file. If you do, you can delete it (you must also have execute permission on that directory).
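The rule above is easy to get wrong, so here is an added example (my own code, not from the original tutorial) that shows it on two scratch directories: a file with mode 000 inside a writable directory can be removed, while a file with mode 666 inside a directory without the w bit cannot. The names can_unlink_in, try_delete, open, locked, secret and note are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): deleting a file is decided
# by the w and x bits of the containing directory, not by the file's own bits.

# can_unlink_in DIR -> true when the current user holds both w and x on DIR
can_unlink_in() { [ -w "$1" ] && [ -x "$1" ]; }

# try_delete PATH -> prints "deleted" or "kept"; -f suppresses rm's prompt
# for unwritable files so that only the directory permissions matter
try_delete() {
    if rm -f -- "$1" 2>/dev/null && ! [ -e "$1" ]; then
        echo deleted
    else
        echo kept
    fi
}

demo() {
    local base
    base=$(mktemp -d) || return 1
    mkdir "$base/open" "$base/locked"

    : > "$base/open/secret";  chmod 000 "$base/open/secret"   # file: no rights at all
    : > "$base/locked/note";  chmod 666 "$base/locked/note"   # file: rw for everyone
    chmod 555 "$base/locked"                                  # directory: r-x, no w

    echo "open/secret  (file 000, dir rwx): $(try_delete "$base/open/secret")"   # deleted
    echo "locked/note  (file 666, dir r-x): $(try_delete "$base/locked/note")"   # kept
    # root bypasses the permission check, so the second line reads "deleted" under root
    chmod 755 "$base/locked"; rm -rf "$base"
}
demo
```

Run it as an ordinary user to see both outcomes; as root the second file disappears too, because root is not subject to the directory check, which is exactly why the tutorial says you need not consider root when designing permissions.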

Three. Special permissions (extended)


1. The set bit s


Effect: lets an ordinary user temporarily have the execute rights of the file's owner / group.

For example: /usr/bin/passwd has to modify /etc/passwd and /etc/shadow when it runs, and nobody but root has write permission on those files. So how can ordinary users still change their own passwords?

Answer: they can temporarily be given root's authority, and the s permission exists to do exactly this special job. The s permission can only be applied to binary executable files.

Sample code: prevent ordinary users from changing their passwords

Note: use the which command to find the location of the binary executable, then remove the s permission from it with chmod and test as an ordinary user.

Note: in 0755 the leading 0 means no special permission is used; this digit can be 0, 1, 2, 3, 4, 5, 6 or 7:

Number    Bits    Effect
0         ---     no special permission
1         --t     sticky bit: for public directories; only root and the file's creator can delete a file, others can only manage their own files. Set with o+t / o-t or 1xxx
2         -s-     setgid: for directories; any file created in the directory inherits the directory's group. Set with g+s / g-s or 2xxx
3         -st     setgid + sticky bit
4         s--     setuid: for binary files; while running the file the user temporarily has the file owner's rights. Set with u+s / u-s or 4xxx
5         s-t     setuid + sticky bit
6         ss-     setuid + setgid
7         sst     setuid + setgid + sticky bit
2. The sticky bit t


Only used on directories. It means that only the owner of a file (and root) can delete, rename or move files in that directory. For example, /tmp is readable and writable by every user; if other people could delete, rename or move our own files there, that would be dangerous, so the t permission was introduced to solve this problem.

Let's use an example to understand how the t permission works:

① In /tmp, create the directory test

② Set the special permission bit t on it (chmod o+t /tmp/test)

③ Switch to the ordinary user cndws and create the file test/readme.txt

④ Switch to a second user, itcast, and try to delete the file readme.txt created by cndws (the deletion is refused)

⑤ Switch back to root and remove the permission bit t (chmod o-t /tmp/test)

⑥ Switch back to itcast and delete test/readme.txt again (this time it succeeds)
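The s and t sections above both manipulate the fourth permission digit. The script below is an added example (not code from the original tutorial) that sets and clears setuid, setgid and the sticky bit on scratch objects, reads the three bits back from columns 4, 7 and 10 of the ls -l mode field, and lists setuid files under a directory with find, which is the check an administrator runs to find binaries like passwd that carry the bit. The names special_bits, list_setuid_in, pub and tool are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): set and clear the setuid,
# setgid and sticky bits on scratch files and read them back from ls -l, plus
# a small inventory function for setuid files.

# special_bits PATH -> three characters: setuid (s/-), setgid (s/-), sticky (t/-)
# read from columns 4, 7 and 10 of the ls -ld mode field
special_bits() {
    local m u g o
    m=$(ls -ld -- "$1" | cut -c1-10)
    u=$(printf '%s' "$m" | cut -c4)
    g=$(printf '%s' "$m" | cut -c7)
    o=$(printf '%s' "$m" | cut -c10)
    case $u in s|S) u=s ;; *) u=- ;; esac   # capital S/T: bit set but no x underneath
    case $g in s|S) g=s ;; *) g=- ;; esac
    case $o in t|T) o=t ;; *) o=- ;; esac
    printf '%s%s%s\n' "$u" "$g" "$o"
}

# list_setuid_in DIR -> regular files under DIR with the setuid bit set
list_setuid_in() { find "$1" -type f -perm -4000; }

demo() {
    local base
    base=$(mktemp -d) || return 1
    mkdir "$base/pub"; : > "$base/tool"

    chmod 1777 "$base/pub";  echo "pub after 1777 : $(special_bits "$base/pub")"   # --t
    chmod g+s  "$base/pub";  echo "pub after g+s  : $(special_bits "$base/pub")"   # -st
    chmod o-t  "$base/pub";  echo "pub after o-t  : $(special_bits "$base/pub")"   # -s-
    chmod 4755 "$base/tool"; echo "tool after 4755: $(special_bits "$base/tool")"  # s--
    echo "setuid files under scratch dir: $(list_setuid_in "$base")"
    chmod u-s  "$base/tool"; echo "tool after u-s : $(special_bits "$base/tool")"  # ---
    rm -rf "$base"
}
demo
```

Compare the output with ls -ld /tmp, which on a normal system ends in t, and with find /usr/bin -perm -4000 -type f, which lists the system's real setuid binaries; any unexpected entry in that list deserves a look.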

Four. ACL access control


1. Basic commands


getfacl command: view a file's ACL policy and permissions

setfacl command: add an ACL entry for a user or group to a file

2. The getfacl command

getfacl <file>

3. The setfacl command

-m : modify an ACL entry

-x : remove the entry of a user or group

-b : delete all ACL entries

-R : recursive

mask: the mask defines the maximum effective permissions of everyone except the owner and other (that is, named users, the file's group and named groups)

Sample code 1: give the user cndws alone rw permission on the file file1 (setfacl -m u:cndws:rw file1)

Verify that cndws now has rw on file1 (getfacl file1):

Sample code 2: give the group itcast rw permission on the file file2 (setfacl -m g:itcast:rw file2)
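The mask line is the part of getfacl output that most often confuses people: a named entry can say rw- while the user actually gets r--. The script below is an added example (not code from the original tutorial) that grants a named user rw with setfacl -m, lowers the mask, and reads the effective rights back from getfacl, then removes the entry with -x. It uses the constructed numeric uid 12345 so it needs no user account (in practice you would write a name such as cndws from the page); acl_effective and acl_demo are my own function names, and the demo reports status 2 instead of failing when setfacl is missing or the filesystem has no ACL support.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): grant one user rw through a
# named ACL entry, then show how the mask caps the entry's effective rights.
# Uses a constructed numeric uid (12345) so it runs without creating a user.

# acl_effective FILE UID -> effective permissions of the user:UID entry
# (getfacl appends "#effective:..." to an entry when the mask reduces it)
acl_effective() {
    getfacl --omit-header -- "$1" 2>/dev/null | awk -v e="user:$2:" '
        substr($0, 1, length(e)) == e {
            perm = substr($1, length(e) + 1)
            if (match($0, /#effective:[-rwx]+/))
                perm = substr($0, RSTART + 11, RLENGTH - 11)
            print perm; exit
        }'
}

acl_demo() {
    local f uid=12345
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed" >&2; return 2; }
    f=$(mktemp) || return 2
    chmod 640 "$f"
    if ! setfacl -m "u:$uid:rw" "$f" 2>/dev/null; then
        rm -f "$f"; echo "this filesystem does not support ACLs" >&2; return 2
    fi
    echo "after setfacl -m u:$uid:rw : $(acl_effective "$f" "$uid")"   # rw-
    ls -l "$f" | cut -c1-11                                        # mode now ends in '+'
    setfacl -m m::r "$f"        # lower the mask: entry still says rw-, effective is r--
    echo "after setfacl -m m::r      : $(acl_effective "$f" "$uid")"   # r--
    setfacl -x "u:$uid" "$f"    # -x removes this user's entry (-b would remove them all)
    echo "after setfacl -x u:$uid   : '$(acl_effective "$f" "$uid")'"  # empty
    rm -f "$f"
}
acl_demo || echo "demo skipped, status $?" >&2
```

Note that the plus sign ls -l shows after the mode is the only hint in ordinary listings that an ACL exists; when auditing who can reach a file, getfacl is the command to trust, and the #effective column is the value that counts.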

Five. umask (extended)


1. What is umask


umask determines the default permissions a newly created file receives (that is, the permissions a file gets when you create it without setting any explicitly).

For example: as root, touch a creates file a with default permissions 644; as an ordinary user, touch b creates file b with default permissions 664.

We never set 644 or 664 ourselves; the deciding factor is umask.

2. The umask value




You can check the umask value with the umask command. Basic syntax: # umask

Note: in 0022 the first 0 represents the special permission bit and can be omitted. Analysis:

                       Directory          File
Highest permission     777 rwxrwxrwx      666 rw-rw-rw-

The umask command shows the current user's umask value (look only at the last three digits; there are four in total).

          root (superuser)    Ordinary user
umask     022                 002

Combining this with the examples above: directory = 777 with the umask removed, file = 666 with the umask removed (for root 755 and 644, for an ordinary user 775 and 664).

However:

When umask is 011, the default permissions of a newly created file should be 655 by this subtraction, but in practice they turn out to be 666. The reason is that umask removes permission bits rather than subtracting numbers: 666 contains no x bits, so the 1s in 011 have nothing to remove.

Note: this special case only appears with files, because a file (except a binary file) has no x (execute) permission. So when working out the umask for files, pay particular attention to odd digits (x is 1).
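To make the bit-clearing rule concrete, here is an added example (my own script, not from the original tutorial). default_mode computes the result the way the kernel does (bits cleared), naive_subtract computes the digit subtraction the tutorial warns about, and observed_mode creates a real file or directory under a chosen umask inside a subshell and reads the mode back, so the 011 case can be checked against the system rather than on paper. All three function names are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): work out the permissions a
# new file or directory gets from a umask. The umask clears bits; it does not
# subtract numbers, which is why umask 011 still gives files 666.

# default_mode BASE UMASK -> octal digits of BASE with the UMASK bits cleared
# (BASE is 666 for files and 777 for directories; the 0 prefix makes them octal)
default_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# naive_subtract BASE UMASK -> what digit-by-digit subtraction would predict
naive_subtract() {
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%03d\n", a - b }'
}

# observed_mode UMASK file|dir -> the rwx string of an object actually created
# under that umask (the umask is changed only inside a subshell)
observed_mode() {
    local d perm
    d=$(mktemp -d) || return 1
    ( umask "$1"; if [ "$2" = dir ]; then mkdir "$d/x"; else : > "$d/x"; fi )
    perm=$(ls -ld -- "$d/x" | cut -c2-10)
    rm -rf "$d"
    printf '%s\n' "$perm"
}

demo() {
    local m
    for m in 022 002 011; do
        echo "umask $m: file $(default_mode 666 "$m") (subtraction says $(naive_subtract 666 "$m")), dir $(default_mode 777 "$m")"
    done
    echo "file created under umask 011: $(observed_mode 011 file)"   # rw-rw-rw-
    echo "dir  created under umask 022: $(observed_mode 022 dir)"    # rwxr-xr-x
}
demo
```

For 022 and 002 both calculations agree, which is why the subtraction shortcut survives; only a umask with a 1 in it separates the two, and observed_mode shows the system siding with default_mode.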

3. Modify the umask value


umask <value> changes the current user's umask, for example: # umask 044

But a umask set this way reverts to the original value the next time the user logs in. To keep it, save the umask setting in ~/.bashrc.

Steps: append a line umask <value> to ~/.bashrc, then run source ~/.bashrc (or log in again) for it to take effect.

Six. Owner and group settings


1. What are the owner and the group?


Owner: the user who owns the file (the file's owner). Group: the group the file belongs to (the group whose members are the "users in the same group").

Basic syntax: # ls -l  (shows the file's owner and group)

Both pieces of information are taken from the creator when the file is created (the user name, and the name of the user's primary group).

Why you need to be able to change them: sometimes a user is deleted, and the owner and group information of that user's files then has to be changed (similar to a handover before someone leaves).

2. Modify the file's owner


Basic syntax: # chown [-R] <new owner> <file path>

Purpose: change the user that owns the file (change owner)

Options: -R changes the owner recursively

Sample code 1: change the owner of readme.txt to cndws: chown cndws readme.txt

Sample code 2: change the owner of the directory shop to cndws: chown cndws shop (add -R to change the files inside it as well)

3. Modify the file's group


Basic syntax: # chgrp [-R] <new group> <file path>

Purpose: change the group of the file (change group)

Sample code 1: change the group of readme.txt to itcast: chgrp itcast readme.txt

Sample code 2: change the group of the directory shop to itcast: chgrp itcast shop (add -R to change the files inside it as well)

4. Modify the owner and the group at the same time


Question: how do you change the owner and the group with a single command? Answer: use the chown command.

Basic syntax: # chown [-R] username:groupname <file path>

Sample code: change both the owner and the group of readme.txt to root: chown root:root readme.txt
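The three commands in this section (chown, chgrp and chown user:group) are shown together in the following added example, which is my own script and not code from the original tutorial. It first confirms the point made above, that a new file carries its creator's uid and primary gid, and then performs the handover; the ids 12345 and 54321 are constructed values, used so that no user account has to exist, and the handover part runs only as root since only root may give a file to another user. owner_group, created_by_me and handover are my own function names; readme.txt is the file from the page.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): read a file's owner and
# group, confirm that a new file takes the creator's uid and primary gid, and
# hand the file over with chgrp and chown. Numeric ids 12345 and 54321 are
# constructed values; the handover runs only as root.

# owner_group PATH -> "uid gid" as numbers (ls -n avoids name lookups)
owner_group() { ls -ldn -- "$1" | awk '{ print $3, $4 }'; }

# created_by_me PATH -> true when PATH carries the caller's uid and primary gid
created_by_me() { [ "$(owner_group "$1")" = "$(id -u) $(id -g)" ]; }

# handover PATH UID GID -> chown user:group in one command, print the result
handover() {
    [ "$(id -u)" -eq 0 ] || { echo "handover needs root" >&2; return 2; }
    chown -- "$2:$3" "$1" && owner_group "$1"
}

demo() {
    local base f
    base=$(mktemp -d) || return 1
    f=$base/readme.txt; : > "$f"
    echo "new file owner/group: $(owner_group "$f") (me: $(id -u) $(id -g))"
    if [ "$(id -u)" -eq 0 ]; then
        chgrp -- 54321 "$f"; echo "after chgrp 54321      : $(owner_group "$f")"   # 0 54321
        chown -- 12345 "$f"; echo "after chown 12345      : $(owner_group "$f")"   # 12345 54321
        echo "after chown 12345:54321: $(handover "$f" 12345 54321)"             # 12345 54321
    else
        echo "not root: skipping the chown/chgrp part"
    fi
    rm -rf "$base"
}
demo
```

Using numeric ids also mirrors what happens after a user is deleted: ls -l then prints a bare number in the owner column because the name no longer resolves, which is the situation the handover described above is meant to clean up.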

Copyright notice
This article was written by [osc_qnf5stcu]; please include a link to the original when reposting. Thank you.
