2019-12-23
注意父目录及其子目录、文件的权限设置,可能会导致无法查看文件内容的(难点),已掌握
系统用户权限管理知识概述
1)操作系统权限概念说明
2)操作系统默认权限设置(调整权限)
3)操作系统读取数据原理
4)操作系统特殊权限说明(setuid setgid 粘滞位)
5)操作系统用户提权配置(sudo)
6)操作系统用户相关命令
7)操作系统用户相关文件(普通文件/目录文件)
一操作系统文件权限概念
操作系统基本权限:rwx
操作系统权限划分:属主 属组 其他用户
对于一个普通文件:
r:是否可以查看文件内容(是否可以查看block)
w:是否可以编辑文件内容(是否可以改写block)
需要r权限配合,vim打开时,要强制保存内容(x!),会导致源文件内容清空
x:是否可以运行文件里面的命令或者脚本
情形一:文件权限为r,只有读取权限
[root@centos71 test]# cat /test/test.sh
whoami
[root@centos71 test]# ll /test/test.sh
-rw-r--r--. 1 root root 7 Dec 23 19:51 /test/test.sh
[root@centos71 test]# pwd
/test
进入到普通用户进行测试
[root@centos71 ~]# su - wang
Last login: Mon Dec 23 12:21:24 CST 2019 on pts/3
[wang@centos71 ~]$ ll -d /test/test.sh
-rw-r--r--. 1 root root 7 Dec 23 19:51 /test/test.sh
[wang@centos71 ~]$ ll /test/test.sh
-rw-r--r--. 1 root root 7 Dec 23 19:51 /test/test.sh
[wang@centos71 ~]$ cat /test/test.sh
whoami
[wang@centos71 ~]$ echo 'hostname' >> /test/test.sh
-bash: /test/test.sh: Permission denied
[wang@centos71 ~]$ /test/test.sh
-bash: /test/test.sh: Permission denied
[wang@centos71 ~]$ pwd
/home/wang
[wang@centos71 ~]$ whoami
wang
情形二:文件权限为rw,有读取和写入权限
[root@centos71 test]# chmod o+w /test/test.sh
[root@centos71 test]# ll /test/test.sh
-rw-r--rw-. 1 root root 7 Dec 23 19:51 /test/test.sh
[wang@centos71 ~]$ pwd
/home/wang
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ ll /test/test.sh
-rw-r--rw-. 1 root root 7 Dec 23 19:51 /test/test.sh
[wang@centos71 ~]$ cat /test/test.sh
whoami
[wang@centos71 ~]$ echo 'hostname' >> /test/test.sh
[wang@centos71 ~]$ cat /test/test.sh
whoami
hostname
[wang@centos71 ~]$ /test/test.sh
-bash: /test/test.sh: Permission denied
情形三:文件权限为rx,有读取和执行权限
[root@centos71 test]# chmod o-w /test/test.sh
[root@centos71 test]# chmod o+x /test/test.sh
[root@centos71 test]# ll /test/test.sh
-rw-r--r-x. 1 root root 16 Dec 23 19:59 /test/test.sh
[wang@centos71 ~]$ ll /test/test.sh
-rw-r--r-x. 1 root root 16 Dec 23 19:59 /test/test.sh
[wang@centos71 ~]$ echo 'pwd' >> /test/test.sh
-bash: /test/test.sh: Permission denied
[wang@centos71 ~]$ /test/test.sh
wang
centos71.com
情形四:文件权限为w,只有写入权限
[root@centos71 test]# chmod 642 /test/test.sh
[root@centos71 test]# ll /test/test.sh
-rw-r---w-. 1 root root 16 Dec 23 19:59 /test/test.sh
[wang@centos71 ~]$ ll /test/test.sh
-rw-r---w-. 1 root root 16 Dec 23 19:59 /test/test.sh
[wang@centos71 ~]$ cat /test/test.sh
cat: /test/test.sh: Permission denied
[wang@centos71 ~]$ echo 'hostname' > /test/test.sh
[wang@centos71 ~]$ ll /test/test.sh
-rw-r---w-. 1 root root 9 Dec 23 20:21 /test/test.sh
[wang@centos71 ~]$ /test/test.sh
-bash: /test/test.sh: Permission denied
[wang@centos71 ~]$
注意虽然之前输入了内容,但是使用vim编辑,无内容显示
可以看出之前文件是有内容的
[wang@centos71 ~]$ ll /test/test.sh
-rw-r---w-. 1 root root 9 Dec 23 20:18 /test/test.sh
情形五:文件权限为rw,有写入和读取权限
[root@centos71 test]# ll /test/test.sh
-rw-r---w-. 1 root root 9 Dec 23 20:21 /test/test.sh
[root@centos71 test]# chmod 646 /test/test.sh
[root@centos71 test]# ll /test/test.sh
-rw-r--rw-. 1 root root 9 Dec 23 20:21 /test/test.sh
[wang@centos71 ~]$ ll /test/test.sh
-rw-r--rw-. 1 root root 13 Dec 23 20:25 /test/test.sh
[wang@centos71 ~]$ cat /test/test.sh
hostname
pwd
[wang@centos71 ~]$ echo 'pwd' >> /test/test.sh
[wang@centos71 ~]$ cat /test/test.sh
hostname
pwd
pwd
[wang@centos71 ~]$ ll /test/test.sh
-rw-r--rw-. 1 root root 17 Dec 23 20:26 /test/test.sh
[wang@centos71 ~]$ /test/test.sh
-bash: /test/test.sh: Permission denied
注意此时正常打开文件,文件内容没有被覆盖
情形六:文件权限为wx,只有写权限
[wang@centos71 ~]$ ll /test/test.sh
-rw-r---wx. 1 root root 17 Dec 23 20:26 /test/test.sh
[wang@centos71 ~]$ cat /test/test.sh
cat: /test/test.sh: Permission denied
[wang@centos71 ~]$ echo 'hostname' > /test/test.sh
[wang@centos71 ~]$ /test/test.sh
bash: /test/test.sh: Permission denied
打开文件,文件内容被覆盖
但是文件原来确实有内容
[wang@centos71 ~]$ ll /test/test.sh
-rw-r---wx. 1 root root 9 Dec 23 20:29 /test/test.sh
[wang@centos71 ~]$
情形七:文件权限为x,无任何权限
[wang@centos71 ~]$ ll /test/test.sh
-rw-r----x. 1 root root 9 Dec 23 20:29 /test/test.sh
[wang@centos71 ~]$ cat /test/test.sh
cat: /test/test.sh: Permission denied
[wang@centos71 ~]$ echo 'hostname' > /test/test.sh
-bash: /test/test.sh: Permission denied
[wang@centos71 ~]$ /test/test.sh
bash: /test/test.sh: Permission denied
打开文件,文件内容被覆盖
文件权限总结
1)文件没有任何权限
root用户:可写可编辑,但是不能执行
属主用户:可写但会覆盖原有内容
其他用户:没有任何权限
2)文件只是拥有读权限
root用户和属主用户:可以编辑和查看文件信息
其他用户:只能查看信息,不能编辑
root用户可以随意查看和编辑任意文件信息,不受到权限限制
文件的权限中,读权限是最重要,rw配合正常编写文件;rx配合正常执行文件。
属主权限:6(rw) 属组权限4(r) 其他用户(r)---默认文件权限644
注意把文件写成脚本变成可执行文件,这样可以对应权限的执行权限。
二操作系统目录权限概念
r:是否可以查看目录下面数据信息(子目录或者文件)
w:是否可以在目录下删除/添加/重命名文件信息(子目录或者文件)
x:目录是否可以进行切换(cd切换到子目录下)
情形一:目录只有r权限
[root@centos71 ~]# mkdir /test3/teststy -pv
mkdir: created directory ‘/test3’
mkdir: created directory ‘/test3/teststy’
[root@centos71 ~]# touch /test3/teststy/happy{01..5}.txt
[root@centos71 ~]# ls /test3/teststy
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[root@centos71 ~]# tree /test3/teststy
/test3/teststy
├── happy01.txt
├── happy02.txt
├── happy03.txt
├── happy04.txt
└── happy05.txt
0 directories, 5 files
[root@centos71 ~]# tree /test3/
/test3/
└── teststy
├── happy01.txt
├── happy02.txt
├── happy03.txt
├── happy04.txt
└── happy05.txt
1 directory, 5 files
[root@centos71 ~]# ll -d /test3/teststy
drwxr-xr-x. 2 root root 101 Dec 23 20:52 /test3/teststy
[root@centos71 ~]# id wang
uid=1020(wang) gid=1020(wang) groups=1020(wang)
[root@centos71 ~]# chown wang.wang /test3/teststy
[root@centos71 ~]# ll -d /test3/teststy
drwxr-xr-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
[root@centos71 ~]#
[root@centos71 ~]# ll -d /test3/teststy
drwxr-xr-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
[root@centos71 ~]# chmod 445 /test3/teststy
[root@centos71 ~]# ll -d /test3/teststy
dr--r--r-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
[root@centos71 ~]#
不能进入到目录里面,所有更不能修改、删除、、创建目录里面的文件
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ pwd
/home/wang
[wang@centos71 ~]$ ll -d /test3/teststy
dr--r--r-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
[wang@centos71 ~]$ cd /test3/teststy
-bash: cd: /test3/teststy: Permission denied
[wang@centos71 ~]$ ls /test3/teststy
ls: cannot access /test3/teststy/happy01.txt: Permission denied
ls: cannot access /test3/teststy/happy02.txt: Permission denied
ls: cannot access /test3/teststy/happy03.txt: Permission denied
ls: cannot access /test3/teststy/happy04.txt: Permission denied
ls: cannot access /test3/teststy/happy05.txt: Permission denied
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[wang@centos71 ~]$ ls /test3/teststy -l
ls: cannot access /test3/teststy/happy01.txt: Permission denied
ls: cannot access /test3/teststy/happy02.txt: Permission denied
ls: cannot access /test3/teststy/happy03.txt: Permission denied
ls: cannot access /test3/teststy/happy04.txt: Permission denied
ls: cannot access /test3/teststy/happy05.txt: Permission denied
total 0
-????????? ? ? ? ? ? happy01.txt
-????????? ? ? ? ? ? happy02.txt
-????????? ? ? ? ? ? happy03.txt
-????????? ? ? ? ? ? happy04.txt
-????????? ? ? ? ? ? happy05.txt
情形二:目录只有w权限
[root@centos71 ~]# chmod 245 /test3/teststy
[root@centos71 ~]# ll -d /test3/teststy
d-w-r--r-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
[wang@centos71 ~]$ ls /test3/teststy -ld
d-w-r--r-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
[wang@centos71 ~]$ cd /test3/teststy
-bash: cd: /test3/teststy: Permission denied
[wang@centos71 ~]$ rm -rf /test3/teststy/*
rm: cannot remove ‘/test3/teststy/*’: Permission denied
[wang@centos71 ~]$ touch /test3/teststy/happy.txt
touch: cannot touch ‘/test3/teststy/happy.txt’: Permission denied
情形三:目录只有x权限
可以进入到目录里面,但是不能修改、删除、创建目录里面的文件
[wang@centos71 ~]$ ls /test3/teststy -ld
d--xr--r-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
[wang@centos71 ~]$ ll /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[wang@centos71 ~]$ ls /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[wang@centos71 ~]$ echo 'hostname' > /test3/teststy/happy01.txt
-bash: /test3/teststy/happy01.txt: Permission denied
[wang@centos71 ~]$ rm -rf /test3/teststy/happy01.txt
rm: cannot remove ‘/test3/teststy/happy01.txt’: Permission denied
[wang@centos71 ~]$ ll -lih
total 0
[wang@centos71 ~]$ ll -lih /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[wang@centos71 ~]$ cd /test3/teststy
[wang@centos71 teststy]$ ls
ls: cannot open directory .: Permission denied
[wang@centos71 teststy]$ ll
ls: cannot open directory .: Permission denied
划分成三个用户详细分析权限
目录没有权限 拥有读权限 拥有写权限 拥有执行权限
root用户: 可读 可写 可执行 可读 可写 可执行 可读 可写 可执行 可读 可写 可执行
属主用户: 没有任何能力 只能看数据名称 没有任何能力 可以切换到目录中
其他用户: 没有任何能力 只能看数据名称 没有任何能力 可以切换到目录中
一目录没有任何权限
root用户: 可读 可写 可执行
[root@centos71 ~]# chmod 000 /test3/teststy
[root@centos71 ~]# ll -d /test3/teststy
d---------. 2 wang wang 101 Dec 23 20:52 /test3/teststy
[root@centos71 ~]# cd /test3/teststy
[root@centos71 teststy]# ls
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[root@centos71 teststy]# ll
total 0
-rw-r--r--. 1 root root 0 Dec 23 20:52 happy01.txt
-rw-r--r--. 1 root root 0 Dec 23 20:52 happy02.txt
-rw-r--r--. 1 root root 0 Dec 23 20:52 happy03.txt
-rw-r--r--. 1 root root 0 Dec 23 20:52 happy04.txt
-rw-r--r--. 1 root root 0 Dec 23 20:52 happy05.txt
[root@centos71 teststy]# rm -f happy0*
[root@centos71 teststy]# ls
[root@centos71 teststy]# ll
total 0
[root@centos71 teststy]# ll -d
d---------. 2 wang wang 6 Dec 23 21:18 .
[root@centos71 teststy]# touch happy{01..5}.txt
[root@centos71 teststy]# ll
total 0
-rw-r--r--. 1 root root 0 Dec 23 21:19 happy01.txt
-rw-r--r--. 1 root root 0 Dec 23 21:19 happy02.txt
-rw-r--r--. 1 root root 0 Dec 23 21:19 happy03.txt
-rw-r--r--. 1 root root 0 Dec 23 21:19 happy04.txt
-rw-r--r--. 1 root root 0 Dec 23 21:19 happy05.txt
[root@centos71 teststy]# whoami
root
属主用户: 没有任何能力
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ pwd
/home/wang
[wang@centos71 ~]$ cd /test3/teststy
-bash: cd: /test3/teststy: Permission denied
[wang@centos71 ~]$ ls /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[wang@centos71 ~]$ ll /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[wang@centos71 ~]$ rm -rf /test3/teststy/*
rm: cannot remove ‘/test3/teststy/*’: Permission denied
其他用户: 没有任何能力
[root@centos71 ~]# id zhao
uid=1040(zhao) gid=1040(zhao) groups=1040(zhao)
[root@centos71 ~]# su - zhao
Last login: Mon Dec 23 09:08:16 CST 2019 on pts/2
[zhao@centos71 ~]$ whoami
zhao
[zhao@centos71 ~]$ pwd
/home/zhao
[zhao@centos71 ~]$ ll -d /test3/teststy
d---------. 2 wang wang 101 Dec 23 21:19 /test3/teststy
[zhao@centos71 ~]$ ls /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[zhao@centos71 ~]$ ll /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[zhao@centos71 ~]$ cd /test3/teststy
-bash: cd: /test3/teststy: Permission denied
[zhao@centos71 ~]$ rm -rf /test3/teststy/*
rm: cannot remove ‘/test3/teststy/*’: Permission denied
[zhao@centos71 ~]$
二目录只有读取权限
root用户: 可读 可写 可执行
[root@centos71 ~]# chmod 444 /test3/teststy
[root@centos71 ~]# ll -d /test3/teststy
dr--r--r--. 2 wang wang 101 Dec 23 21:19 /test3/teststy
[root@centos71 ~]# ls /test3/teststy
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[root@centos71 ~]# ll /test3/teststy
total 0
-rw-r--r--. 1 root root 0 Dec 23 21:19 happy01.txt
-rw-r--r--. 1 root root 0 Dec 23 21:19 happy02.txt
-rw-r--r--. 1 root root 0 Dec 23 21:19 happy03.txt
-rw-r--r--. 1 root root 0 Dec 23 21:19 happy04.txt
-rw-r--r--. 1 root root 0 Dec 23 21:19 happy05.txt
[root@centos71 ~]# cd /test3/teststy
[root@centos71 teststy]# ls
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[root@centos71 teststy]# rm -rf *
[root@centos71 teststy]# touch happy{01..5}.txt
[root@centos71 teststy]# ls
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[root@centos71 teststy]# ll
total 0
-rw-r--r--. 1 root root 0 Dec 23 21:25 happy01.txt
-rw-r--r--. 1 root root 0 Dec 23 21:25 happy02.txt
-rw-r--r--. 1 root root 0 Dec 23 21:25 happy03.txt
-rw-r--r--. 1 root root 0 Dec 23 21:25 happy04.txt
-rw-r--r--. 1 root root 0 Dec 23 21:25 happy05.txt
[root@centos71 teststy]#
属主只能看目录下的文件名称
[wang@centos71 ~]$ ll -d /test3/teststy
dr--r--r--. 2 wang wang 101 Dec 23 21:25 /test3/teststy
[wang@centos71 ~]$ ls /test3/teststy
ls: cannot access /test3/teststy/happy01.txt: Permission denied
ls: cannot access /test3/teststy/happy02.txt: Permission denied
ls: cannot access /test3/teststy/happy03.txt: Permission denied
ls: cannot access /test3/teststy/happy04.txt: Permission denied
ls: cannot access /test3/teststy/happy05.txt: Permission denied
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[wang@centos71 ~]$ ll /test3/teststy
ls: cannot access /test3/teststy/happy01.txt: Permission denied
ls: cannot access /test3/teststy/happy02.txt: Permission denied
ls: cannot access /test3/teststy/happy03.txt: Permission denied
ls: cannot access /test3/teststy/happy04.txt: Permission denied
ls: cannot access /test3/teststy/happy05.txt: Permission denied
total 0
-????????? ? ? ? ? ? happy01.txt
-????????? ? ? ? ? ? happy02.txt
-????????? ? ? ? ? ? happy03.txt
-????????? ? ? ? ? ? happy04.txt
-????????? ? ? ? ? ? happy05.txt
[wang@centos71 ~]$ cd /test3/teststy
-bash: cd: /test3/teststy: Permission denied
[wang@centos71 ~]$ rm -rf /test3/teststy/*
rm: cannot remove ‘/test3/teststy/happy01.txt’: Permission denied
rm: cannot remove ‘/test3/teststy/happy02.txt’: Permission denied
rm: cannot remove ‘/test3/teststy/happy03.txt’: Permission denied
rm: cannot remove ‘/test3/teststy/happy04.txt’: Permission denied
rm: cannot remove ‘/test3/teststy/happy05.txt’: Permission denied
其他用户只能看目录下的文件名称
[zhao@centos71 ~]$ ll -d /test3/teststy
dr--r--r--. 2 wang wang 101 Dec 23 21:25 /test3/teststy
[zhao@centos71 ~]$ ls /test3/teststy
ls: cannot access /test3/teststy/happy01.txt: Permission denied
ls: cannot access /test3/teststy/happy02.txt: Permission denied
ls: cannot access /test3/teststy/happy03.txt: Permission denied
ls: cannot access /test3/teststy/happy04.txt: Permission denied
ls: cannot access /test3/teststy/happy05.txt: Permission denied
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[zhao@centos71 ~]$ ll /test3/teststy
ls: cannot access /test3/teststy/happy01.txt: Permission denied
ls: cannot access /test3/teststy/happy02.txt: Permission denied
ls: cannot access /test3/teststy/happy03.txt: Permission denied
ls: cannot access /test3/teststy/happy04.txt: Permission denied
ls: cannot access /test3/teststy/happy05.txt: Permission denied
total 0
-????????? ? ? ? ? ? happy01.txt
-????????? ? ? ? ? ? happy02.txt
-????????? ? ? ? ? ? happy03.txt
-????????? ? ? ? ? ? happy04.txt
-????????? ? ? ? ? ? happy05.txt
[zhao@centos71 ~]$ cd /test3/teststy
-bash: cd: /test3/teststy: Permission denied
[zhao@centos71 ~]$ rm -rf /test3/teststy/*
rm: cannot remove ‘/test3/teststy/happy01.txt’: Permission denied
rm: cannot remove ‘/test3/teststy/happy02.txt’: Permission denied
rm: cannot remove ‘/test3/teststy/happy03.txt’: Permission denied
rm: cannot remove ‘/test3/teststy/happy04.txt’: Permission denied
rm: cannot remove ‘/test3/teststy/happy05.txt’: Permission denied
三目录只有写入权限
root用户: 可读 可写 可执行
[root@centos71 ~]# chmod 222 /test3/teststy
[root@centos71 ~]# ll -d /test3/teststy
d-w--w--w-. 2 wang wang 101 Dec 23 21:25 /test3/teststy
[root@centos71 ~]# ls /test3/teststy
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[root@centos71 ~]# ll /test3/teststy
total 0
-rw-r--r--. 1 root root 0 Dec 23 21:25 happy01.txt
-rw-r--r--. 1 root root 0 Dec 23 21:25 happy02.txt
-rw-r--r--. 1 root root 0 Dec 23 21:25 happy03.txt
-rw-r--r--. 1 root root 0 Dec 23 21:25 happy04.txt
-rw-r--r--. 1 root root 0 Dec 23 21:25 happy05.txt
[root@centos71 ~]# cd /test3/teststy
[root@centos71 teststy]# ls
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[root@centos71 teststy]# rm -rf *
[root@centos71 teststy]# touch happy{01..5}.txt
[root@centos71 teststy]# ls
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[root@centos71 teststy]# ll
total 0
-rw-r--r--. 1 root root 0 Dec 23 21:31 happy01.txt
-rw-r--r--. 1 root root 0 Dec 23 21:31 happy02.txt
-rw-r--r--. 1 root root 0 Dec 23 21:31 happy03.txt
-rw-r--r--. 1 root root 0 Dec 23 21:31 happy04.txt
-rw-r--r--. 1 root root 0 Dec 23 21:31 happy05.txt
[root@centos71 teststy]# whoami
root
属主用户: 没有任何能力
[wang@centos71 ~]$ ll -d /test3/teststy
d-w--w--w-. 2 wang wang 101 Dec 23 21:31 /test3/teststy
[wang@centos71 ~]$ ls /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[wang@centos71 ~]$ ll /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[wang@centos71 ~]$ cd /test3/teststy
-bash: cd: /test3/teststy: Permission denied
[wang@centos71 ~]$ rm -rf /test3/teststy/*
rm: cannot remove ‘/test3/teststy/*’: Permission denied
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ pwd
/home/wang
其他用户: 没有任何能力
[zhao@centos71 ~]$ ll -d /test3/teststy
d-w--w--w-. 2 wang wang 101 Dec 23 21:31 /test3/teststy
[zhao@centos71 ~]$ ls /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[zhao@centos71 ~]$ ll /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[zhao@centos71 ~]$ cd /test3/teststy
-bash: cd: /test3/teststy: Permission denied
[zhao@centos71 ~]$ rm -rf /test3/teststy/*
rm: cannot remove ‘/test3/teststy/*’: Permission denied
[zhao@centos71 ~]$ whoami
zhao
[zhao@centos71 ~]$ pwd
/home/zhao
[zhao@centos71 ~]$
四目录只有执行权限
root用户:可读 可写 可执行
[root@centos71 ~]# chmod 111 /test3/teststy
[root@centos71 ~]# ll -d /test3/teststy
d--x--x--x. 2 wang wang 101 Dec 23 21:31 /test3/teststy
[root@centos71 ~]# ls /test3/teststy
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[root@centos71 ~]# ll /test3/teststy
total 0
-rw-r--r--. 1 root root 0 Dec 23 21:31 happy01.txt
-rw-r--r--. 1 root root 0 Dec 23 21:31 happy02.txt
-rw-r--r--. 1 root root 0 Dec 23 21:31 happy03.txt
-rw-r--r--. 1 root root 0 Dec 23 21:31 happy04.txt
-rw-r--r--. 1 root root 0 Dec 23 21:31 happy05.txt
[root@centos71 ~]# cd /test3/teststy
[root@centos71 teststy]# ls
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[root@centos71 teststy]# rm -rf *
[root@centos71 teststy]# touch happy{01..5}.txt
[root@centos71 teststy]# ls
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[root@centos71 teststy]# ll
total 0
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy01.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy02.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy03.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy04.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy05.txt
[root@centos71 teststy]# cd
[root@centos71 ~]# whoami
root
[root@centos71 ~]# pwd
/root
属主用户:可以切换到目录里面,不能删除文件
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ pwd
/home/wang
[wang@centos71 ~]$ ll -d /test3/teststy
d--x--x--x. 2 wang wang 101 Dec 23 21:36 /test3/teststy
[wang@centos71 ~]$ ls /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[wang@centos71 ~]$ ll /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[wang@centos71 ~]$ cd /test3/teststy
[wang@centos71 teststy]$ ls
ls: cannot open directory .: Permission denied
[wang@centos71 teststy]$ ll
ls: cannot open directory .: Permission denied
[wang@centos71 teststy]$ rm -rf /test3/teststy/*
[wang@centos71 teststy]$ ls
ls: cannot open directory .: Permission denied
[wang@centos71 teststy]$ ll
ls: cannot open directory .: Permission denied
其他用户:可以切换到目录里面,不能删除文件
[zhao@centos71 ~]$ whoami
zhao
[zhao@centos71 ~]$ pwd
/home/zhao
[zhao@centos71 ~]$ ll -d /test3/teststy
d--x--x--x. 2 wang wang 101 Dec 23 21:36 /test3/teststy
[zhao@centos71 ~]$ ls /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[zhao@centos71 ~]$ ll /test3/teststy
ls: cannot open directory /test3/teststy: Permission denied
[zhao@centos71 ~]$ cd /test3/teststy
[zhao@centos71 teststy]$ ls
ls: cannot open directory .: Permission denied
[zhao@centos71 teststy]$ rm -rf /test3/teststy/*
[zhao@centos71 teststy]$ ls
ls: cannot open directory .: Permission denied
[root@centos71 ~]# ll /test3/teststy
total 0
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy01.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy02.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy03.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy04.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy05.txt
目录文件权限总结:
1) 目录没有任何权限:
root用户: 属于无敌存在,想干什么干什么
属主用户: 什么都做不了
其他用户: 什么都做不了
2) 目录只是拥有读权限:
root用户: 属于无敌存在,想干什么干什么
属主用户: 只能查看文件名称, 不能查看文件属性??? (上一级目录没有执行权限)
其他用户: 只能查看文件名称, 不能查看文件属性??? (上一级目录没有执行权限)
最终总结:
1) root用户可以随意查看和编辑任意目录信息, 不受到权限限制
2) 目录的执行权限是最重要,rx配合能正常查看目录下面的子目录和文件信息,wx配合能正常在目录中创建/删除/重命名数据信息
属主权限: 7 (rwx) 属组权限5(rx) 其他用户5(rx) --- 默认目录权限755
三操作系统读取数据原理(inode block)
对于文件
inode是存储文件的属性和指针信息,block: 存储文件数据内容
文件读权限: 可以查看文件内容信息(获取指针信息)
文件写权限: 可以编辑文件内容信息 --> rw权限
对于文件,打开文件就是看文件的block的内容了,也就是文件内容
对于目录
inode: 存储目录属性信息/指针信息
block: 目录下面数据名称信息
目录执行权限: 可以进入到目录中,获取目录指针信息
目录读权限: 可以查看目录中数据信息,也就是查看目录下的文件名称信息,包括目录的block信息
对于目录,查看其block,使用vim就可以查看
[root@centos71 teststy]# vim ./
[root@centos71 teststy]# cd ..
[root@centos71 test3]# pwd
/test3
[root@centos71 test3]# vim ./
对文件的处理是有过程的,就像到亲戚家做客,中间会经过很多路,如果正在修路会受影响
要关注起点过程和终点
以/test3/teststy/happy01.txt 文件为例
[root@centos71 ~]# tree /test3/teststy/
/test3/teststy/
├── happy01.txt
├── happy02.txt
├── happy03.txt
├── happy04.txt
└── happy05.txt
0 directories, 5 files
[root@centos71 ~]# ls /test3/teststy/happy01.txt
/test3/teststy/happy01.txt
对文件关注应该从/开始,/有inode信息,存储的是其属性信息
最重要的是权限信息
权限是555,最核心的是x执行权限,这样就保证了属组和其他人可以进入到此目录
要看目录里面的文件信息,包括子目录和文件,就需要读的权限
读取和执行权限都有了,就会获取到指针信息
指针信息的作用就是指引我们去找/目录的block信息
没有读就无法获取属性信息,指针信息才可以看block,就可以看到目录的数据
[root@centos71 ~]# ll -d /
dr-xr-xr-x. 28 root root 4096 Dec 23 20:52 /
通过block看到/下面有子目录/test3就可以继续往下面走
否则就会报错,没有此文件或者目录
通过下面方式查看到有test目录,路就可以往下面走了
[root@centos71 ~]# vim ./
进入到test3目录,和/目录一样,要关注其inode,也就是关注其属性信息
注意属主是root,其他人也有读取和执行权限,可以看到指针信息和block,也就可以看到/test目录里面的文件和子目录信息了
[root@centos71 ~]# cd /test3
[root@centos71 test3]# pwd
/test3
[root@centos71 test3]# vim ./
[root@centos71 test3]# ls
teststy
[root@centos71 test3]# ll -d
drwxr-xr-x. 3 root root 21 Dec 24 09:22 .
[root@centos71 test3]# ll
total 0
d--x--x--x. 2 wang wang 101 Dec 23 21:51 teststy
按照前面的方法进入到下一级目录,这时候要关注文件的权限信息
[root@centos71 test3]# cd teststy/
[root@centos71 teststy]# ll -d
d--x--x--x. 2 wang wang 101 Dec 23 21:51 .
[root@centos71 teststy]# vim ./
" ============================================================================
" Netrw Directory Listing (netrw v149)
" /test3/teststy
" Sorted by name
" Sort sequence: [/]$,<core\%(.d+)=>,.h$,.c$,.cpp$,~=*$,*,.o$,.obj$,.info$,.swp$,.b
" Quick Help: <F1>:help -:go up dir D:delete R:rename s:sort-by x:exec
" ============================================================================
../
./
happy01.txt
happy02.txt
happy03.txt
happy04.txt
happy05.txt
.swp
[root@centos71 teststy]# ll
total 4
-rw-r--r--. 1 root root 7 Dec 24 09:27 happy01.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy02.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy03.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy04.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy05.txt
[root@centos71 teststy]# pwd
/test3/teststy
wang用户作为其他人,只能进入到目录/test3/teststy/里面,但是无法查看文件的内容
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ pwd
/home/wang
[wang@centos71 ~]$ ll /test3/teststy/ -d
d--x--x--x. 2 wang wang 101 Dec 24 09:27 /test3/teststy/
[wang@centos71 ~]$ cd /test3/teststy/
[wang@centos71 teststy]$ ls
ls: cannot open directory .: Permission denied
[wang@centos71 teststy]$ ll
ls: cannot open directory .: Permission denied
[wang@centos71 teststy]$
文件只有读权限,只能查看文件名称,不能查看文件属性的原因分析
root用户:属于无敌存在,想干什么干什么
属主用户:只能查看文件名称不能查看文件属性???
其他用户:只能查看文件名称,不能查看文件属性???
[root@centos71 teststy]# chmod 444 /test3/teststy
[root@centos71 teststy]# ll /test3/teststy -d
dr--r--r--. 2 wang wang 101 Dec 24 09:27 /test3/teststy
[root@centos71 teststy]# ll /test3/teststy
total 4
-rw-r--r--. 1 root root 7 Dec 24 09:27 happy01.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy02.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy03.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy04.txt
-rw-r--r--. 1 root root 0 Dec 23 21:36 happy05.txt
r可以读取到指针信息以及block信息,那么就可以看到此目录里面的数据信息
文件的属性信息为???说明没有读取到,因为其存储到文件的inode里面
但是wang没有x执行权限进入到/test3/teststy/目录里面,也就无法查看到此目录里面的文件的inode信息了
那么就无法查看到目录下面文件的属性信息,得不到指针信息和block信息
[wang@centos71 ~]$ ls /test3/teststy/
ls: cannot access /test3/teststy/happy02.txt: Permission denied
ls: cannot access /test3/teststy/happy03.txt: Permission denied
ls: cannot access /test3/teststy/happy04.txt: Permission denied
ls: cannot access /test3/teststy/happy05.txt: Permission denied
ls: cannot access /test3/teststy/happy01.txt: Permission denied
happy01.txt happy02.txt happy03.txt happy04.txt happy05.txt
[wang@centos71 ~]$ ll /test3/teststy/
ls: cannot access /test3/teststy/happy02.txt: Permission denied
ls: cannot access /test3/teststy/happy03.txt: Permission denied
ls: cannot access /test3/teststy/happy04.txt: Permission denied
ls: cannot access /test3/teststy/happy05.txt: Permission denied
ls: cannot access /test3/teststy/happy01.txt: Permission denied
total 0
-????????? ? ? ? ? ? happy01.txt
-????????? ? ? ? ? ? happy02.txt
-????????? ? ? ? ? ? happy03.txt
-????????? ? ? ? ? ? happy04.txt
-????????? ? ? ? ? ? happy05.txt
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ pwd
/home/wang
四操作系统权限设置方法
(一)系统数据默认权限
创建一个文件: 默认权限644
创建一个目录: 默认权限755
umask 查看默认权限运算数值/改变默认权限
默认文件权限: 666 - umask = 666 - 022 = 644
666 - 044 = 622 umask偶数正常运算
666 - 033 = 644 umask奇数正常运算之后+1
默认目录权限: 777 - umask = 777 - 022 = 755
777 - 044 = 733
777 - 033 = 744
注意对于文件的权限,umask是偶数,正常运算;奇数,正常运算之后+1
[root@centos71 ~]# whoami
root
[root@centos71 ~]# pwd
/root
[root@centos71 ~]# umask
0022
[wang@centos71 test]$ whoami
wang
[wang@centos71 test]$ umask
0002
上面的设置由此文件决定
[root@centos71 ~]# vim /etc/profile
# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
umask 002
else
umask 022
fi
$UID -gt 199
判断当前登录用户UID是否大于199
[root@centos71 ~]# id root
uid=0(root) gid=0(root) groups=0(root)
[root@centos71 ~]# id wang
uid=1020(wang) gid=1020(wang) groups=1020(wang)
/usr/bin/id -gn
判断登录用户名称和组名称是否一致
[root@centos71 ~]# id -g
0
[root@centos71 ~]# id -gn
root
[root@centos71 ~]# id -n
id: cannot print only names or real IDs in default format
[root@centos71 ~]# id -u
0
[root@centos71 ~]# id -n
id: cannot print only names or real IDs in default format
[root@centos71 ~]# id -un
root
五操作系统数据权限设置
(一)直接修改数据权限
注意权限不能过宽,否则可能会被黑客攻击,保证数据的安全性
chmod u/g/o+/-/=---针对不同用户设置权限
chmod a+/-/----针对所有用户统一设置权限
chmod 755---针对所有用户设置权限
chmod-Rxxx--递归设置权限(慎用)
(二)修改数据属主用户
chown属主信息 数据信息
chown属组信息 数据信息
chown属主信息 属组信息数据信息
chown -R 属主信息.属组信息 目录信息 --递归修改目录属主和属组信息(比如网站权限调整)
文件无法保存并且root用户无法编写文件
确认数据信息是否上锁
[root@centos71 ~]# lsattr /etc/hosts
---------------- /etc/hosts
[root@centos71 ~]# chattr +i /etc/hosts
[root@centos71 ~]# lsattr /etc/hosts
----i----------- /etc/hosts
解锁
[root@centos71 ~]# chattr -i /etc/hosts
[root@centos71 ~]# lsattr /etc/hosts
---------------- /etc/hosts
六操作系统特殊权限
(一)setuid: 让普通用户可以拥有属主用户能力
setuid: 让普通用户可以拥有属主的能力,是对命令文件进行权限调整
没有setuid权限时,只能root用户查看shadow文件
拥有setuid权限时,所有普通用户查看shadow文件
[root@centos71 ~]# whoami
root
[root@centos71 ~]# pwd
/root
[root@centos71 ~]# ll /etc/shadow
----------. 1 root root 4620 Dec 23 12:18 /etc/shadow
[root@centos71 ~]# cat /etc/shadow | head
root:$6$74iiqdl8$U926ZrOy38rx8tapqOrdwJDcSAUbZjkQVGKNCaaX.5RdWW6J4nPRhiy5mq9xazTIPIlm7CzkdRWbTqWZMTHMS.:18250:0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
shutdown:*:17834:0:99999:7:::
halt:*:17834:0:99999:7:::
mail:*:17834:0:99999:7:::
operator:*:17834:0:99999:7:::
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ pwd
/home/wang
[wang@centos71 ~]$ ll /etc/shadow
----------. 1 root root 4620 Dec 23 12:18 /etc/shadow
[wang@centos71 ~]$ cat /etc/shadow | head
cat: /etc/shadow: Permission denied
setgid:让普通用户可以拥有属组用户能力
对操作文件命令进行权限调整,不常用
chmod g+s/chmod 2644---设置setgid权限
(二)粘滞位:只有文件属主对该目录数据进行调整
粘滞位:创建一个共享目录,只能文件属主用户对自己数据进行调整,其他用户只能查看
chmod o+t/chmod 1755---设置粘滞位权限
共享目录的权限只能自己可以修改,其他用户只能看
临时共享数据目录/tmp/
注意此目录权限不能修改,否则mysqu5.5--无法启动
[root@centos71 ~]# ll -d /tmp/
drwxrwxrwt. 13 root root 4096 Dec 23 11:35 /tmp
对于其他人wang用户来说,没有执行权限,w无法起作用,也就是无法删除目录里面的文件和子目录了
[wang@centos71 ~]$ ll -d /tmp/
drwxrwxrwt. 15 root root 4096 Dec 24 10:44 /tmp/
[wang@centos71 ~]$ ll /tmp/
total 20
-rw-r--r--. 1 root root 18281 Dec 19 21:31 functions
drwx------. 3 root root 17 Dec 24 08:28 systemd-private-ea4129b5d18c4ee580dd07a2c8154e77-chronyd.service-Nb09BH
drwx------. 2 root root 6 Dec 20 08:32 vmware-root_6183-1983194517
drwx------. 2 root root 6 Dec 22 23:43 vmware-root_6219-1690047046
drwx------. 2 root root 6 Dec 21 14:37 vmware-root_6223-1681855427
drwx------. 2 root root 6 Dec 23 08:24 vmware-root_6224-734038020
drwx------. 2 root root 6 Dec 24 08:28 vmware-root_6230-734169091
drwx------. 2 root root 6 Dec 23 23:22 vmware-root_6233-1714755028
drwx------. 2 root root 6 Dec 20 08:44 vmware-root_6234-692293512
[wang@centos71 ~]$ rm -f /tmp/*
rm: cannot remove ‘/tmp/functions’: Operation not permitted
rm: cannot remove ‘/tmp/systemd-private-ea4129b5d18c4ee580dd07a2c8154e77-chronyd.service-Nb09BH’: Is a directory
rm: cannot remove ‘/tmp/vmware-root_6183-1983194517’: Is a directory
rm: cannot remove ‘/tmp/vmware-root_6219-1690047046’: Is a directory
rm: cannot remove ‘/tmp/vmware-root_6223-1681855427’: Is a directory
rm: cannot remove ‘/tmp/vmware-root_6224-734038020’: Is a directory
rm: cannot remove ‘/tmp/vmware-root_6230-734169091’: Is a directory
rm: cannot remove ‘/tmp/vmware-root_6233-1714755028’: Is a directory
rm: cannot remove ‘/tmp/vmware-root_6234-692293512’: Is a directory
[wang@centos71 ~]$ rm -rf /tmp/*
rm: cannot remove ‘/tmp/functions’: Operation not permitted
rm: cannot remove ‘/tmp/systemd-private-ea4129b5d18c4ee580dd07a2c8154e77-chronyd.service-Nb09BH’: Operation not permitted
rm: cannot remove ‘/tmp/vmware-root_6183-1983194517’: Operation not permitted
rm: cannot remove ‘/tmp/vmware-root_6219-1690047046’: Operation not permitted
rm: cannot remove ‘/tmp/vmware-root_6223-1681855427’: Operation not permitted
rm: cannot remove ‘/tmp/vmware-root_6224-734038020’: Operation not permitted
rm: cannot remove ‘/tmp/vmware-root_6230-734169091’: Operation not permitted
rm: cannot remove ‘/tmp/vmware-root_6233-1714755028’: Operation not permitted
rm: cannot remove ‘/tmp/vmware-root_6234-692293512’: Operation not permitted
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ mkdir /home/wang/share
[wang@centos71 ~]$ ls /home/wang/share
[wang@centos71 ~]$ ll -d /home/wang/share
drwxrwxr-x. 2 wang wang 6 Dec 24 10:38 /home/wang/share
[wang@centos71 ~]$ chmod o+t /home/wang/share
[wang@centos71 ~]$ ll -d /home/wang/share
drwxrwxr-t. 2 wang wang 6 Dec 24 10:38 /home/wang/share
[wang@centos71 ~]$ cd /home/wang/share
[wang@centos71 share]$ touch hahaha{01..06}.txt
[wang@centos71 share]$ ll
total 0
-rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha01.txt
-rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha02.txt
-rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha03.txt
-rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha04.txt
-rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha05.txt
-rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha06.txt
[root@centos71 ~]# id zhao
uid=1040(zhao) gid=1040(zhao) groups=1040(zhao)
[root@centos71 ~]# su - zhao
Last login: Mon Dec 23 21:22:13 CST 2019 on pts/5
[zhao@centos71 ~]$ whoami
zhao
[zhao@centos71 ~]$ pwd
/home/zhao
[zhao@centos71 ~]$ ll -d /home/wang/share
ls: cannot access /home/wang/share: Permission denied
[zhao@centos71 ~]$ rm -rf /home/wang/share
rm: cannot remove ‘/home/wang/share’: Permission denied
[zhao@centos71 ~]$ ls /home/wang/share
ls: cannot access /home/wang/share: Permission denied
[zhao@centos71 ~]$ cd /home/wang/share
-bash: cd: /home/wang/share: Permission denied
[zhao@centos71 ~]$
往文件里面添加内容
[wang@centos71 ~]$ ll -d /home/wang/share/
drwxrwxr-t. 2 wang wang 126 Dec 24 10:41 /home/wang/share/
[wang@centos71 ~]$ cd /home/wang/share/
[wang@centos71 share]$ ls
hahaha01.txt hahaha02.txt hahaha03.txt hahaha04.txt hahaha05.txt hahaha06.txt
[wang@centos71 share]$ echo abcdefghijklmn >> hahaha01.txt
[wang@centos71 share]$ cat hahaha01.txt
abcdefghijklmn
其他人zhao无法查看
[zhao@centos71 ~]$ cat /home/wang/share/hahaha01.txt
cat: /home/wang/share/hahaha01.txt: Permission denied
七操作系统用户提权配置
集中管理用户权限,相当于windows的域控
之前使用的是LDAP服务,已经淘汰了,现在使用jumpserver跳板机
说明:指定相应普通用户可以拥有root用户能力
(一)修改提权配置文件——/etc/sudoers
打开文件,指定跳到100行,建议使用visudo 打开,这样可以检查语法错误
第一列:只能提权用户信息;第二列:权限集中管理配置;第三列:指定特权信息
[root@centos71 ~]# cat -n /etc/sudoers | grep "100"
100 root ALL=(ALL) ALL
(二)sudo提权文件书写规范
1)必须有三列信息,列与列之前要有空格分隔
2)提权命令必须写成绝对路径,否则会出现语法报错
3) 提权多个命令, 用逗号空格进行分隔
语法报错,因为/bin/cat 之前没有写绝对路径
[root@centos71 ~]# visudo
"/etc/sudoers.tmp" 121L, 4368C written
>>> /etc/sudoers: syntax error near line 101 <<<
What now?
Options are:
(e)dit sudoers file again
e(x)it without saving changes to sudoers file
(Q)uit and save changes to sudoers file (DANGER!)
[root@centos71 ~]# cat /etc/sudoers | grep wang
wang ALL=(ALL) /bin/cat /etc/shadow
[wang@centos71 ~]$ cat /etc/shadow
cat: /etc/shadow: Permission denied
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ ll /etc/shadow
----------. 1 root root 4524 Dec 23 09:06 /etc/shadow
(三)测试提权效果
查看是否拥有特权信息
[root@centos71 ~]# su - wang
Last login: Tue Dec 24 09:30:23 CST 2019 on pts/1
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ sudo -l
Matching Defaults entries for wang on centos71:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User wang may run the following commands on centos71:
(ALL) NOPASSWD: /bin/cat /etc/shadow
查看文件要加sudo
[wang@centos71 ~]$ sudo cat /etc/shadow | head
root:$6$74iiqdl8$U926ZrOy38rx8tapqOrdwJDcSAUbZjkQVGKNCaaX.5RdWW6J4nPRhiy5mq9xazTIPIlm7CzkdRWbTqWZMTHMS.:18250:0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
shutdown:*:17834:0:99999:7:::
halt:*:17834:0:99999:7:::
mail:*:17834:0:99999:7:::
operator:*:17834:0:99999:7:::
[wang@centos71 ~]$
echo的时候,使用到>会有问题,系统会识别为字符信息,所以吧建议加到文件里面
使用vim,注意加入到文件里面的命令不能有别名
提权操作在命令信息前面加上NOPASSWD表示取消提权输入密码的过程
[root@centos71 ~]# cat -n /etc/sudoers | grep "101"
101 wang ALL=(ALL) NOPASSWD: /bin/cat /etc/shadow, /bin/cat /etc/hosts,/usr/bin/vim /etc/hosts
[root@centos71 ~]# cat -n /etc/sudoers | grep "wang"
101 wang ALL=(ALL) NOPASSWD: /bin/cat /etc/shadow, /bin/cat /etc/hosts,/usr/bin/vim /etc/hosts
[wang@centos71 ~]$ sudo -l
Matching Defaults entries for wang on centos71:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User wang may run the following commands on centos71:
(ALL) NOPASSWD: /bin/cat /etc/shadow, /bin/cat /etc/hosts, /usr/bin/vim /etc/hosts
[wang@centos71 ~]$ ll /etc/hosts
-rwxr-x--x. 1 root root 184 Dec 24 11:28 /etc/hosts
在尾行添加内容
[wang@centos71 ~]$ whoami
wang
[wang@centos71 ~]$ sudo vim /etc/hosts
[wang@centos71 ~]$ cat /etc/hosts
cat: /etc/hosts: Permission denied
[wang@centos71 ~]$ sudo cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.200 www.baidu.com
取反就不会删除指定目录
Linux setfacl没什么用的
[root@centos71 ~]# setfacl --help
setfacl 2.2.51 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
-m, --modify=acl modify the current ACL(s) of file(s)
-M, --modify-file=file read ACL entries to modify from file
-x, --remove=acl remove entries from the ACL(s) of file(s)
-X, --remove-file=file read ACL entries to remove from file
-b, --remove-all remove all extended ACL entries
-k, --remove-default remove the default ACL
--set=acl set the ACL of file(s), replacing the current ACL
--set-file=file read ACL entries to set from file
--mask do recalculate the effective rights mask
-n, --no-mask don't recalculate the effective rights mask
-d, --default operations apply to the default ACL
-R, --recursive recurse into subdirectories
-L, --logical logical walk, follow symbolic links
-P, --physical physical walk, do not follow symbolic links
--restore=file restore ACLs (inverse of `getfacl -R')
--test test mode (ACLs are not modified)
-v, --version print version and exit
-h, --help this help text
系统用户权限问题及调整方法总结
1)直接修改文件数据权限信息(rwx)chmod
2)直接修改文件数据属主信息chown
3)修改文件数据特殊权限信息setuid/粘滞位
4)修改系统普通提权信息sudo
5)确认文件数据是否上锁了chattr +i/-i lsattr
6)将用户切换为root用户su-root,比如出现报警情况