Operating system permissions


     2019-12-23


    Overview of operating system permissions


    1) Operating system permission concepts
    2) Operating system default permission settings (adjusting permissions)
    3) How the operating system reads data
    4) Operating system special permissions (setuid, setgid, sticky bit)
    5) Operating system user privilege escalation configuration (sudo)
    6) Operating system user-related commands
    7) Operating system user-related files (regular files / directories)

    1. File permission concepts

    Basic permissions: rwx
    Permission classes: owner   group   other users


    For a regular file:
    r: whether the file contents can be viewed (whether the block can be read)
    w: whether the file contents can be edited (whether the block can be rewritten)

    w needs r alongside it: if a file is opened in vim without read permission and the save is forced (x!), the original contents are wiped.
    x: whether the commands or script inside the file can be executed

    Case 1: file permission is r, read only

    [root@centos71 test]# cat  /test/test.sh
    whoami
    [root@centos71 test]# ll  /test/test.sh
    -rw-r--r--. 1 root root 7 Dec 23 19:51 /test/test.sh
    [root@centos71 test]# pwd
    /test

    Switch to a regular user to test:

    [root@centos71 ~]# su  - wang
    Last login: Mon Dec 23 12:21:24 CST 2019 on pts/3
    [wang@centos71 ~]$ ll -d  /test/test.sh 
    -rw-r--r--. 1 root root 7 Dec 23 19:51 /test/test.sh
    [wang@centos71 ~]$ ll   /test/test.sh 
    -rw-r--r--. 1 root root 7 Dec 23 19:51 /test/test.sh
    [wang@centos71 ~]$ cat  /test/test.sh
    whoami
    [wang@centos71 ~]$ echo  'hostname'  >>  /test/test.sh
    -bash: /test/test.sh: Permission denied
    [wang@centos71 ~]$ /test/test.sh
    -bash: /test/test.sh: Permission denied
    [wang@centos71 ~]$ pwd
    /home/wang
    [wang@centos71 ~]$ whoami 
    wang

    Case 2: file permission is rw, read and write

    [root@centos71 test]# chmod   o+w   /test/test.sh
    [root@centos71 test]# ll  /test/test.sh
    -rw-r--rw-. 1 root root 7 Dec 23 19:51 /test/test.sh
    [wang@centos71 ~]$ pwd
    /home/wang
    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ ll   /test/test.sh 
    -rw-r--rw-. 1 root root 7 Dec 23 19:51 /test/test.sh
    [wang@centos71 ~]$ cat /test/test.sh
    whoami
    [wang@centos71 ~]$ echo  'hostname'  >>  /test/test.sh
    [wang@centos71 ~]$ cat /test/test.sh
    whoami
    hostname
    [wang@centos71 ~]$ /test/test.sh
    -bash: /test/test.sh: Permission denied

    Case 3: file permission is rx, read and execute

    [root@centos71 test]# chmod   o-w   /test/test.sh
    [root@centos71 test]# chmod   o+x   /test/test.sh
    [root@centos71 test]# ll  /test/test.sh
    -rw-r--r-x. 1 root root 16 Dec 23 19:59 /test/test.sh
    [wang@centos71 ~]$ ll   /test/test.sh 
    -rw-r--r-x. 1 root root 16 Dec 23 19:59 /test/test.sh
    [wang@centos71 ~]$ echo  'pwd'  >>  /test/test.sh
    -bash: /test/test.sh: Permission denied
    [wang@centos71 ~]$ /test/test.sh
    wang
    centos71.com

    Case 4: file permission is w, write only

    [root@centos71 test]# chmod   642   /test/test.sh
    [root@centos71 test]# ll  /test/test.sh
    -rw-r---w-. 1 root root 16 Dec 23 19:59 /test/test.sh
    [wang@centos71 ~]$ ll   /test/test.sh 
    -rw-r---w-. 1 root root 16 Dec 23 19:59 /test/test.sh
    [wang@centos71 ~]$ cat  /test/test.sh
    cat: /test/test.sh: Permission denied
    [wang@centos71 ~]$ echo  'hostname'  >  /test/test.sh
    [wang@centos71 ~]$ ll  /test/test.sh
    -rw-r---w-. 1 root root 9 Dec 23 20:21 /test/test.sh
    [wang@centos71 ~]$ /test/test.sh
    -bash: /test/test.sh: Permission denied
    [wang@centos71 ~]$ 

    Note: although content was written earlier, nothing is displayed when the file is edited with vim.

    Yet the size shows that the file did have content before:

    [wang@centos71 ~]$ ll  /test/test.sh
    -rw-r---w-. 1 root root 9 Dec 23 20:18 /test/test.sh

    Case 5: file permission is rw, write and read

    [root@centos71 test]# ll  /test/test.sh
    -rw-r---w-. 1 root root 9 Dec 23 20:21 /test/test.sh
    [root@centos71 test]# chmod   646  /test/test.sh
    [root@centos71 test]# ll  /test/test.sh
    -rw-r--rw-. 1 root root 9 Dec 23 20:21 /test/test.sh
    [wang@centos71 ~]$ ll  /test/test.sh
    -rw-r--rw-. 1 root root 13 Dec 23 20:25 /test/test.sh
    [wang@centos71 ~]$ cat  /test/test.sh
    hostname
    pwd
    [wang@centos71 ~]$ echo  'pwd'  >>  /test/test.sh
    [wang@centos71 ~]$ cat  /test/test.sh
    hostname
    pwd
    pwd
    [wang@centos71 ~]$ ll  /test/test.sh
    -rw-r--rw-. 1 root root 17 Dec 23 20:26 /test/test.sh
    [wang@centos71 ~]$ /test/test.sh
    -bash: /test/test.sh: Permission denied

    Note: this time the file opens normally and its contents are not overwritten.

    Case 6: file permission is wx, write permission without read

    [wang@centos71 ~]$ ll  /test/test.sh
    -rw-r---wx. 1 root root 17 Dec 23 20:26 /test/test.sh
    [wang@centos71 ~]$ cat  /test/test.sh
    cat: /test/test.sh: Permission denied
    [wang@centos71 ~]$ echo   'hostname'  >  /test/test.sh
    [wang@centos71 ~]$ /test/test.sh
    bash: /test/test.sh: Permission denied

    Opening the file overwrites its contents.

    But the file did originally have content:

    [wang@centos71 ~]$ ll  /test/test.sh
    -rw-r---wx. 1 root root 9 Dec 23 20:29 /test/test.sh
    [wang@centos71 ~]$ 

    Case 7: file permission is x only, no usable permission

    [wang@centos71 ~]$ ll  /test/test.sh
    -rw-r----x. 1 root root 9 Dec 23 20:29 /test/test.sh
    [wang@centos71 ~]$ cat  /test/test.sh
    cat: /test/test.sh: Permission denied
    [wang@centos71 ~]$ echo   'hostname'  >  /test/test.sh
    -bash: /test/test.sh: Permission denied
    [wang@centos71 ~]$ /test/test.sh
    bash: /test/test.sh: Permission denied

    Opening the file overwrites its contents.

    Summary of file permissions

    1) The file has no permissions
    root user: can write and edit, but cannot execute
    owner user: can write, but overwrites the existing content
    other users: no permissions at all

    2) The file has only read permission
    root user and owner user: can edit and view the file
    other users: can only view, cannot edit

    The root user can view and edit any file at will; it is not restricted by permissions.

    Among file permissions, read is the most important: rw together allows a file to be edited normally, rx together allows it to be executed normally.

    Owner permission: 6 (rw)   group permission: 4 (r)   other users: 4 (r) --- default file permission 644

    Note: write the file as a script so that it is something executable; only then does the execute permission have anything to apply to.

    2. Directory permission concepts

    r: whether the entries under the directory (subdirectories or files) can be listed
    w: whether entries (subdirectories or files) can be deleted/added/renamed in the directory
    x: whether the directory can be entered (cd into it)

    Case 1: directory has only r permission

    [root@centos71 ~]# mkdir  /test3/teststy  -pv
    mkdir: created directory ‘/test3’
    mkdir: created directory ‘/test3/teststy’
    [root@centos71 ~]# touch   /test3/teststy/happy{01..5}.txt
    [root@centos71 ~]# ls  /test3/teststy
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [root@centos71 ~]# tree  /test3/teststy
    /test3/teststy
    ├── happy01.txt
    ├── happy02.txt
    ├── happy03.txt
    ├── happy04.txt
    └── happy05.txt
    
    0 directories, 5 files
    [root@centos71 ~]# tree  /test3/
    /test3/
    └── teststy
        ├── happy01.txt
        ├── happy02.txt
        ├── happy03.txt
        ├── happy04.txt
        └── happy05.txt
    
    1 directory, 5 files
    [root@centos71 ~]# ll -d   /test3/teststy
    drwxr-xr-x. 2 root root 101 Dec 23 20:52 /test3/teststy
    [root@centos71 ~]# id wang
    uid=1020(wang) gid=1020(wang) groups=1020(wang)
    [root@centos71 ~]# chown  wang.wang     /test3/teststy
    [root@centos71 ~]# ll -d   /test3/teststy
    drwxr-xr-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
    [root@centos71 ~]# 
    [root@centos71 ~]# ll -d   /test3/teststy
    drwxr-xr-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
    [root@centos71 ~]# chmod   445   /test3/teststy
    [root@centos71 ~]# ll -d   /test3/teststy
    dr--r--r-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
    [root@centos71 ~]# 

    The directory cannot be entered, so files inside it cannot be modified, deleted or created either:

    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ pwd
    /home/wang
    [wang@centos71 ~]$ ll -d   /test3/teststy
    dr--r--r-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
    [wang@centos71 ~]$ cd  /test3/teststy
    -bash: cd: /test3/teststy: Permission denied
    [wang@centos71 ~]$ ls  /test3/teststy
    ls: cannot access /test3/teststy/happy01.txt: Permission denied
    ls: cannot access /test3/teststy/happy02.txt: Permission denied
    ls: cannot access /test3/teststy/happy03.txt: Permission denied
    ls: cannot access /test3/teststy/happy04.txt: Permission denied
    ls: cannot access /test3/teststy/happy05.txt: Permission denied
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [wang@centos71 ~]$ ls  /test3/teststy  -l
    ls: cannot access /test3/teststy/happy01.txt: Permission denied
    ls: cannot access /test3/teststy/happy02.txt: Permission denied
    ls: cannot access /test3/teststy/happy03.txt: Permission denied
    ls: cannot access /test3/teststy/happy04.txt: Permission denied
    ls: cannot access /test3/teststy/happy05.txt: Permission denied
    total 0
    -????????? ? ? ? ?            ? happy01.txt
    -????????? ? ? ? ?            ? happy02.txt
    -????????? ? ? ? ?            ? happy03.txt
    -????????? ? ? ? ?            ? happy04.txt
    -????????? ? ? ? ?            ? happy05.txt

    Case 2: directory has only w permission

    [root@centos71 ~]# chmod   245   /test3/teststy
    [root@centos71 ~]# ll -d   /test3/teststy
    d-w-r--r-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
    [wang@centos71 ~]$ ls  /test3/teststy  -ld
    d-w-r--r-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
    [wang@centos71 ~]$ cd   /test3/teststy 
    -bash: cd: /test3/teststy: Permission denied
    [wang@centos71 ~]$ rm  -rf  /test3/teststy/*
    rm: cannot remove ‘/test3/teststy/*’: Permission denied
    [wang@centos71 ~]$ touch   /test3/teststy/happy.txt
    touch: cannot touch ‘/test3/teststy/happy.txt’: Permission denied

    Case 3: directory has only x permission

    The directory can be entered, but files inside it cannot be modified, deleted or created:

    [wang@centos71 ~]$ ls  /test3/teststy  -ld
    d--xr--r-x. 2 wang wang 101 Dec 23 20:52 /test3/teststy
    [wang@centos71 ~]$ ll    /test3/teststy 
    ls: cannot open directory /test3/teststy: Permission denied
    [wang@centos71 ~]$ ls    /test3/teststy 
    ls: cannot open directory /test3/teststy: Permission denied
    [wang@centos71 ~]$ echo   'hostname'  >  /test3/teststy/happy01.txt
    -bash: /test3/teststy/happy01.txt: Permission denied
    [wang@centos71 ~]$ rm  -rf  /test3/teststy/happy01.txt
    rm: cannot remove ‘/test3/teststy/happy01.txt’: Permission denied
    [wang@centos71 ~]$ ll  -lih
    total 0
    [wang@centos71 ~]$ ll  -lih    /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [wang@centos71 ~]$ cd  /test3/teststy
    [wang@centos71 teststy]$ ls
    ls: cannot open directory .: Permission denied
    [wang@centos71 teststy]$ ll
    ls: cannot open directory .: Permission denied

    Detailed analysis of the permissions, broken down by the three kinds of user:

                        no permission          read only              write only             execute only
        root user:      read, write, execute   read, write, execute   read, write, execute   read, write, execute
        owner user:     nothing                only sees names        nothing                can cd into it
        other users:    nothing                only sees names        nothing                can cd into it

    (1) Directory with no permissions

    root user: can read, write and execute

    [root@centos71 ~]# chmod  000   /test3/teststy
    [root@centos71 ~]# ll -d   /test3/teststy
    d---------. 2 wang wang 101 Dec 23 20:52 /test3/teststy
    [root@centos71 ~]# cd  /test3/teststy
    [root@centos71 teststy]# ls
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [root@centos71 teststy]# ll
    total 0
    -rw-r--r--. 1 root root 0 Dec 23 20:52 happy01.txt
    -rw-r--r--. 1 root root 0 Dec 23 20:52 happy02.txt
    -rw-r--r--. 1 root root 0 Dec 23 20:52 happy03.txt
    -rw-r--r--. 1 root root 0 Dec 23 20:52 happy04.txt
    -rw-r--r--. 1 root root 0 Dec 23 20:52 happy05.txt
    [root@centos71 teststy]# rm  -f  happy0*
    [root@centos71 teststy]# ls
    [root@centos71 teststy]# ll
    total 0
    [root@centos71 teststy]# ll -d
    d---------. 2 wang wang 6 Dec 23 21:18 .
    [root@centos71 teststy]# touch   happy{01..5}.txt
    [root@centos71 teststy]# ll
    total 0
    -rw-r--r--. 1 root root 0 Dec 23 21:19 happy01.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:19 happy02.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:19 happy03.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:19 happy04.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:19 happy05.txt
    [root@centos71 teststy]# whoami 
    root

    Owner user: no ability at all

    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ pwd
    /home/wang
    [wang@centos71 ~]$ cd  /test3/teststy
    -bash: cd: /test3/teststy: Permission denied
    [wang@centos71 ~]$ ls  /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [wang@centos71 ~]$ ll  /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [wang@centos71 ~]$ rm  -rf  /test3/teststy/*
    rm: cannot remove ‘/test3/teststy/*’: Permission denied

    Other users: no ability at all

    [root@centos71 ~]# id  zhao
    uid=1040(zhao) gid=1040(zhao) groups=1040(zhao)
    [root@centos71 ~]# su  -  zhao
    Last login: Mon Dec 23 09:08:16 CST 2019 on pts/2
    [zhao@centos71 ~]$ whoami 
    zhao
    [zhao@centos71 ~]$ pwd
    /home/zhao
    [zhao@centos71 ~]$ ll  -d  /test3/teststy
    d---------. 2 wang wang 101 Dec 23 21:19 /test3/teststy
    [zhao@centos71 ~]$ ls  /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [zhao@centos71 ~]$ ll  /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [zhao@centos71 ~]$ cd  /test3/teststy
    -bash: cd: /test3/teststy: Permission denied
    [zhao@centos71 ~]$ rm  -rf  /test3/teststy/*
    rm: cannot remove ‘/test3/teststy/*’: Permission denied
    [zhao@centos71 ~]$ 

    (2) Directory with read permission only

    root user: can read, write and execute

    [root@centos71 ~]# chmod  444   /test3/teststy
    [root@centos71 ~]# ll  -d   /test3/teststy
    dr--r--r--. 2 wang wang 101 Dec 23 21:19 /test3/teststy
    [root@centos71 ~]# ls  /test3/teststy
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [root@centos71 ~]# ll  /test3/teststy
    total 0
    -rw-r--r--. 1 root root 0 Dec 23 21:19 happy01.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:19 happy02.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:19 happy03.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:19 happy04.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:19 happy05.txt
    [root@centos71 ~]# cd  /test3/teststy
    [root@centos71 teststy]# ls
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [root@centos71 teststy]# rm  -rf  *
    [root@centos71 teststy]# touch  happy{01..5}.txt
    [root@centos71 teststy]# ls
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [root@centos71 teststy]# ll
    total 0
    -rw-r--r--. 1 root root 0 Dec 23 21:25 happy01.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:25 happy02.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:25 happy03.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:25 happy04.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:25 happy05.txt
    [root@centos71 teststy]# 

    The owner can only see the names of the files in the directory:

    [wang@centos71 ~]$ ll -d   /test3/teststy
    dr--r--r--. 2 wang wang 101 Dec 23 21:25 /test3/teststy
    [wang@centos71 ~]$ ls  /test3/teststy
    ls: cannot access /test3/teststy/happy01.txt: Permission denied
    ls: cannot access /test3/teststy/happy02.txt: Permission denied
    ls: cannot access /test3/teststy/happy03.txt: Permission denied
    ls: cannot access /test3/teststy/happy04.txt: Permission denied
    ls: cannot access /test3/teststy/happy05.txt: Permission denied
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [wang@centos71 ~]$ ll    /test3/teststy
    ls: cannot access /test3/teststy/happy01.txt: Permission denied
    ls: cannot access /test3/teststy/happy02.txt: Permission denied
    ls: cannot access /test3/teststy/happy03.txt: Permission denied
    ls: cannot access /test3/teststy/happy04.txt: Permission denied
    ls: cannot access /test3/teststy/happy05.txt: Permission denied
    total 0
    -????????? ? ? ? ?            ? happy01.txt
    -????????? ? ? ? ?            ? happy02.txt
    -????????? ? ? ? ?            ? happy03.txt
    -????????? ? ? ? ?            ? happy04.txt
    -????????? ? ? ? ?            ? happy05.txt
    [wang@centos71 ~]$ cd  /test3/teststy
    -bash: cd: /test3/teststy: Permission denied
    [wang@centos71 ~]$ rm  -rf  /test3/teststy/*
    rm: cannot remove ‘/test3/teststy/happy01.txt’: Permission denied
    rm: cannot remove ‘/test3/teststy/happy02.txt’: Permission denied
    rm: cannot remove ‘/test3/teststy/happy03.txt’: Permission denied
    rm: cannot remove ‘/test3/teststy/happy04.txt’: Permission denied
    rm: cannot remove ‘/test3/teststy/happy05.txt’: Permission denied

    Other users can only see the names of the files in the directory:

    [zhao@centos71 ~]$ ll  -d  /test3/teststy
    dr--r--r--. 2 wang wang 101 Dec 23 21:25 /test3/teststy
    [zhao@centos71 ~]$ ls  /test3/teststy
    ls: cannot access /test3/teststy/happy01.txt: Permission denied
    ls: cannot access /test3/teststy/happy02.txt: Permission denied
    ls: cannot access /test3/teststy/happy03.txt: Permission denied
    ls: cannot access /test3/teststy/happy04.txt: Permission denied
    ls: cannot access /test3/teststy/happy05.txt: Permission denied
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [zhao@centos71 ~]$ ll  /test3/teststy
    ls: cannot access /test3/teststy/happy01.txt: Permission denied
    ls: cannot access /test3/teststy/happy02.txt: Permission denied
    ls: cannot access /test3/teststy/happy03.txt: Permission denied
    ls: cannot access /test3/teststy/happy04.txt: Permission denied
    ls: cannot access /test3/teststy/happy05.txt: Permission denied
    total 0
    -????????? ? ? ? ?            ? happy01.txt
    -????????? ? ? ? ?            ? happy02.txt
    -????????? ? ? ? ?            ? happy03.txt
    -????????? ? ? ? ?            ? happy04.txt
    -????????? ? ? ? ?            ? happy05.txt
    [zhao@centos71 ~]$ cd  /test3/teststy
    -bash: cd: /test3/teststy: Permission denied
    [zhao@centos71 ~]$ rm  -rf  /test3/teststy/*
    rm: cannot remove ‘/test3/teststy/happy01.txt’: Permission denied
    rm: cannot remove ‘/test3/teststy/happy02.txt’: Permission denied
    rm: cannot remove ‘/test3/teststy/happy03.txt’: Permission denied
    rm: cannot remove ‘/test3/teststy/happy04.txt’: Permission denied
    rm: cannot remove ‘/test3/teststy/happy05.txt’: Permission denied

    (3) Directory with write permission only

    root user: can read, write and execute

    [root@centos71 ~]# chmod  222   /test3/teststy
    [root@centos71 ~]# ll  -d   /test3/teststy
    d-w--w--w-. 2 wang wang 101 Dec 23 21:25 /test3/teststy
    [root@centos71 ~]# ls  /test3/teststy
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [root@centos71 ~]# ll  /test3/teststy
    total 0
    -rw-r--r--. 1 root root 0 Dec 23 21:25 happy01.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:25 happy02.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:25 happy03.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:25 happy04.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:25 happy05.txt
    [root@centos71 ~]# cd  /test3/teststy
    [root@centos71 teststy]# ls
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [root@centos71 teststy]# rm  -rf  *
    [root@centos71 teststy]# touch  happy{01..5}.txt
    [root@centos71 teststy]# ls
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [root@centos71 teststy]# ll
    total 0
    -rw-r--r--. 1 root root 0 Dec 23 21:31 happy01.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:31 happy02.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:31 happy03.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:31 happy04.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:31 happy05.txt
    [root@centos71 teststy]# whoami 
    root

    Owner user: no ability at all

    [wang@centos71 ~]$ ll -d   /test3/teststy
    d-w--w--w-. 2 wang wang 101 Dec 23 21:31 /test3/teststy
    [wang@centos71 ~]$ ls  /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [wang@centos71 ~]$ ll   /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [wang@centos71 ~]$ cd  /test3/teststy
    -bash: cd: /test3/teststy: Permission denied
    [wang@centos71 ~]$ rm  -rf  /test3/teststy/*
    rm: cannot remove ‘/test3/teststy/*’: Permission denied
    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ pwd
    /home/wang

    Other users: no ability at all

    [zhao@centos71 ~]$ ll  -d  /test3/teststy
    d-w--w--w-. 2 wang wang 101 Dec 23 21:31 /test3/teststy
    [zhao@centos71 ~]$ ls  /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [zhao@centos71 ~]$ ll  /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [zhao@centos71 ~]$ cd  /test3/teststy
    -bash: cd: /test3/teststy: Permission denied
    [zhao@centos71 ~]$ rm  -rf  /test3/teststy/*
    rm: cannot remove ‘/test3/teststy/*’: Permission denied
    [zhao@centos71 ~]$ whoami 
    zhao
    [zhao@centos71 ~]$ pwd
    /home/zhao
    [zhao@centos71 ~]$ 

    (4) Directory with execute permission only

    root user: can read, write and execute

    [root@centos71 ~]# chmod   111  /test3/teststy
    [root@centos71 ~]# ll  -d   /test3/teststy
    d--x--x--x. 2 wang wang 101 Dec 23 21:31 /test3/teststy
    [root@centos71 ~]# ls  /test3/teststy
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [root@centos71 ~]# ll  /test3/teststy
    total 0
    -rw-r--r--. 1 root root 0 Dec 23 21:31 happy01.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:31 happy02.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:31 happy03.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:31 happy04.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:31 happy05.txt
    [root@centos71 ~]# cd  /test3/teststy
    [root@centos71 teststy]# ls
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [root@centos71 teststy]# rm  -rf  *
    [root@centos71 teststy]# touch  happy{01..5}.txt
    [root@centos71 teststy]# ls
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [root@centos71 teststy]# ll
    total 0
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy01.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy02.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy03.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy04.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy05.txt
    [root@centos71 teststy]# cd
    [root@centos71 ~]# whoami 
    root
    [root@centos71 ~]# pwd
    /root

    Owner user: can enter the directory, cannot delete files

    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ pwd
    /home/wang
    [wang@centos71 ~]$ ll -d   /test3/teststy
    d--x--x--x. 2 wang wang 101 Dec 23 21:36 /test3/teststy
    [wang@centos71 ~]$ ls   /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [wang@centos71 ~]$ ll   /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [wang@centos71 ~]$ cd  /test3/teststy
    [wang@centos71 teststy]$ ls
    ls: cannot open directory .: Permission denied
    [wang@centos71 teststy]$ ll
    ls: cannot open directory .: Permission denied
    [wang@centos71 teststy]$ rm  -rf  /test3/teststy/*
    [wang@centos71 teststy]$ ls
    ls: cannot open directory .: Permission denied
    [wang@centos71 teststy]$ ll
    ls: cannot open directory .: Permission denied

    Other users: can enter the directory, cannot delete files

    [zhao@centos71 ~]$ whoami 
    zhao
    [zhao@centos71 ~]$ pwd
    /home/zhao
    [zhao@centos71 ~]$ ll  -d  /test3/teststy
    d--x--x--x. 2 wang wang 101 Dec 23 21:36 /test3/teststy
    [zhao@centos71 ~]$ ls  /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [zhao@centos71 ~]$ ll  /test3/teststy
    ls: cannot open directory /test3/teststy: Permission denied
    [zhao@centos71 ~]$ cd  /test3/teststy
    [zhao@centos71 teststy]$ ls
    ls: cannot open directory .: Permission denied
    [zhao@centos71 teststy]$ rm  -rf  /test3/teststy/*
    [zhao@centos71 teststy]$ ls
    ls: cannot open directory .: Permission denied
    [root@centos71 ~]# ll  /test3/teststy
    total 0
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy01.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy02.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy03.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy04.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy05.txt

    Summary of directory permissions:

        1) Directory with no permissions:
           root user: invincible, can do whatever it wants
           owner user: can do nothing
           other users: can do nothing

        2) Directory with only read permission:
           root user: invincible, can do whatever it wants
           owner user: can only view file names, not file attributes (???)  (the directory itself has no execute permission)
           other users: can only view file names, not file attributes (???)  (the directory itself has no execute permission)

        Final summary:
        1) The root user can view and edit any directory at will; it is not restricted by permissions.
        2) The directory's execute permission is the most important: rx together allows the subdirectories and files under the directory to be listed normally, wx together allows entries in the directory to be created/deleted/renamed normally.

        Owner permission: 7 (rwx)   group permission: 5 (rx)   other users: 5 (rx)  --- default directory permission 755

    3. How the operating system reads data (inode, block)

    For files

    The inode stores the file's attributes and pointer information; the block stores the file's data content.

    File read permission: the file content can be viewed (the pointer information is obtained)
    File write permission: the file content can be edited --> rw permission
    For a file, opening it means reading the content of its block, i.e. the file contents.

    For directories

    inode: stores the directory's attribute information / pointer information
    block: the names of the entries under the directory
    Directory execute permission: the directory can be entered and its pointer information obtained
    Directory read permission: the data in the directory can be viewed, i.e. the names of the files under it, including the directory's block information

    For a directory, its block can be viewed with vim:

    [root@centos71 teststy]# vim   ./

    [root@centos71 teststy]# cd ..
    [root@centos71 test3]# pwd
    /test3
    [root@centos71 test3]# vim  ./

    Processing a file is a journey: like visiting relatives, you pass along many roads, and if one of them is under construction you are affected.

    Pay attention to the starting point, the path, and the destination.

    Take the file /test3/teststy/happy01.txt as an example:

    [root@centos71 ~]# tree /test3/teststy/
    /test3/teststy/
    ├── happy01.txt
    ├── happy02.txt
    ├── happy03.txt
    ├── happy04.txt
    └── happy05.txt
    
    0 directories, 5 files
    [root@centos71 ~]# ls  /test3/teststy/happy01.txt 
    /test3/teststy/happy01.txt

    Attention to the file starts at /. The / directory has inode information, which stores its attributes.

    The most important of these is the permission information.

    The permission is 555; the key bit is x (execute), which guarantees that the group and other users can enter this directory.

    To see the entries inside a directory, including subdirectories and files, read permission is also needed.

    With both read and execute permission, the pointer information is obtained.

    The pointer information's role is to lead us to the block information of the / directory.

    Without read, the attribute information cannot be obtained; only with the pointer information can the block be read, and then the directory's entries can be seen.

    [root@centos71 ~]# ll  -d  /
    dr-xr-xr-x. 28 root root 4096 Dec 23 20:52 /

    Through the block we see that / contains the subdirectory /test3, so we can continue downward.

    Otherwise an error is reported: no such file or directory.

    The following shows that the test3 directory exists, so the path can continue downward:

    [root@centos71 ~]# vim  ./

    Entering the test3 directory, as with /, focus on its inode, i.e. its attribute information.

    Note that the owner is root and other users also have read and execute permission, so they can see the pointer information and the block, and thus the files and subdirectories inside /test3:

    [root@centos71 ~]# cd  /test3
    [root@centos71 test3]# pwd
    /test3
    [root@centos71 test3]# vim  ./
    [root@centos71 test3]# ls
    teststy
    [root@centos71 test3]# ll  -d
    drwxr-xr-x. 3 root root 21 Dec 24 09:22 .
    [root@centos71 test3]# ll  
    total 0
    d--x--x--x. 2 wang wang 101 Dec 23 21:51 teststy

    Enter the next-level directory by the same method; at this point focus on the permission information of the files:

    [root@centos71 test3]# cd  teststy/
    [root@centos71 teststy]# ll  -d
    d--x--x--x. 2 wang wang 101 Dec 23 21:51 .
    [root@centos71 teststy]# vim  ./
    " ============================================================================                          
    " Netrw Directory Listing                                        (netrw v149)
    "   /test3/teststy
    "   Sorted by      name
    "   Sort sequence: [/]$,<core\%(.d+)=>,.h$,.c$,.cpp$,~=*$,*,.o$,.obj$,.info$,.swp$,.b
    "   Quick Help: <F1>:help  -:go up dir  D:delete  R:rename  s:sort-by  x:exec
    " ============================================================================
    ../
    ./
    happy01.txt
    happy02.txt
    happy03.txt
    happy04.txt
    happy05.txt
    .swp

    [root@centos71 teststy]# ll  
    total 4
    -rw-r--r--. 1 root root 7 Dec 24 09:27 happy01.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy02.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy03.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy04.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy05.txt
    [root@centos71 teststy]# pwd
    /test3/teststy

    User wang, as "others", can only enter the directory /test3/teststy/ but cannot view the contents of the files:

    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ pwd
    /home/wang
    [wang@centos71 ~]$ ll  /test3/teststy/  -d
    d--x--x--x. 2 wang wang 101 Dec 24 09:27 /test3/teststy/
    [wang@centos71 ~]$ cd   /test3/teststy/
    [wang@centos71 teststy]$ ls
    ls: cannot open directory .: Permission denied
    [wang@centos71 teststy]$ ll
    ls: cannot open directory .: Permission denied
    [wang@centos71 teststy]$ 

    Why, with only read permission on the directory, file names can be listed but not file attributes

    root user: invincible, can do whatever it wants

    owner user: can only view file names, not file attributes (???)

    other users: can only view file names, not file attributes (???)

    [root@centos71 teststy]# chmod  444   /test3/teststy
    [root@centos71 teststy]# ll  /test3/teststy  -d
    dr--r--r--. 2 wang wang 101 Dec 24 09:27 /test3/teststy
    [root@centos71 teststy]# ll  /test3/teststy  
    total 4
    -rw-r--r--. 1 root root 7 Dec 24 09:27 happy01.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy02.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy03.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy04.txt
    -rw-r--r--. 1 root root 0 Dec 23 21:36 happy05.txt

    r lets the pointer information and the block information be read, so the entries inside this directory can be seen.

    The file attributes show as ???, meaning they could not be read, because they are stored in each file's inode.

    But wang has no x execute permission to enter /test3/teststy/, so the inode information of the files inside that directory cannot be read.

    Therefore the attributes of the files in the directory cannot be viewed: neither their pointer information nor their block information is obtained.

    [wang@centos71 ~]$ ls  /test3/teststy/
    ls: cannot access /test3/teststy/happy02.txt: Permission denied
    ls: cannot access /test3/teststy/happy03.txt: Permission denied
    ls: cannot access /test3/teststy/happy04.txt: Permission denied
    ls: cannot access /test3/teststy/happy05.txt: Permission denied
    ls: cannot access /test3/teststy/happy01.txt: Permission denied
    happy01.txt  happy02.txt  happy03.txt  happy04.txt  happy05.txt
    [wang@centos71 ~]$ ll   /test3/teststy/
    ls: cannot access /test3/teststy/happy02.txt: Permission denied
    ls: cannot access /test3/teststy/happy03.txt: Permission denied
    ls: cannot access /test3/teststy/happy04.txt: Permission denied
    ls: cannot access /test3/teststy/happy05.txt: Permission denied
    ls: cannot access /test3/teststy/happy01.txt: Permission denied
    total 0
    -????????? ? ? ? ?            ? happy01.txt
    -????????? ? ? ? ?            ? happy02.txt
    -????????? ? ? ? ?            ? happy03.txt
    -????????? ? ? ? ?            ? happy04.txt
    -????????? ? ? ? ?            ? happy05.txt
    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ pwd
    /home/wang
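
The summary table above and the "-?????????" analysis can be checked against a small model of the permission checks. The following is an added illustration, not code from the page: it models root, owner and others on the page's /test/test.sh and /test3/teststy layout (uids 1020 for wang and 1040 for zhao come from the page's id output), and it assumes a simplified root bypass and bash's rule that a script needs both r and x.

```python
import stat
from collections import namedtuple
from dataclasses import dataclass, field
# Added illustration, not the page's or the kernel's code: a model of the DAC
# checks behind the page's cat / echo > / ./script / cd / ls / ls -l tests.
R, W, X = 4, 2, 1
User = namedtuple("User", "uid gid")

@dataclass
class Node:
    name: str
    mode: int                     # permission bits only, e.g. 0o644
    uid: int
    gid: int
    is_dir: bool = False
    data: str = ""
    children: dict = field(default_factory=dict)

    def add(self, child):
        self.children[child.name] = child
        return child

def bits_for(node, user):
    """rwx bits `user` holds on `node`; root skips DAC entirely."""
    if user.uid == 0:
        return R | W | X
    if user.uid == node.uid:
        return (node.mode >> 6) & 7
    if user.gid == node.gid:
        return (node.mode >> 3) & 7
    return node.mode & 7

def lookup(root, path, user):
    """Walk from /: every directory on the way needs x (search permission)."""
    node = root
    for part in [p for p in path.split("/") if p]:
        if not bits_for(node, user) & X:
            return None, "Permission denied"
        if part not in node.children:       # files have no children
            return None, "No such file or directory"
        node = node.children[part]
    return node, None

def check(root, path, user, need):
    """Resolve path, then require all `need` bits on the final node."""
    node, err = lookup(root, path, user)
    if err:
        return None, err
    if bits_for(node, user) & need != need:
        return None, "Permission denied"
    return node, None

def cat(root, path, user):
    node, err = check(root, path, user, R)
    return (node.data, None) if node else (None, err)

def write(root, path, user, text, append=True):
    """echo text >> path (append) or echo text > path (truncate)."""
    node, err = check(root, path, user, W)
    if node:
        node.data = (node.data if append else "") + text
    return err

def run_script(root, path, user):
    """bash needs x to exec the file and r to read the script body; root is
    exempt from r but still needs at least one x bit set on the file."""
    node, err = check(root, path, user, R | X)
    if node and user.uid == 0 and not node.mode & 0o111:
        return None, "Permission denied"
    return (node.data, None) if node else (None, err)

def ls(root, path, user, long=False):
    """Names need r on the directory; `ls -l` also stats each entry through
    it, which needs x: with r but no x every attribute prints as '?'."""
    node, err = lookup(root, path, user)
    if err:
        return None, err
    bits = bits_for(node, user)
    if not bits & R:
        return None, "cannot open directory: Permission denied"
    names = sorted(node.children)
    if not long:
        return names, None
    if not bits & X:
        return [f"-????????? ? ? ? ? ? {n}" for n in names], None
    kind = {True: stat.S_IFDIR, False: stat.S_IFREG}
    return [f"{stat.filemode(kind[c.is_dir] | c.mode)} {c.name}"
            for c in map(node.children.get, names)], None

def page_tree():
    """Page layout: /test/test.sh (root, 644); /test3/teststy (wang, 444), 5 files."""
    root = Node("/", 0o555, 0, 0, is_dir=True)
    test = root.add(Node("test", 0o755, 0, 0, is_dir=True))
    test.add(Node("test.sh", 0o644, 0, 0, data="whoami\n"))
    test3 = root.add(Node("test3", 0o755, 0, 0, is_dir=True))
    teststy = test3.add(Node("teststy", 0o444, 1020, 1020, is_dir=True))
    for i in range(1, 6):
        teststy.add(Node(f"happy0{i}.txt", 0o644, 0, 0))
    return root
```

Changing `mode` on the tree's nodes and re-running `cat`, `write`, `run_script` and `ls` reproduces each of the page's seven file cases and four directory cases.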

    4. Methods for setting operating system permissions

    (1) Default permissions for system data

    Creating a file:        default permission 644
    Creating a directory:   default permission 755
    umask                   shows the value used to derive the default permission / changes the default permission

    Default file permission:        666 - umask = 666 - 022 = 644
                                    666 - 044 = 622     (even umask digit: plain subtraction)
                                    666 - 033 = 644     (odd umask digit: subtract, then add 1)
    Default directory permission:   777 - umask = 777 - 022 = 755
                                    777 - 044 = 733
                                    777 - 033 = 744

    Note: for file permissions, an even umask digit is subtracted directly; an odd umask digit is subtracted and then 1 is added back.

    [root@centos71 ~]# whoami 
    root
    [root@centos71 ~]# pwd
    /root
    [root@centos71 ~]# umask 
    0022
    [wang@centos71 test]$ whoami 
    wang
    [wang@centos71 test]$ umask 
    0002

    The settings above are determined by this file:

    [root@centos71 ~]# vim  /etc/profile
    # By default, we want umask to get set. This sets it for login shell
    # Current threshold for system reserved uid/gids is 200
    # You could check uidgid reservation validity in
    # /usr/share/doc/setup-*/uidgid file
    if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
        umask 002
    else
        umask 022
    fi

    $UID -gt 199

    Checks whether the UID of the currently logged-in user is greater than 199:

    [root@centos71 ~]# id  root
    uid=0(root) gid=0(root) groups=0(root)
    [root@centos71 ~]# id  wang
    uid=1020(wang) gid=1020(wang) groups=1020(wang)

    /usr/bin/id -gn

    Checks whether the login user's name and group name are the same:

    [root@centos71 ~]# id  -g
    0
    [root@centos71 ~]# id  -gn
    root
    [root@centos71 ~]# id  -n
    id: cannot print only names or real IDs in default format
    [root@centos71 ~]# id  -u
    0
    [root@centos71 ~]# id  -n
    id: cannot print only names or real IDs in default format
    [root@centos71 ~]# id  -un
    root
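
The umask arithmetic above and the /etc/profile rule that chooses 002 or 022, as an added example that is not from the page: it computes the default mode the way the kernel does (clearing the umask bits), implements the page's digit-subtraction shortcut with its odd-digit correction, and goes beyond the page by showing that the shortcut holds for every umask when the base is 666 or 777 but not for other base modes a program may request.

```python
import os

# Added example, not the page's code: kernel-style umask arithmetic next to
# the page's digit shortcut, plus the /etc/profile rule that picks the umask.
FILE_BASE, DIR_BASE = 0o666, 0o777   # what touch/open and mkdir ask for

def default_mode(base, umask):
    """What the kernel does: clear every permission bit set in the umask."""
    return base & ~umask & 0o777

def digit_rule(base, umask, is_file):
    """The page's shortcut: subtract octal digit by digit; for a file, add 1
    back when the umask digit is odd, because 6 never had the x bit to lose."""
    result = 0
    for shift in (6, 3, 0):
        b, u = (base >> shift) & 7, (umask >> shift) & 7
        d = b - u + (1 if is_file and u % 2 else 0)
        result |= max(d, 0) << shift
    return result

def shortcut_mismatches(base, is_file):
    """All umask values for which the shortcut disagrees with the kernel.
    For the page's bases (666 for files, 777 for directories) the list is
    empty; for any other requested mode, e.g. 755, it is not."""
    return [u for u in range(0o1000)
            if digit_rule(base, u, is_file) != default_mode(base, u)]

def login_umask(uid, user_name, group_name):
    """The /etc/profile rule quoted above: UID > 199 and a primary group named
    like the user (a user-private group) gets 002, everything else 022."""
    return 0o002 if uid > 199 and user_name == group_name else 0o022

def current_umask():
    """Read the process umask without changing it (umask(2) sets and returns)."""
    old = os.umask(0)
    os.umask(old)
    return old

if __name__ == "__main__":
    print(f"current umask: {current_umask():04o}")
    for u in (0o022, 0o044, 0o033):
        print(f"umask {u:03o}: file {default_mode(FILE_BASE, u):03o}, "
              f"dir {default_mode(DIR_BASE, u):03o}")
    print("shortcut fails for base 755 at umasks:",
          [f"{u:03o}" for u in shortcut_mismatches(0o755, True)][:5], "...")
```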

    5. Setting permissions on operating system data

    (1) Modifying data permissions directly

    Note: permissions must not be too broad, otherwise attackers may exploit them; keep the data secure.

    chmod u/g/o +/-/= ...  --- set permissions per user class
    chmod a +/-/= ...      --- set permissions for all user classes at once
    chmod 755 ...          --- set permissions for all user classes numerically
    chmod -R xxx ...       --- set permissions recursively (use with care)

    (2) Changing the owner of data

    chown <owner> <data>
    chown <group> <data>
    chown <owner> <group> <data>

    chown -R <owner>.<group> <directory>   --- recursively change a directory's owner and group (for example when adjusting a web site's permissions)

    When a file cannot be saved and even the root user cannot write to it:


    Check whether the data is locked (the immutable attribute):

    [root@centos71 ~]# lsattr  /etc/hosts
    ---------------- /etc/hosts
    [root@centos71 ~]# chattr   +i   /etc/hosts
    [root@centos71 ~]# lsattr  /etc/hosts
    ----i----------- /etc/hosts

    Unlock:

    [root@centos71 ~]# chattr   -i   /etc/hosts
    [root@centos71 ~]# lsattr  /etc/hosts
    ---------------- /etc/hosts

    6. Operating system special permissions

    (1) setuid: lets a regular user gain the abilities of the file's owner

    setuid lets a regular user act with the owner's ability; it is a permission adjustment applied to a command file.

    Without setuid permission, only the root user can view the shadow file.

    With setuid permission, every regular user can view the shadow file.

    Setting setuid permission:

    [root@centos71 ~]# whoami 
    root
    [root@centos71 ~]# pwd
    /root
    [root@centos71 ~]# ll  /etc/shadow
    ----------. 1 root root 4620 Dec 23 12:18 /etc/shadow
    [root@centos71 ~]# cat  /etc/shadow  |  head
    root:$6$74iiqdl8$U926ZrOy38rx8tapqOrdwJDcSAUbZjkQVGKNCaaX.5RdWW6J4nPRhiy5mq9xazTIPIlm7CzkdRWbTqWZMTHMS.:18250:0:99999:7:::
    bin:*:17834:0:99999:7:::
    daemon:*:17834:0:99999:7:::
    adm:*:17834:0:99999:7:::
    lp:*:17834:0:99999:7:::
    sync:*:17834:0:99999:7:::
    shutdown:*:17834:0:99999:7:::
    halt:*:17834:0:99999:7:::
    mail:*:17834:0:99999:7:::
    operator:*:17834:0:99999:7:::
    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ pwd
    /home/wang
    [wang@centos71 ~]$ ll  /etc/shadow
    ----------. 1 root root 4620 Dec 23 12:18 /etc/shadow
    [wang@centos71 ~]$ cat  /etc/shadow | head
    cat: /etc/shadow: Permission denied

    setgid: lets an ordinary user act with the owning group's privileges

    A permission adjustment applied to command files; rarely used.

    chmod g+s / chmod 2644 --- sets the setgid permission

    (2) Sticky bit: only a file's owner may change that file's data in the directory

    Sticky bit: on a shared directory, only the owner of a file can change their own data; other users can only view it.

    chmod o+t / chmod 1755 --- sets the sticky bit

    In a shared directory, only you can modify your own files; other users can only look.

    Temporary shared data directory: /tmp/

    Note: the permissions of this directory must not be changed, otherwise MySQL 5.5 will fail to start.

    [root@centos71 ~]# ll -d  /tmp/
    drwxrwxrwt. 13 root root 4096 Dec 23 11:35 /tmp

    For wang, an "other" user, there is no execute permission, so the w permission cannot take effect: the files and subdirectories inside the directory cannot be deleted.

    [wang@centos71 ~]$  ll  -d  /tmp/
    drwxrwxrwt. 15 root root 4096 Dec 24 10:44 /tmp/
    [wang@centos71 ~]$  ll    /tmp/
    total 20
    -rw-r--r--. 1 root root 18281 Dec 19 21:31 functions
    drwx------. 3 root root    17 Dec 24 08:28 systemd-private-ea4129b5d18c4ee580dd07a2c8154e77-chronyd.service-Nb09BH
    drwx------. 2 root root     6 Dec 20 08:32 vmware-root_6183-1983194517
    drwx------. 2 root root     6 Dec 22 23:43 vmware-root_6219-1690047046
    drwx------. 2 root root     6 Dec 21 14:37 vmware-root_6223-1681855427
    drwx------. 2 root root     6 Dec 23 08:24 vmware-root_6224-734038020
    drwx------. 2 root root     6 Dec 24 08:28 vmware-root_6230-734169091
    drwx------. 2 root root     6 Dec 23 23:22 vmware-root_6233-1714755028
    drwx------. 2 root root     6 Dec 20 08:44 vmware-root_6234-692293512
    [wang@centos71 ~]$ rm  -f  /tmp/*
    rm: cannot remove ‘/tmp/functions’: Operation not permitted
    rm: cannot remove ‘/tmp/systemd-private-ea4129b5d18c4ee580dd07a2c8154e77-chronyd.service-Nb09BH’: Is a directory
    rm: cannot remove ‘/tmp/vmware-root_6183-1983194517’: Is a directory
    rm: cannot remove ‘/tmp/vmware-root_6219-1690047046’: Is a directory
    rm: cannot remove ‘/tmp/vmware-root_6223-1681855427’: Is a directory
    rm: cannot remove ‘/tmp/vmware-root_6224-734038020’: Is a directory
    rm: cannot remove ‘/tmp/vmware-root_6230-734169091’: Is a directory
    rm: cannot remove ‘/tmp/vmware-root_6233-1714755028’: Is a directory
    rm: cannot remove ‘/tmp/vmware-root_6234-692293512’: Is a directory
    [wang@centos71 ~]$ rm  -rf  /tmp/*
    rm: cannot remove ‘/tmp/functions’: Operation not permitted
    rm: cannot remove ‘/tmp/systemd-private-ea4129b5d18c4ee580dd07a2c8154e77-chronyd.service-Nb09BH’: Operation not permitted
    rm: cannot remove ‘/tmp/vmware-root_6183-1983194517’: Operation not permitted
    rm: cannot remove ‘/tmp/vmware-root_6219-1690047046’: Operation not permitted
    rm: cannot remove ‘/tmp/vmware-root_6223-1681855427’: Operation not permitted
    rm: cannot remove ‘/tmp/vmware-root_6224-734038020’: Operation not permitted
    rm: cannot remove ‘/tmp/vmware-root_6230-734169091’: Operation not permitted
    rm: cannot remove ‘/tmp/vmware-root_6233-1714755028’: Operation not permitted
    rm: cannot remove ‘/tmp/vmware-root_6234-692293512’: Operation not permitted
    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ 
    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ mkdir  /home/wang/share
    [wang@centos71 ~]$ ls  /home/wang/share
    [wang@centos71 ~]$ ll  -d  /home/wang/share
    drwxrwxr-x. 2 wang wang 6 Dec 24 10:38 /home/wang/share
    [wang@centos71 ~]$ chmod   o+t   /home/wang/share
    [wang@centos71 ~]$ ll  -d  /home/wang/share
    drwxrwxr-t. 2 wang wang 6 Dec 24 10:38 /home/wang/share
    [wang@centos71 ~]$ cd  /home/wang/share
    [wang@centos71 share]$ touch   hahaha{01..06}.txt
    [wang@centos71 share]$ ll
    total 0
    -rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha01.txt
    -rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha02.txt
    -rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha03.txt
    -rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha04.txt
    -rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha05.txt
    -rw-rw-r--. 1 wang wang 0 Dec 24 10:41 hahaha06.txt
    [root@centos71 ~]# id  zhao
    uid=1040(zhao) gid=1040(zhao) groups=1040(zhao)
    [root@centos71 ~]# su  -  zhao
    Last login: Mon Dec 23 21:22:13 CST 2019 on pts/5
    [zhao@centos71 ~]$ whoami 
    zhao
    [zhao@centos71 ~]$ pwd
    /home/zhao
    [zhao@centos71 ~]$ ll  -d  /home/wang/share
    ls: cannot access /home/wang/share: Permission denied
    [zhao@centos71 ~]$ rm  -rf    /home/wang/share
    rm: cannot remove ‘/home/wang/share’: Permission denied
    [zhao@centos71 ~]$ ls  /home/wang/share
    ls: cannot access /home/wang/share: Permission denied
    [zhao@centos71 ~]$ cd  /home/wang/share
    -bash: cd: /home/wang/share: Permission denied
    [zhao@centos71 ~]$ 

    Appending content to a file

    [wang@centos71 ~]$ ll -d  /home/wang/share/
    drwxrwxr-t. 2 wang wang 126 Dec 24 10:41 /home/wang/share/
    [wang@centos71 ~]$ cd  /home/wang/share/
    [wang@centos71 share]$ ls
    hahaha01.txt  hahaha02.txt  hahaha03.txt  hahaha04.txt  hahaha05.txt  hahaha06.txt
    [wang@centos71 share]$ echo   abcdefghijklmn  >>  hahaha01.txt 
    [wang@centos71 share]$ cat  hahaha01.txt
    abcdefghijklmn

    The other user zhao cannot view it

    [zhao@centos71 ~]$ cat    /home/wang/share/hahaha01.txt 
    cat: /home/wang/share/hahaha01.txt: Permission denied
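An audit helper for the setuid, setgid and sticky bits covered in this section, as an added example that is not part of the original post. It assumes GNU find (for -printf), as on CentOS, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a directory tree for the special
# bits discussed above (setuid 4xxx, setgid 2xxx, sticky 1xxx). Running this over /
# as root and diffing the result against a known-good baseline is a routine way to
# spot an unexpected setuid binary. Assumes GNU find (-printf), as on CentOS.

# has_special_bit PATH setuid|setgid|sticky: exit 0 when that bit is set
has_special_bit() {
    case $2 in
        setuid) [ -u "$1" ] ;;
        setgid) [ -g "$1" ] ;;
        sticky) [ -k "$1" ] ;;
        *) return 2 ;;
    esac
}

# audit_special_bits DIR: one line "<kinds> <octal mode> <path>" per hit, where
# kinds is a comma-separated subset of setuid,setgid,sticky
audit_special_bits() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -printf '%m %p\n' |
    awk '{
        mode = $1
        path = substr($0, length(mode) + 2)     # keep paths containing spaces intact
        hi = substr(mode, 1, 1) + 0             # the special-bits digit, e.g. 4 in 4755
        kinds = ""
        if (int(hi / 4) % 2) kinds = kinds "setuid,"
        if (int(hi / 2) % 2) kinds = kinds "setgid,"
        if (hi % 2)          kinds = kinds "sticky,"
        sub(/,$/, "", kinds)
        print kinds, mode, path
    }'
}

# count_special_bits DIR: number of hits under DIR
count_special_bits() {
    audit_special_bits "$1" | awk 'END { print NR }'
}
```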

    7. Operating System User Privilege Escalation Configuration (sudo)

    Centralised management of user privileges, comparable to a Windows domain controller.

    An LDAP service used to be used for this but has been phased out; a JumpServer bastion host is used now.

    Description: grant specified ordinary users the abilities of the root user.

    (1) Edit the privilege configuration file: /etc/sudoers

    Open the file and jump to line 100; opening it with visudo is recommended because visudo checks for syntax errors.
    Column 1: the user allowed to escalate; column 2: the centrally managed host/run-as scope; column 3: the privileged commands granted.

    [root@centos71 ~]# cat  -n   /etc/sudoers  |  grep  "100"
       100    root    ALL=(ALL)     ALL

    (2) Rules for writing sudo privilege entries

    1) There must be three columns, separated from each other by whitespace.

    2) Commands must be written as absolute paths, otherwise a syntax error is reported.

    3) Multiple commands are separated by a comma and a space.

    Syntax error, because /bin/cat had previously been written without an absolute path:

    [root@centos71 ~]# visudo 
    
    "/etc/sudoers.tmp" 121L, 4368C written
    >>> /etc/sudoers: syntax error near line 101 <<<
    What now? 
    Options are:
      (e)dit sudoers file again
      e(x)it without saving changes to sudoers file
      (Q)uit and save changes to sudoers file (DANGER!)
    [root@centos71 ~]# cat   /etc/sudoers |  grep  wang
    wang    ALL=(ALL)      /bin/cat  /etc/shadow
    [wang@centos71 ~]$ cat /etc/shadow
    cat: /etc/shadow: Permission denied
    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ ll  /etc/shadow
    ----------. 1 root root 4524 Dec 23 09:06 /etc/shadow
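A pre-check for the absolute-path rule above, as an added example that is not part of the original post. It is not visudo and does not replace it; it handles only the "user HOST=(runas) [TAG:] cmd, cmd" shape shown in the post, and the function name is my own.

```shell
#!/bin/sh
# Added example, not from the original post: a small pre-check for a sudoers user
# specification line, enforcing the rule above that every command must be an
# absolute path (visudo rejects a relative command with a syntax error).
# Only the "user HOST=(runas) [TAG:] cmd, cmd" shape shown in the post is handled.

# check_sudoers_line 'LINE': exit 0 if every command is absolute (or ALL),
# otherwise print each offending command and exit 1
check_sudoers_line() {
    printf '%s\n' "$1" | awk '
    {
        # drop the user and the "HOST=(runas)" columns: everything up to ")"
        sub(/^[^)]*\)[ \t]*/, "")
        # drop leading tag specs such as NOPASSWD: or SETENV:
        while (match($0, /^[A-Z]+:[ \t]*/)) $0 = substr($0, RLENGTH + 1)
        bad = 0
        n = split($0, cmds, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            sub(/^[ \t]+/, "", cmds[i])
            split(cmds[i], w, /[ \t]+/)
            if (w[1] == "") continue
            if (w[1] != "ALL" && substr(w[1], 1, 1) != "/") {
                printf "not an absolute path: %s\n", cmds[i]
                bad = 1
            }
        }
        exit bad
    }'
}
```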

    (3) Testing the privilege escalation

    Check which privileges have been granted

    [root@centos71 ~]# su  -  wang
    Last login: Tue Dec 24 09:30:23 CST 2019 on pts/1
    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$ sudo -l
    Matching Defaults entries for wang on centos71:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
        USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
        LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
        LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
    
    User wang may run the following commands on centos71:
        (ALL) NOPASSWD: /bin/cat /etc/shadow

    Viewing the file requires sudo

    [wang@centos71 ~]$ sudo  cat  /etc/shadow  |  head
    root:$6$74iiqdl8$U926ZrOy38rx8tapqOrdwJDcSAUbZjkQVGKNCaaX.5RdWW6J4nPRhiy5mq9xazTIPIlm7CzkdRWbTqWZMTHMS.:18250:0:99999:7:::
    bin:*:17834:0:99999:7:::
    daemon:*:17834:0:99999:7:::
    adm:*:17834:0:99999:7:::
    lp:*:17834:0:99999:7:::
    sync:*:17834:0:99999:7:::
    shutdown:*:17834:0:99999:7:::
    halt:*:17834:0:99999:7:::
    mail:*:17834:0:99999:7:::
    operator:*:17834:0:99999:7:::
    [wang@centos71 ~]$ 

    With echo, using > causes problems: the system treats it as literal characters, so it is recommended to add the command to the file instead.

    Use vim; note that the commands added to the file must not be aliases.

    Prefixing the command list with NOPASSWD: removes the password prompt during escalation.

    [root@centos71 ~]# cat  -n   /etc/sudoers  |  grep  "101"
       101    wang    ALL=(ALL)    NOPASSWD:  /bin/cat  /etc/shadow, /bin/cat  /etc/hosts,/usr/bin/vim   /etc/hosts
    [root@centos71 ~]# cat  -n   /etc/sudoers  |  grep  "wang"
       101    wang    ALL=(ALL)    NOPASSWD:  /bin/cat  /etc/shadow, /bin/cat  /etc/hosts,/usr/bin/vim   /etc/hosts
    [wang@centos71 ~]$ sudo  -l
    Matching Defaults entries for wang on centos71:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR
        USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
        LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME
        LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin:/bin:/usr/sbin:/usr/bin
    
    User wang may run the following commands on centos71:
        (ALL) NOPASSWD: /bin/cat /etc/shadow, /bin/cat /etc/hosts, /usr/bin/vim /etc/hosts
    [wang@centos71 ~]$ ll  /etc/hosts
    -rwxr-x--x. 1 root root 184 Dec 24 11:28 /etc/hosts

    Append content at the last line

    [wang@centos71 ~]$ whoami 
    wang
    [wang@centos71 ~]$  sudo  vim  /etc/hosts

    [wang@centos71 ~]$ cat  /etc/hosts
    cat: /etc/hosts: Permission denied
    [wang@centos71 ~]$ sudo  cat  /etc/hosts
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    10.0.0.200  www.baidu.com

    Using negation leaves the specified directory undeleted.

    setfacl on Linux is of little use; it is not covered here.

    [root@centos71 ~]# setfacl   --help
    setfacl 2.2.51 -- set file access control lists
    Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
      -m, --modify=acl        modify the current ACL(s) of file(s)
      -M, --modify-file=file  read ACL entries to modify from file
      -x, --remove=acl        remove entries from the ACL(s) of file(s)
      -X, --remove-file=file  read ACL entries to remove from file
      -b, --remove-all        remove all extended ACL entries
      -k, --remove-default    remove the default ACL
          --set=acl           set the ACL of file(s), replacing the current ACL
          --set-file=file     read ACL entries to set from file
          --mask              do recalculate the effective rights mask
      -n, --no-mask           don't recalculate the effective rights mask
      -d, --default           operations apply to the default ACL
      -R, --recursive         recurse into subdirectories
      -L, --logical           logical walk, follow symbolic links
      -P, --physical          physical walk, do not follow symbolic links
          --restore=file      restore ACLs (inverse of `getfacl -R')
          --test              test mode (ACLs are not modified)
      -v, --version           print version and exit
      -h, --help              this help text

    System user permission problems and how to adjust them

    1) Change the file's permission bits (rwx) directly: chmod
    2) Change the file's owner directly: chown
    3) Change the file's special permissions: setuid / sticky bit
    4) Change ordinary users' escalation rights: sudo
    5) Check whether the file is locked: chattr +i/-i, lsattr
    6) Switch to the root user: su - root, for example when an alert is raised

  • Original source: https://www.cnblogs.com/wang618/p/12109917.html