• Read and write permissions in Linux


    Notes on Linux file permissions.
     
    Permissions are written as a triple such as r-x; each bit has a numeric value:
    w: write, modify and delete  - 2
    r: read                      - 4
    x: execute                   - 1
     
    A file carries three such permission sets, for:
    -owner
    -group
    -other
     
    When you use sudo you act as the root user, so any file or directory you create is owned by root rather than by you, and you yourself end up without permission on it:
    I created a file with sudo and then got "permission denied" when I wanted to modify it. In a script, a command that redirects output into it with > then cannot run.
     
    Typically the owner has 7 on a file, the group 5 and others 5. If I don't want others to read the file, chmod 750 does that, but then there is a problem: how can one specific person still get access?
     
    That is, I want a particular user or group to get access to a file while everyone else cannot. This is what an ACL does.
     
     
    1. Granting access to a specific user
    The following grants user st access to a directory:
     
    //create a directory named project
    mkdir project
    chmod 770 project/
     
    //add two users to tgroup
    useradd bimm
    useradd cangls
    groupadd tgroup
    gpasswd -a bimm tgroup
    gpasswd -a cangls tgroup
    chown root:tgroup project/
     
    //grant access to user st
    useradd st
    setfacl -m u:st:rx project/
    //ll now shows a + after the mode bits
    [root@bogon temp]# ll -d project/
    drwxrwx---+ 2 root tgroup 16 5月  14 21:14 project/
     
    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x
    group::rwx
    mask::rwx
    other::---
     
    //grant access to group tgroup2
    [root@bogon temp]# setfacl -m g:tgroup2:rwx project/
    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x
    group::rwx
    group:tgroup2:rwx
    mask::rwx
    other::---
     
     
    2. Changing the mask, the upper bound on effective permissions
    When you grant a user or group a permission such as rwx with setfacl, it is ANDed with the mask to give the effective permission. For instance, if you run
    setfacl -m u:st:rw project
    and the mask on project is r-x, then the effective permission of user st on project is r--. However, we can also change the mask:
     
    [root@bogon temp]# setfacl -m u:st:rw project/
    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    user:st:rw-
    group::rwx
    group:tgroup2:rwx
    mask::rwx
    other::---
     
    [root@bogon temp]# setfacl -m m:r-x project/
    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    user:st:rw-            #effective:r--
    group::rwx            #effective:r-x
    group:tgroup2:rwx        #effective:r-x
    mask::r-x
    other::---
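    To make the mask rule concrete, here is an added example (not code from the original post) that reproduces getfacl's "#effective:" column in plain POSIX sh, so it runs without setfacl or root. The ACL text is constructed to match the output above, and the function names perm_and, masked_entry, effective_for and annotate are chosen here.

```shell
# Added example (not from the original post): reproduce getfacl's "#effective:" column in
# POSIX sh. Effective = entry AND mask for named users/groups and group::; user::/other:: unmasked.

# perm_and PERM MASK: keep r, w, x only where present in both, e.g. rw- & r-x = r--
perm_and() {
    _out=""
    for _c in r w x; do
        case "$1" in
            *"$_c"*) case "$2" in *"$_c"*) _out="$_out$_c" ;; *) _out="$_out-" ;; esac ;;
            *) _out="$_out-" ;;
        esac
    done
    printf '%s\n' "$_out"
}

# masked_entry LINE_OR_PREFIX: true when the mask applies (named user/group, owning group)
masked_entry() {
    case "$1" in user::*|other::*|mask::*) return 1 ;; user:*|group:*) return 0 ;; *) return 1 ;; esac
}

# effective_for ACL_TEXT PREFIX: effective permission of one entry, e.g. PREFIX="user:st:"
effective_for() {
    _mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')
    _perm=$(printf '%s\n' "$1" | sed -n "s/^$2\(...\)$/\1/p")
    [ -n "$_perm" ] || return 1
    if [ -n "$_mask" ] && masked_entry "$2"; then perm_and "$_perm" "$_mask"; else printf '%s\n' "$_perm"; fi
}

# annotate ACL_TEXT: reprint getfacl-style text, adding #effective: where the mask cuts an entry
annotate() {
    _mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')
    printf '%s\n' "$1" | while IFS= read -r _line; do
        if [ -n "$_mask" ] && masked_entry "$_line"; then
            _eff=$(perm_and "${_line##*:}" "$_mask")
            [ "$_eff" = "${_line##*:}" ] || _line="$_line            #effective:$_eff"
        fi
        printf '%s\n' "$_line"
    done
}

# Constructed sample: the entries the post shows for project/ after "setfacl -m m:r-x"
ACL_SAMPLE='# file: project/
user::rwx
user:st:rw-
group::rwx
group:tgroup2:rwx
mask::r-x
other::---'
annotate "$ACL_SAMPLE"
```

    Running it prints the same three #effective: annotations as the getfacl output above; user:: and other:: are left untouched because the mask never applies to them.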
     
     
     
    3. Deleting ACL entries
      -x u:st file(s) , --remove=acl        remove entries from the ACL(s) of file(s)
      -b file(s) , --remove-all                remove all extended ACL entries 
     
    [root@bogon temp]# setfacl -x u:st project/
    [root@bogon temp]# setfacl -x g:tgroup2 project/
    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    group::rwx
    mask::rwx
    other::---
     
     
    4. Setting ACLs recursively, and default ACLs on a directory
    If you proceed as in the steps above, you only set the ACL on the specified directory; it does not apply to the files inside it.
    If you want the same ACL on the files inside, use the -R option.
     
    [root@bogon temp]# touch project/abc
    [root@bogon temp]# ll project/abc
    -rw-r--r-- 1 root root 0 5月  14 21:14 project/abc
    [root@bogon temp]# ll -d project/
    drwxrwx--- 2 root tgroup 16 5月  14 21:14 project/
    [root@bogon temp]# setfacl -m u:st:rx project/
    [root@bogon temp]# ll -d project/
    drwxrwx---+ 2 root tgroup 16 5月  14 21:14 project/
    [root@bogon temp]# setfacl -m u:st:rx project/
    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x
    group::rwx
    mask::rwx
    other::---
     
    [root@bogon temp]# getfacl project/abc
    # file: project/abc
    # owner: root
    # group: root
    user::rw-
    group::r--
    other::r--
     
    //-R only affects files that already exist, not files created afterwards
    [root@bogon temp]# setfacl -m u:st:rx -R project/
    [root@bogon temp]# getfacl project/abc
    # file: project/abc
    # owner: root
    # group: root
    user::rw-
    user:st:r-x
    group::r--
    mask::r-x
    other::r--
     
    [root@bogon temp]# touch project/newabc
    [root@bogon temp]# getfacl project/newabc
    # file: project/newabc
    # owner: root
    # group: root
    user::rw-
    group::r--
    other::r--
     
     
    You can see that -R does not affect new files. If you want files created later inside the directory to get the permission as well, set a default ACL with the d: option:
     
    [root@bogon temp]# setfacl -m d:u:st:rx project/
    [root@bogon temp]# getfacl project/newabc
    # file: project/newabc
    # owner: root
    # group: root
    user::rw-
    group::r--
    other::r--
     
    [root@bogon temp]# touch project/newabc2
    [root@bogon temp]# getfacl project/newabc2
    # file: project/newabc2
    # owner: root
    # group: root
    user::rw-
    user:st:r-x            #effective:r--
    group::rwx            #effective:rw-
    mask::rw-
    other::---
     
     
    -R covers existing files; d: covers future ones.
     
    5. setUID
    [root@bogon temp]# ll /usr/bin/passwd
    -rwsr-xr-x. 1 root root 27832 6月  10 2014 /usr/bin/passwd
     
    The s means that a user who executes the file temporarily gains the permissions of the file's owner. passwd has to modify shadow, and only root has permission on shadow, so a user running passwd must be able to write shadow for the duration of that run.
    The file must be an executable for this to apply.
  • Original article: https://www.cnblogs.com/woshimrf/p/5503162.html