chmod
修改某类用户或某些类用户权限:
u,g,o,a(用户类别)
[root@localhost ~]# ll
total 0
drwxr-xr-x. 2 root root 6 Oct 27 00:51 abc
drwxr-xr-x. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod u-w abc
[root@localhost ~]# chmod u-r pyhptl
[root@localhost ~]# ll
total 0
dr-xr-xr-x. 2 root root 6 Oct 27 00:51 abc
d-wxr-xr-x. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod u+r pyhptl
[root@localhost ~]# chmod u+w abc
[root@localhost ~]# ll
total 0
drwxr-xr-x. 2 root root 6 Oct 27 00:51 abc
drwxr-xr-x. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod g=w abc
[root@localhost ~]# chmod o=x pyhptl
[root@localhost ~]# ll
total 0
drwx-w-r-x. 2 root root 6 Oct 27 00:51 abc
drwxr-x--x. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]#
[root@localhost ~]# chmod g-w abc
[root@localhost ~]# chmod o-x pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 root root 6 Oct 27 00:51 abc
drwxr-x---. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod g= pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 root root 6 Oct 27 00:51 abc
drwx------. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod 644 pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 root root 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
chown
chown命令只有管理员可以使用。
[root@localhost ~]# chown tom pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 root root 6 Oct 27 00:51 abc
drw-r--r--. 2 tom root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chown tom abc
[root@localhost ~]# ll
total 0
drwx---r-x. 2 tom root 6 Oct 27 00:51 abc
drw-r--r--. 2 tom root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chown .root pyhptl
[root@localhost ~]# chown .root abc
[root@localhost ~]# ll
total 0
drwx---r-x. 2 tom root 6 Oct 27 00:51 abc
drw-r--r--. 2 tom root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chown :tom abc
[root@localhost ~]# chown :tom pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 tom tom 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chown tom.tom abc
[root@localhost ~]# chown root.root pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
-rw-r--r--. 1 tom root 0 Oct 27 01:38 lscs
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
遮罩码
文件最终的权限为:
666-umask
目录最终的权限为:
777-umask
umask
[root@localhost ~]# umask
0022
[root@localhost ~]# umask 002
[root@localhost ~]# umask
0002
[root@localhost ~]# ll
total 0
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# touch 123
[root@localhost ~]# mkdir 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwxr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
suid,sgid(特殊权限)
linux默认权限是根据linux安全上下文的方式来控制的,而特殊权限的存在打破了linux安全上下文的规则。
suid
[root@localhost ~]# ll /usr/bin/vi
-rwxr-xr-x. 1 root root 1416744 Jul 23 2019 /usr/bin/vi
[root@localhost ~]# chmod u+s /usr/bin/vi
[root@localhost ~]# ll /usr/bin/vi
-rwsr-xr-x. 1 root root 1416744 Jul 23 2019 /usr/bin/vi
[root@localhost ~]# chmod u-x /usr/bin/vi
[root@localhost ~]# ll /usr/bin/vi
-rwSr-xr-x. 1 root root 1416744 Jul 23 2019 /usr/bin/vi
[root@localhost ~]# chmod u+x /usr/bin/vi
[root@localhost ~]# ll /usr/bin/vi
-rwsr-xr-x. 1 root root 1416744 Jul 23 2019 /usr/bin/vi
[root@localhost ~]# chmod u-s /usr/bin/vi
[root@localhost ~]# ll /usr/bin/vi
-rwxr-xr-x. 1 root root 1416744 Jul 23 2019 /usr/bin/vi
[root@localhost ~]# chmod 4755 /usr/bin/vi
[root@localhost ~]# ll /usr/bin/vi
-rwsr-xr-x. 1 root root 1416744 Jul 23 2019 /usr/bin/vi
sgid
[root@localhost ~]# chmod g+s 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwsr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod g-s 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwxr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod 2755 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxr-sr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod g-x 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxr-Sr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod g+x 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxr-sr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod 777 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwsrwx. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod o+t 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwsrwt. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod o-x 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwsrwT. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod o+x 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwsrwt. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom tom 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod o-t 123
[root@localhost ~]# ll
total 4
drwxr-xr-x. 2 root root 6 Oct 30 19:00 123
drwxr-xr-x. 2 root root 6 Oct 30 19:00 456
[root@localhost ~]# chmod 1777 123
[root@localhost ~]# ll
total 4
drwxrwxrwt. 2 root root 6 Oct 30 19:00 123
drwxr-xr-x. 2 root root 6 Oct 30 19:00 456
[root@localhost ~]# chmod 0777 123
[root@localhost ~]# ll
total 4
drwxrwxrwx. 2 root root 6 Oct 30 19:00 123
drwxr-xr-x. 2 root root 6 Oct 30 19:00 456
文件系统访问控制列表facl
利用文件扩展保存额外的访问控制权限
[root@localhost ~]# setfacl -m u:tom:rw 456
[root@localhost ~]# getfacl 456
# file: 456
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
[root@localhost ~]# ll
total 4
drwxrwxrwx. 2 root root 6 Oct 30 19:00 123
drwxr-xr-x. 2 root root 6 Oct 30 19:00 456
[root@localhost ~]# setfacl -m g:lscs:6 456
[root@localhost ~]# getfacl 456
# file: 456
# owner: root
# group: root
user::rwx
group::r-x
group:lscs:rw-
mask::rwx
other::r-x
[root@localhost ~]# getfacl 123
# file: 123
# owner: root
# group: root
user::rwx
group::rwx
group:lscs:rw-
mask::rwx
other::rwx
[root@localhost ~]# setfacl -x u:pyhptl 456
[root@localhost ~]# getfacl 456
# file: 456
# owner: root
# group: root
user::rwx
group::r-x
group:lscs:rw-
mask::rwx
other::r-x
[root@localhost ~]# setfacl -b 456
[root@localhost ~]# getfacl 456
# file: 456
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
[lscs@localhost root]$ which useradd
/usr/sbin/useradd
[lscs@localhost root]$ /usr/sbin/useradd
[lscs@localhost root]$ /usr/sbin/useradd qn02
useradd: Permission denied.
useradd: cannot lock /etc/passwd; try again later.
[lscs@localhost root]$ sudo /usr/sbin/useradd qn02
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
lscs is not in the sudoers file. This incident will be reported
[lscs@localhost root]$id qn02
id:'qn02':no_such user
sudo
sudo的配置文件:/etc/sudoers
使用visudo命令进行sudo的配置,每一行就是一个sudo条目,条目格式如下:
who which_hosts=(runas) command
who:User_Alias表示运行命令者的身份
which_hosts:Host_Alias,通过哪些主机
runas:Runas_Alias,以哪个用户的身份
command:Cmnd_Alias,运行哪些命令