权限管理2020-11-3

chmod

修改某类用户或某些类用户权限：
u,g,o,a（用户类别）

[root@localhost ~]# ll
total 0
drwxr-xr-x. 2 root root 6 Oct 27 00:51 abc
drwxr-xr-x. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod u-w abc
[root@localhost ~]# chmod u-r pyhptl
[root@localhost ~]# ll
total 0
dr-xr-xr-x. 2 root root 6 Oct 27 00:51 abc
d-wxr-xr-x. 2 root root 6 Oct 27 00:46 pyhptl 
[root@localhost ~]# chmod u+r pyhptl
[root@localhost ~]# chmod u+w abc
[root@localhost ~]# ll
total 0
drwxr-xr-x. 2 root root 6 Oct 27 00:51 abc
drwxr-xr-x. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod g=w abc
[root@localhost ~]# chmod o=x pyhptl
[root@localhost ~]# ll
total 0
drwx-w-r-x. 2 root root 6 Oct 27 00:51 abc
drwxr-x--x. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# 
[root@localhost ~]# chmod g-w abc
[root@localhost ~]# chmod o-x pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 root root 6 Oct 27 00:51 abc
drwxr-x---. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod g= pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 root root 6 Oct 27 00:51 abc
drwx------. 2 root root 6 Oct 27 00:46 pyhptl
 [root@localhost ~]# chmod 644 pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 root root 6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl

chown

chown命令只有管理员可以使用。

[root@localhost ~]# chown tom pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 root root 6 Oct 27 00:51 abc
drw-r--r--. 2 tom  root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chown tom abc
[root@localhost ~]# ll
total 0
drwx---r-x. 2 tom root 6 Oct 27 00:51 abc
drw-r--r--. 2 tom root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chown .root pyhptl
[root@localhost ~]# chown .root abc
[root@localhost ~]# ll
total 0
drwx---r-x. 2 tom root 6 Oct 27 00:51 abc
drw-r--r--. 2 tom root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chown :tom abc
[root@localhost ~]# chown :tom pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 tom tom  6 Oct 27 00:51 abc
drw-r--r--. 2 tom tom  6 Oct 27 00:46 pyhptl
[root@localhost ~]# chown tom.tom abc
[root@localhost ~]# chown root.root pyhptl
[root@localhost ~]# ll
total 0
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
-rw-r--r--. 1 tom  root 0 Oct 27 01:38 lscs
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl

遮罩码

文件最终的权限为：
666-umask
目录最终的权限为：
777-umask

umask
[root@localhost ~]# umask
0022
[root@localhost ~]# umask 002
[root@localhost ~]# umask
0002
[root@localhost ~]# ll
total 0
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# touch 123
[root@localhost ~]# mkdir 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwxr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl

suid，sgid（特殊权限）

linux默认权限是根据linux安全上下文的方式来控制的，而特殊权限的存在打破了linux安全上下文的规则。

suid
[root@localhost ~]# ll /usr/bin/vi
-rwxr-xr-x. 1 root root 1416744 Jul 23  2019 /usr/bin/vi
[root@localhost ~]# chmod u+s /usr/bin/vi
[root@localhost ~]# ll /usr/bin/vi
-rwsr-xr-x. 1 root root 1416744 Jul 23  2019 /usr/bin/vi
[root@localhost ~]# chmod u-x /usr/bin/vi
[root@localhost ~]# ll /usr/bin/vi
-rwSr-xr-x. 1 root root 1416744 Jul 23  2019 /usr/bin/vi
[root@localhost ~]# chmod u+x /usr/bin/vi
[root@localhost ~]# ll /usr/bin/vi
-rwsr-xr-x. 1 root root 1416744 Jul 23  2019 /usr/bin/vi
[root@localhost ~]# chmod u-s /usr/bin/vi
[root@localhost ~]# ll /usr/bin/vi
-rwxr-xr-x. 1 root root 1416744 Jul 23  2019 /usr/bin/vi
[root@localhost ~]# chmod 4755 /usr/bin/vi
[root@localhost ~]# ll /usr/bin/vi
-rwsr-xr-x. 1 root root 1416744 Jul 23  2019 /usr/bin/vi

sgid
[root@localhost ~]# chmod g+s 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwsr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod g-s 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwxr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod 2755 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxr-sr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod g-x 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxr-Sr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod g+x 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxr-sr-x. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod 777 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwsrwx. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod o+t 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwsrwt. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod o-x 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwsrwT. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod o+x 456
[root@localhost ~]# ll
total 0
-rw-rw-r--. 1 root root 0 Oct 27 03:11 123
drwxrwsrwt. 2 root root 6 Oct 27 03:11 456
drwx---r-x. 2 tom  tom  6 Oct 27 00:51 abc
drw-r--r--. 2 root root 6 Oct 27 00:46 pyhptl
[root@localhost ~]# chmod o-t 123
[root@localhost ~]# ll
total 4
drwxr-xr-x. 2 root root    6 Oct 30 19:00 123
drwxr-xr-x. 2 root root    6 Oct 30 19:00 456
[root@localhost ~]# chmod 1777 123
[root@localhost ~]# ll
total 4
drwxrwxrwt. 2 root root    6 Oct 30 19:00 123
drwxr-xr-x. 2 root root    6 Oct 30 19:00 456
[root@localhost ~]# chmod 0777 123
[root@localhost ~]# ll
total 4
drwxrwxrwx. 2 root root    6 Oct 30 19:00 123
drwxr-xr-x. 2 root root    6 Oct 30 19:00 456

文件系统访问控制列表facl

利用文件扩展保存额外的访问控制权限

[root@localhost ~]# setfacl -m u:tom:rw 456
[root@localhost ~]# getfacl 456
# file: 456
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@localhost ~]# ll
total 4
drwxrwxrwx. 2 root root    6 Oct 30 19:00 123
drwxr-xr-x. 2 root root    6 Oct 30 19:00 456

[root@localhost ~]# setfacl -m g:lscs:6 456
[root@localhost ~]# getfacl 456
# file: 456
# owner: root
# group: root
user::rwx
group::r-x
group:lscs:rw-
mask::rwx
other::r-x
[root@localhost ~]# getfacl 123
# file: 123
# owner: root
# group: root
user::rwx
group::rwx
group:lscs:rw-
mask::rwx
other::rwx
[root@localhost ~]# setfacl -x u:pyhptl 456
[root@localhost ~]# getfacl 456
# file: 456
# owner: root
# group: root
user::rwx
group::r-x
group:lscs:rw-
mask::rwx
other::r-x
[root@localhost ~]# setfacl -b 456
[root@localhost ~]# getfacl 456
# file: 456
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
[lscs@localhost root]$ which useradd
/usr/sbin/useradd
[lscs@localhost root]$ /usr/sbin/useradd
[lscs@localhost root]$ /usr/sbin/useradd qn02
useradd: Permission denied.
useradd: cannot lock /etc/passwd; try again later.
[lscs@localhost root]$ sudo /usr/sbin/useradd qn02

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

lscs is not in the sudoers file. This incident will be reported
[lscs@localhost root]$id qn02
id:'qn02':no_such user

sudo

sudo的配置文件：/etc/sudoers
使用visudo命令进行sudo的配置，每一行就是一个sudo条目，条目格式如下：
who which_hosts=(runas) command
who：User_Alias表示运行命令者的身份
which_hosts：Host_Alias，通过哪些主机
runas：Runas_Alias，以哪个用户的身份
command：Cmnd_Alias，运行哪些命令