1.Linux 实现文件权限
1)普通权限
2)特殊权限 理解
3)ACL访问控制列表
4)SELinux 文件上下文fcontext
5 ) attr权限
普通权限: r: 读, w: 写(含删除), x: 执行;数字表示法: r=4, w=2, x=1
创建一个目录/project查看权限:
[root@server0 /]#
[root@server0 /]# mkdir /project
[root@server0 /]# ls -l /
total 32
drwxr-xr-x. 3 root root 20 Jun 15 14:48 backup
lrwxrwxrwx. 1 root root 7 May 7 2014 bin -> usr/bin
dr-xr-xr-x. 4 root root 4096 Jul 11 2014 boot
drwxr-xr-x. 19 root root 3080 Jun 16 09:57 dev
drwxr-xr-x. 134 root root 8192 Jun 16 12:02 etc
drwxr-xr-x. 5 root root 44 Jun 16 12:02 home
lrwxrwxrwx. 1 root root 7 May 7 2014 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 May 7 2014 lib64 -> usr/lib64
drwxr-xr-x. 2 root root 6 Mar 13 2014 media
drwxr-xr-x. 2 root root 6 Mar 13 2014 mnt
drwxr-xr-x. 3 root root 15 Jul 11 2014 opt
dr-xr-xr-x. 491 root root 0 Jun 16 2019 proc
drwxr-xr-x. 2 root root 6 Jun 16 13:48 project
dr-xr-x---. 17 root root 4096 Jun 16 09:50 root
drwxr-xr-x. 36 root root 1180 Jun 16 09:52 run
lrwxrwxrwx. 1 root root 8 May 7 2014 sbin -> usr/sbin
drwxr-xr-x. 2 root root 6 Mar 13 2014 srv
dr-xr-xr-x. 13 root root 0 Jun 16 2019 sys
drwxrwxrwt. 9 root root 4096 Jun 16 13:41 tmp
drwxr-xr-x. 13 root root 4096 May 7 2014 usr
drwxr-xr-x. 23 root root 4096 Jun 16 2019 var
drwxr-xr-x. 2 root root 6 Jun 15 14:25 website
[root@server0 /]#
d rwx r-x r-x . 2 root root 6 Jun 16 13:48 project
类型 owner group other 无acl(. 表示有SELinux上下文且无ACL,有ACL时显示 +) 硬链接数 所有者 所属组(主组) 大小(字节) 修改时间 文件名
d:目录
l:链接
c:字符
b:块设备
-:普通文件
文件格式:
[root@server0 tmp]# file student-file2
student-file2: empty
[root@server0 tmp]# echo "hello" >> student-file2
[root@server0 tmp]# file student-file2
student-file2: ASCII text
[root@server0 tmp]# file test.sh
test.sh: Bourne-Again shell script, ASCII text executable
[root@server0 tmp]#
[root@server0 tmp]# file /sbin/ifconfig
/sbin/ifconfig: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x64131021c4fd2c38cf37a9ed9a20bdc52e9bdf33, stripped
[root@server0 tmp]#
修改文件权限:chmod
1 ) 加减法:在原有权限基础之上加上或减掉权限。例如将/project所属组的权限加上w:
[root@server0 /]# chmod g+w /project
[root@server0 /]# chmod g-w /project
[root@server0 /]# chmod u-w /project
[root@server0 /]# chmod u+w /project
[root@server0 /]# chmod o+w /project
2 ) 数字法: 将/project 设为 rwxr-x--- ,即 750
[root@server0 /]# chmod 750 /project/
[root@server0 /]# ll / |grep project
drwxr-x---. 2 root root 6 Jun 16 13:48 project
[root@server0 /]#
3 ) 赋值法: 将/project 设为 rwxr-xr-x
[root@server0 /]# chmod u=rwx,g=rx,o=rx /project
[root@server0 /]# ll / |grep project
drwxr-xr-x. 2 root root 6 Jun 16 13:48 project
[root@server0 /]#
修改文件所有者和所属组: chown(修改所有者,也可用 所有者:所属组 的形式同时修改两者),chgrp(只修改所属组)
[root@server0 /]# cat /etc/group |grep it
polkitd:x:998:
rtkit:x:172:
gnome-initial-setup:x:991:
it:x:2005:
[root@server0 /]#
[root@server0 /]# chgrp it /project
[root@server0 /]# ll / |grep project
drwxr-xr-x. 2 root it 6 Jun 16 13:48 project
[root@server0 /]#
将/project修改为 wangwu所有
[root@server0 /]# id wangwu
uid=2003(wangwu) gid=2003(wangwu) groups=2003(wangwu)
[root@server0 /]# chown wangwu /project/
[root@server0 /]# ll / |grep project
drwxr-xr-x. 2 wangwu it 6 Jun 16 13:48 project
[root@server0 /]#
同时修改所有者和所属组:
[root@server0 /]# ll / |grep project
drwxr-xr-x. 2 wangwu it 6 Jun 16 13:48 project
[root@server0 /]# chown root:root /project
[root@server0 /]# ll / |grep project
drwxr-xr-x. 2 root root 6 Jun 16 13:48 project
[root@server0 /]#
a:所有
[root@server0 /]# chmod a-x /project
[root@server0 /]# ll / |grep project
drw-r--r--. 2 wangwu root 24 Jun 16 14:13 project
[root@server0 /]#
目录一定要有 r-x 权限才能进入;普通文件一定不要有执行权限,脚本和命令文件除外。x 权限建立在 r 读权限之上。
[root@server0 /]# chmod a+x /project
创建文件或目录的默认权限由 umask(权限反掩码)决定:文件的基准权限(正掩码)为 0666,目录的基准权限为 0777(最高位的 0 为特殊权限位)
root管理员: umask 0022
[root@server0 /]# umask
0022
[root@server0 /]#
默认权限由来:
文件正掩码为 0666 - umask = 0666 - 0022 = 0644
目录正掩码: 0777 - umask = 0777 - 0022 = 0755
注意:umask 实际是按位清除(0666 & ~umask),并非算术减法;umask 为 0022 时两种算法结果相同,但例如 umask 027 时文件权限为 0666 & ~027 = 0640,直接相减会得到错误的 0637。
普通用户: umask 0002
[student@server0 ~]$ id
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student@server0 ~]$ umask
0002
[student@server0 ~]$
文件正掩码为 0666 - umask = 0666 - 0002 = 0664
目录正掩码: 0777 - umask = 0777 - 0002 = 0775
[root@server0 tmp]# mkdir root-dir
[root@server0 tmp]# ll
total 8
drwxr-xr-x. 2 root root 6 Jun 16 14:27 root-dir
[root@server0 tmp]#
修改umask,改变用户创建文件的默认权限:
[root@server0 tmp]# umask 027 #临时有效
[root@server0 tmp]# mkdir root-dir2
[root@server0 tmp]# touch root-file2
[root@server0 tmp]# ll
total 8
drwxr-xr-x. 2 root root 6 Jun 16 14:27 root-dir
drwxr-x---. 2 root root 6 Jun 16 14:30 root-dir2
特殊权限:
- setuid: 用户user setuid : 4
应用范围: 可执行的二进制程序 (命令)
作用:具有setuid权限的二进制程序,任何用户执行此文件时,进程最终以文件所有者的身份运行
[root@server0 Desktop]#
[root@server0 Desktop]# ll /usr/bin/passwd
-rwsr-xr-x. 1 root root 27832 Jan 30 2014 /usr/bin/passwd
上面 passwd 权限位中的 s 即 setuid 特殊权限;对比一个没有 setuid 的普通命令文件:
[root@server0 Desktop]# ll /usr/bin/touch
-rwxr-xr-x. 1 root root 62432 Jan 25 2014 /usr/bin/touch
[root@server0 Desktop]#
将系统中所有具有setuid权限的文件查找出来(-perm /4000 匹配设置了 setuid 位的文件;下面 /proc 下的报错是进程临时文件已消失,可忽略)。定期与这份清单对比,可以发现系统中新增的 setuid 文件:
[root@server0 tmp]#
[root@server0 tmp]# find / -perm /4000
find: ‘/proc/14856/task/14856/fd/6’: No such file or directory
find: ‘/proc/14856/task/14856/fdinfo/6’: No such file or directory
find: ‘/proc/14856/fd/6’: No such file or directory
find: ‘/proc/14856/fdinfo/6’: No such file or directory
/usr/bin/mount
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/Xorg
/usr/bin/staprun
/usr/bin/at
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/userhelper
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib64/dbus-1/dbus-daemon-launch-helper
/usr/libexec/qemu-bridge-helper
/usr/libexec/pulse/proximity-helper
/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
[root@server0 tmp]#
2 ) setgid: 组group setgid: 2
应用范围: 目录的组
作用: 实现目录所属组的继承,即在该目录下新建的文件和子目录自动属于目录的所属组,而不是创建者的主组
[root@server0 /]# chown root:it /project
[root@server0 /]#
[root@server0 /]#
[root@server0 /]# chmod g+w /project
[root@server0 /]#
[root@server0 /]#
[root@server0 /]# id wangwu
uid=2003(wangwu) gid=2003(wangwu) groups=2003(wangwu)
[root@server0 /]# id zhangsan
id: zhangsan: no such user
[root@server0 /]# useradd zhangsan
[root@server0 /]# usermod -aG it zhangsan
[root@server0 /]# usermod -aG it wangwu
[root@server0 /]#
[root@server0 /]# chmod g+s /project
[root@server0 /]# ls -l
total 32
drwxr-xr-x. 3 root root 20 Jun 15 14:48 backup
lrwxrwxrwx. 1 root root 7 May 7 2014 bin -> usr/bin
dr-xr-xr-x. 4 root root 4096 Jul 11 2014 boot
drwxr-xr-x. 19 root root 3080 Jun 16 09:57 dev
drwxr-xr-x. 134 root root 8192 Jun 16 15:20 etc
drwxr-xr-x. 6 root root 59 Jun 16 15:19 home
lrwxrwxrwx. 1 root root 7 May 7 2014 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 May 7 2014 lib64 -> usr/lib64
drwxr-xr-x. 2 root root 6 Mar 13 2014 media
drwxr-xr-x. 2 root root 6 Mar 13 2014 mnt
drwxr-xr-x. 3 root root 15 Jul 11 2014 opt
dr-xr-xr-x. 500 root root 0 Jun 16 2019 proc
drwxrwsr-x. 3 root it 64 Jun 16 15:23 project
dr-xr-x---. 17 root root 4096 Jun 16 14:32 root
drwxr-xr-x. 36 root root 1180 Jun 16 09:52 run
lrwxrwxrwx. 1 root root 8 May 7 2014 sbin -> usr/sbin
drwxr-xr-x. 2 root root 6 Mar 13 2014 srv
dr-xr-xr-x. 13 root root 0 Jun 16 2019 sys
drwxrwxrwt. 12 root root 4096 Jun 16 15:24 tmp
drwxr-xr-x. 13 root root 4096 May 7 2014 usr
drwxr-xr-x. 23 root root 4096 Jun 16 2019 var
drwxr-xr-x. 2 root root 6 Jun 15 14:25 website
[root@server0 /]#
- t位 : 其他other t: 1
应用范围: 目录的other权限位
作用: 防止误删。设置了 t 位的目录中,文件或子目录只有其所有者才可以删除
[zhangsan@server0 project]$ touch zhangsan-file5
[zhangsan@server0 project]$ mkdir zhangsan-dir5
[zhangsan@server0 project]$ ls -l
total 0
-rw-rw-r--. 1 wangwu wangwu 0 Jun 16 14:13 wangwu-file
drwxrwxr-x. 2 zhangsan zhangsan 6 Jun 16 15:23 zhangsan-dir
drwxrwsr-x. 2 zhangsan it 6 Jun 16 15:29 zhangsan-dir5
-rw-rw-r--. 1 zhangsan zhangsan 0 Jun 16 15:21 zhangsan-file1
-rw-rw-r--. 1 zhangsan it 0 Jun 16 15:29 zhangsan-file5
[zhangsan@server0 project]$
[root@server0 /]# chmod o+t /project
[root@server0 /]# ls -l / |grep project
drwxrwsr-t. 4 root it 4096 Jun 16 15:29 project
[root@server0 /]#
[wangwu@server0 project]$ ls -l
total 0
-rw-rw-r--. 1 wangwu wangwu 0 Jun 16 14:13 wangwu-file
drwxrwxr-x. 2 zhangsan zhangsan 6 Jun 16 15:23 zhangsan-dir
drwxrwsr-x. 2 zhangsan it 6 Jun 16 15:29 zhangsan-dir5
-rw-rw-r--. 1 zhangsan zhangsan 0 Jun 16 15:21 zhangsan-file1
-rw-rw-r--. 1 zhangsan it 0 Jun 16 15:29 zhangsan-file5
[wangwu@server0 project]$ rm -rf zhangsan-dir5
rm: cannot remove ‘zhangsan-dir5’: Operation not permitted
[wangwu@server0 project]$ rm -rf zhangsan-file5
rm: cannot remove ‘zhangsan-file5’: Operation not permitted
[wangwu@server0 project]$
[zhangsan@server0 ~]$ cd /project
[zhangsan@server0 project]$ ls -l
total 0
-rw-rw-r--. 1 wangwu wangwu 0 Jun 16 14:13 wangwu-file
drwxrwxr-x. 2 zhangsan zhangsan 6 Jun 16 15:23 zhangsan-dir
drwxrwsr-x. 2 zhangsan it 6 Jun 16 15:29 zhangsan-dir5
-rw-rw-r--. 1 zhangsan zhangsan 0 Jun 16 15:21 zhangsan-file1
-rw-rw-r--. 1 zhangsan it 0 Jun 16 15:29 zhangsan-file5
[zhangsan@server0 project]$ rm -rf zhangsan-dir5
[zhangsan@server0 project]$