第六章 管理文件权限

1.Linux 实现文件权限

1)普通权限

2)特殊权限 理解

3)ACL访问控制列表

4)SELinux 文件上下文 fcontext

5)attr 权限

普通权限:r:读,w:写(对目录而言包括在其中创建、删除文件),x:执行;数字法表示:r=4,w=2,x=1

创建一个目录/project查看权限:

   [root@server0 /]# 
    [root@server0 /]# mkdir /project
    [root@server0 /]# ls -l /
    total 32
    drwxr-xr-x.   3 root root   20 Jun 15 14:48 backup
    lrwxrwxrwx.   1 root root    7 May  7  2014 bin -> usr/bin
    dr-xr-xr-x.   4 root root 4096 Jul 11  2014 boot
    drwxr-xr-x.  19 root root 3080 Jun 16 09:57 dev
    drwxr-xr-x. 134 root root 8192 Jun 16 12:02 etc
    drwxr-xr-x.   5 root root   44 Jun 16 12:02 home
    lrwxrwxrwx.   1 root root    7 May  7  2014 lib -> usr/lib
    lrwxrwxrwx.   1 root root    9 May  7  2014 lib64 -> usr/lib64
    drwxr-xr-x.   2 root root    6 Mar 13  2014 media
    drwxr-xr-x.   2 root root    6 Mar 13  2014 mnt
    drwxr-xr-x.   3 root root   15 Jul 11  2014 opt
    dr-xr-xr-x. 491 root root    0 Jun 16  2019 proc
    drwxr-xr-x.   2 root root    6 Jun 16 13:48 project

dr-xr-x---.  17 root root 4096 Jun 16 09:50 root
drwxr-xr-x.  36 root root 1180 Jun 16 09:52 run
lrwxrwxrwx.   1 root root    8 May  7  2014 sbin -> usr/sbin
drwxr-xr-x.   2 root root    6 Mar 13  2014 srv
dr-xr-xr-x.  13 root root    0 Jun 16  2019 sys
drwxrwxrwt.   9 root root 4096 Jun 16 13:41 tmp
drwxr-xr-x.  13 root root 4096 May  7  2014 usr
drwxr-xr-x.  23 root root 4096 Jun 16  2019 var
drwxr-xr-x.   2 root root    6 Jun 15 14:25 website
[root@server0 /]# 

d      rwx   r-x    r-x     .     2           root        root         6        Jun 16 13:48 project 
类型  owner  group  other 无acl  硬链接数   所有者 所属组(主组)  大小(字节)  修改时间    文件名

d:目录

l:链接

c:字符

b:块设备

-:普通文件

文件格式:

[root@server0 tmp]# file student-file2
student-file2: empty
[root@server0 tmp]# echo "hello" >> student-file2 
[root@server0 tmp]# file student-file2
student-file2: ASCII text
[root@server0 tmp]# file test.sh 
test.sh: Bourne-Again shell script, ASCII text executable
[root@server0 tmp]# 

[root@server0 tmp]# file /sbin/ifconfig
/sbin/ifconfig: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x64131021c4fd2c38cf37a9ed9a20bdc52e9bdf33, stripped
[root@server0 tmp]# 

修改文件权限:chmod

1)加减法:在原有权限的基础上增加或去掉某项权限。例:给 /project 的所属组加上 w 权限

[root@server0 /]# chmod g+w /project

[root@server0 /]# chmod g-w /project  

[root@server0 /]# chmod u-w /project  

[root@server0 /]# chmod u+w /project  

[root@server0 /]# chmod o+w /project  

2)数字法:将 /project 设为 rwxr-x---,即 750

[root@server0 /]# chmod 750 /project/
[root@server0 /]# ll / |grep project
drwxr-x---.   2 root root    6 Jun 16 13:48 project
[root@server0 /]# 

3)赋值法:直接指定各类用户的权限,将 /project 设为 rwxr-xr-x

[root@server0 /]# chmod u=rwx,g=rx,o=rx /project
[root@server0 /]# ll / |grep project
drwxr-xr-x.   2 root root    6 Jun 16 13:48 project
[root@server0 /]# 

修改文件所有者和所属组:chown(可同时修改所有者和所属组);chgrp 只修改所属组

[root@server0 /]# cat /etc/group |grep it
polkitd:x:998:
rtkit:x:172:
gnome-initial-setup:x:991:
it:x:2005:
[root@server0 /]# 


[root@server0 /]# chgrp it /project
[root@server0 /]# ll / |grep project
drwxr-xr-x.   2 root it      6 Jun 16 13:48 project
[root@server0 /]# 

将/project修改为 wangwu所有

[root@server0 /]# id wangwu
uid=2003(wangwu) gid=2003(wangwu) groups=2003(wangwu)
[root@server0 /]# chown wangwu /project/
[root@server0 /]# ll / |grep project
drwxr-xr-x.   2 wangwu it      6 Jun 16 13:48 project
[root@server0 /]# 

同时修改所有者和所属组:

[root@server0 /]# ll / |grep project
drwxr-xr-x.   2 wangwu it      6 Jun 16 13:48 project
[root@server0 /]# chown root:root /project
[root@server0 /]# ll / |grep project
drwxr-xr-x.   2 root root    6 Jun 16 13:48 project
[root@server0 /]#

a:所有(all,即 u、g、o 同时生效)

[root@server0 /]# chmod a-x /project
[root@server0 /]# ll / |grep project
drw-r--r--.   2 wangwu root   24 Jun 16 14:13 project
[root@server0 /]# 

目录必须有 r-x 权限才能进入;普通文件不应该有执行权限,脚本和命令文件除外。x 权限是建立在 r 读权限之上的。
[root@server0 /]# chmod a+x /project

创建文件或目录的默认权限由 umask(权限的反掩码)决定:文件的正掩码为 0666,目录的正掩码为 0777(首位 0 为特殊权限位)

root管理员: umask 0022

[root@server0 /]# umask
0022
[root@server0 /]#

默认权限由来(umask 实际是按位清除掩码中的位,对 0022、0002 这类常见值,结果与下面的算术减法相同):

文件正掩码为 0666 - umask = 0666 - 0022 = 0644

目录正掩码: 0777 - umask = 0777 - 0022 = 0755

普通用户: umask 0002

[student@server0 ~]$ id
uid=1000(student) gid=1000(student) groups=1000(student),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student@server0 ~]$ umask
0002
[student@server0 ~]$ 

文件正掩码为 0666 - umask = 0666 - 0002 = 0664

目录正掩码: 0777 - umask = 0777 - 0002 = 0775

[root@server0 tmp]# mkdir root-dir
[root@server0 tmp]# ll
total 8
drwxr-xr-x. 2 root    root     6 Jun 16 14:27 root-dir
[root@server0 tmp]# 

修改umask,改变用户创建文件的默认权限:

[root@server0 tmp]# umask 027  #临时有效,仅对当前 shell 会话生效
[root@server0 tmp]# mkdir root-dir2
[root@server0 tmp]# touch root-file2
[root@server0 tmp]# ll

total 8
drwxr-xr-x. 2 root    root     6 Jun 16 14:27 root-dir
drwxr-x---. 2 root    root     6 Jun 16 14:30 root-dir2

特殊权限:

1. setuid:用户 user,setuid:4

应用范围: 可执行的二进制程序 (命令)

作用:任何用户执行具有 setuid 权限的二进制程序时,进程都以该文件所有者的身份运行

[root@server0 Desktop]#
[root@server0 Desktop]# ll /usr/bin/passwd
-rwsr-xr-x. 1 root root 27832 Jan 30 2014 /usr/bin/passwd

对比:不具有 setuid 特殊权限的普通命令文件(权限位中没有 s):

[root@server0 Desktop]# ll /usr/bin/touch
-rwxr-xr-x. 1 root root 62432 Jan 25  2014 /usr/bin/touch
[root@server0 Desktop]# 

将系统中所有具有 setuid 权限的文件查找出来(审计时可用来核对是否出现了不应有的 setuid 文件;下面 /proc 下的 "No such file or directory" 报错是临时进程条目,可忽略):

[root@server0 tmp]# 
[root@server0 tmp]# find / -perm /4000 
find: ‘/proc/14856/task/14856/fd/6’: No such file or directory
find: ‘/proc/14856/task/14856/fdinfo/6’: No such file or directory
find: ‘/proc/14856/fd/6’: No such file or directory
find: ‘/proc/14856/fdinfo/6’: No such file or directory
/usr/bin/mount
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/fusermount
/usr/bin/Xorg
/usr/bin/staprun
/usr/bin/at
/usr/sbin/pam_timestamp_check
/usr/sbin/unix_chkpwd
/usr/sbin/userhelper
/usr/sbin/usernetctl
/usr/sbin/mount.nfs
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/lib64/dbus-1/dbus-daemon-launch-helper
/usr/libexec/qemu-bridge-helper
/usr/libexec/pulse/proximity-helper
/usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper
/usr/libexec/abrt-action-install-debuginfo-to-abrt-cache
[root@server0 tmp]# 

2. setgid:组 group,setgid:2

应用范围:目录的组权限位(g)

作用:实现目录所属组的继承,在该目录中新建的文件和子目录自动归属于目录的所属组

[root@server0 /]# chown root:it /project
[root@server0 /]# 
[root@server0 /]# 
[root@server0 /]# chmod g+w /project
[root@server0 /]# 
[root@server0 /]# 

[root@server0 /]# id wangwu
uid=2003(wangwu) gid=2003(wangwu) groups=2003(wangwu)
[root@server0 /]# id zhangsan
id: zhangsan: no such user
[root@server0 /]# useradd zhangsan


[root@server0 /]# usermod -aG it zhangsan
[root@server0 /]# usermod -aG it wangwu
[root@server0 /]# 

[root@server0 /]# chmod g+s /project
[root@server0 /]# ls -l
total 32
drwxr-xr-x.   3 root root   20 Jun 15 14:48 backup
lrwxrwxrwx.   1 root root    7 May  7  2014 bin -> usr/bin
dr-xr-xr-x.   4 root root 4096 Jul 11  2014 boot
drwxr-xr-x.  19 root root 3080 Jun 16 09:57 dev
drwxr-xr-x. 134 root root 8192 Jun 16 15:20 etc
drwxr-xr-x.   6 root root   59 Jun 16 15:19 home
lrwxrwxrwx.   1 root root    7 May  7  2014 lib -> usr/lib
lrwxrwxrwx.   1 root root    9 May  7  2014 lib64 -> usr/lib64
drwxr-xr-x.   2 root root    6 Mar 13  2014 media
drwxr-xr-x.   2 root root    6 Mar 13  2014 mnt
drwxr-xr-x.   3 root root   15 Jul 11  2014 opt
dr-xr-xr-x. 500 root root    0 Jun 16  2019 proc
drwxrwsr-x.   3 root it     64 Jun 16 15:23 project
dr-xr-x---.  17 root root 4096 Jun 16 14:32 root
drwxr-xr-x.  36 root root 1180 Jun 16 09:52 run
lrwxrwxrwx.   1 root root    8 May  7  2014 sbin -> usr/sbin
drwxr-xr-x.   2 root root    6 Mar 13  2014 srv
dr-xr-xr-x.  13 root root    0 Jun 16  2019 sys
drwxrwxrwt.  12 root root 4096 Jun 16 15:24 tmp
drwxr-xr-x.  13 root root 4096 May  7  2014 usr
drwxr-xr-x.  23 root root 4096 Jun 16  2019 var
drwxr-xr-x.   2 root root    6 Jun 15 14:25 website
[root@server0 /]# 
3. t 位(sticky bit):其他 other,t:1

应用范围:目录的 other 权限位(o)

作用:防止误删。设置了 t 位的目录中,文件或子目录只有其所有者才可以删除,即使其他用户对该目录有 w 权限也不行

[zhangsan@server0 project]$ touch zhangsan-file5
[zhangsan@server0 project]$ mkdir zhangsan-dir5

[zhangsan@server0 project]$ ls -l
total 0
-rw-rw-r--. 1 wangwu   wangwu   0 Jun 16 14:13 wangwu-file
drwxrwxr-x. 2 zhangsan zhangsan 6 Jun 16 15:23 zhangsan-dir
drwxrwsr-x. 2 zhangsan it       6 Jun 16 15:29 zhangsan-dir5
-rw-rw-r--. 1 zhangsan zhangsan 0 Jun 16 15:21 zhangsan-file1
-rw-rw-r--. 1 zhangsan it       0 Jun 16 15:29 zhangsan-file5
[zhangsan@server0 project]$ 


[root@server0 /]# chmod o+t /project
[root@server0 /]# ls -l / |grep project
drwxrwsr-t.   4 root it   4096 Jun 16 15:29 project
[root@server0 /]# 


[wangwu@server0 project]$ ls -l
total 0
-rw-rw-r--. 1 wangwu   wangwu   0 Jun 16 14:13 wangwu-file
drwxrwxr-x. 2 zhangsan zhangsan 6 Jun 16 15:23 zhangsan-dir
drwxrwsr-x. 2 zhangsan it       6 Jun 16 15:29 zhangsan-dir5
-rw-rw-r--. 1 zhangsan zhangsan 0 Jun 16 15:21 zhangsan-file1
-rw-rw-r--. 1 zhangsan it       0 Jun 16 15:29 zhangsan-file5
[wangwu@server0 project]$ rm -rf zhangsan-dir5
rm: cannot remove ‘zhangsan-dir5’: Operation not permitted
[wangwu@server0 project]$ rm -rf zhangsan-file5
rm: cannot remove ‘zhangsan-file5’: Operation not permitted
[wangwu@server0 project]$ 


[zhangsan@server0 ~]$ cd /project
[zhangsan@server0 project]$ ls -l
total 0
-rw-rw-r--. 1 wangwu   wangwu   0 Jun 16 14:13 wangwu-file
drwxrwxr-x. 2 zhangsan zhangsan 6 Jun 16 15:23 zhangsan-dir
drwxrwsr-x. 2 zhangsan it       6 Jun 16 15:29 zhangsan-dir5
-rw-rw-r--. 1 zhangsan zhangsan 0 Jun 16 15:21 zhangsan-file1
-rw-rw-r--. 1 zhangsan it       0 Jun 16 15:29 zhangsan-file5
[zhangsan@server0 project]$ rm -rf zhangsan-dir5
[zhangsan@server0 project]$ 