I. Special permissions for executables
1. Special permissions for executables:
-suid: the command runs with the permissions of the owner of the command, not of the user executing the command
-sgid: the command runs with the group affiliation of the group of the command
eg:
file:   user   group   other
        suid   sgid
II. Special permissions for directories
1. SGID is used to create a collaborative directory
-when a file is created in a directory with the SGID bit set, it belongs to the same group as the directory, rather than the creator's primary group
-#chmod g+s directory (sets the SGID bit on the directory, so new files take on the directory's group identity)
-#chmod u+s directory (sets the SUID bit on the directory, to switch to the user identity)
2. Sticky allows only the owner of a file to delete it
-normally a user with write permission to a directory can delete any file in that directory regardless of that file's permissions or ownership
-#chmod o+t directory (e.g. the /tmp/ directory)
eg:
[root@instructor ~]# ll -d /tmp
drwxrwxrwt. 18 root root 12288 Jan 2 19:51 /tmp
[root@instructor ~]#
dir:    user   group   other
                       sticky
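As an added example (not from these notes), a Python audit of the bits described above: it reports SUID, SGID and sticky on every entry of a tree and flags world-writable directories that lack the sticky bit. It builds its own constructed scratch tree (corp/tmp/shared) so it runs without root.

```python
import os
import shutil
import stat
import tempfile

# Special permission bits from sections I and II, as stat exposes them.
SPECIAL = {"suid": stat.S_ISUID, "sgid": stat.S_ISGID, "sticky": stat.S_ISVTX}

def special_bits(path):
    """Names of the special bits set on path (lstat, so symlinks are not followed)."""
    mode = os.lstat(path).st_mode
    return [name for name, bit in SPECIAL.items() if mode & bit]

def audit_tree(root):
    """Walk root and return (special, ww_no_sticky): entries carrying SUID/SGID/sticky,
    and world-writable directories without the sticky bit, where any writer can delete
    other users' files. Paths are relative to root."""
    special, ww_no_sticky = {}, []
    for dirpath, _dirnames, filenames in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            rel = os.path.relpath(entry, root)
            bits = special_bits(entry)
            if bits:
                special[rel] = bits
            mode = os.lstat(entry).st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                ww_no_sticky.append(rel)
    return special, sorted(ww_no_sticky)

def demo():
    """Constructed scratch tree mirroring the notes: corp with SGID (chmod g+s), tmp with the
    sticky bit (chmod o+t) and a world-writable 'shared' directory with neither."""
    root = tempfile.mkdtemp()
    try:
        for name, mode in (("corp", 0o2770), ("tmp", 0o1777), ("shared", 0o777)):
            os.mkdir(os.path.join(root, name))
            os.chmod(os.path.join(root, name), mode)
        open(os.path.join(root, "corp", "frodofile"), "w").close()  # like 'touch frodofile'
        return audit_tree(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    found, ww = demo()
    for path, bits in sorted(found.items()):
        print(f"{path}: {','.join(bits)}")
    print("world-writable without sticky:", ww)
```

Run audit_tree("/") as root to check a real system; a world-writable directory without the sticky bit is the condition the /tmp example above is designed to prevent.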
Experiment 1: create a new CORP directory and assign it to the IT group, which has three members: frodo, sam and pippin. All three users can create their own files, and the other group members can read and modify them.
[root@instructor ~]# mkdir /corp
[root@instructor ~]# chmod 770 /corp (permissions are rwxrwx---)
[root@instructor ~]# groupadd IT
[root@instructor ~]# chgrp IT /corp (assign /corp to the IT group)
[root@instructor ~]# ll -d /corp
drwxrwx---. 2 root IT 4096 Jan 2 21:37 /corp
[root@instructor ~]# chmod 777 /corp
[root@instructor ~]# ll -d /corp
drwxrwxrwx. 2 root IT 4096 Jan 2 21:37 /corp
[root@instructor ~]# vi /etc/group (edit /etc/group to add the users frodo, sam and pippin to the IT group)
IT:x:502:sam,pippin,frodo
"/etc/group" 72L, 1012C written
[root@instructor ~]# ll -d /corp
drwxrwxrwx. 2 root IT 4096 Jan 2 21:37 /corp
[root@instructor ~]# chmod 770 /corp
[root@instructor ~]# ll -d /corp
drwxrwx---. 2 root IT 4096 Jan 2 21:37 /corp
[root@instructor ~]# su - frodo
[frodo@instructor ~]$ id
uid=506(frodo) gid=507(frodo) groups=507(frodo),502(IT) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[frodo@instructor ~]$ cd /corp
[frodo@instructor corp]$ ll -d
drwxrwx---. 2 root IT 4096 Jan 2 21:37 .
[frodo@instructor corp]$ touch frodofile (create a file named frodofile)
[frodo@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo frodo 0 Jan 2 21:46 frodofile (file permissions are rw-rw-r--, 664)
[frodo@instructor corp]$ su -
Password:
[root@instructor ~]# su - sam
[sam@instructor ~]$ cd /corp
[sam@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo frodo 0 Jan 2 21:46 frodofile
[sam@instructor corp]$ touch samfile (create a file named samfile)
[sam@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo frodo 0 Jan 2 21:46 frodofile
-rw-rw-r--. 1 sam sam 0 Jan 2 21:47 samfile
[sam@instructor corp]$ su -
Password:
[root@instructor ~]# su - pippin
[pippin@instructor ~]$ cd /corp
[pippin@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo frodo 0 Jan 2 21:46 frodofile
-rw-rw-r--. 1 sam sam 0 Jan 2 21:47 samfile
[pippin@instructor corp]$ touch pippinfile (create a file named pippinfile)
[pippin@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo frodo 0 Jan 2 21:46 frodofile
-rw-rw-r--. 1 pippin pippin 0 Jan 2 21:48 pippinfile
-rw-rw-r--. 1 sam sam 0 Jan 2 21:47 samfile
[pippin@instructor corp]$ su - frodo
Password:
[frodo@instructor ~]$ ll
total 0
[frodo@instructor ~]$ ll -d /corp
drwxrwx---. 2 root IT 4096 Jan 2 21:48 /corp
[frodo@instructor ~]$ cd /corp
[frodo@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo frodo 0 Jan 2 21:46 frodofile (note the group here is frodo)
-rw-rw-r--. 1 pippin pippin 0 Jan 2 21:48 pippinfile (note the group here is pippin)
-rw-rw-r--. 1 sam sam 0 Jan 2 21:47 samfile (note the group here is sam)
[frodo@instructor corp]$ vim samfile
~
~
(frodo is neither the user sam nor a member of the group sam, only "others", and others have read permission only, so frodo cannot modify sam's file. We want each user's own files to belong to that user, but with the group uniformly set to IT; this clearly does not meet the requirement. Delete the files and start over.)
[frodo@instructor corp]$
[frodo@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo frodo 0 Jan 2 21:46 frodofile
-rw-rw-r--. 1 pippin pippin 0 Jan 2 21:48 pippinfile
-rw-rw-r--. 1 sam sam 0 Jan 2 21:47 samfile
[frodo@instructor corp]$ su -
Password:
[root@instructor ~]#
[root@instructor ~]# cd /corp
[root@instructor corp]# ll
total 0
-rw-rw-r--. 1 frodo frodo 0 Jan 2 21:46 frodofile
-rw-rw-r--. 1 pippin pippin 0 Jan 2 21:48 pippinfile
-rw-rw-r--. 1 sam sam 0 Jan 2 21:47 samfile
[root@instructor corp]# rm * -f
[root@instructor corp]# ll
total 0
[root@instructor corp]# cd ..
[root@instructor /]# ll -d /corp
drwxrwx---. 2 root IT 4096 Jan 2 21:57 /corp
[root@instructor /]# chmod g+s corp/ (note: this adds the SGID bit to the directory's group permissions)
[root@instructor /]# ll -d corp/
drwxrws---. 2 root IT 4096 Jan 2 21:57 corp/
[root@instructor /]# su - frodo
[frodo@instructor ~]$ cd /corp/
[frodo@instructor corp]$ ll
total 0
[frodo@instructor corp]$ touch frodofile
[frodo@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo IT 0 Jan 2 22:00 frodofile (note the file frodo created now belongs to the IT group)
[frodo@instructor corp]$ su - sam
Password:
[sam@instructor ~]$ cd /corp
[sam@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo IT 0 Jan 2 22:00 frodofile
[sam@instructor corp]$ touch samfile
[sam@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo IT 0 Jan 2 22:00 frodofile
-rw-rw-r--. 1 sam IT 0 Jan 2 22:01 samfile (note the file sam created now belongs to the IT group)
[sam@instructor corp]$ su - pippin
Password:
[pippin@instructor ~]$ cd /corp
[pippin@instructor corp]$ touch pippinfile
[pippin@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo IT 0 Jan 2 22:00 frodofile
-rw-rw-r--. 1 pippin IT 0 Jan 2 22:01 pippinfile (note the file pippin created now belongs to the IT group)
-rw-rw-r--. 1 sam IT 0 Jan 2 22:01 samfile
[pippin@instructor corp]$ su - frodo
Password:
[frodo@instructor ~]$ cd /corp
[frodo@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo IT 0 Jan 2 22:00 frodofile (all belong to the IT group)
-rw-rw-r--. 1 pippin IT 0 Jan 2 22:01 pippinfile (all belong to the IT group)
-rw-rw-r--. 1 sam IT 0 Jan 2 22:01 samfile (all belong to the IT group)
[frodo@instructor corp]$ vim samfile
~
~
[frodo@instructor corp]$
[frodo@instructor corp]$
[frodo@instructor corp]$ ll
total 0
-rw-rw-r--. 1 frodo IT 0 Jan 2 22:00 frodofile
-rw-rw-r--. 1 pippin IT 0 Jan 2 22:01 pippinfile
-rw-rw-r--. 1 sam IT 0 Jan 2 22:01 samfile
[frodo@instructor corp]$ vim samfile
edit by frodo
~
~
"samfile" 1L, 14C written (no longer read-only here)
[frodo@instructor corp]$ su - sam
Password:
[sam@instructor ~]$ cd /corp
[sam@instructor corp]$ ll
total 4
-rw-rw-r--. 1 frodo IT 0 Jan 2 22:00 frodofile
-rw-rw-r--. 1 pippin IT 0 Jan 2 22:01 pippinfile
-rw-rw-r--. 1 sam IT 14 Jan 2 22:06 samfile
[sam@instructor corp]$ cat samfile
edit by frodo
III. Access control lists (ACLs)
1. Grant or deny additional access to multiple users or groups
2. Implemented as a mount option (acl)
-embedded in the filesystem superblock at install time
Use chmod to set the coarse permissions, and ACLs for fine-tuning.
IV. Managing ACLs
1. Viewing:
-$getfacl filename
2. Modifying (adding or changing):
-$setfacl -m u:gandalf:rw filename (add permissions)
3. Removing (expunging):
-$setfacl -x u:gandalf filename (remove permissions)
Experiment 2: as root, create the file /file with permissions 640 and assign it to the IT group; frodo, sam and pippin remain IT members.
1. frodo can edit /file
2. pippin cannot view /file
users:   group:
frodo    IT
sam      IT
pippin   IT
/file:   owner root, group IT
         user rw-   group r--   other ---
(with these permissions group members cannot modify the file, only read it)
eg:
[root@instructor /]# touch /file
[root@instructor /]# chmod 640 /file
[root@instructor /]# ll /file
-rw-r-----. 1 root root 0 Jan 2 22:45 /file
[root@instructor /]# chgrp IT /file
[root@instructor /]# ll /file
-rw-r-----. 1 root IT 0 Jan 2 22:45 /file
[root@instructor /]# vi /file
secret
~
~
"/file" 2L, 8C written (root modified /file)
[root@instructor /]# su - frodo
[frodo@instructor ~]$ cat /file (frodo can view the file contents)
secret
[frodo@instructor ~]$ vim /file (frodo cannot modify the file contents)
secret
~
~
[frodo@instructor ~]$ cat /file
secret
[frodo@instructor ~]$ su -
Password:
[root@instructor ~]# setfacl -m u:frodo:rw- /file
[root@instructor ~]# su - frodo
[frodo@instructor ~]$ cd ..
[frodo@instructor home]$ cd ..
[frodo@instructor /]$ vim /file
secret
modified by frodo
~
~
"/file" 3L, 26C written (frodo appended a line to /file: modified by frodo)
[frodo@instructor /]$ su - sam
Password:
[sam@instructor ~]$ cat /file (sam can see that the file was modified by frodo)
secret
modified by frodo
[sam@instructor ~]$ vim /file (sam also wants to modify it, but it is read-only)
secret
modified by frodo
~
[sam@instructor ~]$
[sam@instructor ~]$
[sam@instructor ~]$ su - pippin
Password:
[pippin@instructor ~]$ cat /file
secret
modified by frodo
[pippin@instructor ~]$ su -
Password:
[root@instructor ~]# setfacl -m u:pippin:--- /file
[root@instructor ~]# su - pippin
[pippin@instructor ~]$ cat /file
cat: /file: Permission denied
[pippin@instructor ~]$ su -
Password:
[root@instructor ~]# ll
total 31796
-rw-------. 1 root root 965 Aug 24 16:11 anaconda-ks.cfg
drwxr-xr-x. 2 root root 4096 Aug 31 16:26 Desktop
drwxr-xr-x. 2 root root 4096 Aug 24 08:20 Documents
drwxr-xr-x. 2 root root 4096 Aug 24 08:20 Downloads
drwxr-xr-x. 127 root root 12288 Aug 30 11:09 etc
-rw-r--r--. 1 root root 15057753 Aug 30 11:53 etc.tar.bz2
-rw-r--r--. 1 root root 17429237 Aug 30 11:55 etc.tar.gz
drwxr-xr-x. 2 root root 4096 Aug 24 08:20 Music
drwxr-xr-x. 2 root root 4096 Aug 24 08:20 Pictures
-rw-r--r--. 1 root root 11955 Jul 7 2012 post-install
-rw-r--r--. 1 root root 550 Jul 7 2012 post-install.log
drwxr-xr-x. 2 root root 4096 Aug 24 08:20 Public
drwxr-xr-x. 2 root root 4096 Aug 24 08:20 Templates
drwxr-xr-x. 2 root root 4096 Aug 24 08:20 Videos
[root@instructor ~]# cd ..
[root@instructor /]# ll
total 118
dr-xr-xr-x. 2 root root 4096 Aug 27 11:33 bin
dr-xr-xr-x. 5 root root 1024 Aug 24 16:11 boot
drwxrws---. 2 root IT 4096 Jan 2 22:06 corp
drwxr-xr-x. 19 root root 3920 Jan 2 19:49 dev
drwxr-xr-x. 127 root root 12288 Jan 2 21:43 etc
-rw-rw----+ 1 root IT 26 Jan 2 22:58 file
drwxr-xr-x. 9 root root 4096 Jan 2 21:36 home
dr-xr-xr-x. 19 root root 12288 Sep 4 21:24 lib
drwx------. 2 root root 16384 Jul 7 2012 lost+found
drwxr-xr-x. 3 root root 4096 Jan 2 19:51 media
drwxr-xr-x. 2 root root 0 Jan 2 19:49 misc
drwxr-xr-x. 5 root root 4096 Aug 30 15:03 mnt
drwxr-xr-x. 2 root root 0 Jan 2 19:49 net
drwxr-xr-x. 3 root root 4096 Jul 7 2012 opt
dr-xr-xr-x. 198 root root 0 Jan 2 19:48 proc
dr-xr-x---. 30 root root 4096 Jan 2 19:50 root
dr-xr-xr-x. 2 root root 12288 Sep 2 10:15 sbin
drwxr-xr-x. 7 root root 0 Jan 2 19:48 selinux
drwx------. 2 tommy root 4096 Sep 4 22:22 smbshare
drwxr-xr-x. 2 root root 4096 Sep 23 2011 srv
drwxr-xr-x. 13 root root 0 Jan 2 19:48 sys
drwxrwxrwt. 19 root root 12288 Jan 2 22:56 tmp
drwxr-xr-x. 12 root root 4096 Jul 7 2012 usr
drwxr-xr-x. 23 root root 4096 Aug 28 21:22 var
[root@instructor /]# getfacl /file
getfacl: Removing leading '/' from absolute path names
# file: file
# owner: root
# group: IT
user::rw-
user:pippin:---
user:frodo:rw-
group::r--
mask::rw-
other::---
[root@instructor /]# setfacl -x u:pippin /file
[root@instructor /]# su - pippin
[pippin@instructor ~]$ cat /file
secret
modified by frodo
[pippin@instructor ~]$ su -
Password:
[root@instructor ~]# getfacl /file
getfacl: Removing leading '/' from absolute path names
# file: file
# owner: root
# group: IT
user::rw-
user:frodo:rw-
group::r--
mask::rw-
other::---
V. Permission precedence with ACLs
1. Compare the process UID to
-the UID of the file => user permissions apply
-an ACL UID of the file => the ACL's permissions apply
2. Otherwise, compare the list of process GIDs to
-the GID of the file => group permissions apply
-an ACL GID of the file => the ACL's permissions apply
-since there can be multiple matches at this level, it is additive within this level
3. If neither matches, other permissions apply
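As an added example (not from these notes), a Python model of the precedence rules in this section that also parses getfacl output, so experiment 2 can be checked on paper. The sample text is the getfacl /file output shown above, embedded as constructed input; the group sets passed in are assumed to mirror the id output from experiment 1.

```python
BIT = {"r": 4, "w": 2, "x": 1}   # rwx bit values, as in chmod

def perm_bits(s):
    return sum(BIT[c] for c in s if c in BIT)   # 'rw-' -> 6, '---' -> 0

def parse_getfacl(text):
    """Parse getfacl output into a dict; with no mask:: entry the mask is rwx (no limit)."""
    acl = {"owner": "", "group": "", "user::": 0, "group::": 0, "other::": 0,
           "users": {}, "groups": {}, "mask": 7}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:") or line.startswith("# group:"):
            acl[line[2:7]] = line.split(":", 1)[1].strip()
        elif not line.startswith("#") and line.count(":") == 2:
            kind, name, perm = line.split(":")
            if name:                      # named user:NAME: or group:NAME: entry
                acl[kind + "s"][name] = perm_bits(perm)
            elif kind == "mask":
                acl["mask"] = perm_bits(perm)
            else:                         # user::, group::, other::
                acl[kind + "::"] = perm_bits(perm)
    return acl

def effective_perms(acl, user, groups):
    """Section V: owner, else named user, else owning group plus matching named groups
    (additive), else other. mask:: caps every entry except user:: and other::."""
    if user == acl["owner"]:
        return acl["user::"]
    if user in acl["users"]:
        return acl["users"][user] & acl["mask"]
    perms, hit = 0, False
    for g, p in [(acl["group"], acl["group::"])] + list(acl["groups"].items()):
        if g in groups:
            perms, hit = perms | p, True
    return perms & acl["mask"] if hit else acl["other::"]

def can(acl, user, groups, want):
    need = perm_bits(want)   # want is 'r', 'w', 'x' or a combination such as 'rw'
    return effective_perms(acl, user, groups) & need == need

# Constructed sample: the getfacl /file output from the notes after the two setfacl -m calls.
GETFACL_FILE = """\
# owner: root
# group: IT
user::rw-
user:pippin:---
user:frodo:rw-
group::r--
mask::rw-
other::---
"""
```

With this ACL, can(acl, "frodo", {"frodo", "IT"}, "w") is True, sam gets read only through group::, and pippin is denied even though he is in IT, because his named user entry is matched before the group level is consulted.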