2021-01-18 User and File Management (Permissions)

  • User identity management

    • UID (User Identification)
    1. The UID of the administrator (root) is 0.
    2. System users have UIDs in the range 1~999. For security, Linux by default gives each service its own system user, which limits the damage an attacker can do if a single service is compromised.
    3. Ordinary users have UIDs starting from 1000 and must be created by the administrator.
    • UIDs must be unique. Linux also has GIDs (Group Identification), which let similar users be grouped together for easier management.

    When a new user is created, a basic group with the same name as the user is created automatically; this basic group contains only that one user. If the user is later added to other groups, those are called "extended groups", and they make shared work and services easier to manage.
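To make the UID ranges above concrete, here is an added example (not part of the original notes) that audits a constructed /etc/passwd-style sample with awk: it reports any account other than root that has UID 0, system accounts (UID 1~999) that still have an interactive shell, and the number of ordinary accounts. The sample lines and the account names extra0 and svcacct are constructed for illustration; on a real host the same functions would read /etc/passwd instead.

```shell
#!/bin/sh
# Constructed /etc/passwd-style sample (not taken from a real machine).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
linuxprobe:x:1000:1000::/home/linuxprobe:/bin/bash
extra0:x:0:0::/tmp:/bin/bash
svcacct:x:998:998::/var/lib/svc:/bin/bash'

# Accounts with UID 0 whose name is not root: a second UID-0 account means a
# second administrator, which is worth alerting on during a review.
extra_uid0() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# System accounts (UID 1..999) that still have an interactive shell.
# Service users are expected to use /sbin/nologin or /bin/false.
sys_users_with_shell() {
  printf '%s\n' "$SAMPLE_PASSWD" \
    | awk -F: '$3 >= 1 && $3 <= 999 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Number of ordinary accounts (UID >= 1000), i.e. those an administrator created.
count_ordinary_users() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 >= 1000 { n++ } END { print n + 0 }'
}

# Stand-alone run: print the three findings.
extra_uid0
sys_users_with_shell
count_ordinary_users
```

To run this against a live system, replace `printf '%s\n' "$SAMPLE_PASSWD"` with `cat /etc/passwd`; the awk filters are unchanged.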

    • id
      Print real and effective user and group IDs
    [root@linuxprobe userAndFilePermission]# id linuxprobe
    uid=1000(linuxprobe) gid=1000(linuxprobe) groups=1000(linuxprobe)
    
    • useradd
      create a new user or update the default new-user information
      The default home directory is created under /home and the default shell interpreter is /bin/bash

    -d home directory (default /home/username)
    -e account expiration date, YYYY-MM-DD
    -u specify the UID
    -g initial group (basic group)
    -G extended groups
    -N don't create a group with the same name as the user
    -s login shell interpreter

    [root@linuxprobe userAndFilePermission]# useradd test
    [root@linuxprobe userAndFilePermission]# id test
    uid=1005(test) gid=1005(test) groups=1005(test)
    
    # useradd with customized options
    [root@linuxprobe userAndFilePermission]# useradd -d /home/linuxtest -u 8889 -s /sbin/noloing linuxtest
    [root@linuxprobe userAndFilePermission]# id linuxtest
    uid=8889(linuxtest) gid=8889(linuxtest) groups=8889(linuxtest)
    
    [root@linuxprobe userAndFilePermission]# su linuxdown
    su: failed to execute /sbin/noloing: No such file or directory
    # the shell path above was mistyped (/sbin/noloing instead of /sbin/nologin), so su fails with
    # "No such file or directory" rather than the usual nologin message; with the correct path the
    # account is simply refused an interactive login
    
    • groupadd
      create a new group

    Adding users to a group is convenient because permissions granted to the group apply automatically to every user in it

    [root@linuxprobe userAndFilePermission]# groupadd xuan
    
    • usermod (user modify)
      modify a user account

    -c comment for the user
    -d with -m: set a new home directory and move the existing contents into it
    -e set the expiration date, YYYY-MM-DD
    -g change the basic group
    -G change the extended groups
    -L lock the account (disable login)
    -U unlock the account (enable login)
    -s change the login shell, e.g. /sbin/nologin
    -u change the UID

    [root@linuxprobe cool]# usermod -G root linxprobe
    [root@linuxprobe cool]# usermod -u 10000 linxprobe
    [root@linuxprobe cool]# id linxprobe
    uid=10000(linxprobe) gid=8889(linxprobe) groups=8889(linxprobe),0(root)
    [root@linuxprobe cool]# usermod -s /sbin/nologin linxprobe
    [root@linuxprobe cool]# su - linxprobe
    This account is currently not available.
    # once the login shell has been changed to /sbin/nologin, this user can no longer log in to a terminal, but services running under the account still work
    
    • passwd (password)
      passwd is used to change a user's password.
      An ordinary user can use passwd to change their own password; root can change any user's password

    -l lock the password (disable login)
    -u unlock the password (enable login)
    --stdin read the new password from standard input, e.g. echo "NewPassWord" | passwd --stdin Username
    -d delete the password, allowing login with an empty password
    -e expire the password, forcing the user to change it at the next login
    -S show the password status: whether it is locked, the last change date, and the hashing algorithm

    # root user
    [root@linuxprobe cool]# passwd
    Changing password for user root.
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.  
    
    [root@linuxprobe cool]# passwd -S linxprobe
    linxprobe LK 2021-01-20 0 99999 7 -1 (Password locked.)
    
    # ordinary user
    [linuxprobe@linuxprobe cool]$ passwd
    Changing password for user linuxprobe.
    Current password: 
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.
    
    # lock and unlock user
    [root@linuxprobe ~]# passwd -l linuxprobe
    Locking password for user linuxprobe.
    passwd: Success
    [root@linuxprobe ~]# passwd -u linuxprobe
    Unlocking password for user linuxprobe.
    passwd: Success
    
    • userdel (user delete)
      delete an existing user. userdel removes the account but keeps the home directory; add the -r parameter to remove it as well

    -f force deletion of the user
    -r delete the user completely, removing the home directory together with the account

    Normally it is recommended to keep the home directory, since its data may be valuable later

    [root@linuxprobe ~]# userdel linxprobe
    [root@linuxprobe ~]# id linxprobe
    id: ‘linxprobe’: no such user
    
    [root@linuxprobe ~]# cd /home
    [root@linuxprobe home]# tree
    .
    ├── cool
    ├── linuxcool
    ├── linuxprobe
    │   ├── Desktop
    │   ├── Documents
    │   ├── Downloads
    │   ├── Music
    │   ├── Pictures
    │   ├── Public
    │   ├── Templates
    │   ├── test
    │   ├── the job from file rather than standard input.
    │   └── Videos
    └── linxprobe
    13 directories, 1 file
    [root@linuxprobe home]# rm -fR linxprobe/
    
  • File Permission and Ownership

    1. Every file in Linux belongs to a particular user and group, and its permissions are read, write and execute.
    2. r, w and x are easy to understand for ordinary files, but directories interpret them differently: for a file they mean reading the contents, modifying the contents and running it as a program; for a directory they mean listing its entries, creating or deleting entries inside it, and entering it (cd) or accessing its entries. Files and directories therefore follow similar but distinct rules in Linux permission management.

    [image: comparison of file and directory operations, not included]

    The following listing shows the different permissions, their text and numeric representations, and the ownership

    [root@linuxprobe ~]# ls -la
    total 36
    dr-xr-x---.  5 root root  221 Jan 20 21:16 .
    dr-xr-xr-x. 17 root root  224 Jan  6 22:13 ..
    -rw-------.  1 root root 1403 Jan  6 22:20 anaconda-ks.cfg
    -rw-------.  1 root root  281 Jan 19 01:28 .bash_history
    -rw-r--r--.  1 root root   18 Aug 13  2018 .bash_logout
    -rw-r--r--.  1 root root  176 Aug 13  2018 .bash_profile
    -rw-r--r--.  1 root root  176 Aug 13  2018 .bashrc
    

    Each group of three characters represents the read, write and execute permissions for the owner, the group and others respectively; the same permissions can be written in text form (rwx) or numeric form (r=4, w=2, x=1), and the listing also shows the owner and group of each file

    [images: permission bit layout with its text and numeric representation, not included]

    Frequently used file types:
    • Ordinary file (-)
    • Directory (d)
    • Link file (l)
    • Pipe (p)
    • Block device (b)
    • Character device (c)
  • Special Permissions

    • SUID
      SUID is a special permission for binary executables: whoever runs the binary temporarily gets the permissions of its owner (it only works for binary executables). e.g. the passwd command lets a user change their own password even though passwords are stored in /etc/shadow, whose default permission is 000, so only root can modify it. This is possible because passwd carries the SUID permission
      [root@linuxprobe ~]# ls -l /bin/passwd
      -rwsr-xr-x. 1 root root 34512 Aug 12  2018 /bin/passwd
      
      Warning!!! SUID is powerful and dangerous; it must never be set on tools such as vim, cat, rm, etc.
    • SGID
      • For a file: the user who executes it temporarily acts with the permissions of the group the file belongs to, rather than with their own group
      [root@linuxprobe sgid]# chmod 440 onlyroot.txt 
      [root@linuxprobe sgid]# ls -l onlyroot.txt 
      -r--r-----. 1 root root 14 Jan 20 15:53 onlyroot.txt
      [root@linuxprobe sgid]# chmod g+s onlyroot.txt 
      [root@linuxprobe sgid]# ls -l onlyroot.txt 
      -r--r-S---. 1 root root 14 Jan 20 15:53 onlyroot.txt
      
      When a user accesses onlyroot.txt they act with the permissions of the file's group, which here is root
      • For a directory: newly created files are placed in the same group as the directory. e.g. if a directory with SGID permission is shared by everyone in a department, every file created inside it by any member belongs to the directory's group that we set up, rather than to the creator's basic group.
      # create a test directory for sgid owned by root (user and group)
      [root@linuxprobe sgid]# chmod -R 777 sgidDir/
      [root@linuxprobe sgid]# chmod -R g+s sgidDir/
      [root@linuxprobe sgid]# ls -ald sgidDir/
      drwxrwsrwx. 3 root root 18 Jan 20 16:06 sgidDir/
      
      # switch to an ordinary user and create a new file within the same directory as above, 
      # check the group name of this newly generated text file
      [test@linuxprobe test]$ echo "test" > test.txt
      [test@linuxprobe test]$ ls -al test.txt 
      -rw-rw-r--. 1 test root 5 Jan 20 16:24 test.txt
      
      # in another directory (without SGID) the group of a new file is the ordinary user's own group, 
      # i.e. the basic group
      [test@linuxprobe userAndFilePermission]$ ls -la test.txt 
      -rw-rw-r--. 1 test test 5 Jan 20 16:31 test.txt
      
    • SBIT
      SBIT, also known as the sticky bit, has a special function: a file in a directory with SBIT set can only be deleted by its creator (owner), not by other users.
      # the "x" in the others field becomes "t", i.e. the sticky bit 
      # in other words, only a file's owner (or the directory owner, root) can delete files within /tmp
      [root@linuxprobe ~]# ls -lad /tmp
      drwxrwxrwt. 23 root root 4096 Jan 20 16:37 /tmp
      
      So the critical point is whether the user has permission to create and delete entries within the particular directory, rather than the permissions on the file itself
      # create a new file in /tmp, which already has the SBIT permission configured
      [root@linuxprobe ~]# cd /tmp
      [root@linuxprobe tmp]# echo "test for sbit" > sbit_test.txt
      [root@linuxprobe tmp]# ls -al sbit_test.txt 
      -rw-r--r--. 1 root root 14 Jan 20 16:45 sbit_test.txt
      [root@linuxprobe tmp]# chmod +777 sbit_test.txt 
      [root@linuxprobe tmp]# ls -al sbit_test.txt 
      -rwxrwxrwx. 1 root root 14 Jan 20 16:45 sbit_test.txt
      
      # switch to the ordinary user
      [root@linuxprobe tmp]# su test
      # trying to delete the file ends with an error about lacking permission
      [test@linuxprobe tmp]$ rm -f sbit_test.txt 
      rm: cannot remove 'sbit_test.txt': Operation not permitted
      
    • chmod, chown
      • chmod change the mode bits, i.e. the permission bits of a file or directory
      • chown change the owner or group of a file or directory
      [root@linuxprobe sgid]# echo "test for chmod and chown" >> chmod_chown.txt
      [root@linuxprobe sgid]# dir
      chmod_chown.txt  onlyroot.txt  sgidDir
      [root@linuxprobe sgid]# ls -l chmod_chown.txt 
      -rw-r--r--. 1 root root 25 Jan 20 16:53 chmod_chown.txt
      [root@linuxprobe sgid]# chmod +440 chmod_chown.txt 
      [root@linuxprobe sgid]# chown linuxprobe:test chmod_chown.txt 
      [root@linuxprobe sgid]# ls -la chmod_chown.txt 
      -rw-r--r--. 1 linuxprobe test 25 Jan 20 16:53 chmod_chown.txt
      

      Symbolic forms of the special bits:
      u+s +SUID
      u-s -SUID
      g+s +SGID
      g-s -SGID
      o+t +SBIT
      o-t -SBIT

    Conclusion

    SUID lets an ordinary user execute a program temporarily as the program's owner
    SGID lets an ordinary user act with the permissions of the group the file belongs to; for a directory, files created inside it belong to the directory's group
    SBIT prevents other users from deleting a file even when they have full r,w,x permission on it
    If the underlying execute bit is "-", the special permission is shown in upper case (S/T); otherwise in lower case (s/t)
    Special and ordinary permissions can be combined: SUID, SGID and SBIT are also represented by the digits 4, 2 and 1, and together they occupy the first digit of the four-digit mode, i.e.

    [root@linuxprobe full_permission]# chmod +7777 fullP.txt 
    [root@linuxprobe full_permission]# ls -la fullP.txt 
    -rwsrwsrwt. 1 root root 12 Jan 20 17:15 fullP.txt
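As an added example (not from the original notes), the shell function below converts the 10-character mode column of `ls -l` into the four-digit octal form, applying the upper/lower case rule from the conclusion, and a second function uses it to list the entries of a constructed `ls -l` listing that carry SUID or SGID, which is the inventory the SUID warning above calls for. The listing lines are constructed: the path /usr/local/bin/oddtool and the sizes are illustrative, not from a real host.

```shell
#!/bin/sh
# Translate an ls -l mode string such as -rwsr-xr-x into the four-digit
# octal value chmod uses (4755), including the special bits.
mode_to_octal() {
  perms=$(printf '%s' "$1" | cut -c2-10)   # drop the file-type character
  special=0
  octal=""
  i=0
  for triplet in "$(printf '%s' "$perms" | cut -c1-3)" \
                 "$(printf '%s' "$perms" | cut -c4-6)" \
                 "$(printf '%s' "$perms" | cut -c7-9)"; do
    r=$(printf '%s' "$triplet" | cut -c1)
    w=$(printf '%s' "$triplet" | cut -c2)
    x=$(printf '%s' "$triplet" | cut -c3)
    v=0
    [ "$r" = "r" ] && v=$((v + 4))
    [ "$w" = "w" ] && v=$((v + 2))
    # lower-case s/t: execute bit set together with the special bit;
    # upper-case S/T: special bit present but no execute bit
    case "$x" in
      x|s|t) v=$((v + 1)) ;;
    esac
    case "$i$x" in
      0s|0S) special=$((special + 4)) ;;   # SUID lives in the owner triplet
      1s|1S) special=$((special + 2)) ;;   # SGID lives in the group triplet
      2t|2T) special=$((special + 1)) ;;   # SBIT lives in the others triplet
    esac
    octal="$octal$v"
    i=$((i + 1))
  done
  printf '%s%s\n' "$special" "$octal"
}

# Constructed ls -l style lines (illustrative paths, not a real listing).
SAMPLE_LS='-rwsr-xr-x. 1 root root 34512 Aug 12  2018 /bin/passwd
-rwxr-xr-x. 1 root root 12345 Aug 12  2018 /bin/cat
-rwsr-xr-x. 1 root root 11111 Aug 12  2018 /usr/local/bin/oddtool
drwxrwsrwx. 3 root root    18 Jan 20 16:06 sgidDir
drwxrwxrwt. 23 root root 4096 Jan 20 16:37 /tmp'

# Print the entries whose SUID or SGID bit is set: first octal digit 2..7,
# which leaves out plain files (0) and sticky-only directories (1).
list_setid_entries() {
  printf '%s\n' "$SAMPLE_LS" | while read -r mode rest; do
    oct=$(mode_to_octal "$mode")
    case "$oct" in
      [2-7]*) printf '%s\n' "${rest##* }" ;;
    esac
  done
}

# Stand-alone run: show the conversion and the set-id inventory.
mode_to_octal '-rwsrwsrwt.'
list_setid_entries
```

On a live host the same loop can be fed with `ls -l` output of the directories under review; a set-id entry that is not a well-known binary like passwd is the one to investigate.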
    
  • Hidden attribute

    • chattr change file attributes on a Linux file system
      Usage: chattr [-pRVf] [-+=aAcCdDeijPsStTu] [-v version] files...

      i immutable: the file cannot be modified; for a directory, entries cannot be created or deleted
      a append only: data can be added but not removed, and the file cannot be deleted
      S synchronous updates: changes are written to disk immediately
      s secure deletion: when the file is deleted its blocks are filled with zeros, so recovery is not possible
      A don't update the atime (access time) attribute
      b don't update the mtime attribute
      D detect errors or corruption in the compressed file
      d exclude the file when the dump command runs
      c compress the file by default
      u keep the actual data after deletion so the file can be recovered
      t allow tail-merging
      x allow direct access for the compressed file

      Try to delete a file with the +a (append only) attribute
      # without +a
      [root@linuxprobe test]# echo "test " > testForHidden.txt 
      [root@linuxprobe test]# rm testForHidden.txt 
      rm: remove regular file 'testForHidden.txt'? y
      
      [root@linuxprobe test]# chattr +a linuxHidden.txt 
      [root@linuxprobe test]# rm linuxHidden.txt
      rm: remove regular file 'linuxHidden.txt'? y
      rm: cannot remove 'linuxHidden.txt': Operation not permitted
      
    • lsattr list file attributes on a Linux second extended file system

      [root@linuxprobe test]# lsattr linuxHidden.txt 
      --S-iadA---------- linuxHidden.txt
      

      One of the most widely used applications of these attributes is to set +a on log files such as /var/log/messages, so that an attacker who gets in cannot wipe the trail of what they did

  • FACL file access control lists

    The permission management discussed so far works per owner, group and others; FACL (File Access Control Lists) adds permissions for individual users and groups.

    • File ACL - File permission will be irrelevant to the directory where the file resides
    • Directory ACL - All files within the directory will inherit the permissions that the directory gives to them
    [root@linuxprobe ~]# su linuxprobe
    [linuxprobe@linuxprobe root]$ cd /root
    bash: cd: /root: Permission denied
    
    • setfacl manage ACLs: sets the ACL of files, controlling access for each individual user or group on a file or directory
      -m set (modify) ACL entries
      -M read the entries to set from a file
      -x remove one of the entries
      -b remove all entries
      -R apply the operation recursively

      [root@linuxprobe ~]# setfacl -Rm u:1000:rwx /root
      [root@linuxprobe ~]# su linuxprobe
      [linuxprobe@linuxprobe root]$ cd /root
      
      [linuxprobe@linuxprobe root]$ ls -ld /root
      dr-xrwx---+ 15 root root 4096 Jan 22 00:28 /root
      # the "+" sign means the /root directory now has an ACL configured
      
    • getfacl get the facl information from file or directory

      [linuxprobe@linuxprobe root]$ getfacl /root
      getfacl: Removing leading '/' from absolute path names
      # file: root
      # owner: root
      # group: root 
      user::r-x
      user:linuxprobe:rwx
      group::r-x 
      mask::rwx
      other::---
      
      What if a mistake is made while setting up the ACL?
      Back up and restore the ACL
      [root@linuxprobe ~]# getfacl -R /home > backup.acl
      getfacl: Removing leading '/' from absolute path names
      [root@linuxprobe ~]# setfacl --restore ./backup.acl &> /dev/null
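The getfacl listing above contains a `mask::` entry; the mask caps every named user and named group entry, so the rights the kernel actually enforces for `user:linuxprobe` are the entry ANDed with the mask (getfacl itself prints an `#effective:` note when they differ). The following is an added example, not code from the original notes: it parses a constructed getfacl listing, modelled on the page's but with a mask of r-x and an extra named group `developers`, and computes the effective permissions of the named entries.

```shell
#!/bin/sh
# Constructed getfacl output (the mask is deliberately narrower than the
# named user's entry so the effect of the mask is visible).
SAMPLE_ACL='# file: root
# owner: root
# group: root
user::r-x
user:linuxprobe:rwx
group::r-x
group:developers:rw-
mask::r-x
other::---'

# Return the mask entry's rwx string.
acl_mask() {
  printf '%s\n' "$SAMPLE_ACL" | awk -F: '$1 == "mask" { print $3 }'
}

# Intersect two rwx strings position by position: a bit survives only if
# both strings have it.
rwx_and() {
  a=$1
  b=$2
  out=""
  i=1
  while [ "$i" -le 3 ]; do
    ca=$(printf '%s' "$a" | cut -c"$i")
    cb=$(printf '%s' "$b" | cut -c"$i")
    if [ "$ca" = "$cb" ]; then out="$out$ca"; else out="$out-"; fi
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# Print each named user/group entry together with its effective permissions,
# i.e. the entry ANDed with the mask.
effective_named_entries() {
  mask=$(acl_mask)
  printf '%s\n' "$SAMPLE_ACL" \
    | awk -F: '($1 == "user" || $1 == "group") && $2 != "" { print $1 ":" $2 ":" $3 }' \
    | while IFS=: read -r kind name perms; do
        printf '%s:%s:%s effective:%s\n' "$kind" "$name" "$perms" "$(rwx_and "$perms" "$mask")"
      done
}

# Stand-alone run.
effective_named_entries
```

The practical consequence: after `setfacl -m u:1000:rwx`, a later `chmod g-w` on the same file rewrites the mask and silently reduces the named user's effective rights, which is exactly the mismatch this check exposes.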
      
  • su and sudo

    • su lets a user switch to another account and back

      [root@linuxprobe /]# su - linuxprobe
      [linuxprobe@linuxprobe ~]$ 
      # "-" means a complete switch: the target user's login environment is loaded
      

      root -> user: no password check
      user -> root: password check required

    • sudo allows a user to perform some superuser tasks while limiting and
      auditing the ordinary user instead of handing over full superuser rights. The system records every command an ordinary user runs through sudo, sudo users are managed in /etc/sudoers, and after a successful password check further commands can be run without re-entering the password for a short period.

      -h display help information
      -l list the commands the current user is allowed to run
      -u run the command as the specified user name/UID
      -k clear the cached authentication, forcing the user to enter the password again for the next command
      -b run the command in the background
      -p change the password prompt

      • Use visudo to edit the /etc/sudoers file, which makes the sudo configuration more robust

        It calls the vim editor and checks the syntax before saving
        More reliable, easier to edit

        ## Allow root to run any commands anywhere
        # target user     allowed host=(run-as user, or permission)   executable list, separated by commas
        root                                  ALL=(ALL)                    ALL
        linuxprobe                            ALL=(ALL)                    ALL
        
        # when you run the following command you can see the permission for "linuxprobe" 
        [linuxprobe@linuxprobe ~]$ sudo -l
        [sudo] password for linuxprobe: 
        Matching Defaults entries for linuxprobe on linuxprobe:
        !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE
        KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
        LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE
        LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
        
        User linuxprobe may run the following commands on linuxprobe:
        (ALL) ALL
        
        # It is unsafe to grant sudo permission for all commands
        # Modify the sudoers file and restrict the commands available to "linuxprobe"
        ## Allow root to run any commands anywhere
        root               ALL=(ALL)                    ALL
        linuxprobe         ALL=(ALL)                    /usr/bin/ls,/usr/bin/cat,/usr/sbin/reboot
        
        # now try to list the content of /root with and without "sudo"
        [linuxprobe@linuxprobe ~]$ ls /root
        ls: cannot open directory '/root': Permission denied
        [linuxprobe@linuxprobe ~]$ sudo ls /root
        anaconda-ks.cfg  backup.acl  Desktop  Documents  Downloads  initial-setup-ks.cfg  Music  Pictures  Public  Templates  Videos
        
        [linuxprobe@linuxprobe ~]$ cat /etc/shadow
        cat: /etc/shadow: Permission denied
        [linuxprobe@linuxprobe ~]$ sudo cat /etc/shadow
        root:$6$qAPQugz7F2TmGSMr$NnTP4W4WyQooEx3gmfxM611e893PraAZMMdaPUpkmNzieolNjT8rYoPyVTWcFia/Sc3XNbawKUQ9KQbDCxLqd/:18647:0:99999:7:::
        bin:*:17784:0:99999:7:::
        
        # NOPASSWD lets the user run "sudo" without entering the password every time
        ## Allow root to run any commands anywhere
        root               ALL=(ALL)                    ALL
        linuxprobe         ALL=(ALL)                   NOPASSWD:/usr/bin/ls,/usr/bin/cat,/usr/sbin/reboot
        
        [linuxprobe@linuxprobe ~]$ sudo reboot
        ......
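The notes flag an `ALL` command list as unsafe and then restrict linuxprobe to three binaries and add NOPASSWD. As an added example (not part of the original notes), the functions below audit a constructed sudoers fragment in the same layout: they list every non-root entry that may run all commands, every entry that skips the password, and the command list granted to a given user. The users deploy and %wheel and their entries are constructed for illustration; on a real host the input would be /etc/sudoers and the files under /etc/sudoers.d.

```shell
#!/bin/sh
# Constructed sudoers content in the layout the notes use (not read from /etc/sudoers).
SAMPLE_SUDOERS='## Allow root to run any commands anywhere
root          ALL=(ALL)       ALL
linuxprobe    ALL=(ALL)       /usr/bin/ls,/usr/bin/cat,/usr/sbin/reboot
deploy        ALL=(ALL)       NOPASSWD:ALL
%wheel        ALL=(ALL)       ALL
Defaults      env_reset'

# Keep only user/group specification lines: drop comments, blank lines and Defaults.
user_specs() {
  printf '%s\n' "$SAMPLE_SUDOERS" \
    | grep -v '^[[:space:]]*#' \
    | grep -v '^[[:space:]]*$' \
    | grep -v '^Defaults'
}

# Entries (other than root) whose command list is the unrestricted ALL,
# with or without a NOPASSWD: tag in front of it.
unrestricted_entries() {
  user_specs | awk '{ cmd = $NF; sub(/^NOPASSWD:/, "", cmd); if (cmd == "ALL" && $1 != "root") print $1 }'
}

# Entries that run their commands without any password check.
nopasswd_entries() {
  user_specs | awk '$NF ~ /^NOPASSWD:/ { print $1 }'
}

# The individual commands granted to one user, one per line.
restricted_commands() {
  user_specs | awk -v u="$1" '$1 == u { n = split($NF, c, ","); for (k = 1; k <= n; k++) print c[k] }'
}

# Stand-alone run: show the findings for the sample.
unrestricted_entries
nopasswd_entries
restricted_commands linuxprobe
```

The fragment above only parses the simple one-line form shown in the notes (no aliases, no per-command tags spread across several lines), which is enough to spot the two cases the notes call out: a command list of ALL and a NOPASSWD grant.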
        