In Linux we constantly run into Permission denied errors. Many people simply prepend sudo or switch to root and carry on without understanding the logic behind it. Today we tear apart Linux's Discretionary Access Control (DAC).
Tip: some key terms and the way content is categorised in this article may differ from the standard; read flexibly.
Permission denied shows up frequently when working with Nginx or when running certain commands (rm -f). This annoyed me: even though I understood the ordinary rwx permissions, I kept hitting these problems. So the problem was beyond what I knew, and I needed to dig further.
The ordinary permissions are rwx, represented numerically as 4, 2, 1: 4 for r (read), 2 for w (write), 1 for x (execute). There are three rwx triads. The first is the owner's permissions, the second the owning group's, the third everyone else's. rwx means different things on files and on directories:

| | r (4) | w (2) | x (1) |
|---|---|---|---|
| File | The file's contents can be read | The file's contents can be modified or appended to | The file can be executed |
| Directory | The entries in the directory can be listed | Entries can be created, renamed, moved and deleted (this depends on the directory's w bit, not on the permissions of the file being deleted) | The directory can be entered (cd) and its entries accessed |
```
[root@VM_0_10_centos ~]# su work
bash-4.1$ ll
bash: ll: command not found
bash-4.1$ ls
ls: cannot open directory .: Permission denied
bash-4.1$ pwd
/root
bash-4.1$ ls -ahld /root
dr-xr-x---. 18 root root 4.0K Mar 19 13:39 /root
```
For the /root directory this shows: owner root with r-x, owning group root with r-x, and others with --- (no permissions at all).
Read it as follows. Linux consults exactly one of the three triads: the owner triad if the process's uid matches the file owner, otherwise the group triad if any of the process's groups matches the file group, otherwise the other triad. (root sits above DAC: with CAP_DAC_OVERRIDE it ignores the r and w bits entirely; the one exception is that executing a regular file still requires at least one x bit to be set.)
- 1. The root user can read the contents of /root (ls) and enter it (cd).
- 2. Members of the root group have the same rights.
- 3. Every other user has no access to /root at all, which is why `ls` as work fails with Permission denied above (pwd still works because it just prints $PWD).
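The class-selection rule above is the part people get wrong, so here it is as a small model in bash. This is an added example, not code from the original article; the users, groups and modes it feeds in are made up for illustration, and it deliberately treats x the same for files and directories.

```bash
#!/bin/bash
# Added example (not from the original article): a model of the DAC class
# selection the kernel applies to a plain rwxrwxrwx mode.

# dac_allows USER "GROUPS" OWNER GROUP MODE OP
#   USER   : name of the accessing user ("root" bypasses the rwx check)
#   GROUPS : space-separated list of the user's groups
#   OWNER  : file owner, GROUP : file group
#   MODE   : nine-character string such as rwxr-x---
#   OP     : r, w or x
# Prints "allowed" or "denied". Only ONE triad is consulted: owner if the user
# is the owner, else group if any of the user's groups matches, else other.
dac_allows() {
    local user=$1 groups=$2 owner=$3 group=$4 mode=$5 op=$6
    local triad g

    if [ "$user" = "$owner" ]; then
        triad=${mode:0:3}
    else
        triad=${mode:6:3}
        for g in $groups; do
            if [ "$g" = "$group" ]; then
                triad=${mode:3:3}
                break
            fi
        done
    fi

    # root (CAP_DAC_OVERRIDE) ignores r and w; for x the kernel still requires
    # at least one x bit somewhere in the mode (simplified: applied to any x).
    if [ "$user" = root ]; then
        case $op in
            x) case $mode in *x*) echo allowed ;; *) echo denied ;; esac ;;
            *) echo allowed ;;
        esac
        return
    fi

    case $op in
        r) [ "${triad:0:1}" = r ] && echo allowed || echo denied ;;
        w) [ "${triad:1:1}" = w ] && echo allowed || echo denied ;;
        x) [ "${triad:2:1}" = x ] && echo allowed || echo denied ;;
        *) echo "bad op: $op" >&2; return 1 ;;
    esac
}

# The /root case from the article: dr-xr-x--- root root, accessed by "work".
dac_allows work "work" root root "r-xr-x---" r        # denied: work falls into "other"
dac_allows root "root" root root "r-xr-x---" w        # allowed: root bypasses DAC
# The gotcha: being the owner is not always an advantage (hypothetical users).
dac_allows alice "alice dev" alice dev "---rwxrwx" r  # denied: owner triad is ---
dac_allows bob   "bob dev"   alice dev "---rwxrwx" r  # allowed via the group triad
dac_allows root  "root"      root  root "rw-rw-rw-" x  # denied: no x bit anywhere
```

The third call is the one worth remembering: a file mode of `---rwxrwx` locks out its own owner while every group member can read it, because the kernel stops at the first matching triad and never falls through to a more permissive one.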
Changing the owner, group and permissions of files and directories:

| Command | Purpose | Example |
|---|---|---|
| chown | Change the owner of a file or directory (and optionally the group, with `user:group`); only root may give a file to another user | `chown [-R] work /home/work/test` |
| chgrp | Change the owning group of a file or directory; a non-root user must be a member of the target group | `chgrp [-R] work /home/work/demo` |
| chmod | Change the permission bits | `chmod [-R] 755 /home/work/temp` |
Which permissions does the system give a file or directory when it is created? That is decided by the default permissions, controlled by umask:
New file permission = 666 (maximum default permission for files) with the umask bits cleared
New directory permission = 777 (maximum default permission for directories) with the umask bits cleared
```
[root@VM_0_10_centos test]# umask
0022    # the leading 0 is the special-permission digit (covered below); 022 is the mask for the basic permissions
[root@VM_0_10_centos test]# touch demo.txt   # new file
[root@VM_0_10_centos test]# mkdir temp       # new directory
[root@VM_0_10_centos test]# ls -al
total 4
-rw-r--r-- 1 root root    0 Mar 19 14:05 demo.txt
drwxr-xr-x 2 root root 4096 Mar 19 14:05 temp
```
demo.txt = 666 masked by 022 => rw-rw-rw- minus ----w--w- => rw-r--r--
temp = 777 masked by 022 => rwxrwxrwx minus ----w--w- => rwxr-xr-x
- umask masks the maximum permissions: every bit set in the umask is removed from the maximum. It cannot remove a bit the maximum does not have, and it can never add one.
- With umask=033, computing 666-033=633 is the wrong way to think about it.
- demo.txt = 666 masked by 033 => rw-rw-rw- minus ----wx-wx => rw-r--r-- => 644
- The maximum 666 contains no x bit, so masking x away changes nothing: permissions can only be reduced, never raised. What the kernel actually computes is mode & ~umask, a bitwise operation, not a subtraction.
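To make the bitwise-versus-arithmetic point concrete, here is an added bash example (not part of the original article) that computes the effective mode the way the kernel does, shows the wrong subtraction result beside it, and then reproduces the umask 033 case on a real scratch directory created with mktemp.

```bash
#!/bin/bash
# Added example (not from the original article): how umask is really applied.
# The kernel computes  mode = max & ~umask  bit by bit; it never subtracts.

# effective_mode MAX UMASK -> three-digit octal mode (e.g. 666 033 -> 644)
effective_mode() {
    local max=$((8#$1)) mask=$((8#$2))
    printf '%03o\n' $(( max & ~mask & 0777 ))
}

# The arithmetic subtraction the article warns against (666 033 -> 633, wrong).
naive_subtract() {
    printf '%03o\n' $(( 8#$1 - 8#$2 ))
}

# mode_to_symbolic 644 -> rw-r--r--
mode_to_symbolic() {
    local m=$((8#$1)) out="" pos t
    for pos in 6 3 0; do
        t=$(( (m >> pos) & 7 ))
        [ $((t & 4)) -ne 0 ] && out+='r' || out+='-'
        [ $((t & 2)) -ne 0 ] && out+='w' || out+='-'
        [ $((t & 1)) -ne 0 ] && out+='x' || out+='-'
    done
    printf '%s\n' "$out"
}

# Reproduce it on a real filesystem: create a file and a directory under
# umask 033 in a scratch directory and print their ls permission fields.
demo_real_umask() {
    local dir
    dir=$(mktemp -d)
    ( umask 033; touch "$dir/f"; mkdir "$dir/d" )   # umask change stays in the subshell
    ls -ld "$dir/d" "$dir/f" | cut -c1-10           # drwxr--r-- then -rw-r--r--
    rm -rf "$dir"
}

printf '666 & ~033 = %s (%s)\n' "$(effective_mode 666 033)" "$(mode_to_symbolic "$(effective_mode 666 033)")"
printf '666 - 033  = %s (wrong)\n' "$(naive_subtract 666 033)"
printf '777 & ~022 = %s (%s)\n' "$(effective_mode 777 022)" "$(mode_to_symbolic "$(effective_mode 777 022)")"
demo_real_umask
```

Because the directory maximum is 777, the same umask 033 yields 744 for the directory but 644 for the file: the x bits the mask tries to clear were never present in 666.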
Why can an ordinary user change their own entry in /etc/passwd through the passwd command, even though they have no write permission on the file?
```
[root@VM_0_10_centos test]# ll /usr/bin/passwd
-rwsr-xr-x. 1 root root 30768 Feb 22  2012 /usr/bin/passwd
[root@VM_0_10_centos test]# ll /etc/passwd
-rw-r--r--   1 root root  1191 Dec 23 13:32 /etc/passwd
```
This is because /usr/bin/passwd carries a special permission bit: rwsr-xr-x.
- On a file, the s in the owner's x position is the SUID bit: whoever runs the program, the process runs with the effective user ID of the file's owner, here root, which is why passwd can write to /etc/passwd.
- SUID is set with chmod, for example: chmod u+s /home/work/temp.sh (caveat: the Linux kernel ignores SUID on interpreted scripts; it only takes effect on binary executables, and it is cleared when a non-root user modifies the file).
```
[root@VM_0_10_centos test]# chmod g+s temp
[root@VM_0_10_centos test]# ll
total 4
-rw-r--r-- 1 root root    0 Mar 19 14:05 demo.txt
drwxr-sr-x 2 root root 4096 Mar 19 14:05 temp
```
- On a file, the s in the group's x position is the SGID bit: the process runs with the effective group ID of the file's group. On a directory, SGID means that files and subdirectories created inside inherit the directory's group instead of the creator's primary group (subdirectories also inherit the SGID bit), which is how shared project directories are usually set up.
```
bash-4.1$ ls -ahl /tmp
total 52K
drwxrwxrwt.  9 root     root     4.0K Mar 19 13:35 .
dr-xr-xr-x. 24 root     root     4.0K Mar 19 14:44 ..
srwxrwxrwx   1 root     root        0 Dec  4  2015 agent_cmd.sock
drwxr-xr-x   3 root     root     4.0K Apr  3  2019 falcon-plus
drwxr-xr-x   2 logstash logstash 4.0K Mar 13 10:33 hsperfdata_logstash
drwxrwxrwt   2 root     root     4.0K Mar 12 10:25 .ICE-unix
drwxrwxrwx   2 logstash logstash 4.0K Mar 13 10:29 jruby-24492
drwxr-xr-x   2 logstash logstash 4.0K Mar 13 10:29 jruby-24573
drwxr-xr-x   2 logstash logstash 4.0K Mar 13 10:30 jruby-24708
drwxr-xr-x   2 logstash logstash 4.0K Mar 13 10:30 jruby-24828
srwxrwxrwx   1 mysql    mysql       0 Mar 12 10:25 mysql.sock
-rw-r--r--   1 root     root      140 Mar 12 10:25 net_affinity.log
-rw-r--r--   1 root     root       14 Mar 19 14:44 .PATH
-rw-r--r--   1 root     root      178 Mar 12 10:25 setRps.log
bash-4.1$ rm -rf /tmp/jruby-24492/
rm: cannot remove `/tmp/jruby-24492': Operation not permitted
```
Look carefully at the permissions of the directory itself (the `.` entry): rwxrwxrwt. The t in the others' x position is the sticky bit. In a sticky directory an entry can only be deleted or renamed by the owner of that entry, the owner of the directory, or root, even though everyone has w on the directory. So although /tmp/jruby-24492 is itself rwxrwxrwx (777), user work cannot delete it: the entry belongs to logstash and /tmp belongs to root, and work is neither.
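The three special bits are easy to confuse in ls output, so here is an added bash example (not code from the original article) that sets SUID, SGID and the sticky bit on throwaway objects in a mktemp scratch directory, prints how ls renders each, runs the find expression an auditor uses to enumerate SUID/SGID files, and models the sticky-bit unlink rule with the article's /tmp/jruby-24492 case.

```bash
#!/bin/bash
# Added example (not from the original article): SUID, SGID and the sticky bit
# in practice, plus a model of who may unlink an entry in a sticky directory.

# ls_perm PATH -> the 10-character type+permission field from ls -ld
ls_perm() { ls -ld "$1" | cut -c1-10; }

# Create one object per special bit, show how ls renders it, then count the
# SUID/SGID regular files the way an audit would (limited to the scratch dir).
demo_special_bits() {
    local dir f
    dir=$(mktemp -d)
    touch "$dir/suid_exec" "$dir/suid_noexec"
    mkdir "$dir/sgid_dir" "$dir/sticky_dir"
    chmod 4755 "$dir/suid_exec"     # -rwsr-xr-x : SUID with owner x -> lower-case s
    chmod 4644 "$dir/suid_noexec"   # -rwSr--r-- : SUID without x -> capital S, a useless bit
    chmod 2755 "$dir/sgid_dir"      # drwxr-sr-x : SGID on a directory (group inheritance)
    chmod 1777 "$dir/sticky_dir"    # drwxrwxrwt : sticky bit, exactly like /tmp
    for f in suid_exec suid_noexec sgid_dir sticky_dir; do
        printf '%s %s\n' "$(ls_perm "$dir/$f")" "$f"
    done
    # Standard enumeration of set-id files; on a real system the start path is /.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | grep -c .
    rm -rf "$dir"
}

# sticky_unlink_allowed DIR_OWNER FILE_OWNER USER -> allowed/denied
# Assumes USER already has w and x on the sticky directory; on top of that the
# kernel lets only the entry's owner, the directory's owner or root unlink/rename.
sticky_unlink_allowed() {
    local dir_owner=$1 file_owner=$2 user=$3
    if [ "$user" = root ] || [ "$user" = "$dir_owner" ] || [ "$user" = "$file_owner" ]; then
        echo allowed
    else
        echo denied
    fi
}

demo_special_bits
# The article's rm -rf /tmp/jruby-24492 as user "work": /tmp is owned by root
# and the entry by logstash, so work is neither and rm gets EPERM.
sticky_unlink_allowed root logstash work      # denied
sticky_unlink_allowed root logstash logstash  # allowed
sticky_unlink_allowed root logstash root      # allowed
```

The capital S line is the one to watch for in audits: a SUID bit on a file nobody can execute does nothing, but its presence usually means someone ran a careless chmod. The find expression is the same one used when hunting privilege-escalation candidates; run from / it should produce a short, explainable list.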
Still to cover beyond the basic DAC bits:
- 1. Linux ACL permission control
- 2. SELinux MAC permission control