Linux warning: thoughts on Permission denied

In Linux we often run into Permission denied errors. We reach for sudo or switch to root and carry on, without understanding the logic behind it. Today we'll take apart Linux's Discretionary Access Control (DAC).

Tip: the key terms and the categorisation used in this article may differ from the standard ones; please read them flexibly.

Permission denied comes up frequently when working with Nginx or when running certain commands (rm -f). It annoys me: even though I understand the usual rwx permissions, I still hit these problems. That means the problem lies beyond what I know, and I need to dig further.

General permissions

Common permissions are divided into rwx, represented by the values 4, 2 and 1: 4 for r (read), 2 for w (write) and 1 for x (execute). There are three rwx groups: the first gives the owner's rights, the second the owning group's rights, and the third the rights of all other users. rwx means different things on files and on directories.

         r                                     w                                                  x
file     the file's contents can be read       the file's contents can be appended to or modified  the file can be executed
folder   the directory listing can be viewed   entries can be added, modified, moved and deleted   the directory can be entered (cd)

For instance:

[root@VM_0_10_centos ~]# su work
bash-4.1$ ll
bash: ll: command not found
bash-4.1$ ls
ls: Unable to open directory.: insufficient privilege
bash-4.1$ pwd
/root
bash-4.1$ ls -ahld /root
dr-xr-x---. 18 root root 4.0K Mar 19 13:39 /root

The /root directory shows: owner root with permissions r-x, owning group root with permissions r-x, and no permissions (---) for others.

It can be understood as follows (of course the root superuser can ignore these permissions; it sits above DAC):

  • 1. The root user can read the contents of the /root directory (ls) and can enter it (cd).
  • 2. Users in the root group enjoy the same rights.
  • 3. Other users have no rights to /root at all.

Changing directory and file permissions

command   meaning                                             example
chown     changes the owner of files and directories          chown [-R] work /home/work/test
chgrp     changes the owning group of files and directories   chgrp [-R] work /home/work/demo
chmod     changes the permission bits                         chmod [-R] 755 /home/work/temp

Default permissions

When files and directories are created, the system grants them certain permissions. This is the default permission at work:

New file permission      = 666 (maximum default permission for files) - umask
New directory permission = 777 (maximum default permission for directories) - umask

[root@VM_0_10_centos test]# umask
0022
# The leading 0 holds the special permission bits (see below); 022 is the basic permission. Apply the formula above:
[root@VM_0_10_centos test]# touch demo.txt # new file
[root@VM_0_10_centos test]# mkdir temp # new directory
[root@VM_0_10_centos test]# ls -al
//Total usage 4
-rw-r--r-- 1 root root    0 Mar 19 14:05 demo.txt
drwxr-xr-x 2 root root 4096 Mar 19 14:05 temp
demo.txt = 666 - 022 => rw-rw-rw- - ----w--w- => rw-r--r--
temp     = 777 - 022 => rwxrwxrwx - ----w--w- => rwxr-xr-x

Tips:

  • The purpose of umask is to mask off permissions: it removes, from the maximum permission, the bits the mask names. It cannot remove more than the maximum contains.
  • umask=033, 666-033=633: this is an incorrect understanding.
  • demo.txt = 666 - 033 => rw-rw-rw- - ----wx-wx => rw-r--r-- => 644
  • The maximum permission for files has no x bit, so masking x away changes nothing; permissions can only be reduced, never raised.
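The arithmetic behind the tips above, as an added example that is not from the original post: the umask is applied as a bitwise AND with the complement of the mask, which is why 666 under umask 033 yields 644 rather than 633. It assumes a POSIX shell (the `0` prefix makes the arithmetic treat the digits as octal).

```shell
# Added example (not from the original post): compute the permission a new
# file or directory receives under a given umask, using a bitwise AND with
# the complement of the mask rather than decimal subtraction.
apply_umask() {
    # $1 = maximum default permission (666 for files, 777 for directories)
    # $2 = umask, e.g. 022 or 0033; the leading 0 marks both as octal in $(( ))
    printf '%03o' $(( 0$1 & ~0$2 & 0777 ))
}

# Render an octal mode such as 644 as the rwx string that ls prints.
mode_to_rwx() {
    m=$(( 0$1 & 0777 ))
    out=""
    for shift in 6 3 0; do          # owner, group, other
        d=$(( (m >> shift) & 7 ))
        if [ $(( d & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( d & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( d & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s' "$out"
}

# Walk through the cases from the text: umask 022, then the 033 case where
# naive subtraction (666 - 033 = 633) gives the wrong answer.
for mask in 022 033; do
    for max in 666 777; do
        mode=$(apply_umask "$max" "$mask")
        printf 'max %s  umask %s  ->  %s  %s\n' "$max" "$mask" "$mode" "$(mode_to_rwx "$mode")"
    done
done
```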

Special permissions

Why can other users, who have no write permission on /etc/passwd, modify its contents through the passwd command?

SUID

[root@VM_0_10_centos test]# ll /usr/bin/passwd
-rwsr-xr-x. 1 root root 30768 Feb 22 2012 /usr/bin/passwd
[root@VM_0_10_centos test]# ll /etc/passwd
-rw-r--r-- 1 root root 1191 Dec 23 13:32 /etc/passwd

This is because /usr/bin/passwd carries a special permission bit: rwsr-xr-x.

  • On a file: the s means the command is run as root (the file's owner).
  • Add SUID to a file, for example: chmod u+s /home/work/temp.sh

SGID
[root@VM_0_10_centos test]# chmod g+s temp
[root@VM_0_10_centos test]# ll
//Total usage 4
-rw-r--r-- 1 root root    0 Mar 19 14:05 demo.txt
drwxr-sr-x 2 root root 4096 Mar 19 14:05 temp

rwxr-sr-x:

  • On files: the user's right to execute this file is elevated to the file owner's rights.
  • On directories: here the s means the user's access to this directory is elevated to the rights of the group that owns the directory.

SBIT (sticky bit)

bash-4.1$ ls -ahl /tmp
//Total usage 52K
drwxrwxrwt.  9 root     root     4.0K Mar 19 13:35 .
dr-xr-xr-x. 24 root     root     4.0K Mar 19 14:44 ..
srwxrwxrwx   1 root     root        0 12 April 4, 2015 agent_cmd.sock
drwxr-xr-x   3 root     root     4.0K 4 Month 3, 2019 falcon-plus
drwxr-xr-x   2 logstash logstash 4.0K Mar 13 10:33 hsperfdata_logstash
drwxrwxrwt   2 root     root     4.0K Mar 12 10:25 .ICE-unix
drwxrwxrwx   2 logstash logstash 4.0K Mar 13 10:29 jruby-24492
drwxr-xr-x   2 logstash logstash 4.0K Mar 13 10:29 jruby-24573
drwxr-xr-x   2 logstash logstash 4.0K Mar 13 10:30 jruby-24708
drwxr-xr-x   2 logstash logstash 4.0K Mar 13 10:30 jruby-24828
srwxrwxrwx   1 mysql    mysql       0 Mar 12 10:25 mysql.sock
-rw-r--r--   1 root     root      140 Mar 12 10:25 net_affinity.log
-rw-r--r--   1 root     root       14 Mar 19 14:44 .PATH
-rw-r--r--   1 root     root      178 Mar 12 10:25 setRps.log
bash-4.1$ rm -rf /tmp/jruby-24492/
rm: cannot delete "/tmp/jruby-24492": Operation not allowed

Look carefully: the permissions of the directory itself (the . entry) are rwxrwxrwt. The t means that only the user who owns a file can delete or modify that file or folder. So even though /tmp/jruby-24492 has permissions rwxrwxrwx (777), it cannot be deleted by another user.
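To read listings like the ones in this section, here is an added example (not part of the original post) that decodes the 10-character mode field of ls -l into its four-digit octal form, including the setuid, setgid and sticky bits, and names what the bit grants. The sample mode strings are constructed from the listings above; it assumes a POSIX shell with cut.

```shell
# Added example, not from the original post: decode the 10-character mode
# field of ls -l into a four-digit octal mode, including setuid (4),
# setgid (2) and sticky (1). Lowercase s/t means the x bit is also set;
# uppercase S/T means the special bit is set but x is not.
ls_mode_to_octal() {
    s=$1
    [ "${#s}" -eq 10 ] || { echo "expected a 10-character mode: $s" >&2; return 1; }
    special=0; perm=0; i=2
    while [ "$i" -le 10 ]; do
        c=$(printf '%s' "$s" | cut -c "$i")
        bit=1
        case $c in -|S|T) bit=0 ;; esac
        case $i in
            4)  case $c in s|S) special=$(( special | 4 )) ;; esac ;;   # owner x slot
            7)  case $c in s|S) special=$(( special | 2 )) ;; esac ;;   # group x slot
            10) case $c in t|T) special=$(( special | 1 )) ;; esac ;;   # other x slot
        esac
        perm=$(( perm * 2 + bit ))
        i=$(( i + 1 ))
    done
    printf '%o%03o' "$special" "$perm"
}

# Name the special bit so a reviewer of a listing sees what it grants.
special_bit_meaning() {
    case $(ls_mode_to_octal "$1") in
        4*) echo "setuid: executes with the file owner's identity" ;;
        2*) echo "setgid: executes with the file's group, or new entries inherit the directory's group" ;;
        1*) echo "sticky: only an entry's owner (or root) may delete or rename it" ;;
        0*) echo "no special bit" ;;
        *)  echo "more than one special bit set" ;;
    esac
}

# Constructed samples taken from the listings in the text.
for m in -rwsr-xr-x drwxr-sr-x drwxrwxrwt dr-xr-x--- -rw-r--r--; do
    printf '%s  %s  %s\n' "$m" "$(ls_mode_to_octal "$m")" "$(special_bit_meaning "$m")"
done
```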

Extended reading:

  • 1. Linux ACL permission control
  • 2. SELinux MAC permission control

Tags: Programming Linux MySQL sudo Nginx

Posted on Thu, 19 Mar 2020 03:55:39 -0400 by Joshua F