shell script

Posted 2020-09-06 nayike

 

                                                     权限管理---ACL权限

 

 

一 ACL权限简介与开启

 

#root用户新建文件，属主有rw，属组和其他人有 r权限。此时，tom用户x权限。单凭ugo权限，不能实现这种操作。
这时。便有了ACL权限。

 

 

 

 

 

dumpe2fs :Centos7并不适合！！！

 

 

 

 

 

现在大多都开启（如有例外，手动设置开启）

 

## fstab 是系统开启自动挂载文件

 

 

二 查看与设定ACL权限

 

#1.查看ACL权限    getfacl 文件名

 

 

 

 

[root@localhost ~]# mkdir /project    
[root@localhost ~]# useradd bimm
[root@localhost ~]# useradd cangls
[root@localhost ~]# groupadd tgroup
[root@localhost ~]# gpasswd -a bimm tgroup
Adding user bimm to group tgroup
[root@localhost ~]# gpasswd -a cangls tgroup
Adding user cangls to group tgroup

[root@localhost ~]# chown root:tgroup /project/   #改属主和属组
[root@localhost ~]# chmod 770 /project/
[root@localhost ~]# ll -d /project/
drwxrwx--- 2 root tgroup 6 Feb  7 23:26 /project/


[root@localhost ~]# useradd st
[root@localhost ~]# passwd st
Changing password for user st.
New password: 
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@localhost ~]# setfacl -m u:st:rx /project/
[root@localhost ~]# ll -d /project/
drwxrwx---+ 2 root tgroup 6 Feb  7 23:26 /project/   #多了个 加号
[root@localhost ~]# 
[root@localhost ~]# getfacl /project/
getfacl: Removing leading \'/\' from absolute path names  #这个报错可以忽略
# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:r-x       #它既不是 属主，也不是 属组，但它有 r和x 权限
group::rwx
mask::rwx
other::---


##----- 进行测试 是否还可 w权限
[root@localhost ~]# su - st
[st@localhost ~]$ cd /project/
[st@localhost project]$ ls
[st@localhost project]$ touch abc
touch: cannot touch ‘abc’: Permission denied   #并不具有

 

 

 

[root@localhost ~]# groupadd tgroup2
[root@localhost ~]# setfacl -m g:tgroup2:rwx /project/
[root@localhost ~]# getfacl /project/
getfacl: Removing leading \'/\' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx
group:tgroup2:rwx     #已完成设置
mask::rwx
other::---

 

 

三 最大有效权限与删除ACL权限

 

1.最大有效权限mask

 

#mask是用来指定最大有效权限的。如果我给用户赋予了ACL权限，是需要和mask的权限“相与”才能得到
用户的真正权限

 

 

2.修改最大有效权限

 

[root@localhost ~]# setfacl -m m:rx 文件名
#设定mask权限为r-x。使用“m:权限”格式

 

示例：

[root@localhost ~]# getfacl /project/
getfacl: Removing leading \'/\' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx
group:tgroup2:rwx
mask::rwx            #此时mask:rwx
other::---

[root@localhost ~]# setfacl -m m:rx /project/     #修改mask权限为：rx
[root@localhost ~]# getfacl /project/
getfacl: Removing leading \'/\' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx            #effective:r-x
group:tgroup2:rwx        #effective:r-x
mask::r-x
other::---

##修改mask，只会影响：st 和 group

 

 

[root@localhost ~]# getfacl /project/    #未删除前
getfacl: Removing leading \'/\' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:r-x                                               
group::rwx            #effective:r-x
group:tgroup2:rwx        #effective:r-x
mask::r-x
other::---

#---删除 用户 st
[root@localhost ~]# setfacl -x u:st /project/
[root@localhost ~]# getfacl /project/
getfacl: Removing leading \'/\' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
group::rwx
group:tgroup2:rwx
mask::rwx
other::---

#--- 删除用户组 tgroup2
[root@localhost ~]# setfacl -x g:tgroup2 /project/
[root@localhost ~]# 
[root@localhost ~]# getfacl /project/
getfacl: Removing leading \'/\' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
group::rwx
mask::rwx
other::---

 

 

[root@localhost ~]# getfacl /project/
getfacl: Removing leading \'/\' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
group::rwx
mask::rwx
other::---
[root@localhost ~]# setfacl -b /project/     #使用 -b 
[root@localhost ~]# getfacl /project/
getfacl: Removing leading \'/\' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
group::rwx
other::---

 

[root@localhost tmp]# getfacl /project/
getfacl: Removing leading \'/\' from absolute path names
# file: project/
# owner: root
# group: tgroup3
user::rwx
user:st:r-x                 #st
group::r-x
group:tgtest:rwx           #tgtest
mask::rwx                  #mask
other::r-x

[root@localhost tmp]# setfacl -b /project/
[root@localhost tmp]# getfacl /procject/
getfacl: /procject/: No such file or directory
[root@localhost tmp]# getfacl /project/
getfacl: Removing leading \'/\' from absolute path names
# file: project/
# owner: root
# group: tgroup3
user::rwx
group::r-x
other::r-x

 

 

 

四 默认ACL权限和递归ACL权限

 

[root@localhost tmp]# cd /project/
[root@localhost project]# touch abc     #创建abc,bcd文件
[root@localhost project]# touch bcd
[root@localhost project]# setfacl -m u:st:rx /project/
[root@localhost project]# ls
abc  bcd
[root@localhost project]# ll
total 0
-rw-r--r-- 1 root root 0 Feb  8 10:29 abc      #此时文件并没有 +
-rw-r--r-- 1 root root 0 Feb  8 10:29 bcd

[root@localhost project]# ll -d /project/
drwxr-xr-x+ 2 root tgroup3 28 Feb  8 10:29 /project/
[root@localhost project]# setfacl -m u:st:rx -R /project/  #递归ACL权限
[root@localhost project]# ll
total 0
-rw-r-xr--+ 1 root root 0 Feb  8 10:29 abc          # 有了 +
-rw-r-xr--+ 1 root root 0 Feb  8 10:29 bcd

 

 

 

 

 

                                                      权限管理---文件特殊权限

 

一 SetUID

 

 

 

 

 

 ## SetUID:只能针对文件

 

 

 

 

 

 

 

二 SetGID

 

 

过程：

 

 

 

 

 

 

 

 

 

 

#用的不过

 

 

三 Sticky BIT     

 

[tom@localhost /]$ cd /tmp              #现在是 tom用户
[tom@localhost tmp]$ touch tom-test     #tom下，创建文件 tom-test
[tom@localhost tmp]$ ls
tom-test
[tom@localhost tmp]$ 
[tom@localhost tmp]$ su - jack        #切换用户 jack
Password: 
[jack@localhost ~]$ whoami
jack
[jack@localhost ~]$ cd /tmp/    #切换到 /tmp/下。删除 tom创建的 tom-test
[jack@localhost tmp]$ ls
tom-test
[jack@localhost tmp]$ ll
total 0
-rw-rw-r-- 1 tom tom 0 Feb  8 22:48 tom-test
[jack@localhost tmp]$ rm -rf tom-test                  
rm: cannot remove ‘tom-test’: Operation not permitted     #会报错误信息
(不能删除“tomtest”:不允许操作。)

#谁在 /tmp/下创建的文件，谁能删除。（root 除外）

 

 

   

 

 

 

                                      权限管理---文件系统属性chattr权限

 

 

  

#----------------- i
#-----针对文件 
[root@localhost ~]# touch abc       #在root下，创建文件abc
[root@localhost ~]# ll
total 20
-rw-r--r--  1 root root    0 Feb  8 23:23 abc
[root@localhost ~]# echo 111 >> abc
[root@localhost ~]# cat abc
111
[root@localhost ~]# chattr +i abc    
[root@localhost ~]# lsattr -a abc
----i----------- abc
[root@localhost ~]# echo 222 >> abc  #添加内容不可以，即使是root 也不可以
-bash: abc: Permission denied
[root@localhost ~]# rm -rf abc            #删除也不可以
rm: cannot remove ‘abc’: Operation not permitted
[root@localhost ~]# cat abc                #只能查看
111


#---- 针对目录
[root@localhost ~]# mkdir /test             #创建目录
[root@localhost ~]# touch /test/bcd
[root@localhost ~]# chattr +i /test/         #赋予权限
[root@localhost ~]# lsattr -a /test/
----i----------- /test/.
---------------- /test/..
---------------- /test/bcd
[root@localhost ~]# 
[root@localhost ~]# echo 333 >> /test/bcd     #只能修改
[root@localhost ~]# cat /test/bcd
333
[root@localhost ~]# rm -rf /test/bcd           #不能建立和删除
rm: cannot remove ‘/test/bcd’: Permission denied
[root@localhost ~]# touch /test/cde
touch: cannot touch ‘/test/cde’: Permission denied

[root@localhost ~]# chattr -i /test/
[root@localhost ~]# rm -rf /test/bcd
[root@localhost ~]# rm -rf /test/

 

#----------------- a
#----- 针对文件

[root@localhost ~]# touch cde
[root@localhost ~]# vi cde      #这时可以 vi 以及 echo
[root@localhost ~]# echo 222 >> cde
[root@localhost ~]# cat cde
111
222
[root@localhost ~]# chattr +a cde       #赋予权限  +a
[root@localhost ~]# echo 333 >> cde  #只能 echo追加
[root@localhost ~]# vi cde                  #不能 vi
[root@localhost ~]# echo 000 >> cde
[root@localhost ~]# cat cde
111
222
333
000

[root@localhost ~]# chattr -a cde  #取消
[root@localhost ~]# vi cde

 

 

[root@localhost tmp]# mkdir test
[root@localhost tmp]# touch test/a.txt
[root@localhost tmp]# ls
test
[root@localhost tmp]# cd test
[root@localhost test]# ls
a.txt
[root@localhost test]# cd /tmp
[root@localhost tmp]# chattr +i test            #赋予权限 +i
[root@localhost tmp]# chattr +i test/a.txt
[root@localhost tmp]# lsattr -a test            #查看 -a
----i----------- test/.
---------------- test/..
----i----------- test/a.txt
[root@localhost tmp]# 
[root@localhost tmp]# 
[root@localhost tmp]# lsattr -d test           #查看 -d
----i----------- test

 

                

 

                                                         权限管理---系统命令sudo权限

 

 

 

 

下图来自命令：  man 5 sudoers

 

 

jack            CSNETS = ALL

     The user jack may run any command on the machines
     in the CSNETS alias (the networks 128.138.243.0,
     128.138.204.0, and 128.138.242.0).  Of those net‐
     works, only 128.138.204.0 has an explicit netmask
     (in CIDR notation) indicating it is a class C net‐
     work.  For the other networks in CSNETS, the local
     machine\'s netmask will be used during matching.

     lisa            CUNETS = ALL

     The user lisa may run any command on any host in
     the CUNETS alias (the class B network
     128.138.0.0). 这个网段怎么来的？

来自它的上面：

 # Host alias specification
     Host_Alias      SPARC = bigtime, eclipse, moet, anch
or :\\
                     SGI = grolsch, dandelion, black :\\
                     ALPHA = widget, thalamus, foobar :\\
                     HPPA = boa, nag, python
     Host_Alias      CUNETS = 128.138.0.0/255.255.0.0     #这个！！！
     Host_Alias      CSNETS = 128.138.243.0, 128.138.204.
0/24, 128.138.242.0
     Host_Alias      SERVERS = master, mail, www, ns
     Host_Alias      CDROM = orion, perseus, hercules

英文