shell script
Posted by nayike
Permission management --- ACL permissions
I. Introduction to ACL permissions and enabling them
# root creates a new file: the owner has rw, the group and others have r. Now the user tom needs x permission on it. With ugo permissions alone this cannot be done.
This is where ACL permissions come in.
dumpe2fs: not applicable on CentOS 7 (it only reads ext2/3/4 filesystems)!!!
Nowadays ACL support is enabled on most systems (if yours is an exception, enable it manually).
## fstab is the file the system uses to mount filesystems automatically at boot
II. Viewing and setting ACL permissions
# 1. View ACL permissions: getfacl <filename>
[root@localhost ~]# mkdir /project
[root@localhost ~]# useradd bimm
[root@localhost ~]# useradd cangls
[root@localhost ~]# groupadd tgroup
[root@localhost ~]# gpasswd -a bimm tgroup
Adding user bimm to group tgroup
[root@localhost ~]# gpasswd -a cangls tgroup
Adding user cangls to group tgroup
[root@localhost ~]# chown root:tgroup /project/    # change the owner and group
[root@localhost ~]# chmod 770 /project/
[root@localhost ~]# ll -d /project/
drwxrwx--- 2 root tgroup 6 Feb 7 23:26 /project/
[root@localhost ~]# useradd st
[root@localhost ~]# passwd st
Changing password for user st.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# setfacl -m u:st:rx /project/
[root@localhost ~]# ll -d /project/
drwxrwx---+ 2 root tgroup 6 Feb 7 23:26 /project/    # note the extra plus sign
[root@localhost ~]# getfacl /project/
getfacl: Removing leading '/' from absolute path names    # this message can be ignored
# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:r-x    # st is neither the owner nor in the group, yet has r and x
group::rwx
mask::rwx
other::---
##----- test whether st has w permission
[root@localhost ~]# su - st
[st@localhost ~]$ cd /project/
[st@localhost project]$ ls
[st@localhost project]$ touch abc
touch: cannot touch ‘abc’: Permission denied    # no write permission
[root@localhost ~]# groupadd tgroup2
[root@localhost ~]# setfacl -m g:tgroup2:rwx /project/
[root@localhost ~]# getfacl /project/
getfacl: Removing leading '/' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx
group:tgroup2:rwx    # the group entry is now set
mask::rwx
other::---
III. Maximum effective permission and removing ACL permissions
1. The maximum effective permission: mask
# mask specifies the maximum effective permission. An ACL permission granted to a user is ANDed with the mask, and the result is the user's real permission.
2. Changing the maximum effective permission
[root@localhost ~]# setfacl -m m:rx <filename>    # set the mask to r-x; the format is "m:<perms>"
Example:
[root@localhost ~]# getfacl /project/
getfacl: Removing leading '/' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx
group:tgroup2:rwx
mask::rwx    # the mask is currently rwx
other::---
[root@localhost ~]# setfacl -m m:rx /project/    # change the mask to rx
[root@localhost ~]# getfacl /project/
getfacl: Removing leading '/' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx              #effective:r-x
group:tgroup2:rwx       #effective:r-x
mask::r-x
other::---
## changing the mask only affects st and the group entries
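As an added example (not code from the original post), the mask rule above worked out in a POSIX sh script: `effective_acl` and `and_perms` (hypothetical names) parse getfacl output and recompute the `#effective:` column by ANDing every named user, named group and owning-group entry with the mask, leaving the owner and other entries untouched. The sample ACL is constructed from the /project listing shown above.

```shell
#!/bin/sh
# Added example: recompute getfacl's "#effective:" column from the mask rule.
# Every named user, named group and owning-group (group::) entry is ANDed with
# the mask; the owner (user::) and other:: entries are never limited by it.

# and_perms RIGHTS MASK -> RIGHTS restricted by MASK, e.g. "rwx" "r-x" -> "r-x"
and_perms() {
    out=""
    for pos in 1 2 3; do
        r=$(printf '%s' "$1" | cut -c"$pos")
        m=$(printf '%s' "$2" | cut -c"$pos")
        if [ "$r" != "-" ] && [ "$r" = "$m" ]; then out="$out$r"; else out="$out-"; fi
    done
    printf '%s\n' "$out"
}

# effective_acl: read getfacl output on stdin, print each entry with its effective rights
effective_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
    printf '%s\n' "$acl" | while IFS=: read -r tag name rights _; do
        case "$tag" in '#'*|'') continue ;; esac       # skip "# file:" headers and blank lines
        rights=${rights%%[[:space:]]*}                  # drop a trailing "#effective:" note
        if [ -z "$mask" ] || [ "$tag" = other ] || { [ "$tag" = user ] && [ -z "$name" ]; }; then
            eff=$rights                                 # no mask set, owner, or other: unmasked
        else
            eff=$(and_perms "$rights" "$mask")
        fi
        if [ "$eff" = "$rights" ]; then note=""; else note="   (limited by mask $mask)"; fi
        printf '%s:%s:%s -> %s%s\n' "$tag" "$name" "$rights" "$eff" "$note"
    done
}

# Constructed sample: the /project ACL from the post right after "setfacl -m m:rx /project/"
sample='user::rwx
user:st:r-x
group::rwx
group:tgroup2:rwx
mask::r-x
other::---'
printf '%s\n' "$sample" | effective_acl
```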
[root@localhost ~]# getfacl /project/    # before removal
getfacl: Removing leading '/' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx              #effective:r-x
group:tgroup2:rwx       #effective:r-x
mask::r-x
other::---
#--- remove the user st
[root@localhost ~]# setfacl -x u:st /project/
[root@localhost ~]# getfacl /project/
getfacl: Removing leading '/' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
group::rwx
group:tgroup2:rwx
mask::rwx
other::---
#--- remove the group tgroup2
[root@localhost ~]# setfacl -x g:tgroup2 /project/
[root@localhost ~]# getfacl /project/
getfacl: Removing leading '/' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
group::rwx
mask::rwx
other::---
[root@localhost ~]# getfacl /project/
getfacl: Removing leading '/' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
group::rwx
mask::rwx
other::---
[root@localhost ~]# setfacl -b /project/    # use -b to remove all ACL entries at once
[root@localhost ~]# getfacl /project/
getfacl: Removing leading '/' from absolute path names
# file: project/
# owner: root
# group: tgroup
user::rwx
group::rwx
other::---
[root@localhost tmp]# getfacl /project/
getfacl: Removing leading '/' from absolute path names
# file: project/
# owner: root
# group: tgroup3
user::rwx
user:st:r-x          # st
group::r-x
group:tgtest:rwx     # tgtest
mask::rwx            # mask
other::r-x
[root@localhost tmp]# setfacl -b /project/
[root@localhost tmp]# getfacl /procject/
getfacl: /procject/: No such file or directory
[root@localhost tmp]# getfacl /project/
getfacl: Removing leading '/' from absolute path names
# file: project/
# owner: root
# group: tgroup3
user::rwx
group::r-x
other::r-x
IV. Default ACL permissions and recursive ACL permissions
[root@localhost tmp]# cd /project/
[root@localhost project]# touch abc    # create the files abc and bcd
[root@localhost project]# touch bcd
[root@localhost project]# setfacl -m u:st:rx /project/
[root@localhost project]# ls
abc  bcd
[root@localhost project]# ll
total 0
-rw-r--r-- 1 root root 0 Feb 8 10:29 abc    # the files have no + yet
-rw-r--r-- 1 root root 0 Feb 8 10:29 bcd
[root@localhost project]# ll -d /project/
drwxr-xr-x+ 2 root tgroup3 28 Feb 8 10:29 /project/
[root@localhost project]# setfacl -m u:st:rx -R /project/    # recursive ACL permission
[root@localhost project]# ll
total 0
-rw-r-xr--+ 1 root root 0 Feb 8 10:29 abc    # now they have the +
-rw-r-xr--+ 1 root root 0 Feb 8 10:29 bcd
Permission management --- special file permissions
I. SetUID
## SetUID: applies only to files
II. SetGID
Procedure:
# not used much
III. Sticky BIT
[tom@localhost /]$ cd /tmp              # currently the user tom
[tom@localhost tmp]$ touch tom-test      # as tom, create the file tom-test
[tom@localhost tmp]$ ls
tom-test
[tom@localhost tmp]$ su - jack           # switch to the user jack
Password:
[jack@localhost ~]$ whoami
jack
[jack@localhost ~]$ cd /tmp/             # go to /tmp/ and try to delete tom's file tom-test
[jack@localhost tmp]$ ls
tom-test
[jack@localhost tmp]$ ll
total 0
-rw-rw-r-- 1 tom tom 0 Feb 8 22:48 tom-test
[jack@localhost tmp]$ rm -rf tom-test
rm: cannot remove ‘tom-test’: Operation not permitted    # an error is reported
# In /tmp/, only the user who created a file can delete it (except root).
Permission management --- filesystem attributes (chattr)
#----------------- i
#----- on a file
[root@localhost ~]# touch abc          # as root, create the file abc
[root@localhost ~]# ll
total 20
-rw-r--r-- 1 root root 0 Feb 8 23:23 abc
[root@localhost ~]# echo 111 >> abc
[root@localhost ~]# cat abc
111
[root@localhost ~]# chattr +i abc
[root@localhost ~]# lsattr -a abc
----i----------- abc
[root@localhost ~]# echo 222 >> abc    # appending is not allowed, not even for root
-bash: abc: Permission denied
[root@localhost ~]# rm -rf abc         # deleting is not allowed either
rm: cannot remove ‘abc’: Operation not permitted
[root@localhost ~]# cat abc            # reading is all that is still allowed
111
#---- on a directory
[root@localhost ~]# mkdir /test        # create the directory
[root@localhost ~]# touch /test/bcd
[root@localhost ~]# chattr +i /test/   # set the attribute
[root@localhost ~]# lsattr -a /test/
----i----------- /test/.
---------------- /test/..
---------------- /test/bcd
[root@localhost ~]# echo 333 >> /test/bcd    # existing files can still be modified
[root@localhost ~]# cat /test/bcd
333
[root@localhost ~]# rm -rf /test/bcd   # files cannot be created or deleted
rm: cannot remove ‘/test/bcd’: Permission denied
[root@localhost ~]# touch /test/cde
touch: cannot touch ‘/test/cde’: Permission denied
[root@localhost ~]# chattr -i /test/
[root@localhost ~]# rm -rf /test/bcd
[root@localhost ~]# rm -rf /test/
#----------------- a
#----- on a file
[root@localhost ~]# touch cde
[root@localhost ~]# vi cde             # at this point both vi and echo work
[root@localhost ~]# echo 222 >> cde
[root@localhost ~]# cat cde
111
222
[root@localhost ~]# chattr +a cde      # set the attribute +a
[root@localhost ~]# echo 333 >> cde    # only appending (echo >>) is allowed
[root@localhost ~]# vi cde             # vi cannot save
[root@localhost ~]# echo 000 >> cde
[root@localhost ~]# cat cde
111
222
333
000
[root@localhost ~]# chattr -a cde      # remove the attribute
[root@localhost ~]# vi cde
[root@localhost tmp]# mkdir test
[root@localhost tmp]# touch test/a.txt
[root@localhost tmp]# ls
test
[root@localhost tmp]# cd test
[root@localhost test]# ls
a.txt
[root@localhost test]# cd /tmp
[root@localhost tmp]# chattr +i test          # set the attribute +i
[root@localhost tmp]# chattr +i test/a.txt
[root@localhost tmp]# lsattr -a test          # view with -a
----i----------- test/.
---------------- test/..
----i----------- test/a.txt
[root@localhost tmp]# lsattr -d test          # view with -d
----i----------- test
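A defender-side check for the i and a attributes shown above, added here as an example (not code from the original post): `locked_attrs` (a hypothetical name) reads lsattr output and reports every path carrying the immutable or append-only attribute; the sample lines are constructed from the lsattr output in the post.

```shell
#!/bin/sh
# Added example: flag files whose lsattr line carries the immutable (i) or
# append-only (a) attribute. Matching on the letter rather than its column keeps
# the check independent of the attribute column order, which varies by e2fsprogs version.

# locked_attrs: read `lsattr` or `lsattr -a` output on stdin, print "path: attribute(s)" per hit
locked_attrs() {
    while read -r flags path; do
        # a real lsattr line begins with a field made only of attribute letters and dashes
        case "$flags" in ''|*[!A-Za-z-]*) continue ;; esac
        [ -n "$path" ] || continue
        found=""
        case "$flags" in *i*) found="immutable" ;; esac
        case "$flags" in *a*) found="${found:+$found,}append-only" ;; esac
        if [ -n "$found" ]; then printf '%s: %s\n' "$path" "$found"; fi
    done
}

# Constructed sample, built from the lsattr lines shown in the post
printf '%s\n' '----i----------- abc' '---------------- /test/bcd' '-----a---------- cde' | locked_attrs
```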
Permission management --- the sudo command
The following excerpt is from the command: man 5 sudoers
jack CSNETS = ALL
    The user jack may run any command on the machines in the CSNETS alias (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those networks, only 128.138.204.0 has an explicit netmask (in CIDR notation) indicating it is a class C network. For the other networks in CSNETS, the local machine's netmask will be used during matching.
lisa CUNETS = ALL
    The user lisa may run any command on any host in the CUNETS alias (the class B network 128.138.0.0).
Where does this network range come from? From the definitions above it:
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
           SGI = grolsch, dandelion, black :\
           ALPHA = widget, thalamus, foobar :\
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0    # this one!!!
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
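To see how the host matching described in the excerpt works, an added example (not from the original post or from the sudo project): a POSIX sh script that checks whether a host address falls inside a Host_Alias network written as a bare address, a CIDR prefix or a dotted netmask. The function names are hypothetical, and for a bare address with no mask it assumes 255.255.255.0 in place of the local machine's netmask.

```shell
#!/bin/sh
# Added example: sudoers Host_Alias network matching (bare address, CIDR prefix
# or dotted netmask), as described in the man page excerpt above.

# ip2int: dotted quad -> 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask2int: prefix length ("24") or dotted netmask ("255.255.0.0") -> integer mask
mask2int() {
    case "$1" in
        *.*) ip2int "$1" ;;
        *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
    esac
}

# host_in_net HOST NETSPEC [DEFAULT_MASK]
# A bare address carries no mask; sudo then uses the local machine's netmask.
# This example assumes 255.255.255.0 for that case (a constructed value).
host_in_net() {
    case "$2" in
        */*) net=${2%/*}; mask=$(mask2int "${2#*/}") ;;
        *)   net=$2;      mask=$(mask2int "${3:-255.255.255.0}") ;;
    esac
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# host_in_alias HOST "net1, net2, ..." -> true if HOST matches any member
host_in_alias() {
    oldifs=$IFS; IFS=,
    for spec in $(printf '%s' "$2" | tr -d ' '); do
        IFS=$oldifs
        host_in_net "$1" "$spec" && return 0
    done
    IFS=$oldifs
    return 1
}

# Demo with the CSNETS and CUNETS aliases from the man page excerpt
if host_in_alias 128.138.204.7 "128.138.243.0, 128.138.204.0/24, 128.138.242.0"; then
    echo "128.138.204.7 is in CSNETS"
fi
host_in_alias 10.1.2.3 "128.138.0.0/255.255.0.0" || echo "10.1.2.3 is not in CUNETS"
```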