文件权限配置
# 查看存在哪些 chattr 命令
$ man -aw chattr
# 查看 chattr 帮助信息,并输出到文本中
$ man chattr | col -bx > chattr.txt
CHATTR(1) General Commands Manual CHATTR(1)
NAME
chattr - change file attributes on a Linux file system
SYNOPSIS
chattr [ -RVf ] [ -v version ] [ mode ] files...
DESCRIPTION
chattr changes the file attributes on a Linux file system.
The format of a symbolic mode is +-=[acdeijstuACDST].
The operator `+' causes the selected attributes to be added to the existing attributes of the files; `-' causes them to be removed; and `='
causes them to be the only attributes that the files have.
The letters `acdeijstuACDST' select the new attributes for the files: append only (a), compressed (c), no dump (d), extent format (e),
immutable (i), data journalling (j), secure deletion (s), no tail-merging (t), undeletable (u), no atime updates (A), no copy on write (C),
synchronous directory updates (D), synchronous updates (S), and top of directory hierarchy (T).
The following attributes are read-only, and may be listed by lsattr(1) but not modified by chattr: huge file (h), compression error (E),
indexed directory (I), compression raw access (X), and compressed dirty file (Z).
OPTIONS
-R Recursively change attributes of directories and their contents.
-V Be verbose with chattr's output and print the program version.
-f Suppress most error messages.
-v version
Set the file's version/generation number.
ATTRIBUTES
When a file with the 'A' attribute set is accessed, its atime record is not modified. This avoids a certain amount of disk I/O for laptop
systems.
A file with the `a' attribute set can only be open in append mode for writing. Only the superuser or a process possessing the
CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
A file with the `c' attribute set is automatically compressed on the disk by the kernel. A read from this file returns uncompressed data.
A write to this file compresses data before storing them on the disk. Note: please make sure to read the bugs and limitations section at
the end of this document.
A file with the 'C' attribute set will not be subject to copy-on-write updates. This flag is only supported on file systems which perform
copy-on-write. (Note: For btrfs, the 'C' flag should be set on new or empty files. If it is set on a file which already has data blocks,
it is undefined when the blocks assigned to the file will be fully stable. If the 'C' flag is set on a directory, it will have no effect on
the directory, but new files created in that directory will the No_COW attribute.)
When a directory with the `D' attribute set is modified, the changes are written synchronously on the disk; this is equivalent to the
`dirsync' mount option applied to a subset of the files.
A file with the `d' attribute set is not candidate for backup when the dump(8) program is run.
The 'E' attribute is used by the experimental compression patches to indicate that a compressed file has a compression error. It may not be
set or reset using chattr(1), although it can be displayed by lsattr(1).
The 'e' attribute indicates that the file is using extents for mapping the blocks on disk. It may not be removed using chattr(1).
The 'I' attribute is used by the htree code to indicate that a directory is being indexed using hashed trees. It may not be set or reset
using chattr(1), although it can be displayed by lsattr(1).
The 'h' attribute indicates the file is storing its blocks in units of the filesystem blocksize instead of in units of sectors, and means
that the file is (or at one time was) larger than 2TB. It may not be set or reset using chattr(1), although it can be displayed by
lsattr(1).
A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be
written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
A file with the `j' attribute has all of its data written to the ext3 journal before being written to the file itself, if the filesystem is
mounted with the "data=ordered" or "data=writeback" options. When the filesystem is mounted with the "data=journal" option all file data is
already journalled and this attribute has no effect. Only the superuser or a process possessing the CAP_SYS_RESOURCE capability can set or
clear this attribute.
When a file with the `s' attribute set is deleted, its blocks are zeroed and written back to the disk. Note: please make sure to read the
bugs and limitations section at the end of this document.
When a file with the `S' attribute set is modified, the changes are written synchronously on the disk; this is equivalent to the `sync'
mount option applied to a subset of the files.
A directory with the 'T' attribute will be deemed to be the top of directory hierarchies for the purposes of the Orlov block allocator.
This is a hint to the block allocator used by ext3 and ext4 that the subdirectories under this directory are not related, and thus should be
spread apart for allocation purposes. For example it is a very good idea to set the 'T' attribute on the /home directory, so that
/home/john and /home/mary are placed into separate block groups. For directories where this attribute is not set, the Orlov block allocator
will try to group subdirectories closer together where possible.
A file with the 't' attribute will not have a partial block fragment at the end of the file merged with other files (for those filesystems
which support tail-merging). This is necessary for applications such as LILO which read the filesystem directly, and which don't understand
tail-merged files. Note: As of this writing, the ext2 or ext3 filesystems do not (yet, except in very experimental patches) support tail-
merging.
When a file with the `u' attribute set is deleted, its contents are saved. This allows the user to ask for its undeletion. Note: please
make sure to read the bugs and limitations section at the end of this document.
The 'X' attribute is used by the experimental compression patches to indicate that a raw contents of a compressed file can be accessed
directly. It currently may not be set or reset using chattr(1), although it can be displayed by lsattr(1).
The 'Z' attribute is used by the experimental compression patches to indicate a compressed file is dirty. It may not be set or reset using
chattr(1), although it can be displayed by lsattr(1).
AUTHOR
chattr was written by Remy Card <Remy.Card@linux.org>. It is currently being maintained by Theodore Ts'o <tytso@alum.mit.edu>.
BUGS AND LIMITATIONS
The `c', 's', and `u' attributes are not honored by the ext2, ext3, and ext4 filesystems as implemented in the current mainline Linux ker‐
nels.
The `j' option is only useful if the filesystem is mounted as ext3.
The `D' option is only useful on Linux kernel 2.5.19 and later.
AVAILABILITY
chattr is part of the e2fsprogs package and is available from http://e2fsprogs.sourceforge.net.
SEE ALSO
lsattr(1)
E2fsprogs version 1.42.9 February 2014 CHATTR(1)
来源 https://www.runoob.com/linux/linux-comm-chattr.html
Linux chattr命令用于改变文件属性。
这项指令可改变存放在ext2文件系统上的文件或目录属性,这些属性共有以下8种模式:
- a:让文件或目录仅供附加用途。
- b:不更新文件或目录的最后存取时间。
- c:将文件或目录压缩后存放。
- d:将文件或目录排除在倾倒操作之外。
- i:不得任意更动文件或目录。
- s:保密性删除文件或目录。
- S:即时更新文件或目录。
- u:预防意外删除。
语法
chattr [-RV][-v<版本编号>][+/-/=<属性>][文件或目录...]
参数
-R 递归处理,将指定目录下的所有文件及子目录一并处理。
-v<版本编号> 设置文件或目录版本。
-V 显示指令执行过程。
+<属性> 开启文件或目录的该项属性。
-<属性> 关闭文件或目录的该项属性。
=<属性> 指定文件或目录的该项属性。
实例
用chattr命令防止系统中某个关键文件被修改:
chattr +i /etc/resolv.conf
lsattr /etc/resolv.conf
会显示如下属性
----i-------- /etc/resolv.conf
让某个文件只能往里面追加数据,但不能删除,适用于各种日志文件:
chattr +a /var/log/messages
来源 https://www.runoob.com/linux/linux-comm-lsattr.html
Linux lsattr命令用于显示文件属性。
用chattr执行改变文件或目录的属性,可执行lsattr指令查询其属性。
语法
lsattr [-adlRvV][文件或目录...]
参数:
- -a 显示所有文件和目录,包括以"."为名称开头字符的额外内建,现行目录"."与上层目录".."。
- -d 显示,目录名称,而非其内容。
- -l 此参数目前没有任何作用。
- -R 递归处理,将指定目录下的所有文件及子目录一并处理。
- -v 显示文件或目录版本。
- -V 显示版本信息。
实例
1、用chattr命令防止系统中某个关键文件被修改:
# chattr +i /etc/resolv.conf
然后用mv /etc/resolv.conf等命令操作于该文件,都是得到Operation not permitted 的结果。
vim编辑该文件时会提示W10: Warning: Changing a readonly file错误。要想修改此文件就要把i属性去掉:
chattr -i /etc/resolv.conf
使用 lsattr 命令来显示文件属性:
# lsattr /etc/resolv.conf
输出结果为:
----i-------- /etc/resolv.conf
2、让某个文件只能往里面追加数据,但不能删除,适用于各种日志文件:
# chattr +a /var/log/messages
chmod g+s 、chmod o+t 、chmod u+s
来源 https://blog.csdn.net/taiyang1987912/article/details/41121131
Set uid, gid,sticky bit的三个权限的详细说明
一个文件都有一个所有者, 表示该文件是谁创建的. 同时, 该文件还有一个组编号, 表示该文件所属的组, 一般为文件所有者所属的组.
如果是一个可执行文件, 那么在执行时, 一般该文件只拥有调用该文件的用户具有的权限. 而setuid, setgid 可以来改变这种设置.
setuid: 设置使文件在执行阶段具有文件所有者的权限. 典型的文件是 /usr/bin/passwd. 如果一般用户执行该文件, 则在执行过程中, 该文件可以获得root权限, 从而可以更改用户的密码.
setgid: 该权限只对目录有效. 目录被设置该位后, 任何用户在此目录下创建的文件都具有和该目录所属的组相同的组.
sticky bit: 该位可以理解为防删除位. 一个文件是否可以被某用户删除, 主要取决于该文件所属的组是否对该用户具有写权限. 如果没有写权限, 则这个目录下的所有文件都不能被删除, 同时也不能添加新的文件. 如果希望用户能够添加文件但同时不能删除文件, 则可以对文件使用sticky bit位. 设置该位后, 就算用户对目录具有写权限, 也不能删除该文件.
下面说一下如何操作这些标志:
操作这些标志与操作文件权限的命令是一样的, 都是 chmod. 有两种方法来操作,
1) chmod u+s temp — 为temp文件加上setuid标志. (setuid 只对文件有效)
chmod g+s tempdir — 为tempdir目录加上setgid标志 (setgid 只对目录有效)
chmod o+t temp — 为temp文件加上sticky标志 (sticky只对文件有效)
2) 采用八进制方式. 对一般文件通过三组八进制数字来置标志, 如 666, 777, 644等. 如果设置这些特殊标志, 则在这组数字之外外加一组八进制数字. 如
4666, 2777等. 这一组八进制数字三位的意义如下,
abc
a - setuid位, 如果该位为1, 则表示设置setuid
b - setgid位, 如果该位为1, 则表示设置setgid
c - sticky位, 如果该位为1, 则表示设置sticky
设置完这些标志后, 可以用 ls -l 来查看. 如果有这些标志, 则会在原来的执行标志位置上显示. 如
rwsrw-r– 表示有setuid标志
rwxrwsrw- 表示有setgid标志
rwxrw-rwt 表示有sticky标志
那么原来的执行标志x到哪里去了呢? 系统是这样规定的, 如果本来在该位上有x, 则这些特殊标志显示为小写字母 (s, s, t). 否则, 显示为大写字母 (S, S, T)
这三个权限的数字位可以这么理解
[root@server3 test]# 1 1 1
[root@server3 test]# rw s rws rwt
[root@server3 test]#
[root@server3 test]# SUID SGID Sticky
所以,可以得出
chmod 4777是设sid
chmod 2777是设置gid
chmod 1777是设sticky
常用操作
找出所有危险的目录(设置目录所有人可读写却没有设置sticky位的目录)
find / -perm -0007 -type d
找出所有设置了suid的文件
find / -perm -4000 -type f
补充: (angelus)
SGID位,文件也是可以被设置为SGID的,比如一个可执行文件为赋予SGID,它就具有所有组的特权,任意存取所有组所能使用的系统资源,复制到拥有
SGID位目录的文件,只有在复制时加上-p参数,才能保留原来的组群设置
还有sticky-bit权限,简单说就是文件的其他用户即使有写权限也无法删除.移动
等,只能被文件所有者删除,移动等
在系统中典型例子就是/tmp(系统临时文件目录)避免不守法用户恣意乱删其他用户放置的文件
SUID占用属主x(执行)位,SGID占用组x位,sticky-bit占用其他x位,
如果该位有x权限,就用小写s,没有就用大写S
用数值设定特殊权限,需要4位8进制数,第一个表示特殊权限,后三位表示基本权限
只说第一位8进制代表权限
0: 不设置特殊权限
1: 只设置sticky
2 : 只设置SGID
3: 只设置SGID和sticky
4 : 只设置SUID
5 : 只设置SUID和sticky
6 : 只设置SUID和SGID
7 : 设置3种权限
变更文件或目录的权限。
在UNIX系统家族里,文件或目录权限的控制分别以读取,写入,执行3种一般权限来区分,另有3种特殊权限可供运用,再搭配拥有者与所属群组管理权限范围。您可以使用chmod指令去变更文件与目录的权限,设置方式采用文字或数字代号皆可。符号连接的权限无法变更,如果您对符号连接修改权限,其改变会作用在被连接的原始文件。权限范围的表示法如下:
u:User,即文件或目录的拥有者。
g:Group,即文件或目录的所属群组。
o:Other,除了文件或目录拥有者或所属群组之外,其他用户皆属于这个范围。
a:All,即全部的用户,包含拥有者,所属群组以及其他用户。
有关权限代号的部分,列表于下:
r:读取权限,数字代号为"4"。
w:写入权限,数字代号为"2"。
x:执行或切换权限,数字代号为"1"。
-:不具任何权限,数字代号为"0"。
s:特殊?b>功能说明:变更文件或目录的权限。
sudo配置文件 /etc/sudoers
# # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d
修改其中部分内容:
%admin ALL=/usr/sbin/*,/sbin/*,/usr/bin/*,!/usr/sbin/user*!/usr/bin/passwd,!/usr/bin/rm,!/usr/bin/ssh*,!/usr/sbin/visudo,!/usr/sbin/useradd,!/usr/sbin/userdel %sudo ALL=/usr/sbin/*,/sbin/*,/usr/bin/*,!/usr/sbin/user*!/usr/bin/passwd,!/usr/bin/rm,!/usr/bin/ssh*,!/usr/sbin/visudo,!/usr/sbin/useradd,!/usr/sbin/userdel
===================== End