本文共 12806 字,大约阅读时间需要 42 分钟。
ls -l
rwxrwxrwx: 左三位:定义user(owner)的权限 中三位:定义group的权限; 右三位:定义other的权限
进程安全上下文:
进程对文件的访问权限应用模型: 进程的属主与文件的属主是否相同;如果相同,则应用属主权限; 否则,则检查进程的属主是否属于文件的属组;如果是,则应用属组权限; 否则,就只能应用other的权限;
权限:
r:readable, 读 w:writable, 写 x:excutable,执行
文件:
r:可获取文件的数据; w: 可修改文件的数据; x:可将此文件运行为进程;
目录:
r:可使用ls命令获取其下的所有文件列表; w: 可修改此目录下的文件列表;即创建或删除文件; x: 可cd至此目录中,且可使用ls -l来获取所有文件的详细属性信息; mode:rwxrwxrwx ownership:user, group
权限组合机制:
--- 000 0 --x 001 1 -w- 010 2 -wx 011 3 r-- 100 4 r-x 101 5 rw- 110 6 rwx 111 7
chmod命令:
chmod [OPTION]... MODE[,MODE]... FILE... chmod [OPTION]... OCTAL-MODE FILE... chmod [OPTION]... --reference=RFILE FILE...
三类用户:
u:属主 g:属组 o:其它 a: 所有
(1) chmod [OPTION]... MODE[,MODE]... FILE...
MODE表示法: 赋权表示法:直接操作一类用户的所有权限位rwx; u= g= o= a= 授权表示法:直接操作一类用户的一个权限位r,w,x; u+, u- g+, g- o+, o- a+, a-
(2) chmod [OPTION]... OCTAL-MODE FILE...
(3) chmod [OPTION]... --reference=RFILE FILE...
选项:
-R, --recursive:递归修改 注意:用户仅能修改属主为自己的那些文件的权限; 从属关系管理命令:chown, chgrp
chown命令:
chown [OPTION]... [OWNER][:[GROUP]] FILE... chown [OPTION]... --reference=RFILE FILE... 选项: -R:递归修改
chgrp命令:
chgrp [OPTION]... GROUP FILE... chgrp [OPTION]... --reference=RFILE FILE... 注意:仅管理员可修改文件的属主和属组;
1、复制/etc/skel目录为/home/tuser1,要求/home/tuser1及其内部文件的属组和其它用户均没有任何访问权限;
cp -r /etc/skel /home/tuser1[root@Pikachu ~]# cp -r /etc/skel /home/tuser1[root@Pikachu ~]# ll /home/total 4drwx------. 15 PIkachu PIkachu 4096 Oct 6 14:57 PIkachudrwx------ 3 60606 50103 78 Oct 15 00:03 PIP2drwx------ 3 60000 60000 78 Oct 15 00:04 PIP6drwx------ 3 60001 1001 78 Oct 15 00:04 PIP61drwx------ 3 50100 50100 78 Oct 15 00:01 PIPIdrwx------ 3 60100 50101 78 Oct 15 00:01 PIPI2drwx------ 3 60500 50102 78 Oct 15 00:02 PIPI3drwxr-xr-x 3 root root 78 Oct 21 21:54 tuser1
2、编辑/etc/group文件,添加组hadoop ;
[root@Pikachu ~]# vim /etc/group 在最后一行按i键进入编辑模式,输入 : hadoop:x:1004 按esc键进入命令行模式 :wq 回车键保存退出[root@Pikachu ~]# grep hadoop /etc/group hadoop:x:1004
3、手动编辑/etc/passwd文件新增一行,添加用户hadoop,其基本组ID为hadoop组的id号其家目录为/home/hadoop ;
[root@Pikachu ~]# vim /etc/passwd 在最后一行按i键进入编辑模式,输入 : hadoop:x:1004:1004::/home/hadoop:/bin/bash 按esc键进入命令行模式 :wq 回车键保存退出 [root@Pikachu ~]# grep hadoop /etc/passwd hadoop:x:1004:1004::/home/hadoop:/bin/bash
4、复制/etc/skel目录为/home/hadoop,要求修改hadoop目录的属组和其它用户没有任何访问权限;
cp -rv /etc/skel /home/hadoop [root@Pikachu ~]# cp -rv /etc/skel /home/hadoop ‘/etc/skel’ -> ‘/home/hadoop’ ‘/etc/skel/.mozilla’ -> ‘/home/hadoop/.mozilla’ ‘/etc/skel/.mozilla/extensions’ -> ‘/home/hadoop/.mozilla/extensions’ ‘/etc/skel/.mozilla/plugins’ -> ‘/home/hadoop/.mozilla/plugins’ ‘/etc/skel/.bash_logout’ -> ‘/home/hadoop/.bash_logout’ ‘/etc/skel/.bash_profile’ -> ‘/home/hadoop/.bash_profile’ ‘/etc/skel/.bashrc’ -> ‘/home/hadoop/.bashrc’ [root@Pikachu ~]# chmod -R 700 /home/hadoop [root@Pikachu ~]# ll -d /home/hadoop drwx------ 3 root root 78 Oct 21 22:06 /home/hadoop
5、修改/home/hadoop目录及其内部所有文件的属主为hadoop,属组为hadoop ;
[root@Pikachu ~]# chown -R hadoop:hadoop /home/hadoop [root@Pikachu ~]# ll -d /home/hadoop drwx------ 3 hadoop hadoop 78 Oct 21 22:06 /home/hadoop
6、显示/proc/meminfo文件中以大写或小写S开头的行;用两种方式;
[root@Pikachu ~]# grep "^[Ss]" /proc/meminfo;grep -i "^s" /proc/meminfo grep: /proc/meminfo;grep: No such file or directory grep: ^s: No such file or directory /proc/meminfo:SwapCached: 0 kB /proc/meminfo:SwapTotal: 2097148 kB /proc/meminfo:SwapFree: 2097148 kB /proc/meminfo:Shmem: 8624 kB /proc/meminfo:Slab: 67024 kB /proc/meminfo:SReclaimable: 28804 kB /proc/meminfo:SUnreclaim: 38220 kB
7、显示/etc/passwd文件中其默认shell为非/sbin/nologin的用户;
[root@Pikachu ~]# grep -v "nologin$" /etc/passwd | cut -d: -f1 root sync shutdown halt PIkachu hadoop
8、显示/etc/passwd文件中其默认shell为/bin/bash的用户;
[root@Pikachu ~]# grep "bash$" /etc/passwd | cut -d: -f1 root PIkachu hadoop
9、找出/etc/passwd文件中的一位数或两位数;
[root@Pikachu ~]# grep "\<[[:digit:]]\{1,2\}\>" /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin saslauth:x:994:76:Saslauthd user:/run/saslauthd:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin radvd:x:75:75:radvd user:/:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin gdm:x:42:42::/var/lib/gdm:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin oprofile:x:16:16:Special user account to be used by OProfile:/var/lib/oprofile:/sbin/nologin tcpdump:x:72:72::/:/sbin/nologin 10、显示/boot/grub/grub.conf中以至少一个空白字符开头的行;
[root@Pikachu ~]# grep "^[[:space:]]\+" /boot/grub2/grub.cfg load_env set default="${next_entry}" set next_entry= save_env next_entry set boot_once=true set default="${saved_entry}" menuentry_id_option="--id" menuentry_id_option="" set saved_entry="${prev_saved_entry}" save_env saved_entry set prev_saved_entry= save_env prev_saved_entry set boot_once=true if [ -z "${boot_once}" ]; then saved_entry="${chosen}" save_env saved_entry fi if [ x$feature_all_video_module = xy ]; then insmod all_video else insmod efi_gop insmod efi_uga insmod ieee1275_fb insmod vbe insmod vga insmod video_bochs insmod video_cirrus fi set timeout_style=menu set timeout=5 set timeout=5 source ${prefix}/user.cfg if [ -n "${GRUB2_PASSWORD}" ]; then set superusers="root" export superusers password_pbkdf2 root ${GRUB2_PASSWORD} fi load_video set gfxpayload=keep insmod gzio insmod part_msdos insmod xfs set root='hd0,msdos1' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 6b2e77e3-4807-44d4-a573-1384c6450398 else search --no-floppy --fs-uuid --set=root 6b2e77e3-4807-44d4-a573-1384c6450398 fi linux16 /vmlinuz-3.10.0-862.14.4.el7.x86_64 root=/dev/mapper/centos-root ro rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8 initrd16 /initramfs-3.10.0-862.14.4.el7.x86_64.img load_video set gfxpayload=keep insmod gzio insmod part_msdos insmod xfs set root='hd0,msdos1' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 6b2e77e3-4807-44d4-a573-1384c6450398 else search --no-floppy --fs-uuid --set=root 6b2e77e3-4807-44d4-a573-1384c6450398 fi linux16 /vmlinuz-3.10.0-862.el7.x86_64 root=/dev/mapper/centos-root ro rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8 initrd16 /initramfs-3.10.0-862.el7.x86_64.img load_video insmod gzio insmod part_msdos insmod xfs set root='hd0,msdos1' if [ x$feature_platform_search_hint = xy ]; then search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 6b2e77e3-4807-44d4-a573-1384c6450398 else search --no-floppy --fs-uuid --set=root 6b2e77e3-4807-44d4-a573-1384c6450398 fi linux16 /vmlinuz-0-rescue-0e35b7e6076043e5aa5f60894ef1010b root=/dev/mapper/centos-root ro rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet initrd16 /initramfs-0-rescue-0e35b7e6076043e5aa5f60894ef1010b.img source ${config_directory}/custom.cfg source $prefix/custom.cfg; 11、显示/etc/rc.d/rc.sysinit文件中以#开头,后面跟至少一个空白字符,而后又有至少一个非空白字符的行;
[root@Pikachu ~]# grep "^#[[:space:]]\+[^[:space:]]\+" /etc/rc.d/rc.local # THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES # It is highly advisable to create own systemd services or udev rules # to run scripts during boot instead of using this file. # In contrast to previous versions due to parallel execution during boot # this script will NOT be run after all other services. # Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure # that this script will be executed during boot.
12、打出netstat -tan命令执行结果中以‘LISTEN’,后或跟空白字符结尾的行;
[root@Pikachu ~]# netstat -tan | grep "LISTEN[[:space:]]*$" tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN tcp6 0 0 ::1:25 :::* LISTEN tcp6 0 0 :::111 :::* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 ::1:631 :::* LISTEN
13、添加用户bash, testbash, basher, nologin (此一个用户的shell为/sbin/nologin),而后找出当前系统上其用户名和默认shell相同的用户的信息;
[root@Pikachu ~]# useradd bash [root@Pikachu ~]# useradd testbash [root@Pikachu ~]# useradd basher [root@Pikachu ~]# useradd -s /sbin/nologin nologin [root@Pikachu ~]# grep "\(^[^:]\+\>\).*\1$" /etc/passwd sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt bash:x:1005:1005::/home/bash:/bin/bash nologin:x:1008:1008::/home/nologin:/sbin/nologin
转载于:https://blog.51cto.com/13975143/2307165