1.3. Special case: setuid and setgid
setuid and setgid are two permission bits that change the privileges of the process created when the file is executed. If setuid is set, the process runs with the rights of the file's owner for the duration of the execution, whichever user launched it. setgid, as you have guessed, does the same with the file's group: the process gets the group rights of the file rather than those of the user who launched it. Two caveats worth knowing: on Linux the kernel honours these bits only on binaries, not on interpreted scripts, and because a setuid binary owned by root runs with root's rights, any flaw in it is a classic path to privilege escalation, so the list of setuid files on a system should be kept short and reviewed.
To set or clear the bit, add or remove the "s" flag on the owner (u+s) or on the group (g+s) with chmod. In the output of ls -l it appears in place of the "x" of the corresponding triad:
ls -l myfile
-rwsrw-r-- 1 sl friends 200 Sep 23 16:44 myfile
chmod g+s myfile2
ls -l myfile2
-rwxrwsr-- 1 sl friends 200 Sep 23 16:44 myfile2
1.4. Limits of the system
This simple and effective solution has one major limitation: rights can only be expressed for the owner, for one group and for everyone else. You cannot grant or deny access to a second user, or to a second group, on the same file.
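To make the meaning of the "s" flag from 1.3 concrete, here is an added example (not code from the original article) that decodes and encodes ls -l style permission strings, distinguishes a lowercase "s"/"t" (special bit plus execute) from an uppercase "S"/"T" (special bit set on a file that is not executable, which chmod u+s on a non-executable file produces and which has no effect on a regular file), and walks a directory to list the files carrying setuid or setgid, the way an audit with find would. It uses only the Python standard library; the sample mode strings are constructed.

```python
"""Decode and encode ls -l style permission strings, including the setuid,
setgid and sticky bits, and list the files that carry them.

Added example for this page, not code from the original article."""
import os
import stat

# Special bit that lives in each permission triad's execute position.
_SPECIAL = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)


def parse_mode_string(text: str) -> int:
    """'-rwsrw-r--' -> 0o4764. The leading file-type character is ignored.
    's'/'t' mean special bit plus execute; 'S'/'T' mean special bit without
    execute."""
    if len(text) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    mode = 0
    for triad in range(3):
        r, w, x = text[1 + 3 * triad: 4 + 3 * triad]
        shift = 6 - 3 * triad
        letter = "t" if triad == 2 else "s"
        if r not in "r-" or w not in "w-" or x not in "x-" + letter + letter.upper():
            raise ValueError(f"unexpected characters in {text!r}")
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        if x in "x" + letter:            # lowercase: execute bit is set
            mode |= 1 << shift
        if x.lower() == letter:          # s/S or t/T: special bit is set
            mode |= _SPECIAL[triad]
    return mode


def format_mode(mode: int) -> str:
    """Inverse of parse_mode_string, without the file-type character."""
    out = []
    for triad, special in enumerate(_SPECIAL):
        shift = 6 - 3 * triad
        out.append("r" if mode & (4 << shift) else "-")
        out.append("w" if mode & (2 << shift) else "-")
        letter = "t" if triad == 2 else "s"
        executable = bool(mode & (1 << shift))
        if mode & special:
            out.append(letter if executable else letter.upper())
        else:
            out.append("x" if executable else "-")
    return "".join(out)


def describe(mode: int) -> list:
    """Human-readable notes on the special bits of a regular file's mode."""
    notes = []
    if mode & stat.S_ISUID:
        notes.append("setuid: process runs with the file owner's uid"
                     if mode & stat.S_IXUSR else
                     "setuid without owner execute (capital S): no effect")
    if mode & stat.S_ISGID:
        notes.append("setgid: process runs with the file group's gid"
                     if mode & stat.S_IXGRP else
                     "setgid without group execute (capital S): no effect on a file")
    if mode & stat.S_ISVTX:
        notes.append("sticky: only the owner may remove entries from this directory")
    return notes


def find_special(root: str) -> list:
    """List (path, perms) for regular files under root carrying setuid or
    setgid, like `find root -perm /6000`. Symlinks are not followed."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, format_mode(st.st_mode)))
    return hits


if __name__ == "__main__":
    for sample in ("-rwsrw-r--", "-rwxrwsr--", "-rwSr--r--"):   # constructed inputs
        mode = parse_mode_string(sample)
        print(sample, oct(mode), describe(mode))
    for path, perms in find_special("/usr/bin"):                  # audit a real directory
        print(perms, path)
```

The audit loop in the main block is the check a reviewer would run after adding a setuid binary: every hit is a file whose bugs are inherited by its owner's privileges.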
2. ACLs on Linux (POSIX)
Let us take a case that the generic Unix permission system cannot solve cleanly, to illustrate:
Suppose I have a file example.txt that contains gift ideas for birthdays.
Here are its permissions:
ls -l example.txt
-rwxrw---- 1 sl friends 120 Sep 23 17:44 example.txt
Unfortunately, the file belongs to the group "friends", and the person whose birthday it is belongs to that group too. I cannot remove that person from the group just for one file; it would mainly affect the other files the group shares. Create another group without them? What a complication! The solution is to add users and/or groups, each with their own basic rights (rwx), on top of the owner, group and other triads. That way I can set an ACL entry that removes the read right from that one user, even though they belong to friends.
2.1. Prerequisites
There are two prerequisites:
- The kernel supports ACLs.
- The file system is mounted with the acl option, for example in /etc/fstab:
/dev/hda6 /home ext3 defaults,acl 0 2
On current distributions this is usually already the case: ext4 file systems created with the default options carry acl among their default mount options, and XFS always supports ACLs. If setfacl answers "Operation not supported", check the mount options reported by mount (or, for ext2/3/4, the default mount options shown by tune2fs -l).
2.2. Assigning ACLs
There are two basic commands for managing ACLs: setfacl and getfacl.
For all the examples, we start from the following file:
sl@testuser:/home/TEST$ ls -lrt
total 4
-rwxr-x--- 1 sl sl 209 2009-11-30 16:59 test.xml
setfacl lets you edit the list of access entries of a file; you can remove entries as well as add them. Alongside the named entries there is a "mask" entry. setfacl creates it automatically the first time you add a named user or group entry (unless you pass -n), and it caps the rights of every named user, every named group and the owning group: only permissions present in the mask are effective. So with a mask of rw-, nobody covered by the mask can execute the file, even if their own entry allows it. Conversely, if the mask is rwx and you want to stop everyone whose entry carries the write right from writing, you simply change the mask to r-x.
Adding a full mask
Let us use this command to examine the syntax of setfacl. The -m argument adds or modifies an entry, as opposed to -x, which removes one. Here the mask is set explicitly to rwx:
sl@testuser:/home/TEST$ setfacl -m m::rwx test.xml
The second argument has the structure type:name:rights, where the type, besides "m" for the mask, is "u" for a user or "g" for a group:
'type':'someperson':'rights (rwx)'
So, to give the user pm the read and write rights on the file:
sl@testuser:/home/TEST$ setfacl -m u:pm:rw test.xml
When you change the ACL of a directory and want all the files inside it to receive the same entries, use the -R option (recursive). When I now do ls -l on my file, I notice a small change:
sl@testuser:/home/TEST$ ls -lrt
total 4
-rwxr-x---+ 1 sl sl 209 2009-11-30 16:59 test.xml
The small + indicates that the file carries an ACL. To view the ACL in readable form, use the getfacl command:
sl@testuser:/home/TEST$ getfacl test.xml
# file: test.xml
# owner: sl
# group: sl
user::rwx
user:pm:rw-
group::r-x
mask::rwx
other::---
The lines user::rwx, group::r-x and other::--- correspond to the usual Unix owner, group and other rights.
You also find your mask, mask::rwx, and the entry you added, user:pm:rw-.
Let us see what the mask is for. I want to take the write right away from every user other than me, the owner. I remove the write permission from the mask:
sl@testuser:/home/TEST$ setfacl -m m::rx test.xml
sl@testuser:/home/TEST$ getfacl test.xml
# file: test.xml
# owner: sl
# group: sl
user::rwx
user:pm:rw-			#effective:r--
group::r-x
mask::r-x
other::---
Note the #effective annotation: it tells us that, after the mask is applied, pm's real right is read only. Without the mask I would have had to remove the write right from each user's entry one by one. Two things to keep in mind once a file has an ACL: the group triad shown by ls -l (here r-x) is the mask, not the owning group's entry, and chmod on the group bits changes the mask rather than the group entry.
Deleting a user
If I want to remove pm's ACL entry on this file:
sl@testuser:/home/TEST$ setfacl -x u:pm test.xml
sl@testuser:/home/TEST$ getfacl test.xml
# file: test.xml
# owner: sl
# group: sl
user::rwx
group::r-x
mask::r-x
other::---
pm then becomes a regular user again, subject to the classic rules. You can also delete all the extended entries of a file at once with -b:
sl@testuser:/home/TEST$ setfacl -b test.xml
sl@testuser:/home/TEST$ getfacl test.xml
# file: test.xml
# owner: sl
# group: sl
user::rwx
group::r-x
other::---
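To show exactly how the mask and the named entries combine, here is an added example (not code from the original article) that parses getfacl's text output, reproduces the #effective annotation, and implements the POSIX.1e access check as the kernel applies it: the owner entry decides for the owner (the mask is never applied to it), a named user entry decides for that user, the owning group and any matching named groups are examined together (access is granted if any matching group entry carries all the requested bits after the mask), and other decides for everyone else. The two getfacl texts are constructed to mirror the page's test.xml and the example.txt scenario from section 2, with "alice" as an assumed name for the person to be denied and "users" as an assumed primary group for pm.

```python
"""Evaluate POSIX.1e ACLs offline: parse getfacl output, apply the mask and run
the access algorithm. Added example for this page, not the article's own code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(text: str) -> int:
    """'rw-' or 'rw' -> 6; '-' placeholders are ignored, as setfacl does."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)


def fmt_perms(bits: int) -> str:
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0                 # user::  (owner; the mask never applies)
    group_obj: int = 0                # group:: (owning group; masked)
    other: int = 0                    # other:: (never masked)
    mask: Optional[int] = None        # mask::  (absent when there are no extended entries)
    named_users: Dict[str, int] = field(default_factory=dict)
    named_groups: Dict[str, int] = field(default_factory=dict)


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl's text form: '# owner:' / '# group:' header, then entries."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()   # drop the computed annotation
        if not line or line.startswith("# file:"):
            continue
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        else:
            tag, name, perms = line.split(":")
            bits = parse_perms(perms)
            if tag == "user" and name:
                acl.named_users[name] = bits
            elif tag == "user":
                acl.user_obj = bits
            elif tag == "group" and name:
                acl.named_groups[name] = bits
            elif tag == "group":
                acl.group_obj = bits
            elif tag == "mask":
                acl.mask = bits
            elif tag == "other":
                acl.other = bits
            else:
                raise ValueError(f"unknown ACL entry: {line}")
    return acl


def effective(acl: Acl, bits: int) -> int:
    """Rights actually granted by a masked entry."""
    return bits if acl.mask is None else bits & acl.mask


def set_mask(acl: Acl, perms: str) -> Acl:
    """Equivalent of `setfacl -m m::<perms>`."""
    acl.mask = parse_perms(perms)
    return acl


def access(acl: Acl, user: str, groups: Set[str], want: str) -> bool:
    """POSIX.1e access check: owner, then named user, then all matching group
    entries (any one of them may grant), then other."""
    want_bits = parse_perms(want)
    if user == acl.owner:
        granted = [acl.user_obj]
    elif user in acl.named_users:
        granted = [effective(acl, acl.named_users[user])]
    else:
        granted = [effective(acl, acl.group_obj)] if acl.group in groups else []
        granted += [effective(acl, b) for g, b in acl.named_groups.items() if g in groups]
        if not granted:
            granted = [acl.other]
    return any(want_bits & g == want_bits for g in granted)


def render(acl: Acl, filename: str) -> str:
    """Reproduce getfacl's output, with '#effective' where the mask strips rights."""
    def entry(tag: str, name: str, bits: int) -> str:
        line = f"{tag}:{name}:{fmt_perms(bits)}"
        if effective(acl, bits) != bits:
            line += f"\t#effective:{fmt_perms(effective(acl, bits))}"
        return line

    lines = [f"# file: {filename}", f"# owner: {acl.owner}", f"# group: {acl.group}",
             f"user::{fmt_perms(acl.user_obj)}"]
    lines += [entry("user", n, b) for n, b in acl.named_users.items()]
    lines.append(entry("group", "", acl.group_obj))
    lines += [entry("group", n, b) for n, b in acl.named_groups.items()]
    if acl.mask is not None:
        lines.append(f"mask::{fmt_perms(acl.mask)}")
    lines.append(f"other::{fmt_perms(acl.other)}")
    return "\n".join(lines)


# Constructed: the page's test.xml after `setfacl -m u:pm:rw test.xml`.
TEST_XML = "# file: test.xml\n# owner: sl\n# group: sl\nuser::rwx\nuser:pm:rw-\ngroup::r-x\nmask::rwx\nother::---\n"
# Constructed: the page's example.txt, denying alice (assumed name) although she is in friends.
EXAMPLE_TXT = "# file: example.txt\n# owner: sl\n# group: friends\nuser::rwx\nuser:alice:---\ngroup::rw-\nmask::rw-\nother::---\n"

if __name__ == "__main__":
    acl = parse_getfacl(TEST_XML)
    set_mask(acl, "rx")                                  # setfacl -m m::rx test.xml
    print(render(acl, "test.xml"))                       # user:pm:rw- now shows #effective:r--
    print("pm can write:", access(acl, "pm", {"users"}, "w"))
    print("alice can read example.txt:", access(parse_getfacl(EXAMPLE_TXT), "alice", {"friends"}, "r"))
```

The access function generalises the page's single scenario: it also covers named group entries and the rule that a user matched by a named entry never falls through to the group or other entries, which is what makes the user:alice:--- entry a reliable deny even though alice is a member of friends.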
Generic Unix permission management should be well known to everyone, first for security reasons but also for privacy, and because it is fundamental to handling and using files. ACLs are available today on Linux and on other Unix systems, and they are simple enough and close enough at hand for any administrator or user to put them to use. I strongly advise enabling them, at least initially on /home, where this kind of fine-grained control is often appreciated by users.