Linux_7/(chattr, lsattr), (setfacl, getfacl),su
----------------------------------------------------------------------------------------------------------------------------
lsattr 查看隐藏权限
chattr 设置隐藏权限
----------------------------------------------------------------------------------------------------------------------------
命令 | 说明 | |
1 | lsattr file | 查看file的特殊权限 |
2 | chattr [+-]参数 file | 修改file的特殊权限(+ 为添加参数,- 为去除参数) |
参数 +/- | ||
3 | a | 仅允许补充(追加)内容,无法覆盖/删除内容(Append Only) |
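4 | i | 无法对文件进行任何修改;若对目录设置了该参数,则仅能修改其中的子文件内容而不能新建或删除文件 |
注意:a 与 i 只能由 root(或具备 CAP_LINUX_IMMUTABLE 能力的进程)设置和取消。root 可随时用 chattr -i 去掉该参数(见下方示例),因此它用于防误删、防普通用户篡改,并不能约束已取得 root 权限的人。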
[root@localhost ~]# lsattr initial-setup-ks.cf
---------------- initial-setup-ks.cf
[root@localhost ~]# chattr +a initial-setup-ks.cf
[root@localhost ~]# lsattr initial-setup-ks.cf
-----a---------- initial-setup-ks.cf
[root@localhost ~]# echo "TEST123456" > initial-setup-ks.cf
-bash: initial-setup-ks.cf: Operation not permitted
[root@localhost ~]# echo "TEST123456" >> initial-setup-ks.cf
[root@localhost ~]# tail initial-setup-ks.cf
Testetsad;gjlninaaaaa
TEST123456
[root@localhost ~]#
[root@localhost ~]# lsattr anaconda-ks.cfg
---------------- anaconda-ks.cfg
[root@localhost ~]# chattr +i anaconda-ks.cfg
[root@localhost ~]# lsattr anaconda-ks.cfg
----i----------- anaconda-ks.cfg
[root@localhost ~]#
[root@localhost ~]# echo "TEST123456" >> anaconda-ks.cfg
-bash: anaconda-ks.cfg: Permission denied
[root@localhost ~]# echo "TEST123456" > anaconda-ks.cfg
-bash: anaconda-ks.cfg: Permission denied
[root@localhost ~]# rm anaconda-ks.cfg
rm: remove regular file ‘anaconda-ks.cfg’? y
rm: cannot remove ‘anaconda-ks.cfg’: Operation not permitted
[root@localhost ~]#
[root@localhost ~]# lsattr anaconda-ks.cfg
----i----------- anaconda-ks.cfg
[root@localhost ~]# chattr -i anaconda-ks.cfg
[root@localhost ~]# lsattr anaconda-ks.cfg
---------------- anaconda-ks.cfg
[root@localhost ~]# rm anaconda-ks.cfg
rm: remove regular file ‘anaconda-ks.cfg’? y
[root@localhost ~]# ls
Desktop Downloads initial-setup-ks.cfg initial-setup-ks.cfz~ Pictures Templates
Documents initial-setup-ks.cf initial-setup-ks.cfg~ Music Public Videos
[root@localhost ~]#
----------------------------------------------------------------------------------------------------------------------------
getfacl 获取文件访问控制列表
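setfacl 设置文件访问控制列表(-R 递归处理目录,-m 修改ACL条目)
说明:设置ACL后,ls -l 的权限位末尾会出现 "+",此时中间三位显示的是ACL的 mask,而不是所属组的实际权限;实际生效的权限以 getfacl 的输出为准。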
----------------------------------------------------------------------------------------------------------------------------
[root@localhost home]# ll
total 8
drwxr-xr-x. 2 root root 6 Nov 26 21:42 public
drwx------. 5 zhangsan zhangsan 4096 Nov 26 21:00 zhangsan
drwx------. 14 zhxu zhxu 4096 Nov 26 20:42 zhxu
[root@localhost home]#
[root@localhost home]# chmod -Rf 000 public/
[root@localhost home]# setfacl -Rm u:zhxu:rwx public/
[root@localhost home]# ls -ld public/
d---rwx---+ 2 root root 6 Nov 26 21:42 public/
[root@localhost home]#
[root@localhost home]# getfacl public/
# file: public/
# owner: root
# group: root
user::---
user:zhxu:rwx
group::---
mask::rwx
other::---
[root@localhost home]#
----------------------------------------------------------------------------------------------------------------------------
su / sudo(使用 visudo 编辑 sudoers 配置)
----------------------------------------------------------------------------------------------------------------------------
[root@localhost home]# visudo
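格式:谁可以使用 允许使用的主机=(以谁的身份) 可执行命令的列表(命令须写绝对路径,多个命令用逗号分隔)
注意最小权限:以 (ALL) 身份放行 cat、ls 且不限制参数,等同于允许该用户读取任意文件(包括仅 root 可读的敏感文件);需要时应在命令后写明允许的参数或路径。NOPASSWD 只应授予影响范围明确的命令。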
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
zhxu ALL=(ALL) /usr/bin/ls,/usr/bin/cat
linuxprobe ALL=NOPASSWD: /usr/sbin/poweroff