</tbody></table></form></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=10 cellPadding=0 width="100%" bgColor=#ffffff border=0><TR><TD>
<TABLE cellSpacing=0 cellPadding=3 width="100%" border=0><TR><TD vAlign=top align=middle width="60%">
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0><TBODY><TR><TD vAlign=top width="80%"><DIV align=center>
<TABLE cellSpacing=0 cellPadding=3 width="95%" align=center border=0><TBODY><TR><TD>
<TABLE cellSpacing=0 cellPadding=3 width="100%" border=0><TBODY><TR><TD vAlign=top>
<p><FONT class=normalfont><B><font color=blue>Linux control over system users</font></B></FONT><BR><FONT class=smallfont color=#ff9900>2004-04-23 15:18 pm</FONT><BR><FONT class=normalfont>Author: author<br>Source: Linux知识宝库<br>Contact: anonymous<br><br>Linux control over system users (part 1)<br>
Recently, for work, I read some material on how Linux handles file authorization for users and quotas on system resources from a system-security standpoint; here I share what I took from it.<br>
Once a Linux system has a certain number of users, the system's control over those users, both in file-system security and in the use of system resources, becomes more and more important. Linux provides corresponding controls for file permissions, file attributes, file-system quotas and system resources. The following discusses Linux from these four angles.<br>
1. File permissions<br>
File permissions are the most familiar topic for every Linux user. They are a mechanism for controlling user access to files: they limit how far a user can range across the file system and reduce the threat a user poses to system security.<br>
Consider a simple example:<br>
[chase@lustre doc]$ ls -l<br>
-rw-rw-r-- 1 chase chase 2 Feb 17 00:17 a.txt<br>
This is the output of ls -l. It shows several pieces of information about the file a.txt, with the following meanings:<br>
-rw-rw-r-- (permissions) 1 (link count) chase (owner) chase (group) 2 (size in bytes)<br>
Feb 17 00:17 (last modification time) a.txt (file name)<br>
So the file is owned by chase and belongs to group chase. The permission field itself can be split into four parts:<br>
- (file type) rw- (owner permissions) rw- (group permissions) r-- (other users' permissions)<br>
The first part gives the file type. Linux has seven file types: socket (s), symbolic link (l), regular file (-), block device (b), directory (d), character device (c) and named pipe (p); the letter in parentheses is how each type appears in the permission field. The other three parts have the same structure, each written as three characters (rwx): r is read permission, w is write permission and x is execute permission. Each of these three parts can be expressed as a three-bit binary number or a single octal digit; when a permission is enabled, its bit is set to 1. So rw- means the read and write bits are enabled, which can be written as binary 110 or octal 6.<br>
Permissions can be changed either symbolically or with octal numbers.<br>
The command for changing permissions is chmod. In symbolic mode, u stands for the owner, g for the group, o for other users and a for everyone. For example, to make a.txt read-only for the group, run<br><br>
[chase@lustre doc]$ chmod g-w a.txt<br>
[chase@lustre doc]$ ls -l<br>
-rw-r--r-- 1 chase chase 2 Feb 17 00:35 a.txt<br>
Now the group can only read the file. If you then run<br><br>
[chase@lustre doc]$ chmod +x a.txt<br>
[chase@lustre doc]$ ls -l<br>
-rwxr-xr-x 1 chase chase 2 Feb 17 00:35 a.txt<br>
all the execute bits are enabled, but<br><br>
[chase@lustre doc]$ chmod +w a.txt<br>
[chase@lustre doc]$ ls -l<br>
-rw-rw-r-- 1 chase chase 2 Feb 17 00:35 a.txt<br>
does not enable every write bit; you must use a+w for that. I am not sure of the main reason; probably it is a security consideration.<br>
Using numeric mode, the same sequence of permission changes is performed as follows<br><br>
[chase@lustre doc]$ chmod 644 a.txt<br>
[chase@lustre doc]$ ls -l<br>
-rw-r--r-- 1 chase chase 2 Feb 17 00:35 a.txt<br>
and to enable all execute bits<br><br>
[chase@lustre doc]$ chmod 755 a.txt<br>
[chase@lustre doc]$ ls -l<br>
-rwxr-xr-x 1 chase chase 2 Feb 17 00:35 a.txt<br><br>
There are also the SUID and SGID bits, which set the effective user or group ID used during execution. With SUID, when a user (not necessarily the file's owner) executes the file, the effective user ID (UID) of the resulting process is set to the UID of the file's owner. SGID is analogous: when a user (not necessarily a member of the file's group) executes an SGID file, the effective group ID (GID) is set to the GID of the file's group.<br><br>
Besides the bits above, there is one more worth mentioning. Run the following command<br><br>
[chase@lustre doc]$ ls -ld /tmp/<br>
drwxrwxrwt 3 root root 4096 Feb 16 23:42 /tmp/<br><br>
Notice that the last character of the third part of the permission field is t. This bit is called the sticky bit. Some books describe it this way: it appears mainly on directories, and it means that users may delete only their own files in that directory, not other people's files. Below is the explanation of the sticky bit's origin from the book Practical UNIX &amp; Internet Security:<br><br>
The Origin of "Sticky"<br>
A very long time ago, UNIX ran on machines with much less memory than
today: 64 kilobytes, for instance. This amount of memory was expected to
contain a copy of the operating system, I/O buffers, and running programs.
This memory often wasn't sufficient when there were several large programs
running at the same time.<br>
To make the most of the limited memory, UNIX swapped processes to and
from secondary storage as their turns at the CPU ended. When a program was
started, UNIX would determine the amount of storage that might ultimately
be needed for the program, its stack, and all its data. It then allocated
a set of blocks on the swap partition of the disk or drum attached to the
system. (Many systems still have a /dev/swap, or a swapper process that is
a holdover from these times.)<br>
Each time the process got a turn from the scheduler, UNIX would swap
in the program and data, if needed, execute for a while, and then swap out
the memory copy if the space was needed for the next process. When the
process exited or exec'd another program, the swap space was reclaimed for
use elsewhere. If there was not enough swap space to hold the process's
memory image, the user got a "No memory error" (still possible on many
versions of UNIX if a large stack or heap is involved.)<br>
Obviously, this is a great deal of I/O traffic that could slow
computation. So, one of the eventual steps was development of compiler
technology that constructed executable files with two parts: pure code that
would not change, and everything else. These were indicated with a special
magic number in the header inside the file. When the program was first
executed, the program and data were copied to their swap space on disk
first, then brought into memory to execute. However, when the time comes
to swap out, the code portions were not written to disk - they would not
have changed from what was already on disk! This change was a big savings.<br>
The next obvious step was to stop some of that extra disk-to-disk
copying at start-up time. Programs that were run frequently - such as cc,
ed, and rogue - could share the same program pages. Furthermore, even if
no copy was currently running, we could expect another one to be run soon.
Therefore, keeping the pages in memory and on the swap partition, even
while we weren't using them, made sense. The "sticky bit" was added to
mark those programs as worth saving.<br>
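The rwx-to-octal mapping from the file-permissions section, together with the SUID, SGID and sticky bits described after it, as an added example that is not part of the original article: a POSIX sh function that turns an ls -l permission string into its four-digit octal mode, plus a check that replays the article's chmod sequence on a throwaway file and compares the result with stat(1). The function and file names are this example's own, and GNU coreutils or BusyBox stat is assumed for the replay.

```shell
#!/bin/sh
# Added example, not from the original article: mode_to_octal converts an
# ls -l permission string such as -rwsr-xr-x to its octal mode (4755) using
# the rwx -> binary -> octal mapping described above, and folds the s/S
# (SUID, SGID) and t/T (sticky) markers into the leading digit.
mode_to_octal() {
    m=$1
    special=0
    out=""
    i=1
    # Walk owner, group, other. The loop value doubles as the weight of the
    # special bit carried in that triplet's x slot: SUID=4, SGID=2, sticky=1.
    for who in 4 2 1; do
        v=0
        r=$(printf '%s' "$m" | cut -c$((i+1)))
        w=$(printf '%s' "$m" | cut -c$((i+2)))
        x=$(printf '%s' "$m" | cut -c$((i+3)))
        [ "$r" = r ] && v=$((v+4))
        [ "$w" = w ] && v=$((v+2))
        case $x in
            x|s|t) v=$((v+1)) ;;                 # lowercase: execute bit is also set
        esac
        case $x in
            s|S|t|T) special=$((special+who)) ;; # uppercase S/T: special bit without x
        esac
        out="$out$v"
        i=$((i+3))
    done
    printf '%s%s\n' "$special" "$out"
}

# Replay the article's chmod sequence (plus u+s and g+s) on a throwaway file
# and confirm that the symbolic mode stat prints (%A) converts to the octal
# mode it prints (%a). Assumes GNU coreutils or BusyBox stat. Returns 0 when
# every step agrees.
replay_chmod_sequence() {
    f=$(mktemp) || return 1
    for step in g-w +x 644 755 u+s g+s; do
        chmod "$step" "$f" || { rm -f "$f"; return 1; }
        sym=$(stat -c %A "$f")
        oct=$(printf '%04d' "$(stat -c %a "$f")")
        if [ "$(mode_to_octal "$sym")" != "$oct" ]; then
            echo "mismatch after chmod $step: $sym vs $oct" >&2
            rm -f "$f"
            return 1
        fi
    done
    rm -f "$f"
}
```

Note that chmod +x in the replay honours the process umask, exactly as the article's +x versus a+w observation shows, so the intermediate mode after that step depends on the umask in effect.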