Permission commands
Previously, you explored file permissions and the commands that you can use to display and change them. In this reading, you’ll review these concepts and also focus on an example of how these commands work together when putting the principle of least privilege into practice.
Reading permissions
In Linux, permissions are represented with a 10-character string. Permissions include:
- read: for files, this is the ability to read the file contents; for directories, this is the ability to read all contents in the directory, including both files and subdirectories
- write: for files, this is the ability to make modifications to the file contents; for directories, this is the ability to create new files in the directory
- execute: for files, this is the ability to execute the file if it's a program; for directories, this is the ability to enter the directory and access its files
These permissions are given to these types of owners:
- user: the owner of the file
- group: a larger group that the owner is a part of
- other: all other users on the system
Each character in the 10-character string conveys different information about these permissions. The following table describes the purpose of each character:
| Character | Example | Meaning |
|---|---|---|
| 1st | **d**rwxrwxrwx | file type |
| 2nd | d**r**wxrwxrwx | read permissions for the user |
| 3rd | dr**w**xrwxrwx | write permissions for the user |
| 4th | drw**x**rwxrwx | execute permissions for the user |
| 5th | drwx**r**wxrwx | read permissions for the group |
| 6th | drwxr**w**xrwx | write permissions for the group |
| 7th | drwxrw**x**rwx | execute permissions for the group |
| 8th | drwxrwx**r**wx | read permissions for other |
| 9th | drwxrwxr**w**x | write permissions for other |
| 10th | drwxrwxrw**x** | execute permissions for other |
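To make the character positions in the table concrete, here is an added shell example (not part of the original reading) that decodes a 10-character mode string, as printed by ls -l, into its file type and the read/write/execute permissions of user, group, and other, and flags when the "other" class has any access at all. The function names describe_mode, triplet_names, and others_have_access are my own, and the sample strings in the demo are constructed.

```sh
#!/bin/sh
# Added example (not part of the original reading): decode the 10-character
# permission string printed by ls -l. Function names are my own; the sample
# strings in the demo at the bottom are constructed.

# Turn an rwx triplet such as "rw-" into "read,write" ("none" if empty).
# A lowercase s or t in the execute slot means execute plus a special bit.
triplet_names() {
    out=""
    case "$1" in r??) out="read" ;; esac
    case "$1" in ?w?) out="${out:+$out,}write" ;; esac
    case "$1" in ??[xst]) out="${out:+$out,}execute" ;; esac
    printf '%s\n' "${out:-none}"
}

# Print "<type>; user=...; group=...; other=..." for a 10-character mode
# string. Returns 1 on input that is not exactly 10 characters long.
describe_mode() {
    mode=$1
    if [ "${#mode}" -ne 10 ]; then
        printf 'expected 10 characters, got %s\n' "${#mode}" >&2
        return 1
    fi
    # 1st character: file type (d = directory, - = regular file, l = symlink).
    case "$(printf '%s' "$mode" | cut -c1)" in
        -) type="file" ;;
        d) type="directory" ;;
        l) type="symbolic link" ;;
        *) type="other" ;;
    esac
    # Characters 2-4, 5-7 and 8-10 are the user, group and other triplets.
    user=$(printf '%s' "$mode" | cut -c2-4)
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)
    printf '%s; user=%s; group=%s; other=%s\n' "$type" \
        "$(triplet_names "$user")" "$(triplet_names "$group")" "$(triplet_names "$other")"
}

# True (exit 0) when "other" has any permission at all: the first thing to
# question when applying least privilege to a sensitive file.
others_have_access() {
    case "$(printf '%s' "$1" | cut -c8-10)" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# Demo on constructed mode strings.
for m in '-rw-rw----' 'drwxr-xr-x' '-rwxrwxrwx'; do
    printf '%s  =>  %s\n' "$m" "$(describe_mode "$m")"
    if others_have_access "$m"; then
        printf '    other has access; confirm this is intended\n'
    fi
done
```

The functions only look at the string, so they can be fed the first column of any ls -l line; the length check keeps a truncated or mis-pasted value from being silently misread.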
Exploring existing permissions
You can use the ls command to investigate who has permissions on files and directories. Previously, you learned that ls displays the names of files in directories in the current working directory.
There are additional options you can add to the ls command to make your command more specific. Some of these options provide details about permissions. Here are a few important ls options for security analysts:
- ls -a: Displays hidden files. Hidden files start with a period (.).
- ls -l: Displays permissions to files and directories, along with other information including owner name, group, file size, and the time of last modification.
- ls -la: Displays permissions to files and directories, including hidden files. This combines the other two options.
Changing permissions
The principle of least privilege is the concept of granting only the minimal access and authorization required to complete a task or function. In other words, users should not have privileges that are beyond what is necessary. Not following the principle of least privilege can create security risks.
The chmod command can help you manage this authorization. The chmod command changes permissions on files and directories.
Using chmod
The chmod command requires two arguments. The first argument indicates how to change permissions, and the second argument indicates the file or directory that you want to change permissions for. For example, the following command would add all permissions to login_sessions.txt:
chmod u+rwx,g+rwx,o+rwx login_sessions.txt
If you wanted to take all the permissions away, you could use
chmod u-rwx,g-rwx,o-rwx login_sessions.txt
Another way to assign these permissions is to use the equals sign (=) in this first argument. Using = with chmod sets, or assigns, the permissions exactly as specified. For example, the following command would set read permissions for login_sessions.txt for user, group, and other:
chmod u=r,g=r,o=r login_sessions.txt
This command overwrites existing permissions. For instance, if the user previously had write permissions, these write permissions are removed after you specify only read permissions with =.
The following table reviews how each character is used within the first argument of chmod:
| Character | Description |
|---|---|
u | indicates changes will be made to user permissions |
g | indicates changes will be made to group permissions |
o | indicates changes will be made to other permissions |
+ | adds permissions to the user, group, or other |
- | removes permissions from the user, group, or other |
= | assigns permissions for the user, group, or other |
Note: When there are permission changes to more than one owner type, commas are needed to separate changes for each owner type. You should not add spaces after those commas.
The principle of least privilege in action
As a security analyst, you may encounter a situation like this one: There’s a file called bonuses.txt within a compensation directory. The owner of this file is a member of the Human Resources department with a username of hrrep1. It has been decided that hrrep1 needs access to this file. But, since this file contains confidential information, no one else in the hr group needs access.
You run ls -l to check the permissions of files in the compensation directory and discover that the permissions for bonuses.txt are -rw-rw----. The group owner type has read and write permissions that do not align with the principle of least privilege.
To remedy the situation, you input chmod g-rw bonuses.txt. Now, only the user who needs to access this file to carry out their job responsibilities can access this file.
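The ls options, the three chmod operators (+, -, =), and the bonuses.txt scenario above can all be exercised safely on throwaway files. The following shell script is an added example, not part of the original reading: it builds a temporary directory, creates the two file names the reading uses (login_sessions.txt and compensation/bonuses.txt, filled with constructed sample text), runs each chmod form from this section, and reads the resulting mode back from the first column of ls -l so the effect of every command is visible. The helper names mode_of, make_scratch, add_all, remove_all, set_read_only, and fix_bonuses are my own.

```sh
#!/bin/sh
# Added example, not part of the original reading: exercises the ls and chmod
# commands described above on throwaway files in a temporary directory.
# File names come from the reading; file contents are constructed sample data.
set -eu

# The 10-character mode string of a path, exactly as the first column of ls -l.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create the scratch tree and print its path; the caller removes it afterwards.
make_scratch() {
    d=$(mktemp -d)
    printf 'constructed sample data\n' > "$d/login_sessions.txt"
    mkdir "$d/compensation"
    printf 'constructed sample data\n' > "$d/compensation/bonuses.txt"
    printf '%s\n' "$d"
}

# The three chmod forms from the reading; each prints the resulting mode.
add_all()       { chmod u+rwx,g+rwx,o+rwx "$1"; mode_of "$1"; }   # -rwxrwxrwx
remove_all()    { chmod u-rwx,g-rwx,o-rwx "$1"; mode_of "$1"; }   # ----------
set_read_only() { chmod u=r,g=r,o=r "$1";       mode_of "$1"; }   # -r--r--r--

# The bonuses.txt scenario: start from -rw-rw---- and revoke group access
# with g-rw. Prints "before -> after" so the change is visible.
fix_bonuses() {
    chmod u=rw,g=rw,o-rwx "$1"
    before=$(mode_of "$1")
    chmod g-rw "$1"
    printf '%s -> %s\n' "$before" "$(mode_of "$1")"
}

# Walk through every step and show the ls -la view of the directory.
demo() {
    d=$(make_scratch)
    f="$d/login_sessions.txt"
    printf 'start:                    %s\n' "$(mode_of "$f")"
    printf 'after u+rwx,g+rwx,o+rwx:  %s\n' "$(add_all "$f")"
    printf 'after u-rwx,g-rwx,o-rwx:  %s\n' "$(remove_all "$f")"
    printf 'after u=r,g=r,o=r:        %s\n' "$(set_read_only "$f")"
    chmod u=rw,g=rw,o-rwx "$d/compensation/bonuses.txt"
    printf '\nls -la compensation (before the fix):\n'
    ls -la "$d/compensation"
    printf '\ng-rw on bonuses.txt: %s\n' "$(fix_bonuses "$d/compensation/bonuses.txt")"
    rm -rf "$d"
}
demo
```

Reading the mode back through ls after each chmod is the habit worth keeping: the = form in particular replaces whatever was there, so a quick ls -l confirms that nothing the job still needs was dropped along with the excess.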
Key takeaways
Managing directory and file permissions may be a part of your work as a security analyst. Using ls with the -l and -la options allows you to investigate directory and file permissions. Using chmod allows you to change user permissions and ensure they are aligned with the principle of least privilege.