以下对linux文件安全策略做一下总结,常读有益提高英文水平,呵呵。
Permissions(权限)
The effect of setting the permissions on a directory (rather than a file) is "one of the most frequently misunderstood file permission issues" (Hatch 2003).对目录(文件夹)设置权限是一件极其容易引起误导的事情,问题在于在Unix系的操作系统下,文件和目录两者的“读”“写”“执行”这三个权限有不同的含义。
There are three specific permissions on Unix-like systems that apply to each class:Unix系的操作系统有如下的三种权限:
1.The read permission(读权限), which grants the ability to read a file(读取文件内容的权限). When set for a directory, this permission grants the ability to read thenames of files in the directory (but not to find out any further information about them, including file type, size, ownership, permissions, etc.)对于目录来讲,读权限授予用户读取目录中文件的文件名(这里强调只能获取文件名)的权利,但是不能获取更多的文件信息,如文件类型,文件大小,所有者,权限等。————————————————————————————2.The write permission(写权限), which grants the ability to modify a file(修改文件的内容). When set for a directory, this permission grants the ability to modify entries in the directory. This includes creating files, deleting files, and renaming files.对于文件夹来讲,写权限授予用户修改目录中条目(entries)的能力,包括创建、删除文件以及修改文件名。 ————————————————————————————3.The execute permission(执行权限), which grants the ability to execute a file. This permission must be set for executable binaries (for example, a compiled c++ program) or shell scripts (for example, a Perl program) in order to allow the operating system to run them. 执行权限授予用户执行文件的能力,这个授权只能设置在可执行二进制文件(如编译过的C++程序)或Shell脚本(如Perl程序)以允许操作系统来运行他们。When set for a directory, this permission grants the ability to traverse its tree in order to access files or subdirectories, but not see files inside the directory (unlessread is set).对于目录a来讲,执行权限授予用户“穿过,横过”(traverse)目录a本身的树(文件、目录树)以访问它下面的文件或子目录,但是不能查看它(指目录a)里面的文件,除非设置了读权限。
补充内容:(来自:《Advanced Programming in the UNIX? Environment: Second Edition》)
The read permission for a file determines whether we can open an existing file for reading: theO_RDONLY andO_RDWR flags for theopen function.The write permission for a file determines whether we can open an existing file for writing: theO_WRONLY andO_RDWR flags for theopen function.We must have write permission for a file to specify the O_TRUNC flag in theopen function.We cannot create a new file in a directory unless we have write permission and execute permission in the directory.(创建文件需要目录的写、执行权限,因为创建文件实际上为目录写入了一个目录项——文件名和i节点号)To delete an existing file, we need write permission and execute permission in the directory containing the file. We do not need read permission or write permission for the file itself. (删除文件需要目录的写、执行权限,而不需要文件本身的读写权限)Executepermission for a file must be on if we want to execute the file using any of the sixexec functions (Section 8.10). The file also has to be a regular file.
When
How
文件的读写执行权限
见我的上一篇文章:Linux C学习小总结(二)- 文件与目录(文件夹)权限的区别
The file access tests that the kernel performs each time a process opens, creates, or deletes a file(右边为进程打开、创建、删除文件时,系统内核进行的权限检验步骤)
1.If the effective user ID of the processis 0 (the superuser), access is allowed. This gives the superuser free rein throughout the entire file system.
2.If the effective user ID of the processequals the owner ID of the file (i.e., the process owns the file), access is allowedif the appropriate user access permission bitis set. Otherwise, permission is denied. Byappropriate access permission bit, we mean that if the process is opening the file for reading, the user-read bit must be on. If the process is opening the file for writing, the user-write bit must be on. If the process is executing the file, the user-execute bit must be on.
3.If the effective group ID of the processor one of the supplementary group IDs of the processequals the group ID of the file, access is allowedif the appropriate group access permission bitis set. Otherwise, permission is denied.
4.If the appropriate other access permission bitis set, access is allowed. Otherwise, permission is denied.
These four steps are tried in sequence. Note that if the process owns the file (step 2), access is granted or denied based only on the user access permissions; the group permissions are never looked at. Similarly, if the process does not own the file, but belongs to an appropriate group, access is granted or denied based only on the group access permissions; the other permissions are not looked at.
(1.是否为超级管理员
2.是否为文件所有者,且文件设置有相应的(User)读写执行bit
3.是否属于文件所在的组,且文件设置有相应的(Group)读写执行bit
4. 文件设置有相应的其他用户(other)读写执行bit
上述四个步骤只要满足一个就可以成功返回了。)
When creating of a new file using either open orcreat(新文件的创建)
The user ID of a new file is set to theeffective user ID of the process. POSIX.1 allows an implementation to choose one of the following options to determine the group ID of a new file.
1.The group ID of a new file can be the effective group ID of the process.
2.The group ID of a new file can be the group ID of the directory in which the file is being created.
(新文件的组ID根据系统实现而决定,为以下两种情况:
1.新文件的组ID=进程的有效组ID
2.新文件的组ID=新文件所在目录的组ID)
chmod and fchmod Functions(修改文件的访问权限)
To change the permission bits of a file, the effective user ID of the processmust be equal to the owner ID of the file,or the process must havesuperuser permissions.(此函数用于修改文件的访问权限bit,进程必须具有超级管理员或文件所有者权限。)
The chmod functions automatically clear two of the permission bits under the following conditions(chmod函数会清除文件的两个bit):
1.On systems, such as Solaris, that place special meaning on the sticky bit when used with regular files, if we try to set thesticky bit (S_ISVTX) on a regular file and do not have superuser privileges, thesticky bit in the mode is automatically turned off. (We describe the sticky bit in the next section.) This means that only the superuser can set the sticky bit of a regular file. The reason is to prevent malicious users from setting the sticky bit and adversely affecting system performance.(当要设置sticky bit,且没有超级管理员权限时,sticky bit自动关闭)
2.It is possible that the group ID of a newly created file is a group that the calling process does not belong to. Recall from Section 4.6 that it’s possible for the group ID of the new file to be the group ID of the parent directory. Specifically, if the group ID of the new filedoes not equal either the effective group ID of the process or one of the process’s supplementary group IDs and if the process does not havesuperuser privileges, then the set-group-ID bit is automaticallyturned off. This prevents a user from creating a set-group-ID file owned by a group that the user doesn’t belong to.(如上面“新文件的创建”所述,新创建文件的组I D可能不是调用进程所属的组——新文件的组I D可能是父目录的组I D。特别地,如果新文件的组I D不等于进程的有效组I D或者进程添加组I D中的一个,以及进程没有超级用户的权限,那么set-group-ID位自动被关闭。这就防止了用户创建一个set-group-ID文件,而该文件是由并非该用户所属的组拥有的。)
chown, fchown和lchown函数(修改文件的所有者ID或所属组ID)
Historically, BSD-based systems have enforced the restriction that only the superuser can change the ownership of a file.This is to prevent users from giving away their files to others, thereby defeating any disk space quota restrictions. System V, however, has allowed any user to change the ownership of any files they own.(基于BSD的系统一直规定只有超级用户才能更改一个文件的所有者。这样做的原因是防止用户改变其文件的所有者从而摆脱磁盘空间限额对他们的限制。系统 V则允许任一用户更改他们所拥有的文件的所有者。)
POSIX.1 allows either form of operation, depending on the value of _POSIX_CHOWN_RESTRICTED.(POSIX.1标准允许以上两种形式的任意一种,取决于 _POSIX_CHOWN_RESTRICTED)
With Solaris 9, this functionality is a configuration option, whose default value is to enforce the restriction(在Solaris 9中,这是可设置的,默认值是启动限制——即_POSIX_CHOWN_RESTRICTED). FreeBSD 5.2.1, Linux 2.4.22, and Mac OS X 10.3 always enforce the chown restriction(FreeBSD 5.2.1, Linux 2.4.22, and Mac OS X 10.3总是执行这种限制).
If _POSIX_CHOWN_RESTRICTED is in effect for the specified file, then
1.Only a superuser process canchange the user ID of the file.(只有超级管理员可以改变文件的所有者ID)
2.A nonsuperuser process canchange the group ID of the file if the process owns the file (theeffective user ID equals the user ID of the file), owner is specified as1 or equals the user ID of the file,and group equals either the effective group ID of the processor one of the process’s supplementary group IDs.(非超级管理员进程能够改变文件的组ID的情况为:只要进程拥有该文件,即进程的有效用户ID等于文件所有者ID,owner参数被指定为1或者等于文件所有者ID,group参数等于有效组ID或补充组ID中的一个。)
This means that when _POSIX_CHOWN_RESTRICTED is in effect, you can’t change the user ID of other users’ files. Youcan change the group ID of files that you own,but only to groups that you belong to.(这表示当指定了_POSIX_CHOWN_RESTRICTED时,你不能修改别人的文件的所有者ID。你可以修改你拥有的文件的组ID,但仅限于你所属的组)
If these functions are called by a process other than a superuser process, on successful return, both the set-user-ID and the set-group-ID bits are cleared.
(如果两个函数被没有超级管理员权限的进程调用,当返回的时候set-user-ID和set-group-ID会被清空)
unlink Functions(解除文件连接函数,后面称文件删除)
We’ve mentioned before that to unlink a file, we must havewrite permission and execute permission in the directory containing the directory entry, as it is the directory entry that we will be removing.
(一、一般的删除文件的情况,只要有目录的写、执行权限就可以了,由于要删除目录中的目录项)
Also, we mentioned in Section 4.10 that if thesticky bit is set in this directory wemust have write permission for the directoryand one of the following:
1.Own the file
2.Own the directory
3.Have superuser privileges
(二、sticky bit被设置的情况下删除文件,必须拥有文件所在目录的写权限,而且还应具有以下三个权限中的一个:
1.拥有该文件
2.拥有该文件所在的目录
3.拥有超级管理员权限)
utime Function(一个文件的存取和修改时间可以用u t i m e函数更改。)
The operation of this function, and the privileges required to execute it, depend on whether thetimes argument is NULL.(这个函数的所需要的权限,是根据times参数是否为NULL来决定)
1.If times is anull pointer, the access time and the modification time are both set to the current time. To do this,either the effective user ID of the processmust equal the owner ID of the file,or the process must havewrite permission for the file.(当times为空时,文件的access time和modification time均被设置为当前时间。为了执行此操作必须满足下列两条件之一:( a )进程的有效用户I D必须等于该文件的所有者I D,( b )进程对该文件必须具有写许可权。)
2.If times is anon-null pointer, the access time and the modification time are set to the values in the structure pointed to bytimes. For this case, the effective user ID of the processmust equal the owner ID of the file,or the process must bea superuser process. Merely having write permission for the file is not adequate.(当times不为空时,文件的access time和modification time被设置成times结构体中所指定的值。此时,进程的有效用户I D必须等于该文件的所有者I D,或者进程必须是一个超级用户进程。对文件只具有写许可权是不够的。)
Note that we are unable to specify a value for the changed-status time, st_ctimethe time the i-node was last changedas this field is automatically updated when theutime function is called.
(注意,我们不能对更改状态时间st_ctime指定一个值,当调用utime函数时,此字段被自动更新。)
出门走好路,出口说好话,出手做好事。
