accounts-and-permissions

Differences

This shows you the differences between two versions of the page.

accounts-and-permissions [2019/04/12 19:26]
Miroslav Bernát
accounts-and-permissions [2019/09/11 11:05] (current)
Miroslav Bernát
Line 14: Line 14:
 | **pam_tally2** | **-u** <​user>​ prints information about login failures of a specified user (data from ///​var/​log/​faillog//​),​ **--reset** resets the unsuccessful login attempts counter\\ ''#​ pam_tally2 --reset -u jan''​ | | **pam_tally2** | **-u** <​user>​ prints information about login failures of a specified user (data from ///​var/​log/​faillog//​),​ **--reset** resets the unsuccessful login attempts counter\\ ''#​ pam_tally2 --reset -u jan''​ |
 | **id** (<​user>​) | prints the UID and GID of the logged-in or specified user, including all his groups, **-u** only the effective UID, **-g** only the effective GID, **-G** GID of all user groups, **-n** with the "​-u",​ "​-g"​ or "​-G"​ option prints the user or group name instead of the numeric designation | | **id** (<​user>​) | prints the UID and GID of the logged-in or specified user, including all his groups, **-u** only the effective UID, **-g** only the effective GID, **-G** GID of all user groups, **-n** with the "​-u",​ "​-g"​ or "​-G"​ option prints the user or group name instead of the numeric designation |
-| **finger** (<​user>​) | prints the login and real name of the user, his home directory, login shell, last login time and inbox information;​ without ​a parameter ​the login and real names of the logged-in users are displayed, including their terminal, idle time, login time and connection method | +| **lid** (<​user>​) | prints the groups to which the logged-in or specified user is assigned, **-g** <​group>​ prints users in the specified group | 
-| **useradd** <​user>​ | creates a user account including its home directory ///​home/<​user>//​ (copies the contents of ///​etc/​skel//​ directory inside), e-mail spool ///​var/​spool/​mail/<​user>//​ and primary group of the same name; when creating a new accountdata from ///​etc/​default/​useradd//​ and ///​etc/​login.defs// ​are taken into consideration, **-m** creates a home directory, **-d** <​directory>​ specifies a specified home directory, **-g** <​group/​GID>​ assigns an existing group as a primary group, **-G** <​group>​ assigns a user into other, comma separated, supplementary groups, **-u** <UID> assigns a specified UID (otherwise the first available one is used), **-o** assigns a duplicate UID (available with „-u“ option only), **-r** creates a system account (with a lower UID, never expiring password and without a home directory), **-s** <​shell>​ assigns a login shell, **-e** <​YYYY-MM-DD>​ sets an account expiration date, **-f** <DD> sets the number of days after a password expires until the account is permanently disabled, **-c** <​comment>​ provides any information about a user (GECOS field in ///​etc/​passwd//​)\\ ''#​ useradd -c "Jan Novak" -g users -G admins jan''​ |+| **finger** (<​user>​) | prints the login and real name of the user, his home directory, login shell, last login time and inbox information;​ without ​an argument ​the login and real names of the logged-in users are displayed, including their terminal, idle time, login time and connection method | 
 +| **useradd** <​user>​ | creates a user account including its home directory ///​home/<​user>//​ (copies the contents of ///​etc/​skel//​ directory inside), e-mail spool ///​var/​spool/​mail/<​user>//​ and primary group of the same name; creating a new account ​is based on the data provided in ///​etc/​default/​useradd//​ and ///​etc/​login.defs//​, **-D** prints default values, **-m** creates a home directory, **-d** <​directory>​ specifies a specified home directory, **-g** <​group/​GID>​ assigns an existing group as a primary group, **-G** <​group>​ assigns a user into other, comma separated, supplementary groups, **-u** <UID> assigns a specified UID (otherwise the first available one is used), **-o** assigns a duplicate UID (available with „-u“ option only), **-r** creates a system account (with UID in range of 201–999, never expiring password and without a home directory), **-s** <​shell>​ assigns a login shell, **-e** <​YYYY-MM-DD>​ sets an account expiration date, **-f** <DD> sets the number of days after a password expires until the account is permanently disabled, **-c** <​comment>​ provides any information about a user (GECOS field in ///​etc/​passwd//​)\\ ''#​ useradd -c "Jan Novak" -g users -G admins jan''​ |
 | **userdel** <​user>​ | removes a user account, **-r** including a home directory and e-mail spool, **-f** including a home directory and e-mail spool, even if the user is logged in | | **userdel** <​user>​ | removes a user account, **-r** including a home directory and e-mail spool, **-f** including a home directory and e-mail spool, even if the user is logged in |
-| **usermod** <​user>​ | modifies a user account, the same options as for „useradd“ command are used, besides **-a** ​together ​with „-G“ assigns a user into other, comma separated, supplementary groups without having to name also all the previously defined groups (because „-G“ option itself always defines all valid supplementary groups from the beginning, which overwrites the former settings), **-l** <​new_user>​ renames a user account, **-L** locks a user's password (puts a „!“ in front of the encrypted password), **-U** unlocks a user's password (removes a „!“ in front of the encrypted password)\\ ''#​ usermod -l jack -d /home/jack john''​\\ ''#​ usermod -c ""​ kuba''​ |+| **usermod** <​user>​ | modifies a user account, the same options as for „useradd“ command are used, besides **-a** with „-G“ ​option ​assigns a user into other, comma separated, supplementary groups without having to name also all the previously defined groups (because „-G“ option itself always defines all valid supplementary groups from the beginning, which overwrites the former settings), **-l** <​new_user>​ renames a user account, **-L** locks a user's password (puts a „!“ in front of the encrypted password), **-U** unlocks a user's password (removes a „!“ in front of the encrypted password)\\ ''#​ usermod -l jack -d /home/jack john''​\\ ''#​ usermod -c ""​ kuba''​ |
 | **chfn** (<​user>​) | changes GECOS field in ///​etc/​passwd//​ of the logged-in or specified user, **-f** <​name>​ a real name, **-p** <​number>​ office phone number, **-h** <​number>​ private phone number; if no option is specified, it works interactively (none = empty field) | | **chfn** (<​user>​) | changes GECOS field in ///​etc/​passwd//​ of the logged-in or specified user, **-f** <​name>​ a real name, **-p** <​number>​ office phone number, **-h** <​number>​ private phone number; if no option is specified, it works interactively (none = empty field) |
 | **chsh** (<​user>​) | (**-s** <​shell>​) changes a login shell of the logged-in or specified user, **-l** prints a list of available shells from ///​etc/​shells//;​ if no option is specified, it works interactively | | **chsh** (<​user>​) | (**-s** <​shell>​) changes a login shell of the logged-in or specified user, **-l** prints a list of available shells from ///​etc/​shells//;​ if no option is specified, it works interactively |
-| **chage** <​user>​ | changes a user's account and password lifetime settings, **-d** <DD> sets the number of days since January 1st, 1970 when the password was last changed, **-E** <​YYYY-MM-DD>​ sets an account expiration date („-1” = unlimited account expiration),​ **-I** <DD> sets the number of days of inactivity after a password has expired before the account is locked, **-l** prints information about an account and password expiration settings, **-m** <DD> sets the minimum number of days between password changes („0” = the user may change the password at any time), **-M** <DD> sets the maximum number of days during which a password is valid („-1” = unlimited password expiration),​ **-W** <DD> sets the number of days of warning before a password change is required; if no option is specified, it works interactively;​ the default password expiration settings can be found in ///​etc/​login.defs//​\\ ''#​ chage -d 0 james''​\\ (changes the user's password expiration date, forcing ​him to change it on first log in) |+| **chage** <​user>​ | changes a user's account and password lifetime settings, **-d** <DD> sets the number of days since January 1st, 1970 when the password was last changed, **-E** <​YYYY-MM-DD>​ sets an account expiration date („-1” = unlimited account expiration),​ **-I** <DD> sets the number of days of inactivity after a password has expired before the account is locked, **-l** prints information about an account and password expiration settings, **-m** <DD> sets the minimum number of days between password changes („0” = the user may change the password at any time), **-M** <DD> sets the maximum number of days during which a password is valid („-1” = unlimited password expiration),​ **-W** <DD> sets the number of days of warning before a password change is required; if no option is specified, it works interactively;​ the default password expiration settings can be found in ///​etc/​login.defs//​\\ ''#​ chage -d 0 james''​\\ (changes the user's 
password expiration date and prompts ​him to change it at the first login) |
 | **passwd** (<​user>​) | sets or changes the password of the logged-in or specified user, **--stdin** reads the password from STDIN (pipe), **-d** sets no password for an account, **-n** <DD> sets the minimum password lifetime in days, **-x** <DD> sets the maximum password lifetime in days, **-w** <DD> sets the number of days in advance the user is warned of the password expiration, **-l** locks a user's password (puts „!!“ in front of the encrypted password), **-u** unlocks a user's password, **-S** <​user>​ prints information about the settings of the user's password (password status: „PS“ = password assigned, „NP“ = no password, „LK" = account locked, the date of the last password'​s change, minimum and maximum lifetime in days, a warning period before the password'​s expiration and a period between the password'​s expiration and the account being locked in days); the default password expiration settings can be found in ///​etc/​login.defs//​\\ ''#​ for user in $(awk -F : '​{print $1}' /​etc/​passwd);​ do passwd -S $user | grep LK; done''​\\ (prints users with locked accounts) | | **passwd** (<​user>​) | sets or changes the password of the logged-in or specified user, **--stdin** reads the password from STDIN (pipe), **-d** sets no password for an account, **-n** <DD> sets the minimum password lifetime in days, **-x** <DD> sets the maximum password lifetime in days, **-w** <DD> sets the number of days in advance the user is warned of the password expiration, **-l** locks a user's password (puts „!!“ in front of the encrypted password), **-u** unlocks a user's password, **-S** <​user>​ prints information about the settings of the user's password (password status: „PS“ = password assigned, „NP“ = no password, „LK" = account locked, the date of the last password'​s change, minimum and maximum lifetime in days, a warning period before the password'​s expiration and a period between the password'​s expiration and the account being locked in days); the default 
password expiration settings can be found in ///​etc/​login.defs//​\\ ''#​ for user in $(awk -F : '​{print $1}' /​etc/​passwd);​ do passwd -S $user | grep LK; done''​\\ (prints users with locked accounts) |
 | **mkpasswd** | creates a random password, **-l** <n> sets the password'​s length (9 characters by default), **-C** <n> sets the minimum number of capital letters (2 by default), **-c** <n> sets the minimum number of small letters (2 by default), **-d** <n> sets the minimum number of digits (2 by default), **-s** <n> sets the minimum number of special characters (1 by default) | | **mkpasswd** | creates a random password, **-l** <n> sets the password'​s length (9 characters by default), **-C** <n> sets the minimum number of capital letters (2 by default), **-c** <n> sets the minimum number of small letters (2 by default), **-d** <n> sets the minimum number of digits (2 by default), **-s** <n> sets the minimum number of special characters (1 by default) |
 | **chpasswd** <​user>​**:​**<​password>​| modifies a specified user's password and encrypts it by algorithm defined in ///​etc/​login.defs//,​ **-c** <​NONE%%|%%DES%%|%%MD5%%|%%SHA256%%|%%SHA512>​ specifies a different encryption algorithm, **-e** indicates the newly submitted passwords are in encrypted form (by default they are specified in clear-text)\\ ''#​ for user in $(awk -F ":"​ '{if (length($2) > 2 && $2 !~ /​^(!!)?​(\$[1256]\$)/​) print $1":"​$2 }' /​etc/​shadow);​ do echo "​$user"​ | chpasswd -c SHA512; done''​\\ (encrypts clear passwords of all users) | | **chpasswd** <​user>​**:​**<​password>​| modifies a specified user's password and encrypts it by algorithm defined in ///​etc/​login.defs//,​ **-c** <​NONE%%|%%DES%%|%%MD5%%|%%SHA256%%|%%SHA512>​ specifies a different encryption algorithm, **-e** indicates the newly submitted passwords are in encrypted form (by default they are specified in clear-text)\\ ''#​ for user in $(awk -F ":"​ '{if (length($2) > 2 && $2 !~ /​^(!!)?​(\$[1256]\$)/​) print $1":"​$2 }' /​etc/​shadow);​ do echo "​$user"​ | chpasswd -c SHA512; done''​\\ (encrypts clear passwords of all users) |
-| **cat /​etc/​passwd** | prints existing users, their encrypted password (character „*” means that an account is locked) or an „x" character (the password is in ///​etc/​shadow//​),​ UID, primary GID, comment field (GECOS), home directory and login shell\\ ''​$ grep 501 /​etc/​passwd''​\\ (prints all users in the group whose GID is „501"​) | +| **cat /​etc/​passwd** | prints existing ​local users, their encrypted password (character „*” means that an account is locked) or an „x" character (the password is in ///​etc/​shadow//​),​ UID, primary GID, comment field (GECOS), home directory and login shell\\ ''​$ grep 501 /​etc/​passwd''​\\ (prints all users in the group whose GID is „501"​) | 
-| **cat /​etc/​shadow** | prints existing users, their encrypted password (if the field is empty the account is without a password; character „*”, „!“ or „!!" before the password means that the account is locked; by default, the „useradd” command creates a locked user account – i.e. only „!!" characters are present instead of a password), last password change in days since January 1st, 1970, the minimum number of days between password changes („0” = the user may change the password at any time), the maximum number of days during which a password is valid („-1” = unlimited password expiration),​ the number of days of warning before a password change is required, the number of days of inactivity after a password has expired before the account is locked and the number of days since January 1st, 1970 the account has been locked | +| **cat /​etc/​shadow** | prints existing ​local users, their encrypted password (if the field is empty the account is without a password; character „*”, „!“ or „!!" before the password means that the account is locked; by default, the „useradd” command creates a locked user account – i.e. only „!!" characters are present instead of a password), last password change in days since January 1st, 1970, the minimum number of days between password changes („0” = the user may change the password at any time), the maximum number of days during which a password is valid („-1” = unlimited password expiration),​ the number of days of warning before a password change is required, the number of days of inactivity after a password has expired before the account is locked and the number of days since January 1st, 1970 the account has been locked | 
-| **groupadd** <​group>​ | creates a group account, **-g** <GID> assigns a specified GID (otherwise the first available one is used), **-o** assigns a duplicate GID (available with „-g“ option only), **-r** creates a system group (with GID in range of 101499) |+| **groupadd** <​group>​ | creates a group account, **-g** <GID> assigns a specified GID (otherwise the first available one is used), **-o** assigns a duplicate GID (available with „-g“ option only), **-r** creates a system group (with GID in range of 201999) |
 | **groupdel** <​group>​ | removes a group account (it is not possible to remove an existing ​ user's primary group, the user has to be removed as first) | | **groupdel** <​group>​ | removes a group account (it is not possible to remove an existing ​ user's primary group, the user has to be removed as first) |
 | **groupmod** <​group>​ | modifies a group account, the same options as for „groupadd“ command, besides these exist: **-n** <​new_group>​ renames a group account | | **groupmod** <​group>​ | modifies a group account, the same options as for „groupadd“ command, besides these exist: **-n** <​new_group>​ renames a group account |
 | **groups** (<​user>​) | prints the groups to which the logged-in or specified user is assigned (identical to „id -nG“ command) | | **groups** (<​user>​) | prints the groups to which the logged-in or specified user is assigned (identical to „id -nG“ command) |
-| **newgrp** <​group>​ | logs a user into one of the groups available in ///​etc/​group//;​ without ​a parameter ​the primary GID is assigned (used especially when creating new files) | +| **newgrp** <​group>​ | logs a user into one of the groups available in ///​etc/​group//;​ without ​an argument ​the primary GID is assigned (used especially when creating new files) | 
-| **cat /​etc/​group** | prints existing groups, their encrypted password (character „*” means that an account is locked) or an „x" character (the password is in ///​etc/​gshadow//​),​ GID and a list of comma separated secondary members\\ ''​$ grep admin /​etc/​group''​\\ (prints GID of „admin” group) | +| **cat /​etc/​group** | prints existing ​local groups, their encrypted password (character „*” means that an account is locked) or an „x" character (the password is in ///​etc/​gshadow//​),​ GID and a list of comma separated secondary members\\ ''​$ grep admin /​etc/​group''​\\ (prints GID of „admin” group) | 
-| **cat /​etc/​gshadow** | prints existing groups, their encrypted password (character „*” means that an account is locked) or „!” character (a passwordless account), a list of comma separated administrators and a list of comma separated secondary mebers |+| **cat /​etc/​gshadow** | prints existing ​local groups, their encrypted password (character „*” means that an account is locked) or „!” character (a passwordless account), a list of comma separated administrators and a list of comma separated secondary mebers |
 | **vipw** | edits ///​etc/​passwd//​ file (the same as „vi /​etc/​passwd”) | | **vipw** | edits ///​etc/​passwd//​ file (the same as „vi /​etc/​passwd”) |
 | **vigr** | edits ///​etc/​group//​ file (the same as „vi /​etc/​group”) | | **vigr** | edits ///​etc/​group//​ file (the same as „vi /​etc/​group”) |
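Review bot: the `grep 501 /etc/passwd` and `grep admin /etc/group` examples (rows `cat /etc/passwd` and `cat /etc/group`) do not do what their captions claim; a plain substring grep matches "501" inside a UID, inside a GID such as 1501 or inside a phone number in the GECOS field, and "admin" inside a group named sysadmin or inside any member list, so "prints all users in the group whose GID is 501" and "prints GID of admin group" need a field-aware match such as `awk -F: '$4 == 501' /etc/passwd` and `getent group admin` (or `grep '^admin:' /etc/group`). Second, the loop in the `chpasswd` row treats every shadow field longer than two characters that does not match `^(!!)?(\$[1256]\$)` as a clear-text password and re-hashes it: bcrypt (`$2a$`, `$2b$`, `$2y$`) and yescrypt (`$y$`) hashes do not match that pattern, and neither does a hash locked with a single `!` prefix, which the `usermod` row itself says `usermod -L` writes, so on such accounts the loop would replace the real password with a hash of the hash string and either lock the user out or silently unlock a locked account; the pattern needs extending, or better, a clear-text field in /etc/shadow should be reported as a finding rather than fixed by a script. Third, `vipw` and `vigr` are described as "the same as vi /etc/passwd" and "vi /etc/group"; the reason to prefer them is that they lock the file so that a concurrent `useradd` or `usermod` cannot overwrite the edit, and `vipw -s` / `vigr -s` edit /etc/shadow and /etc/gshadow, so the rows should say that. Finally, the 201–999 ranges added for `useradd -r` and `groupadd -r` are the SYS_UID_MIN/SYS_GID_MIN and SYS_GID_MIN/SYS_GID_MAX values from one distribution's /etc/login.defs (the RHEL/CentOS 7 defaults), not a property of the commands, so the rows should point at login.defs instead of hard-coding the numbers.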
Line 43: Line 44:
 \\ \\
 ^ PERMISSIONS ^ ^ ^ PERMISSIONS ^ ^
-| **chown** <​owner>​ <​file/​directory>​ | changes the user and/or group ownership of a file/​directory,​ **-R** recursively,​ **-c** prints the files whose ownership is being changed; if the user name or UID is followed by a colon or dot and a group name or GID, the group ownership of the files is changed as well; if no group follows a colon or dot (//chown user: /tmp /​var/​tmp//​),​ the user's primary group is considered; if a colon or dot and group are given, but the user is omitted (//chown :group /tmp /​var/​tmp//​),​ only the group ownership of the files is changed (the same as „chgrp” command)\\ ''#​ chown user:group /tmp /​var/​tmp''​ |+| **chown** <​owner>​ <​file/​directory>​ | changes the user and/or group ownership of a file/​directory,​ **-R** recursively,​ **-c** prints the files whose ownership is being changed; if the user name or UID is followed by a colon or dot and a group name or GID, the group ownership of the files is changed as well; if no group follows a colon or dot (//chown user: /tmp /​var/​tmp//​),​ the user's primary group is considered; if a colon or dot and group are specified, but the user is omitted (//chown :group /tmp /​var/​tmp//​),​ only the group ownership of the files is changed (the same as „chgrp” command)\\ ''#​ chown user:group /tmp /​var/​tmp''​ |
 | **chgrp** <​group>​ <​file/​directory>​ | changes the group ownership of a file/​directory;​ the group is specified by its name or GID, **-R** recursively,​ **-c** prints the files whose ownership is being changed | | **chgrp** <​group>​ <​file/​directory>​ | changes the group ownership of a file/​directory;​ the group is specified by its name or GID, **-R** recursively,​ **-c** prints the files whose ownership is being changed |
-| **chmod** <​permissions>​ <​file/​directory>​ | changes a file/​directory access permissions\\ 1) in a symbolic expression\\ in the following order – user definition (**u** = user (owner), **g** = group, **o** = others, **a** = all), operator (**+** adds permissions,​ **-** removes permissions and **=** sets permissions) and permission specification (**r** = read, **w** = write, **x** = execute a file / access a directory, **s** = SUID or SGID bit, **t** = sticky bit)\\ ''#​ chmod +x script.sh''​\\ (for all by default)\\ ''#​ chmod ug=rw,o-w text.txt''​\\ 2) in a numeric (octal) expression\\ in the following order – (special attribute) - user (owner) - group - others (**4** = read permission, **2** = write permission, **1** = file execute ​permission ​/ access ​to a directory); the values are summed\\ ''​$ chmod 660 text.txt''​\\ ''#​ chmod 700 /​usr/​bin/​top''​\\ with both the expressions it is possible to use option **-R** for recursive mode and **-c** to see the files whose permissions are being changed; a directory must always have an access permission set\\ ''#​ chmod -R 755 /​home/​user/​xxx''​\\ special attributes concern mostly executable files (programs and scripts) or directories and have these values: **4** = SUID bit (an executed process runs with the permissions of the owner of the file, not with the permissions of the user who executed it), **2** = SGID bit (an executed process runs with the permissions of the group of the file, not with the permissions of the user who executed it; if the SGID bit is set for a directory, ​ it ensures that its new contents will be owned by the same group of owners who  own the  directory), **1** = sticky bit (used for directories ​to ensure that only the owner of file or directory ​inside them can rename or delete his items, not any user with write and access permissions for the directory)\\ ''#​ chmod 4755 /​usr/​bin/​passwd''​\\ ''#​ chmod 2770 /​web''​\\ ''#​ chmod +t /​usr/​local/​tmp''​ | +| **chmod** 
<​permissions>​ <​file/​directory>​ | changes a file/​directory access permissions\\ 1) in a symbolic expression\\ in the following order – user definition (**u** = user (owner), **g** = group, **o** = others, **a** = all), operator (**+** adds permissions,​ **-** removes permissions and **=** sets permissions) and permission specification (**r** = read a file / list contents of a directory (file or directory names only), **w** = write to a file / write to a directory (creating, deleting and renaming any files or directories), **x** = execute a file / access a directory ​and make its contents available for reading and writing, **s** = SUID or SGID bit, **t** = sticky bit)\\ ''#​ chmod +x script.sh''​\\ (for all by default)\\ ''#​ chmod ug=rw,o-w text.txt''​\\ 2) in a numeric (octal) expression\\ in the following order – (special attribute) - user (owner) - group - others (**4** = read a file / list contents of a directory (file or directory names only), **2** = write to a file / write to a directory (creating, deleting and renaming any files or directories), **1** = execute ​a file / access a directory ​and make its contents available for reading and writing); the values are summed\\ ''​$ chmod 660 text.txt''​\\ ''#​ chmod 700 /​usr/​bin/​top''​\\ with both the expressions it is possible to use option **-R** for recursive mode and **-c** to see the files whose permissions are being changed; a directory must always have an access permission set\\ ''#​ chmod -R 755 /​home/​user/​xxx''​\\ special attributes concern mostly executable files (programs and scripts) or directories and have these values: **4** = SUID bit (an executed process runs with the permissions of the owner of the file, not with the permissions of the user who executed it), **2** = SGID bit (an executed process runs with the permissions of the group of the file, not with the permissions of the user who executed it; if the SGID bit is set for a directory, ​ it ensures that its new contents will be 
owned by the same group of owners who  own the  directory), **1** = sticky bit (used for directories ​whose content can be deleted or renamed ​only by the owner of the file or directory, not by any user with write and access permissions for the directory)\\ ''#​ chmod 4755 /​usr/​bin/​passwd''​\\ ''#​ chmod 2770 /​web''​\\ ''#​ chmod +t /​usr/​local/​tmp''​ | 
-| **setfacl** <​option>​ (**:​**<​permissions>​) <​file/​directory>​ | **-m** sets ACL permissions to a file/​directory ​according to the given options (**u:​**(<​user>​) for a specified ​single ​user, if it is not specified, the settings are valid for all users, **g:​**(<​group>​) for a specified group, if it is not specified, the settings are valid for all groups, **o** for others, **d:** ensures inheriting of the ACL permissions from a directory to its newly created contents, **m:​** ​changes ​the mask), **-x** removes ACL permissions from a file / directory ​according to the given options (**u:**(<​user>​for a specified ​single ​user, if it is not specified, the settings are valid for all users, **g:**(<​group>​for a specified group, if it is not specified, the settings are valid for all groups), **-b** removes all ACL permissions from a file / directory, **-R** recursively\\ ''#​ setfacl -m u:kuba:rw /​home/​dookie/​soubor.txt''​\\ ''#​ setfacl -x g:users /​home/​dookie/​soubor.txt''​\\ ''#​ setfacl -m d:​u:​david:​rwx /​home/​dookie''​\\ ''#​ setfacl -m o:000 /​web''​\\ ''#​ setfacl -m u::​rwx,​g::​rx,​o::​rx /​bin/​chmod''​\\ ''#​ setfacl -m m::rwx /​web/​logs''​\\ ''#​ setfacl -bR /​home/​dookie''​ |+| **setfacl** <​option> ​%%((%%<​user>​)(**:​**<​permissions>​%%))%% <​file/​directory>​ | **-m** sets ACL permissions to a file/​directory ​depending on the specified ​options (**u:​**(<​user/UID>) for a specified user, if it is not specified, the settings are valid for the owner of the file/​directory, **g:​**(<​group/GID>) for a specified group, if it is not specified, the settings are valid for the group owner of the file/​directory, **o** for others, **d:** ensures inheriting of the ACL permissions from a directory to its newly created contents, **m:​** ​sets the mask – specifies maximum permissions possible for all named users and groups), **-x** removes ACL permissions from a file/​directory ​depending on the specified ​options (**u:​**<​user/UID> for a 
specified user, **g:​**<​group/GID> for a specified group), **-b** removes all ACL permissions from a file/​directory,​ **-R** recursively, **--set-file** <​file/​directory>​ sets ACL permissions based on the specified ​ file/​directory\\ ''#​ setfacl -m u:kuba:rw /​home/​dookie/​file.txt''​\\ ''#​ setfacl -x g:users /​home/​dookie/​file.txt''​\\ ''#​ setfacl -m d:​u:​david:​rwx /​home/​dookie''​\\ ''#​ setfacl -m o:000 /​web''​\\ ''#​ setfacl -m u::​rwx,​g::​rx,​o::​rx /​bin/​chmod''​\\ ''#​ setfacl -m m:rwx /​web/​logs''​\\ ''#​ setfacl -bR /​home/​dookie''​\\ ''#​ getfacl file1 | setfacl --set-file - file2''​\\ (sets file "​file2"​ the same ACL permissions as "​file1"​) ​|
 | **getfacl** <​file/​directory>​ | prints ACL permissions to a file/​directory for specified single users or groups (provided they are set up), **-n** prints UID and GID instead of an account name, **-R** recursively,​ **-s** skips files with basic permission entries | | **getfacl** <​file/​directory>​ | prints ACL permissions to a file/​directory for specified single users or groups (provided they are set up), **-n** prints UID and GID instead of an account name, **-R** recursively,​ **-s** skips files with basic permission entries |
 | **chattr** <​operator><​attribute>​ <​file/​directory>​ | changes attributes of a specified file/​directory on ext2, ext3 or ext4 file system; operator **+** adds, **-** removes and **=** sets an attribute; attribute **a** prevents from removing and modifying a file (applicable even for root), permits appending new data to the file only, **d** prevents from backup by „dump“ program, **i** prevents from removing and any kind of modifying a file (applicable even for root); **-R** recursively\\ ''#​ chattr +i /​etc/​inittab''​ | | **chattr** <​operator><​attribute>​ <​file/​directory>​ | changes attributes of a specified file/​directory on ext2, ext3 or ext4 file system; operator **+** adds, **-** removes and **=** sets an attribute; attribute **a** prevents from removing and modifying a file (applicable even for root), permits appending new data to the file only, **d** prevents from backup by „dump“ program, **i** prevents from removing and any kind of modifying a file (applicable even for root); **-R** recursively\\ ''#​ chattr +i /​etc/​inittab''​ |
 | **lsattr** (<​file/​directory>​) | prints attributes of the contents of the working directory or a specified file or the contents a specified directory on ext2, ext3 or ext4 file system, **-a** prints hidden files as well, **-d** directory itself, without its contents, **-R** recursively | | **lsattr** (<​file/​directory>​) | prints attributes of the contents of the working directory or a specified file or the contents a specified directory on ext2, ext3 or ext4 file system, **-a** prints hidden files as well, **-d** directory itself, without its contents, **-R** recursively |
-| **su** (<​user>​) | logs in under root (system administrator) or under a specified user (changes the effective UID and GID), **-** or **-l** including the user's environment (initializes HOME, SHELL, USER, LOGNAME and PATH variables), **-c** <​command>​ only executes the command under another user | +| **su** (<​user>​) | switches to root (system administrator) or a specified user account ​(changes the effective UID and GID), **-** or **-l** including the user's environment (initializes HOME, SHELL, USER, LOGNAME and PATH variables), **-c** <​command>​ only executes the command under another user | 
-| **sudo** (<​parameter>​) (<​command>​) | allows a permitted user to execute a command as root or another user (without knowing the password) as specified in ///​etc/​sudoers//​ in the following order: <​user>​ <​host>​ = (<​original_user>​) (<​verification>:​) <​command>​ (in absolute form); at the beginning of the file it is possible to define by capital letters aliases representing the permitted users, original users, hosts and commands, considering that „ALL“ expression represents any value in the mentioned items:\\ //dookie ALL = (root) /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom, NOPASSWD: /bin/umount /​mnt/​cdrom//​\\ (dookie is allowed to mount cdrom and unmount it without a password requirement)\\ //tim localhost = /bin/su [!-]*, !/bin/su *root*//\\ (tim is allowed to switch to any user except root on the particular host without loading the user's environment)\\ //%admin ALL = SERVICES, PROCESSES, STORAGE//\\ (the members of „admin“ group  are allowed to execute all the commands represented by the particular aliases on all hosts)\\ **-b** runs the given command in the background, **-l** prints information whether the logged-in user is allowed to use „sudo“ and possible commands ​he may execute on the current host, **-u** <​user>​ runs the specified command as a user other than root; only root is allowed to edit ///​etc/​sudoers//​ by „visudo“ command; the usage of „sudo“ is logged to ///​var/​log/​secure//​\\ ''​$ sudo /​sbin/​shutdown -h now''​\\ ''​$ sudo -u tom ls ~tom''​\\ ''​$ sudo sh -c "cd /home ; du -s * | sort -rn > usage"''​\\ ''​$ sudo su - root -c /​bin/​bash''​ |+| **sudo** (<​parameter>​) (<​command>​) | allows a permitted user to execute a command as root or another user (without knowing the password) as specified in ///​etc/​sudoers//​ in the following order: <​user>​ <​host>​ = (<​original_user>​) (<​verification>:​) <​command>​ (in absolute form); at the beginning of the file it is possible to define by capital letters aliases 
representing the permitted users, original users, hosts and commands, considering that „ALL“ expression represents any value in the mentioned items:\\ //dookie ALL = (root) /bin/mount -t iso9660 /dev/cdrom /mnt/cdrom, NOPASSWD: /bin/umount /​mnt/​cdrom//​\\ (dookie is allowed to mount cdrom and unmount it without a password requirement)\\ //tim localhost = /bin/su [!-]*, !/bin/su *root*//\\ (tim is allowed to switch to any user except root on the particular host without loading the user's environment)\\ //%admin ALL = SERVICES, PROCESSES, STORAGE//\\ (the members of „admin“ group  are allowed to execute all the commands represented by the particular aliases on all hosts)\\ **-b** runs a specified ​command in the background, **-l** prints information whether the logged-in user is allowed to use „sudo“ and lists possible commands ​that can be executed, **-i** switches to root account, **-u** <​user>​ runs the specified command as a user other than root; only root is allowed to edit ///​etc/​sudoers//​ by „visudo“ command; the usage of „sudo“ is logged to ///​var/​log/​secure//​\\ ''​$ sudo /​sbin/​shutdown -h now''​\\ ''​$ sudo -u tom ls ~tom''​\\ ''​$ sudo sh -c "cd /home ; du -s * | sort -rn > usage"''​\\ ''​$ sudo su - root -c /​bin/​bash''​ |
 | **visudo** | edits ///​etc/​sudoers//,​ **-c** verifies the integrity of the file, **-f** <​file>​ specifies an alternative sudoers file instead of ///​etc/​sudoers//​ | | **visudo** | edits ///​etc/​sudoers//,​ **-c** verifies the integrity of the file, **-f** <​file>​ specifies an alternative sudoers file instead of ///​etc/​sudoers//​ |
-| **umask** (<​permissions>​) | prints or sets default permissions for newly created files and directories in the following order: user (owner) - group - others in a numeric (octal) expression, however the digits stand for the permissions that are to be taken from the given system value 666 for files and 777 for directories,​ **-S** symbolic expression; (permanent setup in //​~/​.bashrc// ​or //​~/​.bash_profile//,​ the default global value is 002 for ordinary users and 022 for root in ///​etc/​bashrc//​)\\ ''​$ umask 0027''​ / ''​umask 27''​\\ (the owner has all permissions,​ the group has read permissions and access to directories and others have no permissions) |+| **umask** (<​permissions>​) | prints or sets default permissions for newly created files and directories in the following order: user (owner) - group - others in a numeric (octal) expression, however the digits stand for the permissions that are to be taken from the system value 666 for files and 777 for directories,​ **-S** symbolic expression; (permanent setup in //​~/​.bashrc// ​and //​~/​.bash_profile//,​ the default global value is 002 for ordinary users and 022 for root in ///​etc/​profile//​ and ///​etc/​bashrc//​)\\ ''​$ umask 0027''​ / ''​umask 27''​\\ (the owner has all permissions,​ the group has read permissions and access to directories and others have no permissions) |
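Review bot: the sudoers example `tim localhost = /bin/su [!-]*, !/bin/su *root*` (row `sudo`) needs the caveat that sudoers(5) gives for `!` exclusions and shell-spawning commands; argument wildcards are matched against the whole space-joined argument string, so `[!-]*` only rules out a leading `-` and `*root*` only rules out strings containing "root", the manual's security notes warn that excluding commands with `!` is generally not effective, and a rule that allows `su` at all, like the `sudo sh -c "cd /home ; ..."` and `sudo su - root -c /bin/bash` examples in the same row, hands the user the privileges of other accounts or of root outright, so these should be presented as examples of what full delegation looks like rather than as a way to restrict it. In the `chattr` row, attributes `a` and `i` are described as "applicable even for root", but anything running as root (or with CAP_LINUX_IMMUTABLE) clears them with `chattr -i` / `chattr -a`, so they guard against mistakes and unprivileged processes, not against a compromised root account; the row should say so. In the `chmod` row, the sticky-bit description says only the owner of a file can rename or delete it in such a directory; the directory's owner and root can as well. In the `su` row, `su` changes the real UID and GID as well as the effective ones (it sets all IDs before executing the shell). Lastly, `/var/log/secure` (row `sudo`) and the `002`/`022` umask defaults in /etc/profile and /etc/bashrc (row `umask`) are RHEL-family specifics (the 002 value is the user-private-group convention); Debian-family systems log sudo to /var/log/auth.log, so both rows should name the distribution they describe.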