Example
Two accounts, justmine001 and justmine002, belonging to the same group microsoft, need to jointly own the development rights to the directory /microsoft/eshop so that they can work together, while others are not allowed to enter or view the directory.
The requirement breaks down as follows:
Create the accounts
groupadd microsoft                  # add the new group
useradd -G microsoft justmine001    # add a new account and put it in group microsoft
useradd -G microsoft justmine002    # add a new account and put it in group microsoft
Check the account attributes
id justmine001
id justmine002
Build the environment
Create the development directory
mkdir -p /microsoft/eshop
Query it
ll -d /microsoft/eshop    # ll is the usual alias for ls -l
Set traditional permissions
As the listing shows, the owner and group of the development directory are root, and the permissions are rwxr-xr-x, so justmine001 and justmine002 can list (ls) and enter (cd) the directory, but neither of them can create a file in it.
First, set the directory's group to microsoft. Second, others must have no permissions at all on the directory, so the mode should be 770. If this is unclear, please read the previous article explaining Linux file attributes: owners, groups, permissions and their differences.
chgrp microsoft /microsoft/eshop    # assign the group
chmod 770 /microsoft/eshop          # set the permissions
First test the permissions with the account justmine, which is not in the group (one of the "others"), as follows: it can neither list (ls) nor enter (cd) the directory, which is the expected effect.
Next test the same-group accounts justmine001 and justmine002 by creating files, as follows:
To show it vividly, I captured the entire sequence of the file-creation permission check, from denied to permitted!
As the output shows, the owner and group of the files test and test1 are justmine001 and justmine002 respectively. Although user justmine001 can delete the file test1 created by justmine002 (deletion is governed by the directory's permissions), he cannot edit it (editing is governed by the file's own permissions). So what now? The collaborative work still cannot be completed.
The first method is to set the permissions of the file test1 to 777, so that the file can be read, written and edited by anyone; combined with the directory's permission control, others still cannot reach test1, so this causes no problem. The second method is to change the group of the files they create to microsoft, which also achieves collaboration. This method seems realistic, but if the administrator has to do this every time, wouldn't it be far too troublesome? How embarrassing, hehe. As the saying goes, when the cart reaches the mountain there will be a road: the Linux special permission SGID does exactly this, so that files created by any account in the same group get the same group, microsoft (for details, please read: Understanding the default security mechanism and hidden attributes of Linux files, special permissions).
Note: Linux file permissions are checked level by level, so the prerequisite for reading, writing or editing a file is having permission to enter the directory the file lives in.
Set special permissions
Set the SGID permission on the directory /microsoft/eshop
chmod 2770 /microsoft/eshop
Use the justmine002 account to create a file and query its permissions:
As the output shows, the group of the file created by justmine002 is automatically set to microsoft, and because the umask defaults to 002 the file is group-writable. The two of them belong to the same group, so they can naturally modify each other's files!
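The whole procedure, as an added example that is not the article's own code: provision_shared_dir wraps the article's root-only commands (groupadd, useradd -G, mkdir -p, chgrp, chmod 2770), check_shared_dir verifies that a directory ended up as rwxrws--- with the right group, and demo_sgid_inheritance reproduces the SGID effect without root in a temporary directory, using the umask 002 the article observed. The function names and the temporary-directory demo are assumptions of this example; the group, account and directory names are the article's.

```shell
#!/bin/sh
# Added example, not the article's own code. Function names are invented here;
# group, account and directory names come from the article.
set -eu

# Root-only: the article's provisioning steps, guarded so re-running is safe.
provision_shared_dir() {
    group=$1; dir=$2; shift 2
    getent group "$group" >/dev/null || groupadd "$group"
    for u in "$@"; do
        id "$u" >/dev/null 2>&1 || useradd -G "$group" "$u"
    done
    mkdir -p "$dir"
    chgrp "$group" "$dir"
    chmod 2770 "$dir"      # rwxrws---: group full access, others nothing, SGID set
}

# Unprivileged check: is DIR mode rwxrws--- and owned by GROUP (name or numeric gid)?
check_shared_dir() {
    dir=$1; group=$2
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwxrws---" ] || return 1
    [ "$(ls -ld "$dir" | awk '{print $4}')" = "$group" ] ||
        [ "$(ls -lnd "$dir" | awk '{print $4}')" = "$group" ]
}

# Constructed demonstration that needs no root: build a 2770 directory under a
# temporary path, create a file in it with umask 002 and confirm the file
# inherits the directory's group and is 664. A supplementary group of the
# current user is used when one exists, so the inherited group visibly differs
# from the primary one; otherwise the primary group is used. Prints "ok" on success.
demo_sgid_inheritance() {
    base=$(mktemp -d)
    shared="$base/eshop"
    mkdir "$shared"
    primary=$(id -g)
    other=$primary
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then other=$g; break; fi
    done
    chgrp "$other" "$shared" 2>/dev/null || true   # fall back to the primary group
    chmod 2770 "$shared"
    (umask 002; : > "$shared/test1")
    dir_gid=$(ls -lnd "$shared" | awk '{print $4}')
    result=ok
    check_shared_dir "$shared" "$dir_gid" \
        || result="bad-dir-mode:$(ls -ld "$shared" | cut -c1-10)"
    [ "$(ls -ln "$shared/test1" | awk '{print $4}')" = "$dir_gid" ] \
        || result=group-not-inherited
    [ "$(ls -l "$shared/test1" | cut -c1-10)" = "-rw-rw-r--" ] \
        || result="bad-file-mode:$(ls -l "$shared/test1" | cut -c1-10)"
    rm -rf "$base"
    printf '%s\n' "$result"
}

# Stand-alone use: `sh script.sh` runs the demo; `sudo sh script.sh provision`
# applies the article's setup for microsoft / justmine001 / justmine002.
if [ "${1:-}" = provision ]; then
    provision_shared_dir microsoft /microsoft/eshop justmine001 justmine002
    check_shared_dir /microsoft/eshop microsoft && echo "/microsoft/eshop is ready"
else
    demo_sgid_inheritance
fi
```

The demo deliberately checks three things separately, because each can fail on its own: the SGID bit is silently dropped by the kernel if the caller is not a member of the directory's group, group inheritance depends on the bit being present, and the 664 file mode depends only on the umask, not on SGID at all.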
Summary
The main task of a Linux system administrator is really managing the file system. So for multi-tenant file management: first create a shared group, then set the directory permissions to 2770, and finally add the users who need to collaborate to that group. It is that simple. Often the result is very brief, but the process of thinking and analysis is like a journey to the West for the scriptures. I hope to share the whole process with everyone, so that we not only know what works but also why, and can draw inferences from one instance, integrate them, and apply them flexibly.
The above is the detailed content of Application of multi-tenant management techniques in Linux file system. For more information, please follow other related articles on the PHP Chinese website!