June 15, 2022
 

The Java web service runs as the unprivileged system user deployer.

View the default access control lists (ACLs) of specific system commands

[deployer@s4 ~]$ cd /usr/bin/
[deployer@s4 bin]$ getfacl curl wget scp sftp telnet
# file: curl
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: wget
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: scp
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: sftp
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: telnet
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[deployer@s4 bin]$

Deny the user deployer access to specific commands

[root@s4 ~]# cd /usr/bin/
[root@s4 bin]# setfacl -m u:deployer:--- curl wget scp sftp telnet
[root@s4 bin]# getfacl curl wget scp sftp telnet
# file: curl
# owner: root
# group: root
user::rwx
user:deployer:---
group::r-x
mask::r-x
other::r-x

# file: wget
# owner: root
# group: root
user::rwx
user:deployer:---
group::r-x
mask::r-x
other::r-x

# file: scp
# owner: root
# group: root
user::rwx
user:deployer:---
group::r-x
mask::r-x
other::r-x

# file: sftp
# owner: root
# group: root
user::rwx
user:deployer:---
group::r-x
mask::r-x
other::r-x

# file: telnet
# owner: root
# group: root
user::rwx
user:deployer:---
group::r-x
mask::r-x
other::r-x

[root@s4 bin]#

Error messages when the unprivileged user deployer runs these commands

[deployer@s4 bin]$ curl
-bash: /usr/bin/curl: Permission denied
[deployer@s4 bin]$ wget
-bash: /usr/bin/wget: Permission denied
[deployer@s4 bin]$ scp
-bash: /usr/bin/scp: Permission denied
[deployer@s4 bin]$ sftp
-bash: /usr/bin/sftp: Permission denied
[deployer@s4 bin]$ telnet
-bash: /usr/bin/telnet: Permission denied
[deployer@s4 bin]$
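
An added example, not part of the original post: a shell function that reads getfacl output and reports whether a given user can execute each file, following the POSIX ACL evaluation order. This is why the user:deployer:--- entry wins over other::r-x in the session above. The function names, the comma-separated group argument and the sample input are assumptions constructed for illustration.

```shell
# can_exec USER GROUPS: reads getfacl output on stdin, prints "<file> allow|deny"
# for the execute bit. GROUPS is comma-separated. Hypothetical helper, not a standard tool.
can_exec() {
  awk -v user="$1" -v groups="$2" '
    function emit(   r) {
      if (file == "") return
      # POSIX ACL order: owner, named user, matching groups, other (first match wins).
      if (user == owner)   r = ux
      else if (user in nu) r = nu[user] && mask
      else if (ing)        r = gx && mask
      else                 r = ox
      print file, (r ? "allow" : "deny")
      file = ""; split("", nu); ing = gx = ux = ox = 0; mask = 1
    }
    BEGIN { n = split(groups, g, ","); for (i = 1; i <= n; i++) mine[g[i]] = 1; mask = 1 }
    /^# file: /  { emit(); file = substr($0, 9); next }
    /^# owner: / { owner = substr($0, 10); next }
    /^# group: / { ogroup = substr($0, 10); next }
    /^(user|group|mask|other):/ {
      split($1, f, ":"); x = (substr(f[3], 3, 1) == "x")
      if (f[1] == "user")  { if (f[2] == "") ux = x; else nu[f[2]] = x }
      if (f[1] == "group") { nm = (f[2] == "" ? ogroup : f[2])
                             if (nm in mine) { ing = 1; if (x) gx = 1 } }
      if (f[1] == "mask")  mask = x
      if (f[1] == "other") ox = x
    }
    END { emit() }
  '
}

# Constructed sample: curl as shown above after setfacl, wget with its default ACL.
sample_acl() { cat <<'EOF'
# file: curl
# owner: root
# group: root
user::rwx
user:deployer:---
group::r-x
mask::r-x
other::r-x

# file: wget
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
EOF
}
sample_acl | can_exec deployer deployer
```

On a live host, run it from /usr/bin as `getfacl curl wget scp sftp telnet | can_exec deployer "$(id -Gn deployer | tr ' ' ',')"`; any line ending in allow means the deny entry is missing or has been reset, for example after a package update replaced the binary.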

Other optional commands

chmod chown chgrp
