Default permissions and hidden permissions for files and directories "Go Vbird"

Source: Internet
Author: User

A file has several attributes, including the basic permissions read, write and execute (r, w, x), and a type flag that says whether it is a directory (d), a regular file (-), a link file (l), and so on. The commands for changing these attributes (chgrp, chown, chmod) have also been mentioned briefly; this section supplements that material.

Besides the basic r, w, x permissions, on the Linux ext2/ext3 file systems we can also set other hidden system attributes: they are set with chattr and viewed with lsattr. The most important of them is the attribute that makes a file unmodifiable, so that not even the file's owner can change it. This attribute is quite important, especially for security!

File default permissions: umask

OK! We now know how to create a directory or file and how to change its attributes, but do you know what default permissions a new file or directory gets when you create it? That is what umask is about! So what does umask do? Basically, umask specifies "the default permissions applied when the user creates a file or directory". How do you view or set umask? Like this:

[root@www ~]# umask
0022             <== for ordinary permissions, look at the last three digits!
[root@www ~]# umask -S
u=rwx,g=rx,o=rx

There are two ways to look at it: entering umask by itself shows, as numbers, the permission score that will be taken away; adding the -S (symbolic) option shows the resulting permissions in symbolic form. Oddly, why does umask show four sets of numbers? Aren't there only three groups? That's right: the first group is for the special permissions, which we will not discuss yet, so just look at the last three groups.

In terms of default permissions, directories are not the same as files. From chapter six we know that the x permission is very important for a directory! An ordinary file, however, should not have execute permission by default, because ordinary files are generally used to record data and do not need to be executed. Therefore the defaults are as follows:

    • If the user creates a "file", it has "no execute (x) permission" by default, only the r and w items, which is a maximum of 666 points; the default permissions look like this:
      -rw-rw-rw-

    • If the user creates a "directory", then because x governs whether the directory can be entered, all permissions are open by default, that is 777 points; the default permissions look like this:
      drwxrwxrwx

Note that the umask score is the permission that must be taken away from the default value! Because r, w and x are 4, 2 and 1 points, to take away the write permission you enter 2 points; to take away the read permission, 4 points; to take away both read and write, 6 points; and to take away execute and write, 3 points. Got it? So what is 5 points? It is read and execute!

Applying this to the example above: because umask is 022, nothing is taken away from the user, but group and others have 2 points taken away (that is, the w permission), so when the user:

    • creates a file: (-rw-rw-rw-) - (-----w--w-) ==> -rw-r--r--
    • creates a directory: (drwxrwxrwx) - (d----w--w-) ==> drwxr-xr-x

Don't believe it? Let's test it out!

[root@www ~]# umask
0022
[root@www ~]# touch test1
[root@www ~]# mkdir test2
[root@www ~]# ll
-rw-r--r-- 1 root root     0 Sep 00:25 test1
drwxr-xr-x 2 root root  4096 Sep 00:25 test2
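
As an added example (my own script, not from the original page), the following shell code does the "subtraction" above the way the kernel actually does it, as a bitwise operation on each digit, for any base and umask value, and then confirms the result by creating a file and a directory under a temporary directory with that umask. The function and variable names are assumptions made for this example.

```sh
#!/bin/sh
# Added example: default permissions under a umask.
# The "score subtraction" in the text is really a bitwise operation:
#   mode_of_new_object = base & ~umask
# where base is 666 for files and 777 for directories.

# apply_umask BASE UMASK -> three-digit octal mode
# Example: apply_umask 666 022 prints 644, apply_umask 777 002 prints 775.
apply_umask() {
  base=$1
  mask=$2
  # umask may be shown with four digits (0022); keep the last three.
  while [ ${#mask} -gt 3 ]; do mask=${mask#?}; done
  result=""
  i=1
  while [ "$i" -le 3 ]; do
    b=$(printf '%s' "$base" | cut -c"$i")
    m=$(printf '%s' "$mask" | cut -c"$i")
    # clear in b every bit that is set in m (r=4, w=2, x=1)
    result="${result}$(( b & ~m & 7 ))"
    i=$((i + 1))
  done
  printf '%s' "$result"
}

# new_file_mode UMASK / new_dir_mode UMASK -> what touch/mkdir will produce
new_file_mode() { apply_umask 666 "$1"; }
new_dir_mode()  { apply_umask 777 "$1"; }

# observed_perms UMASK file|dir -> the 10-character permission string that
# ls -l shows for an object actually created under that umask.
observed_perms() {
  dir=$(mktemp -d "${TMPDIR:-/tmp}/umask_demo.XXXXXX") || return 1
  (
    umask "$1"
    if [ "$2" = dir ]; then mkdir "$dir/t"; else : > "$dir/t"; fi
    ls -ld "$dir/t" | cut -c1-10
  )
  rm -rf "$dir"
}

# Show the two umask values discussed in the text: computed vs. observed.
for u in 022 002; do
  printf 'umask %s: file %s (%s)  directory %s (%s)\n' "$u" \
    "$(new_file_mode "$u")" "$(observed_perms "$u" file)" \
    "$(new_dir_mode "$u")"  "$(observed_perms "$u" dir)"
done
```

The observed string comes from ls rather than from stat so that the same code works on any Unix; the umask is changed only inside a subshell, so the caller's umask is untouched.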

The use and importance of umask: project work

Imagine a situation: you and a classmate work on the same host, and because you are both on the same project, the teacher has put your two accounts in the same group and made /home/class/ your shared project directory. Now, is it possible that a file you create cannot be edited by your classmate? If so, that is a headache!

This problem happens very often! In the case above, what were the permissions of test1? 644! If umask is 022, then on newly created data only the owner has the w permission, and members of the same group have only r, so they cannot modify it. "How are you supposed to work on the project together?" Exactly!

So when we need new files that users in the same group can edit together, umask must not take the w permission (2) away from the group! umask will therefore have to be something like 002, so that a new file gets permissions like -rw-rw-r--. How do you set umask? Very simply: enter umask followed by 002.

[root@www ~]# umask 002
[root@www ~]# touch test3
[root@www ~]# mkdir test4
[root@www ~]# ll
-rw-rw-r-- 1 root root     0 Sep 00:36 test3
drwxrwxr-x 2 root root  4096 Sep 00:36 test4

So umask is closely related to the default permissions of new files and directories! This concept applies on any server, and it is especially important when you later set up a file server, for example a Samba or FTP server, because it determines whether your users can make further use of the files. Don't take it lightly!

By default, root's umask takes away more permissions: it is 022, for security reasons. For ordinary users the umask is usually 002, which keeps the write permission for the group. The default umask configuration can be found in /etc/bashrc, but modifying that file is not recommended.

File hidden attributes:

What? Files also have hidden attributes? Those nine permissions were already driving us crazy, and now there are hidden attributes too! But there is no way around it: files do have hidden attributes. These hidden attributes are really helpful to the system, especially for system security, so they matter a lot! Note, however, that the chattr command below can only be used on the ext2/ext3 file systems; other file systems may not support it. Let's look at how to set and view these hidden attributes!

chattr (set a file's hidden attributes)
[root@www ~]# chattr [+-=][ASacdistu] file or directory name
Options and parameters:
+   : add one attribute; the other existing attributes are left unchanged.
-   : remove one attribute; the other existing attributes are left unchanged.
=   : set exactly the listed attributes and no others.
A   : with A set, the access time (atime) of the file (or directory) is not updated when it is read; this avoids excessive disk I/O on a slow machine.
S   : ordinary files are written to disk asynchronously (see sync in chapter five); with S set, any modification to the file is written to the disk synchronously.
a   : with a set, data can only be appended to the file, not deleted or modified; only root can set this attribute.
c   : with c set, the file is automatically compressed when stored and decompressed when read (seems very useful for large files!).
d   : with d set, the file (or directory) is not backed up when the dump program runs.
i   : i is very powerful! It makes a file "impossible to delete, rename or link to, and impossible to write or append data to". It is a great help for system security! Only root can set this attribute.
s   : with s set, a deleted file is completely wiped from the disk, so if it is deleted by mistake it cannot be recovered!
u   : the opposite of s: with u set, the data of a deleted file actually stays on the disk, so the file can be rescued!
Note: a and i are the commonly used attribute settings, and many of the attributes can only be set by root.

# Create a file under /tmp, add the i attribute and try to delete it.
[root@www ~]# cd /tmp
[root@www tmp]# touch attrtest         <== create an empty file
[root@www tmp]# chattr +i attrtest     <== give it the i attribute
[root@www tmp]# rm attrtest            <== try to delete it
rm: remove write-protected regular empty file `attrtest'? y
rm: cannot remove `attrtest': Operation not permitted   <== the operation is not permitted
# See? Even root cannot delete this file! Quickly undo the setting: remove the i attribute from the file!
[root@www tmp]# chattr -i attrtest
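
The following script is an added example, not part of the original text and not code from the chattr/lsattr tools. It reads the flag field that lsattr prints (the column shown as `----ia---j---` later on this page) so that you can check, for instance, that a log file really carries the a attribute, or that a file you did not expect to be immutable carries i. The demo function repeats the page's +i experiment, but only when run as root on a file system where chattr works; otherwise it says why it skipped. The sample lsattr line and the function names are constructed for this example.

```sh
#!/bin/sh
# Added example: reading lsattr output and checking hidden attributes.

# lsattr_flags LINE -> the flag field of one lsattr output line
# Constructed sample: "----ia---j--- attrtest" -> "----ia---j---"
lsattr_flags() {
  printf '%s' "$1" | awk '{print $1}'
}

# has_attr FLAGS CHAR -> success (0) if attribute CHAR appears in FLAGS
has_attr() {
  case $1 in
    *"$2"*) return 0 ;;
    *) return 1 ;;
  esac
}

# attr_names FLAGS -> names of the set attributes that matter for data protection
attr_names() {
  out=""
  has_attr "$1" i && out="${out}immutable "
  has_attr "$1" a && out="${out}append-only "
  has_attr "$1" s && out="${out}secure-delete "
  has_attr "$1" u && out="${out}undeletable "
  printf '%s' "${out% }"
}

# check_attr FILE CHAR -> "set" / "unset" / "unknown" (lsattr missing, file
# missing, or unsupported file system). Audit use: check_attr /path/to/logfile a
# should print "set" if the log was protected with chattr +a.
check_attr() {
  line=$(lsattr -d "$1" 2>/dev/null) || { printf 'unknown'; return 0; }
  if has_attr "$(lsattr_flags "$line")" "$2"; then printf 'set'; else printf 'unset'; fi
}

# immutable_demo -> repeats the page's experiment: a file with +i cannot be
# removed, even by root. Runs only as root and only where chattr works.
immutable_demo() {
  if [ "$(id -u)" -ne 0 ]; then echo "skipped: chattr +i needs root"; return 0; fi
  f=$(mktemp "${TMPDIR:-/tmp}/attrtest.XXXXXX") || return 1
  if ! chattr +i "$f" 2>/dev/null; then
    echo "skipped: chattr not supported here"; rm -f "$f"; return 0
  fi
  if rm -f "$f" 2>/dev/null; then
    echo "unexpected: file removed despite +i"
  else
    echo "rm failed as expected; immutable attribute is $(check_attr "$f" i)"
  fi
  chattr -i "$f" && rm -f "$f"   # undo the attribute, as the page insists
}

immutable_demo
```

Because check_attr answers "unknown" rather than failing when lsattr is unavailable, it can be dropped into a periodic audit script that runs on hosts with mixed file systems.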

This command is important, especially for the security of the data on the system! Because these are hidden attributes, you need lsattr to see them. In my opinion the most important of them are +i and +a. +i makes a file impossible to change, which is very important for anyone who needs strong system security! Quite a few of the attributes require root to set!

Also, for a log file such as a login log, it is even more useful to set +a, which allows data to be appended but does not allow the old data to be modified or deleted!

lsattr (show a file's hidden attributes)
[root@www ~]# lsattr [-adR] file or directory
Options and parameters:
-a  : also list the attributes of hidden files;
-d  : if a directory is given, list only the attributes of the directory itself, not of the files inside it;
-R  : list attributes recursively, including subdirectories!

[root@www tmp]# chattr +aij attrtest
[root@www tmp]# lsattr attrtest
----ia---j--- attrtest

After setting attributes with chattr, you can use lsattr to look them up. However, these two commands must be used with special care, otherwise they cause great distress. For example: one day you are in a good mood and suddenly give /etc/shadow, the important password file, the i attribute; a few days later you want to add a user and find that you cannot! Don't doubt it, go and remove the i attribute!

File special permissions: SUID, SGID, Sbit
[root@www ~]# ls -ld /tmp ; ls -l /usr/bin/passwd
drwxrwxrwt 7 root root  4096 Sep 18:23 /tmp
-rwsr-xr-x 1 root root 22984 Jan  7  2007 /usr/bin/passwd

Isn't it supposed to be just rwx? Where do these other special permissions (s and t) come from? Ah... my head is spinning again! The meaning of the s and t permissions is closely related to accounts and processes. Read the explanations below first; if you do not understand them right away it does not matter, just learn where the s of SUID/SGID sits and how to set it!

Set UID

When the s flag appears in the owner's x position, for example in the permissions of /usr/bin/passwd just mentioned, "-rwsr-xr-x", it is called Set UID, or the special permission SUID for short. So what special function does SUID give a file? Basically SUID has these restrictions and functions:

    • SUID permission is valid only for binary programs;
    • the person running the program needs the x permission for it;
    • the permission is valid only while the program is running (run-time);
    • the person running the program gets the permissions of the program's owner.

Put that abstractly, you may still have no idea what SUID is, so let's use an example. On our Linux system all account passwords are recorded in /etc/shadow, whose permissions are "-r-------- 1 root root", meaning only root can read this file and only root can force a write to it. Since only root can modify this file, can Vbird, an ordinary account, change his own password? Try running "passwd" with your own account and see: an ordinary user can of course change their password!

Isn't that a contradiction? Obviously /etc/shadow does not let the ordinary account Vbird access it, so why can Vbird still modify the password in this file? This is the function of SUID! From the description above we know:

    1. Vbird has the x permission for /usr/bin/passwd, meaning Vbird can run passwd;
    2. the owner of passwd is the root account;
    3. while Vbird runs passwd, the process "temporarily" gets root permissions;
    4. so /etc/shadow can be modified by the passwd run by Vbird.

But if Vbird uses cat to read /etc/shadow, can he? No: because cat has no SUID permission, Vbird cannot read /etc/shadow when he runs "cat /etc/shadow". We illustrate this with the figure below:


Figure 4.4.1, SUID program run process

In addition, SUID can only be used on binary programs, not on shell scripts! This is because a shell script just calls a lot of binary executables; so the SUID permissions that matter are those of the programs the shell script calls, not of the shell script itself. SUID is also invalid on directories. Pay special attention to this!

Set GID

When the s flag is in the owner's x position it is SUID; an s in the group's x position is called Set GID, SGID for short! That's right! ^_^ For example, you can use the command below to observe a file with SGID permission:

[root@www ~]# ls -l /usr/bin/locate
-rwx--s--x 1 root slocate 23856 Mar  2007 /usr/bin/locate

SGID is useful for binary programs; unlike SUID, SGID can be set on files or directories! When set on a file, SGID works as follows:

    • the person running the program needs the x permission for it;
    • while the program runs, the process gets the support of the program's group!

For example, the program /usr/bin/locate above can search the contents of /var/lib/mlocate/mlocate.db (described in detail in the next section), and mlocate.db has the following permissions:

[root@www ~]# ll /usr/bin/locate /var/lib/mlocate/mlocate.db
-rwx--s--x 1 root slocate   23856 Mar  2007 /usr/bin/locate
-rw-r----- 1 root slocate 3175776 Sep 04:02 /var/lib/mlocate/mlocate.db

Very similar to SUID: if I use the Vbird account to run locate, Vbird gets the support of the slocate group and so can read mlocate.db! Very interesting! Besides binary programs, SGID can also be used on directories, which is also a very common use! When a directory has the SGID permission, it has the following features:

    • a user who has r and x permissions on the directory can enter it;
    • the user's effective group in this directory becomes the group of the directory;
    • purpose: if the user also has the w permission in this directory (can create new files), the new files the user creates get the same group as the directory.

SGID is very important for project development, because it addresses group permission issues.

Sticky Bit

The Sticky Bit, Sbit for short, is currently only effective on directories and has no effect on files. Sbit's role on a directory is:

    • when the user has the w and x permissions on the directory, that is, write permission for the directory;
    • when a user creates a file or directory under that directory, only the user himself and root have the right to delete it.

In other words: when a user accesses a directory as a group member or as "others" and has the w permission on the directory, it means that "files or directories created by anyone in that directory can be deleted, renamed, moved and so on by that user". If, however, the directory is given the Sbit permission, a user can only delete, rename or move the files or directories they created themselves, and cannot delete other users' files.

For example, the permissions of our /tmp are "drwxrwxrwt". Under such permissions anyone can add or modify files in /tmp, but only the creator of a file or directory, and root, can delete it. This feature is very important too! You can do a simple test like this:

    1. log in to the system as root and enter /tmp;
    2. touch test, and change the permissions of test to 777;
    3. log in as an ordinary user and enter /tmp;
    4. try to delete the file test!
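
Because an unexpected SUID or SGID file is exactly what you look for when checking a system, here is an added example (my own script, not from the original page) that lists every file or directory under a given path carrying SUID, SGID or Sbit and labels which bit it is, using the same ls -l character positions the page's examples show (s in the owner's x slot, s in the group's x slot, t in the others' x slot). The function names are assumptions.

```sh
#!/bin/sh
# Added example: find and label files with special permission bits.

# classify_perms PERMSTRING -> labels derived from a 10-character ls -l field,
# e.g. "-rwsr-xr-x" -> "SUID", "drwxrwxrwt" -> "Sbit", "-rwsr-sr-x" -> "SUID SGID"
classify_perms() {
  p=$1
  out=""
  case $(printf '%s' "$p" | cut -c4)  in [sS]) out="${out}SUID " ;; esac
  case $(printf '%s' "$p" | cut -c7)  in [sS]) out="${out}SGID " ;; esac
  case $(printf '%s' "$p" | cut -c10) in [tT]) out="${out}Sbit " ;; esac
  printf '%s' "${out% }"
}

# list_special_bits DIR -> one line per object: "<labels><TAB><path>", sorted by path.
# find's -perm -4000 means "has at least this bit", so each special bit is matched
# independently of the ordinary rwx bits.
list_special_bits() {
  find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -print 2>/dev/null |
    sort |
    while IFS= read -r path; do
      perms=$(ls -ld "$path" | cut -c1-10)
      printf '%s\t%s\n' "$(classify_perms "$perms")" "$path"
    done
}

# count_special_bits DIR -> number of objects found (0 when there are none)
count_special_bits() {
  list_special_bits "$1" | wc -l | tr -d ' '
}

# Typical audit on a live system: everything with a special bit under /usr/bin
# (the page's /usr/bin/passwd and /usr/bin/locate would appear here).
if [ -d /usr/bin ]; then
  list_special_bits /usr/bin
fi
```

For a whole-system check, run list_special_bits on / with find's -xdev added so that network and pseudo file systems are skipped, and compare the output against a saved baseline.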

SUID/SGID/Sbit permission settings

You should know by now that the numeric way of changing permissions uses a combination of "three numbers"; if you put one more number in front of these three, that first number represents these special permissions:

    • 4 for SUID
    • 2 for SGID
    • 1 for Sbit

Suppose you want to change a file's permissions to "-rwsr-xr-x". Because the s is in the user's permissions it is SUID, so put a 4 in front of the original 755, that is: "chmod 4755 filename"! In addition, an uppercase S and T can also appear! See the example below:

[root@www ~]# cd /tmp
[root@www tmp]# touch test                  <== create an empty test file
[root@www tmp]# chmod 4755 test; ls -l test <== add SUID
-rwsr-xr-x 1 root root 0 Sep 03:06 test
[root@www tmp]# chmod 6755 test; ls -l test <== add SUID/SGID
-rwsr-sr-x 1 root root 0 Sep 03:06 test
[root@www tmp]# chmod 1755 test; ls -l test <== add Sbit
-rwxr-xr-t 1 root root 0 Sep 03:06 test
[root@www tmp]# chmod 7666 test; ls -l test <== SUID/SGID/Sbit are "empty"
-rwSrwSrwT 1 root root 0 Sep 03:06 test

Be careful with the last example! Why do uppercase S and T appear? Shouldn't they all be lowercase? Because s and t both replace the x permission, but notice that we issued 7666, so user, group and others have no x, the execute flag (because of 666); the S and T therefore mean "empty"! Think about it: SUID means "while this file is running, it has the permissions of the file's owner", but if the file cannot be executed by its owner at all, where would those permissions be used by other people? Of course it is empty! ^_^
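
To make the uppercase S and T rule concrete, the following added script (my own, not from the original page; the function names are assumptions) converts a three- or four-digit chmod mode into the permission letters ls -l would show, and reports which special bits are "empty" because the matching x bit is missing. It handles any mode, not just the four shown above.

```sh
#!/bin/sh
# Added example: numeric mode -> ls -l letters, including s/S and t/T.

# triplet_to_str DIGIT SPECIAL LETTER -> three characters for one of u/g/o.
# DIGIT is the rwx digit (0-7), SPECIAL is 1 if this triplet's special bit is
# set, LETTER is s (SUID/SGID) or t (Sbit). The letter replaces the x slot:
# lowercase when x is set, uppercase ("empty" bit) when it is not.
triplet_to_str() {
  d=$1; special=$2; letter=$3
  out=""
  if [ $((d & 4)) -ne 0 ]; then out="r"; else out="-"; fi
  if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
  if [ "$special" -eq 1 ]; then
    if [ $((d & 1)) -ne 0 ]; then
      out="${out}${letter}"
    else
      out="${out}$(printf '%s' "$letter" | tr st ST)"
    fi
  elif [ $((d & 1)) -ne 0 ]; then
    out="${out}x"
  else
    out="${out}-"
  fi
  printf '%s' "$out"
}

# split_mode MODE -> sets sp (special digit) and u g o from a 3- or 4-digit mode
split_mode() {
  m=$1
  [ ${#m} -eq 3 ] && m="0$m"
  if [ ${#m} -ne 4 ]; then
    echo "split_mode: expected 3 or 4 octal digits, got '$1'" >&2
    return 1
  fi
  sp=$(printf '%s' "$m" | cut -c1)
  u=$(printf '%s' "$m" | cut -c2)
  g=$(printf '%s' "$m" | cut -c3)
  o=$(printf '%s' "$m" | cut -c4)
}

# mode_to_symbolic MODE -> the nine permission letters ls -l shows
# e.g. 4755 -> rwsr-xr-x, 7666 -> rwSrwSrwT
mode_to_symbolic() {
  split_mode "$1" || return 1
  printf '%s%s%s' \
    "$(triplet_to_str "$u" $(( (sp & 4) != 0 )) s)" \
    "$(triplet_to_str "$g" $(( (sp & 2) != 0 )) s)" \
    "$(triplet_to_str "$o" $(( (sp & 1) != 0 )) t)"
}

# empty_special_bits MODE -> names of special bits set without a matching x bit
# e.g. 7666 -> "SUID SGID Sbit", 4755 -> ""
empty_special_bits() {
  split_mode "$1" || return 1
  out=""
  [ $((sp & 4)) -ne 0 ] && [ $((u & 1)) -eq 0 ] && out="${out}SUID "
  [ $((sp & 2)) -ne 0 ] && [ $((g & 1)) -eq 0 ] && out="${out}SGID "
  [ $((sp & 1)) -ne 0 ] && [ $((o & 1)) -eq 0 ] && out="${out}Sbit "
  printf '%s' "${out% }"
}

# The four modes from the page plus the locate example (2711).
for mode in 4755 6755 1755 7666 2711; do
  printf '%s -> %s   empty: [%s]\n' "$mode" \
    "$(mode_to_symbolic "$mode")" "$(empty_special_bits "$mode")"
done
```

An "empty" SUID bit does no harm by itself, but it usually means a chmod was typed wrong, which is why empty_special_bits is a useful sanity check before deploying a permission change.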

Besides the numeric method, you can also use the symbolic method! SUID is u+s, SGID is g+s and Sbit is o+t. Take a look at the example below:

# Set the permissions to -rws--x--x:
[root@www tmp]# chmod u=rwxs,go=x test; ls -l test
-rws--x--x 1 root root 0 23:47 test
# Now add SGID and Sbit to the permissions of the file above!
[root@www tmp]# chmod g+s,o+t test; ls -l test
-rws--s--t 1 root root 0 23:47 test

Observing a file's type: file

If you want to know the basic type of a file, such as whether it is ASCII text, a data file or a binary, and whether it uses dynamic libraries (shared libraries) and so on, you can use the file command to look! For example:

[root@www ~]# file ~/.bashrc
/root/.bashrc: ASCII text                        <== tells us it is an ASCII text file!
[root@www ~]# file /usr/bin/passwd
/usr/bin/passwd: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for GNU/Linux 2.6.9, stripped
# An executable yields a lot of information! This includes the SUID permission on the file, the compatible hardware platform (Intel 386 level), the use of dynamically linked shared libraries, the Linux kernel 2.6.9 it was built for, and so on.
[root@www ~]# file /var/lib/mlocate/mlocate.db
/var/lib/mlocate/mlocate.db: data                <== this is a data file!

With this command we can quickly make a first determination of a file's format!
