Article title: Shell basics: Chapter 1, File security and permissions
Author: Unknown
Compiled by: lanlingsheng
To prevent unauthorized users from accessing your files, you can set permissions on files and directories. You can also set the default permissions that files receive when they are created. These are only a small part of overall system security; this chapter does not try to cover every aspect of system security, only the issues that concern files and directories.
This chapter includes the following content:
• File and directory permissions.
• Setuid.
• Chown and chgrp.
• Umask.
• Symbolic links.
A file is owned by the user who creates it and by the group that user belongs to. The owner of an object decides who may read, write and execute it. Of course, root (the system administrator) can change the settings of any ordinary user. Once a file has been created, there are three ways of accessing it:
1) read: display the content of the file.
2) write: edit or delete the file.
3) execute: run the file, if it is a shell script or program.
Depending on who is accessing the file, permissions fall into three classes:
1) the file owner, the user who created the file.
2) users in the same group, any user in the group that owns the file.
3) other users, that is, any user who does not belong to the group that owns the file.
1.1 Files
When you create a file, the system records all of its metadata, including:
• File location.
• File type.
• File length.
• Which user owns the file and which users can access it.
• Inode number.
• File modification time.
• File permission bits.
Let's use the ls -l command to look at a typical listing:
$ ls -l
total 4232
-rwxr-xr-x 1 root root 3756 Oct 14 04:44 dmesg
-r-xr-xr-x 1 root root 12708 Oct 3 05:40 ps
-rwxr-xr-x 1 root root 5388 Aug 5 1998 pwd
Next, let's take the first two lines of the output apart to see what information they contain:
total 4232: this line shows the disk space used by all the files in the directory.
-rwxr-xr-x: the permission bits of the file. Leaving aside the leading character, there are nine characters, corresponding to nine permission bits. These bits control which users may access the file, and they fall into three groups of three:
rwx: permissions of the file owner (the first three).
r-x: permissions of users in the same group (the middle three).
r-x: permissions of other users (the last three).
We will return to these permission bits in more detail later. A horizontal bar in place of r, w or x means that the corresponding access is not allowed.
1: the number of hard links to the file.
root: the file owner.
root: the default group of the file owner root (the group is also called root).
3578: the length of the file in bytes. Remember, it is bytes, not kilobytes!
Oct 14 04:44: the time the file was last modified.
dmesg: the file name.
1.2 File type
Do you remember the character before the file permission bits mentioned in the previous section? Now let's explain what it means. There are seven file types, and the type is shown by the first character of each line of ls -l output:
d directory.
l symbolic link (pointing to another file).
s socket file.
b block device file.
c character device file.
p named pipe (FIFO) file.
- regular file, or more precisely a file that belongs to none of the types above.
1.3 Permissions
Let's use the touch command to create a file:
$ touch myfile
Now run ls -l on the directory:
$ ls -l
-rw-r--r-- 1 dave admin 0 Feb 19 22:05 myfile
We have created an empty file. As we expected, the first character tells us that the file is a regular file. You will find that most of the files you create are regular files or symbolic links (symbolic links are covered later).
file owner permissions   group user permissions   other user permissions
rw-                      r--                      r--
The first three permission bits are the permissions of the file owner, the next three are the permissions of users in the same group as you (here the admin group), and the last three are the permissions of other users. The output also shows the default group that I belong to. Here is a precise description of the permissions on the file:
Table 1-1 Meaning of the ls -l output
(first character)        -     regular file
(next three characters)  rw-   permissions of the file owner
(next three characters)  r--   permissions of users in the same group
(last three characters)  r--   permissions of other users
So the three groups of characters (after the first character) define, respectively:
1) the permissions of the file owner.
2) the permissions of the file owner's default group (a user can belong to many groups).
3) the permissions of other users on the system.
Each group contains three permission bits:
r read permission
w write (change) permission
x permission to execute the script or program
Here is another way of reading the permissions of the myfile file listed above:
-rw-r--r--
The file type is regular; the file owner can read and write the file, users in the same group can read it, and other users can read it.
You may have noticed that no execute permission was granted to the owner when myfile was created. When a user creates a file, the system does not set the execute bit automatically; this is a security measure. You must set this permission bit by hand.
When we discuss the umask command later, you will understand why the execute permission was not granted. However, you can configure
This is different from the file execution limit, which will be discussed later.
The discussion of permission bits above may be hard to follow, so let's look at several examples (see Table 1-2). What is even more confusing is that, when only the read bit is set, the file owner can still write data to the file through file redirection. Later we will see that whether a file can be deleted depends on the permissions of the directory that contains it.
Table 1-2 File permissions and their meaning
permissions    meaning
r-- --- ---    the file owner can read, but cannot write or execute
r-- r-- ---    the file owner and users in the same group (usually the default group of the file owner) can read
r-- r-- r--    any user can read, but nobody can write or execute
rwx r-- r--    the file owner can read, write and execute; users in the same group and other users can only read
rwx r-x ---    the file owner can read, write and execute; users in the same group can read and execute
rwx r-x r-x    the file owner can read, write and execute; users in the same group and other users can read and execute
rw- rw- ---    the file owner and users in the same group can read and write
rw- rw- r--    the file owner and users in the same group can read and write; other users can read
rw- rw- rw-    the file owner, users in the same group and other users can all read and write; use this setting with caution, because any user can write to the file
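As an added example (not part of the original chapter), the following POSIX sh script decodes a ten-character mode field such as the ones in Tables 1-1 and 1-2 into the file type and the rights held by each of the three user classes. The function names (file_type, triplet_words, describe_perm) and the sample mode strings are my own, not the book's.

```shell
#!/bin/sh
# Added example, not from the original chapter: decode the first column of
# "ls -l" (type character plus nine permission bits) into words.

# file_type MODE -> the file type named by the first character (Section 1.2)
file_type() {
    case "$1" in
        -*) printf '%s\n' "regular file" ;;
        d*) printf '%s\n' "directory" ;;
        l*) printf '%s\n' "symbolic link" ;;
        s*) printf '%s\n' "socket" ;;
        b*) printf '%s\n' "block device" ;;
        c*) printf '%s\n' "character device" ;;
        p*) printf '%s\n' "named pipe" ;;
        *)  printf '%s\n' "unknown" ;;
    esac
}

# triplet_words RWX -> the rights one three-character group grants,
# e.g. r-x -> "read, execute", --- -> "none"
triplet_words() {
    words=""
    case "$1" in r??) words="read" ;; esac
    case "$1" in ?w?) words="${words:+$words, }write" ;; esac
    case "$1" in ??[xst]) words="${words:+$words, }execute" ;; esac   # s/t imply x
    printf '%s\n' "${words:-none}"
}

# describe_perm MODE -> four lines: type, owner, group and other rights
describe_perm() {
    mode=$1
    # anything that is not exactly 10 characters is not an ls -l mode field
    [ ${#mode} -eq 10 ] || { printf 'bad mode string: %s\n' "$mode" >&2; return 1; }
    # characters 2-4, 5-7 and 8-10 are the owner, group and other groups
    owner=$(printf '%s' "$mode" | cut -c2-4)
    group=$(printf '%s' "$mode" | cut -c5-7)
    other=$(printf '%s' "$mode" | cut -c8-10)
    printf 'type: %s\n'   "$(file_type "$mode")"
    printf 'owner: %s\n'  "$(triplet_words "$owner")"
    printf 'group: %s\n'  "$(triplet_words "$group")"
    printf 'others: %s\n' "$(triplet_words "$other")"
}

# constructed sample modes: the myfile of Section 1.3, the dmesg of
# Section 1.1 and a sticky world-writable directory
for m in -rw-r--r-- -rwxr-xr-x drwxrwxrwt; do
    describe_perm "$m"
    echo
done
```

The script uses only case patterns and cut, so it runs under dash, bash or busybox sh; a mode string of the wrong length is rejected instead of being silently misread.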
1.4 Changing the permission bits
For files that belong to you, you can change the permission settings as needed. Before changing them, think carefully about which users need to access your files (and your directories). The chmod command changes file permissions. It has a short absolute mode and a longer symbolic mode; let's look at the symbolic mode first.
1.4.1 Symbolic mode
The general format of the chmod command is:
chmod [who] operator [permission] filename
who is one of:
u the file owner's permissions.
g the permissions of users in the same group.
o the permissions of other users.
a all users (file owner, users in the same group, and other users).
operator is one of:
+ add the permission.
- remove the permission.
= set the permission exactly.
permission is one of:
r read permission.
w write permission.
x execute permission.
s set-user-ID or set-group-ID bit (setuid/setgid).
t sticky bit*.
l lock the file so that other users cannot access it.
u, g, o copy the permissions currently held by the file owner, the group, or other users.
* When listing files or directories you will sometimes see a "t" bit. "t" stands for the sticky bit. If a directory has the "t" bit set, only the owner of a file in that directory can delete it, even when users in the same group have the same permissions on the directory. However, some systems are not very strict about this rule. If "t" appears on a file, it means that the program text is kept in swap space (virtual memory) after execution. Since memory is so cheap nowadays, you do not need to worry about the "t" bit on files.
1.4.2 Examples of chmod commands
Now let's look at some examples of using the chmod command.
Assume that myfile initially has the permissions rwx rwx rwx:
command              result         meaning
chmod a-x myfile     rw- rw- rw-    remove the execute permission from all users
chmod og-w myfile    rw- r-- r--    remove the write permission from users in the same group and other users
chmod g+w myfile     rw- rw- r--    give users in the same group the write permission
chmod u+x myfile     rwx rw- r--    give the file owner the execute permission
chmod go+x myfile    rwx rwx r-x    give users in the same group and other users the execute permission
When myfile was created, it had the following permissions:
-rw-r--r-- 1 dave admin 0 Feb 19 22:05 myfile
If this is a script I have written, and I want to have execute permission on it and remove the write permission from all other users, I can use:
$ chmod u+x,o-w myfile
(The two changes are separated by a comma; separated by a space, chmod would take o-w to be a file name.) The permissions of the file now become:
-rwxr----- 1 dave admin 0 Feb 19 22:05 myfile
Now the file owner has the read and write permissions on myfile, while the admin group has the read permission. If you want a script file to be executable by yourself and are happy with its default permissions, you only need to give yourself the execute permission:
$ chmod u+x dt
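To see the symbolic-mode table in action, here is an added POSIX sh script (my own, not from the chapter) that replays the chmod sequence of Section 1.4.2 on a scratch file and reads the resulting bits back with ls -l, the command the chapter uses. It assumes a system with standard ls, chmod and mktemp; the function names perm_of, run_sequence and final_state are mine.

```shell
#!/bin/sh
# Added example, not from the original chapter: apply the chmod commands of
# the Section 1.4.2 table one after another and show the permission bits
# after each step.

# perm_of FILE -> the nine permission characters of FILE (e.g. rw-r--r--),
# taken from the first column of "ls -ld" without the type character
perm_of() {
    ls -ld "$1" | cut -c2-10
}

# run_sequence FILE -> applies each chmod from the table in order and prints
# "<mode argument> <resulting bits>" per line. The file is first set to
# rwxrwxrwx, the starting point the table assumes.
run_sequence() {
    f=$1
    chmod 777 "$f"
    for spec in a-x og-w g+w u+x go+x; do
        chmod "$spec" "$f"
        printf '%-6s %s\n' "$spec" "$(perm_of "$f")"
    done
}

# final_state FILE -> the case at the end of the section: start from the
# default rw-r--r--, give the owner execute and take write away from others.
# The two operations are joined with a comma; written as "chmod u+x o-w FILE",
# chmod would look for a file called "o-w".
final_state() {
    f=$1
    chmod 644 "$f"
    chmod u+x,o-w "$f"
    perm_of "$f"
}

# constructed scratch file in a private temporary directory, removed on exit
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
touch "$tmpdir/myfile"
run_sequence "$tmpdir/myfile"
final_state "$tmpdir/myfile"
```

Because the file is created in a fresh mktemp directory and chmod 777 / chmod 644 set the bits explicitly, the result does not depend on the caller's umask, so the printed lines match the table regardless of the account that runs it.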
1.4.3 Absolute mode
The general form of the absolute mode of the chmod command is:
chmod [mode] file
where mode is an octal number.
In absolute mode each permission bit is represented by an octal number, as shown in Table 1-3. The octal values of the directory/file permission bits are:
Table 1-3 Octal permission values
octal   meaning
0400    file owner readable
0200    file owner writable
0100    file owner executable
0040    users in the same group readable
0020    users in the same group writable
0010    users in the same group executable
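As an added example (my own code, not the chapter's), the following POSIX sh functions convert between the nine permission characters that ls -l prints and the four-digit octal form used by chmod's absolute mode, so a reader can check any row of Table 1-3 or Table 1-2 by hand. It goes slightly beyond the table above: the leading digit covers the s and t bits of Section 1.4.1, using the standard chmod values 4000 (setuid), 2000 (setgid) and 1000 (sticky), which are not listed on this page. The function names (triplet_value, perm_to_octal, digit_to_triplet, mark_special, octal_to_perm) are mine.

```shell
#!/bin/sh
# Added example, not from the original chapter: symbolic <-> octal permission
# conversion, including the setuid/setgid/sticky bits (4000/2000/1000).

# triplet_value RWX -> 0..7 for one group of three characters, e.g. r-x -> 5
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac   # lower-case s/t imply x
    printf '%s\n' "$v"
}

# perm_to_octal RWXRWXRWX -> e.g. rwxr-xr-x -> 0755, rwsr-xr-x -> 4755
perm_to_octal() {
    p=$1
    [ ${#p} -eq 9 ] || { printf 'need 9 characters, got: %s\n' "$p" >&2; return 1; }
    special=0
    case "$p" in ??[sS]??????) special=$((special + 4)) ;; esac   # setuid
    case "$p" in ?????[sS]???) special=$((special + 2)) ;; esac   # setgid
    case "$p" in ????????[tT]) special=$((special + 1)) ;; esac   # sticky
    own=$(printf '%s' "$p" | cut -c1-3)
    grp=$(printf '%s' "$p" | cut -c4-6)
    oth=$(printf '%s' "$p" | cut -c7-9)
    printf '%d%d%d%d\n' "$special" "$(triplet_value "$own")" \
        "$(triplet_value "$grp")" "$(triplet_value "$oth")"
}

# digit_to_triplet N -> the three characters for one octal digit, e.g. 6 -> rw-
digit_to_triplet() {
    r=-; w=-; x=-
    if [ $(($1 & 4)) -ne 0 ]; then r=r; fi
    if [ $(($1 & 2)) -ne 0 ]; then w=w; fi
    if [ $(($1 & 1)) -ne 0 ]; then x=x; fi
    printf '%s\n' "$r$w$x"
}

# mark_special RWX LETTER -> writes LETTER over the x position: lower case
# when execute is also set, upper case (S/T) when it is not
mark_special() {
    base=$(printf '%s' "$1" | cut -c1-2)
    case "$1" in
        ??x) printf '%s%s\n' "$base" "$2" ;;
        *)   printf '%s%s\n' "$base" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" ;;
    esac
}

# octal_to_perm MODE -> e.g. 644 -> rw-r--r--, 4755 -> rwsr-xr-x, 1777 -> rwxrwxrwt
octal_to_perm() {
    n=$1
    while [ ${#n} -lt 4 ]; do n="0$n"; done    # 644 and 0644 are the same mode
    s=$(printf '%s' "$n" | cut -c1)
    own=$(digit_to_triplet "$(printf '%s' "$n" | cut -c2)")
    grp=$(digit_to_triplet "$(printf '%s' "$n" | cut -c3)")
    oth=$(digit_to_triplet "$(printf '%s' "$n" | cut -c4)")
    if [ $((s & 4)) -ne 0 ]; then own=$(mark_special "$own" s); fi
    if [ $((s & 2)) -ne 0 ]; then grp=$(mark_special "$grp" s); fi
    if [ $((s & 1)) -ne 0 ]; then oth=$(mark_special "$oth" t); fi
    printf '%s\n' "$own$grp$oth"
}

# constructed sample modes: round-trip each one through both conversions
for m in rw-r--r-- rwxr-xr-x rwsr-xr-x rwxrwxrwt; do
    o=$(perm_to_octal "$m")
    printf '%s -> %s -> %s\n' "$m" "$o" "$(octal_to_perm "$o")"
done
```

An upper-case S or T in ls output means the special bit is set without the matching execute bit (for example mode 4644 shows as rwSr--r--); the conversion keeps that distinction in both directions.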