8.3_linux file system permissions and special permissions analysis

Source: Internet
Author: User

What is Linux file system permissions?

in L each file or directory in the Inux contains access rights that determine who can access and how to access those files and directories.

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M01/85/6A/wKioL1ei3azCaF2ZAADE04Yn9RM128.png "title=" 7.png " alt= "Wkiol1ei3azcaf2zaade04yn9rm128.png"/>

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M02/85/6B/wKiom1ei5S6wmdqyAABoBt3l_ZM867.png "title=" 8.png " alt= "Wkiom1ei5s6wmdqyaabobt3l_zm867.png"/>

Classification of Linux File system permissions

Permissions in Linux are divided into: Read (read), write (write), Execut (execute) Three kinds of permissions

Files and directories represent different permissions.

The meaning of permissions for a file:

R: Use the File View class tool to get its contents

W: Can modify content, can destroy content, but can't delete the file itself

x: For binary executable programs or scripts, this file can be drawn to the kernel to start a process, ordinary files do not need to execute permissions

The meaning of permissions for a directory:

R: You can use the LS command to view file information for directory contents

W: can create, delete files

X: You can use the Ls-l command to view file information for directory contents, and you can use the CD command to switch this directory to the working directory

Special symbol Capital X

If the permission is set, it is similar to the meaning of the big X in Chmod-r a=rwx dir/

To the meaning of the file:

Large x execution permissions, if the sub-recursive as an example to increase the permissions of all directories and files, because there is no need to increase the number of small x permissions, with x, the original file without X permission will not have X permission after the increase of permissions, only those who already have X permission of the file, After using the large x will still add x permissions to the file.

To the meaning of the directory:

For the directory, x and X are the same meaning, the directory requires the X permission of course with a large X will also add permissions.


x: Just give directory x permission, do not give file x permission, do not give file X permission, is because of security angle consideration!

Octal numeric Meaning of permissions

User does not own a certain permission, then use-placeholder

---000 0 without any permissions

--x 001 1 Only Execute permissions

-w-010 2 Only Write permission

-WX 011 3 Write and Execute permissions

r--100 4 Read-only permissions

R-x 101 5 Read and Execute permissions

rw-110 6 Read and Write permissions

RWX 111 7 Read and write execution permissions (All rights)

These permissions are stored in the file's metadata

Permissions to control files

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/85/6C/wKiom1ei6CSiipPGAAAO8yU8IHY366.png "title=" 9.png " alt= "Wkiom1ei6csiippgaaao8yu8ihy366.png"/>

When we create a file, if we want to modify the permissions of the file, then we will use the chmod command ·

chmod: Modify File permissions

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M01/85/6C/wKiom1ei6K7RAD6vAAAb-5NlvJo106.png "title=" 9.1. PNG "alt=" Wkiom1ei6k7rad6vaaab-5nlvjo106.png "/>

Permission to operate three types of users: using 8 binary form

chmod [-R] Octal-mode (8 binary) file ...

Invalid link file, 0 on left

EX. Modify the master to read and write, belong to the group read-only, others do not have permission

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M00/85/6C/wKiom1ei6evgMHjxAAAV4OOmaQc355.png "title=" 9.2. PNG "alt=" Wkiom1ei6evgmhjxaaav4oomaqc355.png "/>

ACTION Specifies the permissions of the category User: Use U,g,o,a to assign weights, with = or +/-

U: Owner

G: Genus Group

O: Other

A: All

EX. Use = CONTROL permission, modify permission is master read and write, belong to group read and write, other read-only.

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/85/6C/wKiom1ei61uAP1JtAAANnhsx95k685.png "style=" float: none; "title=" 9.3.png "alt=" Wkiom1ei61uap1jtaaannhsx95k685.png "/>

EX. Use +/-control permissions, modify permissions for the group to remove write permissions, and other remove Read permissions.

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/85/6B/wKioL1ei61yCZp99AAARecYzuzo231.png "style=" float: none; "title=" 9.4.png "alt=" Wkiol1ei61yczp99aaarecyzuzo231.png "/>

The chmod command also allows you to set permissions by referencing the permissions of other files.

EX. Refer to the permissions of file B to modify the permissions of file a

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M00/85/6C/wKioL1ei7HTSIjlWAAAabPaRBPM177.png "title=" 9.5. PNG "alt=" Wkiol1ei7htsijlwaaaabparbpm177.png "/>

Umask value

In the above experiment, we found that when we created a file there was a corresponding default permission for the

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/85/6C/wKiom1ei6CSiipPGAAAO8yU8IHY366.png "title=" 9.png " alt= "Wkiom1ei6csiippgaaao8yu8ihy366.png"/>

Note that the default permissions for administrators and the default permissions for normal users are different

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M02/85/6C/wKiom1ei7u_yzCIVAAAMYwIJvCs382.png "style=" float: none; "title=" 10.png "alt=" Wkiom1ei7u_yzcivaaamywijvcs382.png "/>

So where does the default permissions control?

Answer: This is controlled by Umask.

Direct input umask to view the user's Umask value

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M01/85/6C/wKiom1ei8Oix7rtFAAAG3YJ8fgE828.png "style=" float: none; "title=" 10.1.png "alt=" Wkiom1ei8oix7rtfaaag3yj8fge828.png "/>

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M01/85/6C/wKioL1ei8OigqzVgAAAGgiGvrG8640.png "style=" float: none; "title=" 10.2.png "alt=" Wkiol1ei8oigqzvgaaaggigvrg8640.png "/>

We can see that the default value of Umask for administrators and ordinary users is different, and this is why the administrator creates files and the permissions of ordinary users to create files are different.

The umask of these values: the initial permission system of the user's file (directory) can be obtained by umask value and calculating the default value of the file (directory).

For the default permission value, here is a small formula for the calculation

umask+ Default permission values

Default permission value = File Permissions 666/directory Permissions 777

File: 666-umask= with Odd +1, even reserved

Catalog: 777-umask

New file Permission: 666-umask

If the resulting result has an execute (odd) permission on a bit, its permissions +1

Why the permissions of the file is 666 instead of 777?rwx plus should be 7, this is due to security considerations, because the default to some files have execute permission, which means that if the person is willing to execute some file words, can cause system problems. And when the calculation, encountered an odd position needs +1, is because there are some cases of the result of the calculation, will allow permission to execute the permissions with X, in order to avoid this situation, so the result after +1 is always an even number, you can avoid this situation.

So, Root umask is 022, with 666-022=644=rw-r--r--, so the file created by default is this permission

New DIR Permission: 777-umask

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/85/6F/wKioL1ejGDqDoFfwAAALhR30FYE210.png "title=" 10.3. PNG "alt=" Wkiol1ejgdqdoffwaaalhr30fye210.png "/>

Take this diagram as an example, 777-022=755=rwxrw-rw-, so the case of the directory file is also used 777-umask value can be calculated to promote back

Umask Essence: Block out the corresponding bits of the maximum permissions, thus drawing the default permissions

If you need to set the Umask value temporarily, you can output umask=xxx

If you need to set a permanent Umask value can enter the home directory ~/.BASHRC or. bash_profile inside add umask xxx

If you need to set the global Umask value, you can enter the/etc/profile or/ETE/BRSHRC inside the settings, but it is not recommended

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/85/6F/wKioL1ejGjminK5vAAA3NRms65c408.png "title=" 11.png "alt=" Wkiol1ejgjmink5vaaa3nrms65c408.png "/>

From this figure we can also see why the root account umask value is 022, and the umask of the normal account is 022

There are two ways to set the Umask value representation:

(1) The Umask value setting can only be an octal number, or 0-7

(2) You can use Umask u=rw,g=r,o=r this way to set

Tips for using other umask

[[email protected] ~]# umask-s #显示对应权限, if it is a file, then subtract the permissions of X


Umask-p >> BASHRC or. Bash_profile #此命令输出直接追加到环境变量文件里面就可以偷懒进去修改了, that is, the output can be called directly

Special permissions for Linux file systems

Three special privileges: SUID SGID STICKY

Perform special permission Prerequisites: The process has a group of owners and groups;

(1) Any executable program file can be started as a process: depending on whether the initiator has EXECUTE permission on the program file

(2) After initiating as a process, the owner of the process is the initiator, and the group of the process belongs to the initiator

(3) Permissions for the process to access the file, depending on the initiator of the process

(a) initiator of the process, owner of the same document: The application file belongs to the master permission

(b) The initiator of the process, belonging to the group of documents; Apply file group permissions

(c) application file "other" permission

These three special permissions can also be expressed in octal, and in different bits, as follows:

SUID 4 SGID 2 STICKY 1 4+2+1=7

User group Other

SUID (s): When a user goes to run the program, the user inherits the owner's permissions.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/85/6F/wKiom1ejIO6D2zhMAAAKc6u_jkg980.png "title=" 12.png "alt=" Wkiom1ejio6d2zhmaaakc6u_jkg980.png "/>

Can see a program some user bit has a s, instead of the original x, the permissions on behalf of SUID has been added, and generally we see the red bottom white file information

SUID permission settings

chmod 4XXX FILE, 4 means suid

Chmodu+sfile ...

Chmodu-s FILE ...

Note: Suid:user, occupying the owner's execution permission bit

S: Owner has x permission

S: Owner does not have X permission

Note: Suid can only be used in binary programs, not on the directory, this command can not be arbitrarily added, too dangerous.

The role of UID:

When other users execute SUID permissions of the binary program, in the PS aux display user, also will be the suid binary program belongs to, most of the situation below is the root

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/85/6F/wKioL1ejJUnAQr3iAAArNW2B7dg412.png "style=" float: none; "title=" 13.png "alt=" Wkiol1ejjunaqr3iaaarnw2b7dg412.png "/>

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/85/6F/wKiom1ejJYqx4nQcAAATx0hIb2o780.png "title=" 13.2. PNG "alt=" Wkiom1ejjyqx4nqcaaatx0hib2o780.png "/>

The role of SGID

(1) If the application in the binary program, after the start of the process, the owner of its process is the original program file belonging to the group, this situation is similar to the SUID function

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/85/70/wKiom1ejKX_jDwUvAAANCZmY6c0069.png "title=" 14.png "alt=" Wkiom1ejkx_jdwuvaaanczmy6c0069.png "/>

When the file has the SIG's permission, in the group bit there will be a s, instead of the original x, the permissions on behalf of Sgid has been added, and generally we see the yellow bottom black word of the file information

Sgid permission settings

chmod 2XXX FILE ... 2 means GUID


Chmodg-sfile ...

(2) If applied to the directory, all users created under this directory file (including subdirectories) of the group is consistent with the directory of the genus. This effect is typically used to create a collaboration directory.

Sgid permission settings


Chmodg-s DIR ...

Note: Sgid:group, which occupies the group's execution permission bit

S:group has x permissions

S:group no x permission

Note: The root account is different from the root group, and the root group only belongs to a normal group.

This is not the same as the meaning of the Administrators group inside the Windows operating system.

The effect of STICKY sticky position

Directories with Write permissions typically users can delete any file in the directory, regardless of the permissions or ownership of the file, in the directory settings sticky bit, only the file owner or root can delete the file. (Note that the sticky bit is useless on the file)

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/85/70/wKiom1ejMYXjd8yuAAAUOM84Icg288.png "title=" 15.png "alt=" Wkiom1ejmyxjd8yuaaauom84icg288.png "/>

When the directory has sticky permissions, there will be a T in the other bit, instead of the original x, the permissions on behalf of sticky have been added, and generally we see the green bottom black Word of the file information

chmod 1XXX FILE, 1 means sticky

chmod o+t

Note: Sticky:other, which occupies the execution permission bit of other

T:other has x permissions

T:other no x permission

The above suid,sgid, and sticky must be matched with the permission of X.

Delete these 3 must use chmod u-s,g-s,o-t FILE such a command, can not be modified with 0777 such as the command.

ACLs for special permissions on Linux file systems

What is an ACL?

Acl:access control List, for flexible permissions management, in addition to the owner of the file, the group and others, the ACL is unique to the single user can achieve the permissions of the file and directory control.


CentOS7.0 the XFS and Ext4 file systems created by default have ACL capabilities.

centos7.x Previous versions, the default manually created Ext4 file system has no ACL functionality. Manual Increase Required:

Tune2fs–o ACL/DEV/SDB1

Mount–o acl/dev/sdb1/mnt

A file with ACL permissions will have a +, and we can use the Getfacl file command to see the ACL permissions for the files, as shown in.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M02/85/70/wKiom1ejOUXSzRIaAAA3b6Z8i-U357.png "title=" 16.png "alt=" Wkiom1ejouxszriaaaa3b6z8i-u357.png "/>

Below we give permissions to the ACL for WAN user RW that would not have any operation on a file

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M02/85/70/wKiom1ejOI7Ra9WMAABXD90m1zo366.png "title=" 17.png "alt=" Wkiom1ejoi7ra9wmaabxd90m1zo366.png "/>

We can find that after giving the ACL permissions to the WAN user rw, the user WAN can read and write to the a file, but then after we remove the ACL permissions, the WAN user does not have permission to read and write the A file, which is the role of the ACL.

Through, we can also find the ACL has a mask permission

The function of this permission is:

Mask affects the maximum permissions for people and groups other than the owner and other

Mask needs to be logical and operational with the user's permissions before it becomes a limited permission (effective Permission)

The settings for a user or group must exist within the Mask permission setting to take effect.

Let's show you how to use mask:

First, add rwx permissions to the user Wan

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/85/70/wKiom1ejPI2C_DCsAAA2LGc0nHc348.png "title=" 18.png "alt=" Wkiom1ejpi2c_dcsaaa2lgc0nhc348.png "/>

Through, we can see: The value of mask is rwx, and the user WAN permissions are the same,

Also do not know that everyone noticed that the group's permissions would have been---, but when the file is displayed, now is the RWX permission, what is the matter? Let us continue with the demonstration.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/85/70/wKioL1ejPZriUu-HAAA6KIABt40662.png "title=" 18.2. PNG "alt=" Wkiol1ejpzriuu-haaa6kiabt40662.png "/>

This sets the mask value to R, at which point the permissions of the group that observes the a file become R--, the user Wan has a #effective:r--behind it.

, a WAN user writes data to a file and finds that the data is not written at this time. Through this experiment, we can find that

The value of mask can limit the user's maximum permissions, and the file is now a group of permissions, after the addition of ACLs, the display of this value, is actually the value of mask. It is important to note that the modification of the mask value affects only the maximum permissions of people and groups other than the owner and other.

Note that in the case of an ACL, changing the permissions of the (group) is actually the right to change the mask, and the actual (group) permissions are not affected but do not work.

Common options for Setfacl

Getfacl file |directory to view ACL information

Setfacl-m Mask::rx file uses the mask value to restrict the permission to be Rx

Setfacl-m U:USERNAME:RW FILE to increase ACL permissions for the user's RW

Setfacl-x U:username FILE | DIR remove ACL permissions for a user

Setfacl-B FILE completely clears all ACL permissions

setfacl-M FILE | DIR import ACL configuration in specified format

SETFACL-RM g:sales:rwx directory recursion add ACL permissions for group groups under directory

Setfacl-m G:SALESGROUP:RW file| Directory increases ACL permissions for group groups

Setfacl-m D:u:username:rx Directory set users to have recursive RX permissions on files created under this directory

(setfacl-m D:u:wang:rx Directory This inside of the D option, that is, the impact of the subsequent creation of files under the folder when the default also with the permissions of the original ACL)

Setfacl-k dir clear default ACL permissions

Setfacl-x File.acl Directory

Getfacl File1 | Setfacl--set-file=-file2 copy file1 ACL permissions to File2

(The--set option will remove the original ACL entries, with a new alternative, it is important to note that you must include the Ugo settings,

You can't just add ACLs like-m)

such as: Setfacl--set u::rw,u:wang:rw,g::r,o::-file1

The main file Operations Command CP and MV both support ACLs, but the CP command needs to be prefixed with the-p parameter. However, common backup tools, such as tar, do not preserve ACL information for directories and files

How to back up and restore permissions for ACLs

Backup: Getfacl-r * Directory/path/* >/root/acl.bak (back to the specified file)

Recovery: Setfacl-r--set-file=/root/acl.bak *

Finally explained: said several kinds of permission, here to everyone to speak, the authority is only for the file system, if the file system into such as the Windows operating system inside the Vfat file system, file permissions will not necessarily be able to support.

This article is from the "~ Breeze ~" blog, please be sure to keep this source http://wanweifeng.blog.51cto.com/1957995/1834505

8.3_linux file system permissions and special permissions analysis

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.