Basic file permissions in Linux


Every file in Linux is associated with several kinds of permission. Among them we mainly deal with permissions for three classes of principal: the user, the user group, and other users (others). The user is the owner of the file. The user group is the set of users that belong to the same group as the file owner. Others are all users who are neither the owner nor members of the owning group.

The "ls -l" command lists the permissions of objects, for example:

-rw-r--r-- 1 lfqy 529 June 11 20:21 file-authority.txt
-rw-rw-r-- 1 lfqy 0 June 11 19:02 helloworld
drwxrwxr-x 2 lfqy 4096 June 11 20:21 try

Each line of output represents one file. The first 10 characters of each line carry the file's permission information. The first character indicates the file type: "-" is a regular file, "d" a directory, "c" a character device, "b" a block device, "l" a symbolic link, "s" a socket and "p" a named pipe. The remaining nine characters are divided into three groups of three: the first group is the permissions of the user (owner), the second group the permissions of the user group, and the third group the permissions of other users. Each of the nine characters shows whether one particular permission is set: if it is set, a letter appears at that position; otherwise a "-" shows that the permission is not set. "r" stands for read permission, "w" for write permission and "x" for execute permission. For example, file-authority.txt on the first line belongs to the user lfqy, who has read and write permission but not execute permission; users in the same group have only read permission, and other users also have only read permission.

1. File permissions

1.1 Basic permissions

rwx correspond to the read, write and execute permissions of a file. For a directory, however, the three have different meanings. Read permission on a directory allows you to list the files and subdirectories in it. Write permission on a directory allows you to create or delete files and subdirectories in it. Execute permission on a directory determines whether the files and subdirectories in it can be accessed at all.

1.2 setuid, setgid and the sticky bit

Apart from the basic read, write and execute permissions, Linux has three further permission bits: setuid, setgid and the sticky bit. Wikipedia describes setuid and setgid as follows:

setuid and setgid (short for "set user ID upon execution" and "set group ID upon execution", respectively) are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group respectively and to change behaviour in directories. They are often used to allow users on a computer system to run programs with temporarily elevated privileges in order to perform a specific task. The setuid and setgid flags, when set on a directory, have an entirely different meaning. Setting the setgid permission on a directory (chmod g+s) causes new files and subdirectories created within it to inherit its group ID, rather than the primary group ID of the user who created the file (the owner ID is never affected, only the group ID). Newly created subdirectories inherit the setgid bit. Thus, this enables a shared workspace for a group without the inconvenience of requiring group members to explicitly change their current group before creating new files or directories. Note that setting the setgid permission on a directory only affects the group ID of new files and subdirectories created after the setgid bit is set, and is not applied to existing entities. Setting the setgid bit on existing subdirectories must be done manually, with a command such as the following:

[root@foo]# find /path/to/directory -type d -exec chmod g+s {} \;

The setuid permission set on a directory is ignored on UNIX and Linux systems. FreeBSD can be configured to interpret it analogously to setgid, namely, to force all files and sub-directories to be owned by the top directory owner.

1.2.1 setuid permission

setuid can be set so that a file runs with the permissions of its owner. The setuid attribute is shown in the third character of the user (owner) permission group. If that character is "s", the owner has execute permission on the file and the file also has the setuid bit. If it is "S", the owner does not have execute permission but the file has the setuid bit (as the following shows, setuid without execute permission makes no sense). The setuid permission lets a user execute the file with the permissions of the file's owner, even when the file is run by some other user.

The following example shows what the setuid permission means. Linux passwords are usually stored in the files "/etc/passwd" and "/etc/shadow". These two files are critical to system security, so only the root user may read and write them. Log on to the system as an administrator and run "ls -l /etc/passwd /etc/shadow" at a Linux prompt; the output shows that normal users do not have write permission on these two files. Therefore, judging from the file attributes alone, it should be impossible for a common user changing his or her password to write the new password into these files. How, then, can the password be changed? The key to the problem is not the password files but the password-changing command "passwd". Run "ls -l /usr/bin/passwd" at the prompt: an "s" is displayed in the execute position of the file owner, indicating that the "passwd" command has the setuid bit set and that its owner is root. When a common user executes the "passwd" command, it actually runs with the effective user root and has root's permissions (including permission to read and write the passwd and shadow files), so it can write the new password into "/etc/passwd" and "/etc/shadow"; as soon as the command finishes, that temporary identity disappears. In this way, thanks to the setuid permission, a common user obtains the same permissions as root while executing the passwd program (and can read and write the files passwd and shadow), and so can use the passwd tool to change his or her own password.

1.2.2 setgid permission

The setgid permission is similar to the setuid permission. It lets a user execute a file with the permissions of the file owner's group. The setgid attribute is shown in the third character of the user group permission group. If that character is "s", the group has execute permission on the file and the file also has the setgid bit. If it is "S", the group does not have execute permission but the file has the setgid bit (again, setgid without execute permission makes no sense). The setgid permission lets a user execute the file with the permissions of the group that owns it, even when the file is run by some other user.

1.2.3 sticky bit

Wikipedia describes the sticky bit as follows: In computing, the sticky bit is a user ownership access-right flag that can be assigned to files and directories on Unix systems. The most common use of the sticky bit today is on directories. When the sticky bit is set, only the item's owner, the directory's owner, or the superuser can rename or delete files. Without the sticky bit set, any user with write and execute permissions for the directory can rename or delete contained files, regardless of owner. Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users' files. This feature was introduced in 4.3BSD in 1986 and today it is found in most modern Unix systems.

In other words, after the sticky bit is set on a directory, even though other users have write permission on the directory, only the owner of a file stored there can delete or move it. The sticky bit is shown in the execute position of the other-users permission group as "t" or "T": "t" means that both execute permission and the sticky bit are set; "T" means that only the sticky bit is set and execute permission is not.

2. Managing file permissions

2.1 Setting basic permissions

2.1.1 Symbolic form. You can use "chmod u=rwx,g=rw,o=r filename" to set the basic permissions of a file in symbolic (mnemonic) form. "u" stands for the user (owner), "g" for the group the file belongs to, and "o" for other users. To add permissions, use "chmod a+x filename" (add execute permission for all users) or "chmod o+x filename" (add execute permission for other users). To remove permissions, use "chmod a-x filename" (remove execute permission for all users).

2.1.2 Octal form. You can also set the basic permissions of an object in octal form. The read, write and execute permissions each correspond to a unique octal value: r (4), w (2) and x (1). Adding the values of the permissions in a group gives the required combination: rwx (4 + 2 + 1 = 7), rw- (4 + 2 = 6), r-x (4 + 1 = 5). Therefore the command "chmod 765 filename" sets the permissions rwxrw-r-x in octal form.

2.2 Setting setuid, setgid and the sticky bit

2.2.1 Symbolic form:

chmod u+s temp     -- add the setuid flag to the file temp
chmod g+s tempdir  -- add the setgid flag to the directory tempdir
chmod o+t temp     -- add the sticky flag to the file temp

2.2.2 Octal form. The permissions of a regular file are written as three octal digits, for example 666, 777 or 644. To set the special bits, a further octal digit is prefixed to this group, for example 4666 or 2777. The leading digit is the sum of the following values:

4 -- setuid bit
2 -- setgid bit
1 -- sticky bit

After these bits are set, "ls -l" shows the flags in the original execute positions: for example, "rwsrw-r--" indicates the setuid flag, "rwxrwsrw-" indicates the setgid flag, and "rwxrw-rwt" indicates the sticky flag. For setuid, setgid and the sticky bit, if the corresponding execute permission is also set, the flag is displayed as a lowercase letter (s, s, t); if the execute permission is not set, it is displayed as an uppercase letter (S, S, T).

3. Summary

File permissions exist for both security and convenience. Understanding what each permission means makes Linux easier to use and prevents the security problems that careless file permission management causes. Take care when setting file permissions, especially the setuid, setgid and sticky bits.
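As an added example (not part of the original article), the following Python helper converts the nine-character field printed by "ls -l" into the numeric mode described in sections 1.2 and 2.2, and back again, treating s/S and t/T exactly as the text explains; the function names and the sample fields are my own.

```python
import stat

# Bit values of the nine rwx positions, in the order ls -l prints them.
_BASE_BITS = (
    stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
    stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
    stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH,
)
# The three execute slots (positions 2, 5, 8) also carry setuid, setgid and sticky.
_SPECIAL = {2: (stat.S_ISUID, "s"), 5: (stat.S_ISGID, "s"), 8: (stat.S_ISVTX, "t")}


def parse_mode_string(text: str) -> int:
    """Convert the permission field of an ls -l line (with or without the leading
    type character) into a numeric mode, e.g. 'rwsr-xr-x' -> 0o4755."""
    perms = text[-9:]
    if len(perms) != 9:
        raise ValueError(f"expected a 9-character rwx field, got {text!r}")
    mode = 0
    for i, ch in enumerate(perms):
        if ch == "-":
            continue
        if i in _SPECIAL:
            special_bit, letter = _SPECIAL[i]
            if ch in (letter, letter.upper()):
                mode |= special_bit
                if ch == letter:  # lowercase means the execute bit is set too
                    mode |= _BASE_BITS[i]
                continue
        if ch != "rwx"[i % 3]:
            raise ValueError(f"unexpected {ch!r} at position {i} in {text!r}")
        mode |= _BASE_BITS[i]
    return mode


def format_mode(mode: int) -> str:
    """Inverse of parse_mode_string: numeric mode -> nine-character field,
    using s/S and t/T as ls -l does (e.g. 0o1644 -> 'rw-r--r-T')."""
    out = []
    for i, bit in enumerate(_BASE_BITS):
        base_set = bool(mode & bit)
        if i in _SPECIAL and mode & _SPECIAL[i][0]:
            letter = _SPECIAL[i][1]
            out.append(letter if base_set else letter.upper())
        else:
            out.append("rwx"[i % 3] if base_set else "-")
    return "".join(out)


# Constructed sample fields, matching the forms discussed in sections 1.2 and 2.2.
SAMPLES = {"rwsr-xr-x": 0o4755, "rwxrwsrw-": 0o2776, "rwxrw-rwt": 0o1767, "rw-r--r-T": 0o1644}
```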
