Default permissions and hidden permissions for Linux files and directories: umask, chattr, lsattr, SUID, SGID, sbit, file

Source: Internet
Author: User

File default permissions: umask

[root@www ~]# umask
0022             <== the permission bits are the last three digits!
[root@www ~]# umask -S
u=rwx,g=rx,o=rx

The defaults are as follows:

If the user creates a "file", it gets no execute (x) permission by default, only r and w, so the most it can have is 666; the default permissions are:
-rw-rw-rw-

If the user creates a "directory", x governs whether the directory can be entered, so all permissions are open by default, a maximum of 777; the default permissions are:
drwxrwxrwx


[root@www ~]# umask
0022
[root@www ~]# touch test1
[root@www ~]# mkdir test2
[root@www ~]# ll
-rw-r--r--  1 root root    0 Sep 00:25 test1
drwxr-xr-x  2 root root 4096 Sep 00:25 test2

Using umask, and why it matters

[root@www ~]# umask 002
[root@www ~]# touch test3
[root@www ~]# mkdir test4
[root@www ~]# ll
-rw-rw-r--  1 root root    0 Sep 00:36 test3
drwxrwxr-x  2 root root 4096 Sep 00:36 test4

By default root's umask takes away more bits: root's default umask is 022, chosen on security grounds, so that neither the group nor other users get write permission on anything root creates. Ordinary users usually have a umask of 002, which keeps write permission for the owner's group.

Note that the umask is a bit mask, not a number to subtract. The resulting mode is 666 (file) or 777 (directory) with the umask bits cleared, i.e. mode & ~umask. With umask 003 a new file therefore gets 664, not 663, because the x bit was never present to begin with.
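As an added example (not code from the original article), the following POSIX sh script computes the mode that touch and mkdir produce under a given umask with the bitwise rule above, and then applies a umask in a scratch directory so the computed values can be compared with what the filesystem actually reports. The function names default_mode and demo_umask are this example's own; it assumes GNU stat (with BSD stat as a fallback).

```sh
#!/bin/sh
# Added example: default file/directory modes under a umask.
# The umask is applied bitwise (mode & ~umask); it is not decimal subtraction.

# default_mode BASE UMASK
#   BASE is the octal starting mode: 666 for a plain file, 777 for a directory.
#   UMASK is the octal umask (e.g. 022). Prints the resulting mode in octal.
default_mode() {
    base=$((0$1))          # leading 0 makes the shell read the string as octal
    mask=$((0$2))
    printf '%03o\n' $(( base & ~mask ))
}

# demo_umask UMASK
#   Sets the umask in a scratch directory, creates one file and one directory,
#   and prints the modes the kernel actually assigned (file first, then directory).
demo_umask() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        umask "$1"
        touch f
        mkdir d
        # GNU stat prints the octal mode with %a; BSD/macOS stat uses %Lp
        stat -c '%a' f d 2>/dev/null || stat -f '%Lp' f d
    )
    rm -rf "$tmp"
}

# Usage: compare the computed defaults with the real ones for the two umasks in the text
for m in 022 002 003; do
    echo "umask $m: computed file $(default_mode 666 "$m"), dir $(default_mode 777 "$m")"
    echo "umask $m: observed   $(demo_umask "$m" | tr '\n' ' ')"
done
```

The 003 case is the one worth remembering: the computed and observed file mode is 664, because clearing an x bit that was never set changes nothing.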


chattr (configure hidden file attributes)

[root@www ~]# chattr [+-=][AacdijsSu] file_or_directory
Options and parameters:
+ : add the given attribute(s); attributes already present are left unchanged.
- : remove the given attribute(s); attributes already present are left unchanged.
= : set exactly the given attribute(s), and only those.
A : with A set, accessing the file (or directory) does not update its access time (atime). This avoids extra disk I/O on a machine with slow disks.
S : ordinary files are written to disk asynchronously (see the discussion of sync in chapter five); with S set, every modification is written to the disk "synchronously".
a : with a set, data can only be appended to the file; it can no longer be deleted or modified. Only root can set this attribute.
c : with c set, the file is "compressed" automatically: it is compressed before being stored and decompressed transparently when read (handy for large files).
d : with d set, the dump program skips the file (or directory) when backing up.
i : i is very powerful! It makes a file "impossible to delete, rename, link to, write to or append to". A great help for system security! Only root can set this attribute.
s : with s set, if the file is deleted it is wiped completely from the disk, so an accidental deletion cannot be recovered.
u : the opposite of s: with u set, if the file is deleted its data is still on the disk, so the file can be rescued.

Note: the attributes used most often are a and i, and many attributes can only be set by root. More precisely, setting or clearing a and i requires the CAP_LINUX_IMMUTABLE capability, which is why even root's rm fails on an immutable file but root's chattr -i still succeeds. Two caveats follow from that: i and a protect against mistakes and against attackers who have not obtained root, not against an attacker who already has root (who can simply run chattr -i); and the c, s and u attributes are not honored by the ext2/ext3/ext4 drivers in mainline Linux kernels, so do not rely on them.

Example: create a file under /tmp, add the i attribute, and then try to delete it.
[root@www ~]# cd /tmp
[root@www tmp]# touch attrtest          <== create an empty file
[root@www tmp]# chattr +i attrtest      <== give it the i attribute
[root@www tmp]# rm attrtest             <== try to remove it and see
rm: remove write-protected regular empty file 'attrtest'? y
rm: cannot remove 'attrtest': Operation not permitted   <== operation not permitted
# See that? Even root cannot delete this file! Release the attribute quickly!
Example: cancel the i attribute of the file!
[root@www tmp]# chattr -i attrtest

lsattr (show hidden file attributes)

[root@www ~]# lsattr [-adR] file_or_directory
Options and parameters:
-a : list all files, including hidden ones (names starting with a dot)
-d : for a directory, list the directory itself rather than its contents
-R : list recursively into subdirectories

[root@www tmp]# chattr +aij attrtest
[root@www tmp]# lsattr attrtest
----ia---j--- attrtest
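Since a and i are the attributes that matter for security, the check a practitioner wants is "which files on this box carry them". The script below is an added example, not code from the original article: filter_locked reads lsattr output (one line per file, attribute field first, as shown above) and keeps the entries with a or i; audit_attrs feeds it lsattr -R for a directory. The function names and the sample lsattr lines are this example's own construction; it assumes the e2fsprogs lsattr is installed.

```sh
#!/bin/sh
# Added example: find files that carry the append-only (a) or immutable (i) attribute.
# Lines from lsattr look like "----ia---j--- /tmp/attrtest"; "lsattr -R" also emits
# directory headers such as "/tmp:" and blank lines, which have no path field.

# has_attr FLAGS FLAG: succeeds when the single-letter FLAG appears in the attribute field
has_attr() {
    case $1 in
        *"$2"*) return 0 ;;
    esac
    return 1
}

# filter_locked: read lsattr lines on stdin, print those whose attribute field contains a or i
filter_locked() {
    while IFS= read -r line; do
        flags=${line%% *}            # text up to the first space
        path=${line#* }              # text after the first space (may contain spaces)
        [ "$path" != "$line" ] || continue   # no space at all: header or blank line, skip
        if has_attr "$flags" a || has_attr "$flags" i; then
            printf '%s\n' "$line"
        fi
    done
}

# audit_attrs DIR: recursively list a/i-protected files under DIR
audit_attrs() {
    lsattr -R -- "$1" 2>/dev/null | filter_locked
}

# Usage with constructed sample lines (what lsattr -R prints for a directory with one
# immutable+append-only file and one plain file):
printf '%s\n' '/tmp:' '----ia---j--- /tmp/attrtest' '------------- /tmp/plain' '' | filter_locked

# Usage on a real tree (needs lsattr; only root can have set a or i in the first place):
# audit_attrs /etc
```

The attribute field is matched case-sensitively on purpose: lsattr also prints an uppercase A (no atime updates) and I (indexed directory), which must not be mistaken for a and i.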

Set UID (SUID)

Basically SUID has these limits and functions:

SUID is only meaningful on binary programs (the Linux kernel ignores it on scripts, and the nosuid mount option disables it for an entire filesystem);
the person running the program must have execute (x) permission on it;
the permission is only in effect while the program is running (run time);
while it runs, the process has the permissions of the program's owner.

Because a SUID root binary runs with root's privileges for anyone allowed to execute it, every such binary is a potential privilege-escalation path: keep the set small and audit it regularly.


Set GID (SGID)

Unlike SUID, SGID can be set on files or on directories. On a file, SGID works as follows:

SGID is only meaningful on binary programs;
the person running the program must have x permission on it;
while it runs, the process has the permissions of the program's group.


When a directory has SGID set, it has these features:

a user who has r and x permission on the directory can enter it;
the user's effective group while working in that directory becomes the directory's group;
purpose: if the user also has w permission (can create files), the files they create get the directory's group instead of the user's primary group, and subdirectories created there inherit the SGID bit as well. This is how a shared project directory keeps every member's files readable by the whole group.


SUID/SGID/SBIT permission configuration

SBIT (the sticky bit) is only meaningful on directories: in a directory with SBIT set, such as /tmp, users with w and x permission may create files, but may only delete or rename the files they own (the directory owner and root excepted). In numeric mode the three special bits are a fourth digit in front of the usual three: 4 for SUID, 2 for SGID, 1 for SBIT.

[root@www ~]# cd /tmp
[root@www tmp]# touch test                  <== create an empty test file
[root@www tmp]# chmod 4755 test; ls -l test <== add SUID
-rwsr-xr-x 1 root root 0 Sep 03:06 test
[root@www tmp]# chmod 6755 test; ls -l test <== add SUID and SGID
-rwsr-sr-x 1 root root 0 Sep 03:06 test
[root@www tmp]# chmod 1755 test; ls -l test <== add SBIT
-rwxr-xr-t 1 root root 0 Sep 03:06 test
[root@www tmp]# chmod 7666 test; ls -l test <== "empty" SUID/SGID/SBIT
-rwSrwSrwT 1 root root 0 Sep 03:06 test

In the last case the s and t show up as uppercase S and T: the special bit is set, but the x bit it depends on is not, so the bit has no effect. Watch for that when reading ls output.

# Configure the permissions to become -rws--x--x:
[root@www tmp]# chmod u=rwxs,go=x test; ls -l test
-rws--x--x 1 root root 0 23:47 test
# Then add SGID and SBIT to the permissions above!
[root@www tmp]# chmod g+s,o+t test; ls -l test
-rws--s--t 1 root root 0 23:47 test
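To make the SUID/SGID/SBIT sections above and the ls -l output in this section concrete, here is an added example (not code from the original article) in POSIX sh. decode_mode reads a 10-character ls -l mode string and reports which special bits are set, separating an effective bit (lowercase s/t, x is also set) from an "empty" one (uppercase S/T, no x, so no effect); find_setid_files is the audit the SUID section calls for, listing regular files under a directory that carry SUID or SGID. Both function names and the scratch files created in the usage part are this example's own.

```sh
#!/bin/sh
# Added example: decode special permission bits from ls -l output, and audit a
# directory tree for SUID/SGID files.

# decode_mode MODESTRING
#   MODESTRING is the first field of ls -l, e.g. -rwsr-xr-x.
#   Character 4 is the owner x slot (s/S = SUID), character 7 the group x slot
#   (s/S = SGID), character 10 the other x slot (t/T = sticky bit).
#   Prints the bits found, or "none".
decode_mode() {
    mode=$1
    out=""
    case $(printf '%s' "$mode" | cut -c4) in
        s) out="$out SUID" ;;
        S) out="$out SUID(no-x,ineffective)" ;;
    esac
    case $(printf '%s' "$mode" | cut -c7) in
        s) out="$out SGID" ;;
        S) out="$out SGID(no-x,ineffective)" ;;
    esac
    case $(printf '%s' "$mode" | cut -c10) in
        t) out="$out SBIT" ;;
        T) out="$out SBIT(no-x,ineffective)" ;;
    esac
    out=${out# }                       # drop the leading space
    printf '%s\n' "${out:-none}"
}

# find_setid_files DIR
#   Lists regular files under DIR with the SUID (-perm -4000) or SGID (-perm -2000)
#   bit set, staying on one filesystem (-xdev). Output is sorted for stable comparison.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Usage: decode the mode strings from the chmod session above
for m in -rwsr-xr-x -rwsr-sr-x -rwxr-xr-t -rwSrwSrwT -rws--s--t; do
    echo "$m -> $(decode_mode "$m")"
done

# Usage: audit a scratch tree containing one SUID file and one plain file
scratch=$(mktemp -d)
touch "$scratch/suid_bin" "$scratch/plain"
chmod 4755 "$scratch/suid_bin"       # owner may set SUID on their own file
chmod 755  "$scratch/plain"
echo "set-id files under $scratch:"
find_setid_files "$scratch"
rm -rf "$scratch"

# On a real system: find_setid_files / ; every SUID root entry deserves a reason to exist
```

find with -perm -4000 matches any file whose mode includes the SUID bit regardless of the other bits, which is exactly the audit question; -perm 4755 would only match that exact mode and miss, say, a 4711 binary.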



Copyright notice: this article is the blogger's original work; do not reproduce it without the blogger's permission.
