Default permissions and Hidden permissions (files, directories) in Linux

Source: Internet
Author: User

A file (or directory) has several properties: the basic permission bits (r/w/x) and the type field, which marks it as a directory (d), a regular file (-) or a link (l). In addition, Linux can set further system security attributes, which are set with chattr and viewed with lsattr. The most important of these makes a file non-modifiable, so that even the file's owner cannot change it. This attribute is quite important, especially in security mechanisms.


File default permissions: umask

When a new file or directory is created, its default permissions are determined by umask: umask specifies the default permission value applied when the current user creates a file or directory. So how do you view and set umask?

There are two ways to view it: enter umask on its own to see the permissions to be masked in numeric form, or add the -S (symbolic) parameter to display them in symbolic form.

The default permissions differ between directories and files. Because we do not want newly created files to be executable, a file has no execute (x) permission by default. So:

1. If the user creates a "file", it has no execute (x) permission by default, only r and w, so the maximum is 666, giving the default attribute -rw-rw-rw-;

2. If the user creates a "directory", then because x governs whether the directory can be entered, all permissions are open by default, that is, 777, giving the default attribute drwxrwxrwx.


umask specifies the permissions that are to be removed from the default value. Because r/w/x are 4/2/1 respectively, to remove write permission enter 2, to remove read permission enter 4, and to remove both read and write enter 6. So with umask 0022, the w permission (2) is removed from group and others, and when the user:

1. creates a file: (-rw-rw-rw-) - (-----w--w-) => -rw-r--r--

2. creates a directory: (drwxrwxrwx) - (d----w--w-) => drwxr-xr-x

If we only want to remove the group's w permission, that is, we want newly written files to have -rw-rw-r-- permissions, then umask should be 002. Enter umask 002 to set it.


By default, root's umask removes more: it is 022, for security reasons. Ordinary users typically have a umask of 002, which retains write access for members of the same user group.
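As an added example (not part of the original article), the following shell function applies a umask to the 666/777 creation defaults described above and prints the resulting symbolic mode; it takes the umask from its argument rather than from the current shell.

```shell
# Added example: compute the permission string that results from a umask.
# A file starts from 666 (rw-rw-rw-) and a directory from 777 (rwxrwxrwx);
# each umask digit is then cleared from the matching digit (base & ~mask).

# perm_string DIGIT: one octal digit -> three-character rwx triplet
perm_string() {
    case "$1" in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) return 1 ;;
    esac
}

# apply_umask UMASK KIND: KIND is "file" or "dir"; UMASK may be 22, 022 or 0022.
# Prints the mode the way ls -l shows it, e.g. apply_umask 022 file -> -rw-r--r--
apply_umask() {
    if [ "$2" = dir ]; then base=7; lead=d; else base=6; lead=-; fi
    mask=000$1
    mask=${mask#"${mask%???}"}            # keep only the last three octal digits
    mu=${mask%??}                         # user digit
    mg=${mask#?}; mg=${mg%?}              # group digit
    mo=${mask#??}                         # others digit
    case "$mu$mg$mo" in *[!0-7]*) echo "invalid umask: $1" >&2; return 1 ;; esac
    printf '%s%s%s%s\n' "$lead" \
        "$(perm_string $(( base & ~mu & 7 )))" \
        "$(perm_string $(( base & ~mg & 7 )))" \
        "$(perm_string $(( base & ~mo & 7 )))"
}

# The two cases worked through in the text, plus the ordinary-user default:
apply_umask 022 file    # -rw-r--r--
apply_umask 022 dir     # drwxr-xr-x
apply_umask 002 file    # -rw-rw-r--
```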

File hidden attributes

Files have hidden attributes, and these attributes are very helpful to the system, especially for system security.

1. chattr (set hidden file attributes)

Of these attributes, the most commonly set are a and i, and setting them requires root.

This command is important, especially for the security of the system. Because these attributes are hidden, you need lsattr to view them. The most important is the +i attribute, which prevents a file from being changed. For a log file, +a is the more appropriate parameter: data can be appended, but the existing data cannot be modified or deleted.

2. lsattr (show hidden file attributes)


After setting attributes with chattr, use lsattr to view them.
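An added example (not from the original article) of how a defender might audit lsattr output for the i and a attributes just described. The sample lsattr lines and the baseline list are constructed, not taken from a real system; only the letters in the attribute field matter, since their column positions vary between e2fsprogs versions.

```shell
# Added example: find files carrying the immutable (i) or append-only (a)
# attribute in lsattr output, and flag any that are not on a known baseline.

# Constructed sample of `lsattr` output (not from a real system). lsattr
# prints the attribute field, a space, then the path.
SAMPLE_LSATTR='----i---------e------- /etc/passwd
-----a--------e------- /var/log/auth.log
--------------e------- /etc/hostname
----i---------e------- /tmp/.cache-example'

# Constructed baseline: paths the administrator deliberately protected.
BASELINE='/etc/passwd
/var/log/auth.log'

# flagged_files: read lsattr lines on stdin, print "<attribute> <path>" for
# every entry with a lowercase i (immutable) or a (append-only). The match is
# case-sensitive on purpose: uppercase A, I and E mean other things in lsattr.
flagged_files() {
    while read -r attrs path; do
        [ -n "$path" ] || continue
        case "$attrs" in *i*) printf 'immutable %s\n' "$path" ;; esac
        case "$attrs" in *a*) printf 'append-only %s\n' "$path" ;; esac
    done
}

# unexpected_flags: like flagged_files, but drop paths listed in BASELINE,
# leaving only attributes nobody accounted for.
unexpected_flags() {
    flagged_files | while read -r attr path; do
        printf '%s\n' "$BASELINE" | grep -Fxq -- "$path" || printf '%s %s\n' "$attr" "$path"
    done
}

printf '%s\n' "$SAMPLE_LSATTR" | unexpected_flags   # immutable /tmp/.cache-example
```

On a live system the same functions take `lsattr -R` output piped in; an immutable file outside the baseline is worth explaining, since the flag survives ordinary permission changes and is only visible through lsattr.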


File special permissions: SUID/SGID/sticky bit

1. Set UID

The s and t permissions exist so that an ordinary user can temporarily hold the permissions of a program's owner while executing certain programs. For example, the account and password files are /etc/passwd and /etc/shadow, both owned by root, and only root is permitted to write to them. Yet when an ordinary user, webgod, updates their password with the /usr/bin/passwd program, the update succeeds, even though the owner of /usr/bin/passwd is root. Does that mean the ordinary user webgod can access the /etc/shadow password file? This works because of the s permission. When s sits in the user's x position (look at the attributes of /usr/bin/passwd: -rwsr-xr-x), it is called set UID, SUID for short: the program (/usr/bin/passwd) runs with the ID of its owner (root). So when webgod executes /usr/bin/passwd, he temporarily gains the permissions of the file owner, root.

Note: SUID is effective only on binary files, and has no effect on directories.

2. Set GID

If the s permission is in the user group position, it is set GID, SGID for short. SGID can be used in two ways:

1. File: if SGID is set on a binary file, then whoever executes it, the effective user group during execution becomes the group that owns the program;

2. Directory: if SGID is set on a directory, files or directories created within that directory take the user group of the directory.

3. Sticky Bit

SBIT is generally used on directories; it has little meaning on files. Its effect on a directory is: in a directory with SBIT set, if a user has w and x permission on the directory, then files or directories that user creates there can be deleted only by their owner and root. SBIT can be understood as an anti-delete bit. If you want users to be able to add files but not delete each other's files, set SBIT on the directory. When this bit is set, a file cannot be deleted by other users even if they have write access to the file's parent directory.

4. Suid/sgid/sbit Permission Settings

Changing permissions with numbers normally uses a combination of 3 digits; if you put a fourth digit in front of these 3, that first digit represents a combination of the special attributes: 4 is SUID, 2 is SGID, and 1 is the sticky bit.

The system stipulates that if the corresponding position also has x, these special flags are shown as lowercase letters (s/s/t); otherwise they are shown as uppercase letters (S/S/T).
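As an added example (not part of the original), this shell function renders a 4-digit numeric mode as the symbolic string ls -l would show, applying the lowercase/uppercase rule above so that a special bit set without the underlying x shows up as S or T.

```shell
# Added example: decode a 4-digit octal mode (special bits + rwx) into the
# symbolic string ls -l shows. The leading digit is 4 = SUID, 2 = SGID,
# 1 = sticky bit; a special bit replaces the x of its triplet with s/t when
# x is present and with S/T when it is not (the uppercase form is the odd one
# worth looking for, since it means "special bit set but not executable").

# perm_string DIGIT: one octal digit -> three-character rwx triplet
perm_string() {
    case "$1" in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) return 1 ;;
    esac
}

# mark_special TRIPLET LETTER: put LETTER (s or t) in the x position,
# lowercase if x was set, uppercase otherwise.
mark_special() {
    case "$1" in
        *x) printf '%s%s' "${1%?}" "$2" ;;
        *)  printf '%s%s' "${1%?}" "$(printf '%s' "$2" | tr 'st' 'ST')" ;;
    esac
}

# mode_to_symbolic MODE: MODE is 1 to 4 octal digits, e.g. 4755 -> rwsr-xr-x
mode_to_symbolic() {
    mode=0000$1
    mode=${mode#"${mode%????}"}            # keep the last four digits
    case "$mode" in *[!0-7]*) echo "invalid mode: $1" >&2; return 1 ;; esac
    sp=${mode%???}                          # special-bit digit
    rest=${mode#?}                          # the usual rwx digits
    u=$(perm_string "${rest%??}")
    g=${rest#?}; g=$(perm_string "${g%?}")
    o=$(perm_string "${rest#??}")
    [ $(( sp & 4 )) -eq 0 ] || u=$(mark_special "$u" s)
    [ $(( sp & 2 )) -eq 0 ] || g=$(mark_special "$g" s)
    [ $(( sp & 1 )) -eq 0 ] || o=$(mark_special "$o" t)
    printf '%s%s%s\n' "$u" "$g" "$o"
}

mode_to_symbolic 4755   # rwsr-xr-x  (/usr/bin/passwd in the text)
mode_to_symbolic 4644   # rwSr--r--  (SUID without execute: the uppercase case)
mode_to_symbolic 1777   # rwxrwxrwt  (a sticky, world-writable directory)
```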

