File permissions under Linux

Source: Internet
Author: User
Tags: file permissions

Properties of the file

Types of files under Linux
    • -: regular file
    • d: directory
    • b: block device
    • c: character device
    • l: symbolic link
    • p: named pipe (FIFO)
    • s: socket
      ......

In the file permission string, the first character is the type of the file. The following nine characters are divided into three groups: the file owner, the owning group, and others.
Each group consists of three positions, rwx, where r stands for readable (read), w for writable (write), and x for executable (execute).
The position of each of the three permissions never changes; where a permission is absent, a minus sign appears in its place.

    • File owner: because Linux is a multi-tasking system, everyone has their own private data that they do not want others to see, so the role of the file owner is very important.
    • Owning group: a collection of multiple users.

    • Others: neither the owner nor a member of the owning group.
Permissions on files under Linux
For a binary file, r and w carry little meaning, but x is very dangerous. For an ordinary file, the permissions apply to the file's contents.

r: can read the contents of the file. The contents can also be copied, but the directory they are copied into must grant w and x.

w: can edit the contents of the file. Deleting, moving, renaming, and creating a file is not decided by the file itself; it is decided by the w and x permissions of the directory the file resides in (because a directory is the list that maps file names to inode numbers).

x: can execute the file. x is very dangerous on files, especially executable programs, and is meaningless for text files.

Permissions for the directory
For a directory, the permissions apply to the list of file names it contains.

r: can read the list of file names in the directory, but cannot read the attributes of those files.

w: can use mv, cp, rm, mkdir and touch to change the file names in this directory, provided x is also granted.

x: can enter this directory and make it the working directory (cd).
w without x: cannot delete, move, or change files.

X (capital, in chmod): grants x only to directories, and to files that already have x for some user; a file without any x bit does not receive one.

Order of permission acquisition

Order in which permissions are checked: first see whether you are the owner, then whether you belong to the owning group, and finally whether you fall under others. Once one of these classes matches, the later ones are not consulted.
For an ordinary user, access to the resource is denied unless the matching class grants it.
Read and write permissions do not restrict the root user, but x permissions do.
Note that for root, even if the class that matches root lacks x, root can still execute the file as long as any of the three permission classes has x. This does not apply to ordinary users.

The owner and owning group of a file
    • Modify the owner of the file: chown
      chown [OPTION]... [OWNER][:[GROUP]] FILE...
      Usage:
      OWNER
      OWNER:GROUP
      The colon in the command can be replaced by a dot.
      -R: recursive

    • Modify the owning group of the file: chgrp
      chgrp [OPTION]... GROUP FILE...
      chgrp [OPTION]... --reference=RFILE FILE...
      -R: recursive

      An ordinary user may change the group of a file they own, provided they are a member of the new group.

      • Modify the permissions of the file: chmod
        chmod [OPTION]... OCTAL-MODE FILE...
        -R: recursively modify permissions
        chmod [OPTION]... MODE[,MODE]... FILE...
        MODE:
        To replace all permissions of a class of users:
        u= g= o= ug= a= u=,g=
        To add or remove one or more permission bits of a class of users:
        u+ u- g+ g- o+ o- a+ a- (and a bare + or -)
        chmod [OPTION]... --reference=RFILE FILE...
        Takes the permissions of RFILE and sets FILE to the same permissions. Only the permission bits are changed.

The permissions described above are a feature of the file system, not of Linux itself: they are supported by the ext series of file systems commonly used on Linux and by XFS on CentOS 7.

Default permissions and umask for new files and directories
The default umask of the root user is 022; the default umask of an ordinary user is 002.

umask takes away permissions, so an appropriate umask helps keep the system secure, because it determines the default permissions of newly created directories and files.

For a directory:
default = 777 - umask

For a file:
default = 666 - umask, then check the result:
if a digit of the result is odd, add 1 to it; even digits stay unchanged.

    • Non-privileged user umask is 002
    • Root umask is 022
    • umask: view the current value
    • umask ###: set the value
    • umask 002
    • umask -S: display in symbolic mode
    • umask -p: print in a form that can be reused as a command
    • Global settings: /etc/bashrc; per-user settings: ~/.bashrc
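As an added example (not code from the original page), the following Python computes the default mode a new file or directory gets under a given umask the way the kernel does (base mode with the umask bits cleared) and checks that the page's digit-wise "subtract, then add 1 to odd digits" rule gives the same answer for every umask:

```python
FILE_BASE = 0o666  # new regular files never get execute bits by default
DIR_BASE = 0o777   # new directories start from full permissions


def default_mode(umask, is_dir):
    """Kernel rule: the base mode ANDed with the complement of the umask."""
    base = DIR_BASE if is_dir else FILE_BASE
    return base & ~umask & 0o777


def subtract_heuristic(umask, is_dir):
    """The page's rule, applied one octal digit at a time (u, g, o).

    Directories: 777 - umask.  Files: 666 - umask, then add 1 to any odd
    digit, because an odd result means an x bit was "subtracted" from a
    class that never had it.  A digit that would go negative is clamped to 0.
    """
    base = 0o777 if is_dir else 0o666
    result = 0
    for shift in (6, 3, 0):
        digit = ((base >> shift) & 7) - ((umask >> shift) & 7)
        digit = max(digit, 0)
        if not is_dir and digit % 2 == 1:
            digit += 1
        result |= digit << shift
    return result


def rwx(mode):
    """Render the nine permission characters, e.g. 0o644 -> 'rw-r--r--'."""
    out = ""
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        out += ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")
    return out


def heuristic_matches_kernel():
    """True if the digit-wise rule agrees with the kernel for all 512 umask values."""
    return all(subtract_heuristic(u, d) == default_mode(u, d)
               for u in range(0o1000) for d in (False, True))


if __name__ == "__main__":
    for umask in (0o022, 0o002, 0o027, 0o003):
        print(f"umask {umask:03o}: file {rwx(default_mode(umask, False))}  "
              f"dir {rwx(default_mode(umask, True))}")
    print("digit-wise rule matches the kernel:", heuristic_matches_kernel())
```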
Special permissions for files on Linux systems

SUID, SGID, Sticky
The three common permissions: r, w, x for user, group, other

Security context

A process has an owner and an owning group:
(1) Any executable program file can be started as a process, depending on whether the initiator has execute permission on the program file
(2) Once started as a process, the owner of the process is the initiator, and the group of the process is the initiator's group
(3) The permissions a process has to access a file depend on the initiator of the process:
(a) if the initiator of the process is the owner of the file, the file's owner permissions apply
(b) if the initiator of the process belongs to the file's owning group, the file's group permissions apply
(c) otherwise, the file's "other" permissions apply

SUID: user, occupies the owner's execute permission bit
    • s: owner has x permission
    • S: owner does not have x permission
    • SUID: denoted by the number 4.
      Applies only to binaries: the process inherits the permissions of the file's owner.
SGID: group, occupies the execute permission bit of the owning group
    • s: group has x permission
    • S: group does not have x permission
    • SGID: denoted by the number 2.
      1) On a binary, the process inherits the permissions of the file's owning group
      2) On a directory, new files created in that directory inherit the owning group of the directory.
Sticky: other, occupies the execute permission bit of other
    • t: other has x permission
    • T: other does not have x permission
    • Sticky: denoted by the number 1
    • Sticky: works on directories; files in such a directory can only be deleted by their owner and root.
      For ordinary users in this directory, you cannot overwrite others' files. To overwrite a file you must belong to the file's group or otherwise hold w permission on that file.
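The s/S and t/T display rules above, as an added example that is not part of the original page: a renderer and parser for the ten-character mode field that keeps the special bits, plus a helper that states what each set bit means on a file versus a directory (the text of those descriptions is the page's rules, restated).

```python
S_ISUID, S_ISGID, S_ISVTX = 0o4000, 0o2000, 0o1000

# (shift of the rwx triplet, special bit shown in its x slot, char if x set, char if x clear)
_CLASSES = ((6, S_ISUID, "s", "S"), (3, S_ISGID, "s", "S"), (0, S_ISVTX, "t", "T"))


def mode_to_string(mode, is_dir=False):
    """Render like ls -l: 0o4755 -> '-rwsr-xr-x', 0o4644 -> '-rwSr--r--'."""
    out = "d" if is_dir else "-"
    for shift, special, lower, upper in _CLASSES:
        bits = (mode >> shift) & 7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        if mode & special:
            out += lower if bits & 1 else upper   # s/t only when x is really set
        else:
            out += "x" if bits & 1 else "-"
    return out


def parse_mode_string(text):
    """Inverse of mode_to_string: returns (mode, is_dir)."""
    if len(text) != 10:
        raise ValueError("expected a 10-character mode field")
    mode = 0
    for (shift, special, lower, upper), i in zip(_CLASSES, (1, 4, 7)):
        r, w, x = text[i], text[i + 1], text[i + 2]
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        if x in ("x", lower):          # lowercase s/t implies the x bit
            mode |= 1 << shift
        if x in (lower, upper):        # either case means the special bit is set
            mode |= special
    return mode, text[0] == "d"


def special_bit_effects(mode, is_dir=False):
    """List the effect of each set special bit, per the rules above."""
    effects = []
    if mode & S_ISUID:
        effects.append("SUID: ignored on a directory" if is_dir
                       else "SUID: executes with the owner's identity")
    if mode & S_ISGID:
        effects.append("SGID: new files inherit the directory's group" if is_dir
                       else "SGID: executes with the owning group's identity")
    if mode & S_ISVTX:
        effects.append("sticky: only a file's owner (or root) may delete it" if is_dir
                       else "sticky: no effect on a regular file")
    return effects
```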
ACL: flexible permission management

Set ACL permissions: setfacl

View ACL permissions: getfacl

Syntax: setfacl [-bkRd] [-m|-x ACL entry] target file name

Options and parameters:

    • -m: set the ACL entries that follow; cannot be used together with -x

    • -M: set ACL entries read from a file

    • -x: remove the ACL entries that follow; cannot be used together with -m

    • -X: remove ACL entries read from a file

    • -b: remove all ACL entries

    • -k: remove default ACL entries

    • -R: set ACL entries recursively

    • -d: set default ACL entries; only valid on a directory
        ACL (access control list) provides flexible permission management: beyond the file's owner, group and others, permissions can be set for additional users. On CentOS 7, XFS and ext4 file systems created with the defaults have ACL support. On versions before CentOS 7, a manually created ext4 file system has no ACL support by default and it must be enabled by hand:
        tune2fs -o acl /dev/sdb1
        mount -o acl /dev/sdb1 /mnt/test

      ACL effective order: owner, named users, named groups, others
      Mask

    • Mask value: once an ACL is defined on a file or directory, the group permission shown for that file is the value of the mask, and changing the group permission with chmod changes the mask value
    • The mask only limits the maximum permissions of the users and groups other than the owner and other
    • The mask is ANDed with the user's or group's ACL permissions to produce the effective permission
    • The permissions set for a user or group must lie within the mask to take effect: setfacl -m mask::rx file
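To make the mask rules concrete, here is an added example (not from the original page) that parses getfacl-style output, ANDs each named user and group entry with mask:: to get its effective permission, and models the chmod gotcha described above: chmod on the group class rewrites mask::, not group::. The ACL text, user wang and group dev are constructed sample values.

```python
# Constructed getfacl output (not captured from a real system): the entry for
# user wang grants more than the mask allows, so its effective permission is r-x.
SAMPLE_ACL = """\
# file: file1
# owner: root
# group: root
user::rw-
user:wang:rwx
group::r--
group:dev:rw-
mask::r-x
other::r--
"""


def perm_bits(text):
    return (4 if "r" in text else 0) | (2 if "w" in text else 0) | (1 if "x" in text else 0)


def bits_perm(bits):
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def parse_acl(text):
    """Return [(tag, qualifier, bits), ...]; skips comment lines and default: entries."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops '# file:' headers and '#effective:' notes
        if not line or line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perm_bits(perms)))
    return entries


def effective_permissions(text):
    """user:: (owner) and other:: are never masked; named users, the owning group
    and named groups are ANDed with mask:: to give their effective permission."""
    entries = parse_acl(text)
    mask = next((b for t, _, b in entries if t == "mask"), 7)
    result = {}
    for tag, qualifier, bits in entries:
        if tag == "mask":
            continue
        if (tag == "user" and qualifier) or tag == "group":
            bits &= mask
        result[f"{tag}:{qualifier}" if qualifier else tag] = bits_perm(bits)
    return result


def chmod_group(text, perms):
    """Model 'chmod g=<perms>' on a file that has an ACL: mask:: changes, group:: does not."""
    lines = [f"mask::{bits_perm(perm_bits(perms))}" if ln.startswith("mask::") else ln
             for ln in text.splitlines()]
    return "\n".join(lines) + "\n"
```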

The --set option removes the original ACL entries and replaces them with the new ones. Note that you must include the u, g and o entries as well, rather than only adding entries as with -m.
Example:
setfacl --set u::rw,u:wang:rw,g::r,o::- file1
getfacl file1 | setfacl --set-file=- file2    copies the ACL permissions of file1 to file2

Backup and restore ACLs

    • The main file operation commands cp and mv both support ACLs, but cp needs the -p option. Common backup tools such as tar, however, do not preserve ACL information for directories and files.
      getfacl -R /tmp/dir1 > acl.txt
      setfacl -R -b /tmp/dir1
      setfacl -R --set-file=acl.txt /tmp/dir1
      setfacl --restore acl.txt
      getfacl -R /tmp/dir1
