Linux basic permissions and special permission management

Source: Internet
Author: User
Tags: chmod

Basic permissions (UGO)

U: the owning user; G: the owning group; O: other people

r (4): read; w (2): write; x (1): execute

For files:

- r (read): allows viewing the contents of the file

- w (write): allows modifying or deleting the contents of the file

- x (execute): whether the file can be executed

Whether a user can delete a file depends on whether the user has write permission on the directory where the file resides.

For directories:

- r (read): allows viewing the list of entries in the directory

- w (write): whether files in the directory can be deleted or renamed, their properties modified, and so on

- x (execute): allows entering the directory

For a directory to work normally, it should have at least r-x.

Modify Permissions

chmod modifies the permissions of a file. The -R option (recursive modification) changes the directory and all child objects in the directory.
Syntax:
Modify the permissions of one position (u, g or o) individually

chmod u-x filename    ---- remove the owner's access or execute permission

chmod [u|g|o|a][+|-|=][rwx] filename

# chmod g=rwx /shared/sysadmin
# chmod o=--- /share/sysadmin

File permission modification syntax
chmod [-R] <a|u|g|o><+|-|=><rwx-> /<path>/filename
chmod [-R] 755 /<path>/filename

# chmod 750 /home/harry
# chmod 510 /home/harry/test -R
# chmod 770 /shared/sysadmin

Modify file properties

chown: modifies the file's owner and owning group

Syntax format:
1: chown user:group /<path>/filename    ---- modify the user and the owning group
   chown user /<path>/filename          ---- modify the user only
   chown :group /<path>/filename        ---- modify the owning group only

2: chown user.group /<path>/filename    ---- modify the user and the owning group
   chown .group /<path>/filename        ---- modify the owning group only

-R option: recursive (everything in the directory is changed; otherwise only the directory itself is modified)

# chown harry:harry /root/Desktop/test        ---- modify user and group
drwxr-xrwx  2 harry harry   4096 7月  13 14:32 test
# chown root /root/Desktop/test               ---- modify user
drwxr-xrwx  2 root harry   4096 7月  13 14:32 test
# chown :root /root/Desktop/test              ---- modify group
drwxr-xrwx  2 root root    4096 7月  13 14:32 test
# chown .test /root/Desktop/test              ---- modify group

umask: default permissions (permission mask)

The default permissions of an object that a user creates are determined by the umask.

Root user: umask 0022
Normal user: umask 0002

The maximum default permission for a directory is 777

Default permissions when a normal user creates a directory: 777-002 = 775

Default permissions when the root user creates a directory: 777-022 = 755

The maximum default permission for a file is 666

Initial permissions of a file created by a normal user: 666-002 = 664

Initial permissions of a file created by the root user: 666-022 = 644

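
umask <permission value>: temporarily changes the umask in the current terminal
Edit ~/.bashrc: permanently changes the umask for the current user only
Edit /etc/bashrc: permanently changes the umask for all users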
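
The subtraction above gives the right answer for 022 and 002 because umask is really a bit mask: the bits set in the umask are cleared from 777 or 666. The following added example (not from the original page; the function names are illustrative and GNU stat is assumed) computes the result that way and checks it against objects actually created, including umask 033, where subtraction would give 633 but the real file mode is 644.

```shell
#!/bin/sh
# Added example (not from the original article); function names are illustrative.
# umask clears bits: effective = base & ~umask (base is 777 for dirs, 666 for files).

# effective_mode BASE UMASK -> prints the resulting mode in octal
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# created_mode file|dir UMASK -> creates the object under that umask in a
# throwaway directory and prints the mode it actually received
created_mode() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$2"
        if [ "$1" = dir ]; then mkdir "$tmp/obj"; else : > "$tmp/obj"; fi
        stat -c '%a' "$tmp/obj"      # GNU stat, as found on Linux
        rm -rf "$tmp"
    )
}

# Compare the computed value with the observed one for several umask values.
for mask in 022 002 033 077; do
    printf 'umask %s: file calc=%s real=%s  dir calc=%s real=%s\n' "$mask" \
        "$(effective_mode 666 "$mask")" "$(created_mode file "$mask")" \
        "$(effective_mode 777 "$mask")" "$(created_mode dir "$mask")"
done
```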

Special permissions

Setuid bit (SETUID), u+s, 4000: whoever runs the file temporarily holds the permissions of the file's owner. It acts on the owner position and is used for commands.

chmod u+s filename
chmod 4755 filename

# chmod u+s /sbin/shutdown
# ll /sbin/shutdown
-rwsr-xr-x. 1 root root 60400 5月  28 2013 /sbin/shutdown

Setgid bit (SETGID), g+s, 2000: any file or directory that anyone creates in this directory is forced to inherit the parent directory's owning group. It is used for directories.

chmod g+s /shared/sysadmin
chmod 2770 /shared/sysadmin
$ ll /shared/sysadmin/ -d
drwxrws---. 2 root sysadmin 4096 7月  13 12:19 /shared/sysadmin/

Sticky bit, o+t, 1000: used for public directories. Files under such a directory can be deleted only by root and by their creator.

chmod 777 /share/sysadmin
chmod o+t /share/sysadmin
chmod 1777 /share/sysadmin
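
An added example (not from the original page) that audits a directory tree for the three special bits described above and flags world-writable directories that lack the sticky bit. The sample tree is constructed with the article's own modes (4755, 2770, 777, 1777); `audit_special` and `make_sample_tree` are illustrative names, and GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example (not from the original article); names are illustrative.

# audit_special DIR -> one line per finding: "<kind> <octal mode> <path>"
audit_special() {
    # files that run with the owner's identity (u+s, 4000)
    find "$1" -xdev -type f -perm -4000 -exec stat -c 'setuid %a %n' {} +
    # files or directories carrying g+s (2000)
    find "$1" -xdev -perm -2000 -exec stat -c 'setgid %a %n' {} +
    # world-writable directories without o+t (1000): any user with write
    # access to the directory can delete files created by others
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec stat -c 'ww-nosticky %a %n' {} +
}

# make_sample_tree -> builds a constructed test tree and prints its path
make_sample_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/tool";   chmod 4755 "$d/tool"   # setuid file
    mkdir "$d/team"; chmod 2770 "$d/team"   # setgid shared directory
    mkdir "$d/drop"; chmod 777  "$d/drop"   # public directory, no sticky bit
    mkdir "$d/pub";  chmod 1777 "$d/pub"    # public directory with sticky bit
    printf '%s\n' "$d"
}

# Demo run on the constructed tree; point audit_special at a real path to audit it.
tree=$(make_sample_tree) && audit_special "$tree" && rm -rf "$tree"
```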

Access control list (ACL)

ACLs are used only when basic permissions, special permissions and default permissions cannot meet the requirement.

ACL is an abbreviation for Access Control List.

An ACL can set r, w, x for an individual user on an individual file or directory, which makes it suitable where special permission requirements exist.

getfacl: view the ACL permissions of a file or directory

setfacl: set the ACL permissions of a file or directory

Syntax: setfacl [-bkRd] [{-m|-x} acl_parameters] filename
Example: setfacl -R -m u:huangbing:rwx hb/    -- (-R must come before -m; it applies to all files under the directory)

Options:

  -m: set the ACL parameters that follow

  -x: remove the ACL parameters that follow

  -b: remove all ACL parameters

  -R: set ACL parameters recursively

  -d: set the default ACL parameters (valid only for a directory; new files in the directory also use them)

  -k: delete the default ACL parameters

Example: setfacl -x u:huangbing hb/    -- remove the user's ACL
Example: setfacl -b hb/                -- remove all user ACLs

Note: the maximum permissions that an ACL can set on a file depend on the value of umask.

File system extended attributes

chattr: sets a file so that it cannot be deleted (not even by root)

Syntax: chattr <option> <file>

Options:

  +a: content can only be appended

  +i: the file cannot be modified

lsattr: view a file's extended attributes
