Linux (fedora) File Permission Management

Linux (fedora) File Permission management linux permission management 1. linux basic permissions (1) File Permission Object Classification: Owner: group: Other system users. Owner: the user account that owns the file. The owner of most files has the permission to read, write, and execute the file. You can set the owner group and other user permissions for the file. The root user of the system administrator can change the owner of the file and obtain the ownership. Command chown format: chown owner: group file or directory // change the owner and group of the file or simultaneously, for example: [root @ centOS ~] # Ls-lh 123-rw-r -- r --. 1 root 0 April 28 05:33 123 [root @ centOS ~] # Chown baobao: baobao 123 [root @ centOS ~] # Ls-lh 123-rw-r -- r --. 1 baobao Bao 0 April 28 05:33 123 chown main file or directory // change the owner of the file or directory [root @ centOS ~] # Chown root 123 [root @ centOS ~] # Ls-lh 123-rw-r -- r --. 1 root baobao 0 April 28 05:33 123 chown: group file or directory // change file or directory owner root @ centOS ~] # Chown: root 123 [root @ centOS ~] # Ls-lh 123-rw-r -- r --. 1 root 0 April 28 05:33 123 parameter-R: this parameter is generally used for modifying the owner of files and directories in the directory itself and in the directory recursively, group [root @ centOS ~] # Ls-ld 234 // 234 directory itself drwxr-xr-x. 2 root 4096 April 28 05:38 234 [root @ centOS ~] # Ls-lh 234 total usage 0-rw-r -- r --. 1 root 0 April 28 05:38 a // file-rw-r -- In the 234 directory --. 1 root 0 April 28 05:38 B-rw-r --. 1 root 0 April 28 05:38 c [root @ centOS ~] # Chown-R baobao: baobao 234 [root @ centOS ~] # Ls-ld 234drwxr-xr-x. 2 baobao Bao 4096 April 28 05:38 234 [root @ centOS ~] # Ls-lh 234 total usage 0-rw-r -- r --. 1 baobao 0 April 28 05:38 a-rw-r --. 1 baobao 0 April 28 05:38 B-rw-r --. 1 baobao 0 April 28 05:38 c (2) file basic permissions classification: Read (4), write (2), execute (1) Read: A user account with this permission can read information about files and directories. Write: a user account with this permission can modify, add, and delete files. Execute: users with this permission have the execution permission on executable files in the system. Note: permissions on user files or directories are sometimes affected by upper-level directories. For example, the owner group of/root/123/file is baobao which has the write permission, but does not have the write permission for the parent/root/directory of the file. [root @ centOS ~] # Ls-lh 123-rw-rw ----. 1 root baobao 30 Aug 17 05:56 123 [root @ centOS ~] # Ls-ld/root/dr-xr-x ---. 35 root 4096 05:56/root/[root @ centOS ~] # Su-baobao [baobao @ centOS ~] $ Cat/root/123 cat:/root/123: insufficient permissions [baobao @ centOS ~] $ Vim/root/123 "/root/123"/root/123 "E212: the file cannot be opened and written. Press ENTER or another command to continue. Conclusion: The file is read or written, the user may not be able to operate the file because it may be affected by the upper-level directory. Special permissions in linux: setuid, setgid, stick bit (1) setuid) execute with the owner's permissions. The number 4 indicates that the file owner's execution permission limit will be s. /Usr/bin/passwd file [root @ centOS tmp] # ls-lh/usr/bin/passwd-rwsr-xr-x. 1 root 26 K 2012/usr/bin/passwd as we all know, the account and password information of each user stored in the/etc/passwd file, /usr/bin/passwd is the Program for modifying and viewing the file. However, from the perspective of permission,/etc/passwd only has the write (w) Permission of root, in fact, every user can use the/usr/bin/passwd command to modify this file. Therefore, this involves the special permissions of setuid in linux, as in-rwsr-xr-x, s setuid is: this grants normal users special permissions to execute "only root permissions can be executed". As normal users do not have the permission to modify the/etc/passwd file, however, after the setuid permission is granted to/usr/bin/passwd, normal users can execute The passwd command temporarily grants root permission to modify the/etc/passwd file (2) setgid: file (or directory) with this permission) users who do not have the execution permission in the system can obtain the permissions to execute files (or directories) in groups, represented by numbers 2 and letters s, the owner execution permission limit for files will be changed to s (3) stick bit (paste bit). The tmp directory is a Temporary Folder shared by all users, and all users have read and write permissions, in this case, A user creates file a in/tmp. file. At this time, user B is uncomfortable. In/tmp, delete the file (because it has the read and write permissions. In fact, this is not the case, because you have the special permission stick bit (paste bit), just as the last t stick bit (paste bit) in drwxrwxrwt is: unless the owner and root user of the Directory have the permission to delete it, other users cannot delete or modify this directory. 2. linux permission extension ACL permission ACL is an extension of permissions in linux. In the actual working environment, we may need a large majority of members in the file or directory group to have certain permissions (members in the group have rw for files and directories). A user in the group has rwx permissions, you can use ACL permission extension to fine-tune permissions without changing the permissions of the file owner and other groups. If you need to create such a file or directory, you need to set the basic permissions (rwx) of the file. When you set the fine-tuned ACL permission, the file or directory that already has this permission must be adjusted. If you need to adjust the basic permissions (rwx ), you must first clear the ACL extension permissions for files and directories. related commands: getfacl, setfacl, chacl getfacl command: view the ACL setting information of a file or directory. Format: getfacl select the parameter-a, -- access: display the access control list of a file or directory. -D, -- default: displays the default (default) access control list of files or directories. -C, -- omit-header: the default access control list is not displayed. -R, -- recursive: recursive operation to sub-directory. -T, -- tabular: uses the List format to output ACL settings. -N, -- numeric: displays the UID and GID of the user and group in the ACL information. -P, -- absolute-names:-v, -- version: displays command version information-h, -- help: displays Command help information. Command setfacl-m, -- modify = acl: modify the extended ACL settings of a file or directory. -M, -- modify-file = file: Read ACL settings from a file and modify the extended ACL settings of the current file or directory as a template. -X, -- remove = acl: deletes an extended ACL setting from a file or directory. -X, -- remove-file = file: Read ACL settings from a file and delete the ACL settings of the current file or directory as a template. -B, -- remove-all: deletes all extended ACL settings. -K, -- remove-default: deletes the default acl settings. -- Set = acl: sets the ACL settings of the current file. -- Set-file = file: Read ACL settings from a file to set ACL settings for the current file or directory. -- Mask: recalculate valid permissions, even if the ACL mask is explicitly specified. -N, -- no-mask: Do not recalculate valid permissions. By default, setfacl recalculates the ACL mask unless it is explicitly specified. -D, -- default: Set the default ACL settings (only valid for directories ). -R, -- recursive: The operation is recursive to all subdirectories and files. -L, -- logical: trace symbolic links. By default, only symbolic link files are tracked, skipping the symbolic link directory. -P, -- physical: skips all symbolic links, including symbolic link files. -- Restore = file: restore the acl settings of the backup from the file (these files can be generated by getfacl-R <--- for directories ). This mechanism can be used to restore the acl settings of the entire directory tree. This parameter cannot be executed together with any other parameter except -- test. -- Test: The test mode does not change the ACL settings. -V, -- version: displays the version information of a program. -H, -- help: displays help information. Ges baolinchuan :!!: 501: baobao, baolinabrt: x: 478: wbpriv: x: 88: squidvboxusers: x: 502: named: x: 25: mysql: x: 503: squid: x: 23: baobao: x: 504: baolin: x: 505: [root @ fedora tmp] # mkdir 123 // create the 123 directory for testing [root @ fedora tmp] # ls-ld 123 drwxr-xr-x 2 root 4096 April 28 10:30 123 drwxr-xr-x 2 root 4096 April 28 10:30 123 [root @ fedora tmp] # chown: baolinchuan 123 // modify the directory group to the baolinchuan Group, which contains baobao and baolin. baolinchuan3 users [root @ fedora tmp] # l S-ld 123drwxr-xr-x 2 root baolinchuan 4096 April 28 10:30 123 [root @ fedora tmp] # chmod 760 123 // modify the directory permission and set the owner group to have the (rw) permission, the information is as follows [root @ fedora tmp] # ls-ld 123/drwxrw ---- 2 root baolinchuan 4096 April 28 10:30 123/[root @ fedora tmp] # setfacl-m u: baolin: rwx 123 // modify the baolin in the group to have the rwx permission on directory 123 [root @ fedora tmp] # getfacl Usage: getfacl [-aceEsRLPtpndvh] file... try 'getfacl -- help' for more information. [root @ fedor A tmp] # getfacl 123/# file: 123/# owner: root # group: baolinchuanuser: rwxuser: baolin: rwxgroup: rw-mask: rwxother :: --- [root @ fedora tmp] # su-baolin // switch the logon user to baolin [baolin @ fedora ~] $ Cd/tmp/123 // baolin can go to the 123 directory [baolin @ fedora 123] $ touch baolin // baolin can create files in the 123 directory [baolin @ fedora 123] $ lsbaolin baolin @ fedora 123] $ su-baobao // switch the password of the logon user to baobao: [baobao @ fedora ~] $ Cd/tmp/123/-bash: cd:/tmp/123/: insufficient permissions/baobao logon directory failed, no ACL permission fine-tuning successful, you can set File ACL permissions for partitions. The partition types of the ACL file system are ReiserFS, EXT2, EXT3, EXT4, JFS, the/etc/fstab file is repaired by XFS and added after the partition permission. The acl restarts the system or is re-attached to the partition.