Security context for files and directories

Source: Internet
Author: User

Security context for files and directories (with some file-system details)

When we run a command that starts a process to operate on a directory or file (read, copy, modify, delete, etc.), the kernel checks the identity of that process (are we the owner of the directory or file, a member of its group, or one of the others?) against the owner, group and other permission bits of the directory or file. The process can carry out the operation only if we hold the appropriate permission on the directory. The three classes are checked in order and the first match is used: if we are the owner of the file, only the owner bits count, and the process's group memberships are not consulted at all.


Directory and file permissions in detail:

First, directory permissions in detail:

When the performer has read (r) permission on the directory:

The performer can read the directory's listing, that is, see the names of the files and subdirectories it contains. Whether the attribute information (permissions, owner, size, timestamps) of those files or subdirectories can be seen depends on the performer's other permissions on the directory or file, as the session below shows.


(The prompts below are shown as user@host; the hostname is a placeholder because the original page obscured it.)

[redhat@host tmp]$ cd test
[redhat@host test]$ mkdir test.read
[redhat@host ~]$ chmod 400 /tmp/test/test.read/
[redhat@host test]$ su - root
[root@host ~]# cd /tmp/test/test.read/
[root@host test.read]# touch a b c
[root@host test.read]# ll
total 0
-rw-r--r--. 1 root root 0 Mar  7 22:59 a
-rw-r--r--. 1 root root 0 Mar  7 22:59 b
-rw-r--r--. 1 root root 0 Mar  7 22:59 c
[root@host test.read]# su - redhat
[redhat@host ~]$ ll /tmp/test/test.read/
ls: cannot access /tmp/test/test.read/a: Permission denied
ls: cannot access /tmp/test/test.read/b: Permission denied
ls: cannot access /tmp/test/test.read/c: Permission denied
total 0
?????????? ? ? ? ?            ? a
?????????? ? ? ? ?            ? b
?????????? ? ? ? ?            ? c

It is easy to see: when the performer has only read permission on the directory, there is no way to see the attributes of the files inside it, even if the performer has read permission on those files themselves.

The reason is that with only read permission on the directory, the performer can see what the directory contains but has no way to enter it.

More precisely, the names of the files and subdirectories in a directory are stored in the directory's data block (the block holds each name together with the inode number it corresponds to), while the attributes of those files and subdirectories are recorded in the inodes that the block refers to. With only read permission on the directory, we can read the directory's block, that is, the names and inode numbers, but we cannot enter the directory, so we cannot go from the block to the inode information it points at.

[redhat@host test]$ ls -id test.read/
33556153 test.read/


When the performer has execute (x) permission on the directory, the performer can reach the files inside it and view them. It is as if the performer can walk through the directory's door, and once inside can of course look around freely.


[redhat@host test]$ chmod 500 /tmp/test/test.read/
[redhat@host test]$ ll /tmp/test/test.read/
total 0
-rw-r--r--. 1 root root 0 Mar  7 22:59 a
-rw-r--r--. 1 root root 0 Mar  7 22:59 b
-rw-r--r--. 1 root root 0 Mar  7 22:59 c


But when the performer lacks write (w) permission, the performer can only enter the directory and look around (as when we visit someone else's home: walking through the door and looking is fine, but touching things is not). This means the performer cannot create, delete or rename files in that directory.

[redhat@host test]$ cd test.read/
[redhat@host test.read]$ mkdir woaini
mkdir: cannot create directory 'woaini': Permission denied
[redhat@host test.read]$ rm -rf a
rm: cannot remove 'a': Permission denied
[redhat@host test.read]$ mv a a
mv: cannot move 'a' to 'a': Permission denied


Only when the performer has write permission on the directory (together with execute, to enter it) can files or directories inside it be deleted, created or renamed. Note that write permission on the file itself is not required: in the session below, redhat removes a root-owned file simply because redhat can write to the directory.


[redhat@host test]$ chmod 500 /tmp/test/test.read/
[redhat@host test]$ ll /tmp/test/test.read/
total 0
-rw-r--r--. 1 root root 0 Mar  7 22:59 a
-rw-r--r--. 1 root root 0 Mar  7 22:59 b
-rw-r--r--. 1 root root 0 Mar  7 22:59 c
[redhat@host test]$ cd test.read/
[redhat@host test.read]$ mkdir woaini
mkdir: cannot create directory 'woaini': Permission denied
[redhat@host test.read]$ rm -rf a
rm: cannot remove 'a': Permission denied
[redhat@host test.read]$ mv a a
mv: cannot move 'a' to 'a': Permission denied
[redhat@host test.read]$ chmod 700 /tmp/test/test.read/
[redhat@host test.read]$ rm a
rm: remove write-protected regular empty file 'a'? y
[redhat@host test.read]$ mkdir a
[redhat@host test.read]$ mv b b
[redhat@host test.read]$ ll
total 0
drwxrwxr-x. 2 redhat redhat 6 Mar  7 23:36 a
-rw-r--r--. 1 root root 0 Mar  7 22:59 b
-rw-r--r--. 1 root root 0 Mar  7 22:59 c

Second, file permissions in detail:

If you do not understand what read, write and execute mean on a file, you may as well give up now: the door of Linux is basically not open to you.

Third, summary of practice:

① To delete a file in a directory, the performer must first be able to enter the directory (x) and then write to it (w) in order to remove the entry, so wx permission on the directory is required.

Creating a file follows the same principle as deleting one.

② Copying a file means reading it, so r permission on the file is enough to copy it (and x on the directory, to reach the file in the first place).
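The rules demonstrated above, written out as a small permission model. This is an added example, not code from the original post; the uids 1000 (redhat) and 0 (root) are assumed values, and the model covers only the basic owner/group/other bits (no root override, sticky bit or ACLs).

```python
import stat

R, W, X = 4, 2, 1  # bit values inside one r/w/x triple


def class_bits(mode, owner, group, uid, gids):
    """Return the r/w/x triple that applies to uid.

    The first matching class wins: an owner is judged by the owner bits
    alone, even if the group or other bits would grant more.
    """
    if uid == owner:
        return (mode & stat.S_IRWXU) >> 6
    if group in gids:
        return (mode & stat.S_IRWXG) >> 3
    return mode & stat.S_IRWXO


def allowed(op, dir_mode, dir_owner, dir_group, uid, gids,
            file_mode=0, file_owner=0, file_group=0):
    """Decide one operation using the directory rules from the post:
    list  -> r on the directory (names and inode numbers only)
    stat  -> x on the directory (needed to reach the inode)
    read  -> x on the directory plus r on the file
    create/delete/rename -> w and x on the directory (file bits irrelevant)
    """
    d = class_bits(dir_mode, dir_owner, dir_group, uid, gids)
    if op == "list":
        return bool(d & R)
    if op == "stat":
        return bool(d & X)
    if op == "read":
        f = class_bits(file_mode, file_owner, file_group, uid, gids)
        return bool(d & X) and bool(f & R)
    if op in ("create", "delete", "rename"):
        return bool(d & W) and bool(d & X)
    raise ValueError(op)


REDHAT, ROOT = 1000, 0  # assumed uids for the post's two users


def replay():
    """Replay the post's session: test.read owned by redhat, files a/b/c
    owned by root with mode 0644, directory mode stepped 400 -> 500 -> 700."""
    f = dict(file_mode=0o644, file_owner=ROOT, file_group=ROOT)
    return {oct(m): {op: allowed(op, m, REDHAT, REDHAT, REDHAT, {REDHAT}, **f)
                     for op in ("list", "stat", "read", "delete")}
            for m in (0o400, 0o500, 0o700)}
```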


This article is from the "Linux" blog, so be sure to keep this source http://ridingonhorse.blog.51cto.com/11265295/1748656
