Default permissions and Hidden permissions (files, folders) in Linux

Source: Internet
Author: User

A file (or folder) has a number of properties: the basic permission bits (r/w/x), as well as a type flag such as folder (d), regular file (-) or symbolic link (l). In addition, Linux can set other system security attributes. These are set with chattr and viewed with lsattr. The most important of them is the immutable attribute: once set, the file cannot be changed, not even by its owner.

These attributes are quite important, particularly for security mechanisms.


File default permissions: umask

When a new file or folder is created, its default permissions are determined by umask.

In short, umask specifies the default permissions of the files or folders that the current user creates. So how do you view and set umask?

There are two ways to view it: enter umask by itself to see the permission setting as a number, or add -S (symbolic) to display the permissions in symbolic form.

The default permissions of folders are not the same as those of files, because we don't want files to be executable by default; a new file does not get the execute (x) permission. So:

1. If the user creates a file, it does not get the execute (x) permission by default, only the two rights r and w; that is, the maximum is 666, default attributes: -rw-rw-rw-;

2. If the user creates a folder, x determines whether the folder can be entered, so all permissions are open by default; that is, 777, default attributes: drwxrwxrwx.


umask specifies the permissions that need to be removed from these defaults. Since r/w/x are worth 4/2/1, to remove the write permission enter 2, to remove the read permission enter 4, and to remove both read and write enter 6. So a umask of 0022 means that the write permission (2) is removed from group and others. When the user:

1. creates a file: (-rw-rw-rw-) - (-----w--w-) => -rw-r--r--

2. creates a folder: (drwxrwxrwx) - (d----w--w-) => drwxr-xr-x

Suppose we just want to remove the group's w permission, so that a newly created file has -rw-rw-r-- permissions; then umask should be 002. Enter umask 002 to set it.


By default, root's umask removes more permissions: root's default umask is 022. This is a security consideration. Ordinary users typically have a umask of 002 and so keep write access for members of the same user group.
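The umask arithmetic above, as an added example that is not part of the original article: a POSIX shell script that computes the mode a new file or folder receives under a given umask, derives the umask needed for a desired file mode (the 002 case above), and cross-checks the arithmetic against what the kernel actually assigns. It assumes a Linux ls whose nine permission characters follow the type character.

```shell
#!/bin/sh
# Mode a new file or folder receives under a given umask: start from 666
# (files, no x) or 777 (folders) and clear every bit set in the umask.
default_mode() {   # usage: default_mode <umask> file|dir  -> e.g. 644
    mask=$(printf '%d' "0$1")          # leading 0 makes printf read octal: 022 -> 18
    case $2 in
        file) base=438 ;;              # 0666
        dir)  base=511 ;;              # 0777
        *)    echo "usage: default_mode <umask> file|dir" >&2; return 1 ;;
    esac
    printf '%03o\n' $(( base & ~mask ))
}

# Inverse problem from the text: which umask yields a given mode for new files?
# The umask must remove exactly those bits of 666 that the target lacks.
umask_for_file_mode() {   # usage: umask_for_file_mode 664 -> 002
    target=$(printf '%d' "0$1")
    printf '%03o\n' $(( 438 & ~target ))
}

# Cross-check against the kernel: create a file and a folder under the given
# umask (inside a subshell so the caller's umask is untouched) and print the
# nine permission characters ls reports for each, file first, then folder.
verify_umask() {   # usage: verify_umask 022
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && : > "$tmp/f" && mkdir "$tmp/d" ) || return 1
    ls -ld "$tmp/f" | cut -c2-10
    ls -ld "$tmp/d" | cut -c2-10
    rm -rf "$tmp"
}

echo "umask 022 -> file $(default_mode 022 file), folder $(default_mode 022 dir)"
echo "umask 002 -> file $(default_mode 002 file), folder $(default_mode 002 dir)"
echo "for new files to be 664 use umask $(umask_for_file_mode 664)"
verify_umask 022
```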

File hidden attributes

Files have hidden attributes, and these attributes are very helpful to the system, especially in the area of system security.

1. chattr (set file hidden attributes)

chattr turns these attributes on. The most commonly used are a and i, and many of these attributes can only be set by root.

This command is very important, especially for system security. Because these attributes are hidden, they have to be viewed with lsattr.

The most important is the +i attribute: it makes it impossible to change the file. For a log file, +a is more appropriate: data can be appended, but the existing data cannot be changed or deleted.

2. lsattr (show the hidden attributes of a file)


After setting attributes with chattr, you can use lsattr to view them.
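An added example, not from the original article, that exercises +a and +i as described above and adds the check a defender wants: has_attr parses a line of lsattr output, demo_chattr shows which operations each flag refuses (it reports and skips unless run as root on a filesystem that supports these flags), and audit_attrs lists every entry under a directory carrying +i or +a, which is how you confirm that log protection is in place or notice flags set on files you did not expect.

```shell
#!/bin/sh
# Parse one line of lsattr output ("----i---------e------- /path") and report
# whether attribute <letter> (e.g. i or a) is set. Exit status 0 = set.
has_attr() {   # usage: has_attr "<lsattr line>" <letter>
    flags=${1%% *}                          # first field is the attribute string
    case $flags in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Show what +a and +i refuse. Needs root (CAP_LINUX_IMMUTABLE) and a filesystem
# that supports these flags (ext4, xfs, btrfs); otherwise it reports and skips.
demo_chattr() {
    [ "$(id -u)" -eq 0 ] || { echo "skipped: chattr needs root"; return 0; }
    f=$(mktemp) || return 1
    echo "line1" > "$f"
    chattr +a "$f" 2>/dev/null || { echo "skipped: no attribute support here"; rm -f "$f"; return 0; }
    echo "line2" >> "$f"            && echo "+a: append allowed"
    echo "x" > "$f" 2>/dev/null     || echo "+a: overwrite (truncate) refused"
    chattr -a "$f" && chattr +i "$f"
    echo "y" >> "$f" 2>/dev/null    || echo "+i: append refused"
    rm -f "$f" 2>/dev/null          || echo "+i: delete refused, even for root"
    lsattr "$f"
    chattr -i "$f" && rm -f "$f"    # clean up: the flag has to come off first
}

# Audit: print every entry under <dir> that carries +i or +a.
audit_attrs() {   # usage: audit_attrs /var/log
    lsattr -R "$1" 2>/dev/null | while IFS= read -r line; do
        case $line in ""|*:) continue ;; esac   # skip blanks and "dir:" headers
        if has_attr "$line" i || has_attr "$line" a; then echo "$line"; fi
    done
}

demo_chattr
audit_attrs "${1:-/var/log}"
```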


File special permissions: SUID/SGID/Sticky Bit

1. Set UID

The s and t permissions exist so that an ordinary user can temporarily hold the permissions of a program's owner while running certain programs.

For example, the account and password files are /etc/passwd and /etc/shadow, and their owner is root.

With these permissions, only root can write to them. Yet when the ordinary user webgod updates his password, he uses the /usr/bin/passwd program and the update succeeds, even though the owner of /usr/bin/passwd is root.

So how can the ordinary user webgod modify the password file /etc/shadow? This is thanks to the s permission. When s appears in the user's x position (look at the attributes of /usr/bin/passwd: -rwsr-xr-x), it is called Set UID, or SUID for short: the ID of the user running the program (/usr/bin/passwd) becomes that of the program's owner (root).

Therefore, when the webgod user runs /usr/bin/passwd, he temporarily obtains the permissions of the file's owner, root.

Note: SUID is effective only on binary executable files; it has no effect on folders.

2. Set GID

If the s permission is in the group's x position, it is Set GID, or SGID for short. SGID can be used in two ways:

1. file: if SGID is set on a binary file, then whoever runs the program, its effective group becomes the group of the program file while it runs;

2. folder: if SGID is set on folder A, the files or folders created within A will belong to A's group.

3. Sticky Bit

The sticky bit (sbit) is generally used on folders and has little meaning on files. Under a folder with the sticky bit set, if a user has w and x permissions in that folder, then when the user creates a file or folder there, only the file's owner and root have the right to delete it. The sticky bit can be understood as an anti-delete bit.

If you want users to be able to add files to a folder but not delete each other's files, set the sticky bit on that folder. With this bit set, a file cannot be deleted by other users even though they have write access to the file's parent folder.

4. SUID/SGID/sbit permission settings

Changing permissions with numbers uses a combination of 3 digits. If you put a fourth digit in front of these 3, that leading digit represents a combination of the special attributes: 4 for SUID, 2 for SGID, 1 for Sticky Bit.

The system expects an x in the corresponding position. When that x is present, the special flags display as lowercase (s/s/t); otherwise they appear as uppercase letters (S/S/T).
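An added example (not the article's own code) covering sections 1 to 4: mode_to_ls turns a four-digit numeric mode into the string ls shows, applying the s/S and t/T rule just described, and chmod_and_show checks it against a real chmod on a scratch file; find_special is the inventory a defender keeps, because every SUID/SGID file (like the /usr/bin/passwd case above) runs with someone else's identity and should be a known, expected binary. It assumes a Linux ls -l layout and GNU find.

```shell
#!/bin/sh
# Expand a 4-digit octal mode such as 4755 into the 10-character string ls
# shows. The leading digit is 4=SUID, 2=SGID, 1=sticky; each flag replaces
# the x of user, group or other and is lowercase only when that x is set.
mode_to_ls() {   # usage: mode_to_ls 4755 file|dir  -> -rwsr-xr-x
    n=$(printf '%d' "0$1"); special=$(( n >> 9 ))
    [ "$2" = dir ] && out="d" || out="-"
    slot=0
    for s in 6 3 0; do                          # user, group, other triplets
        bits=$(( (n >> s) & 7 ))
        [ $((bits & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((bits & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        case $slot in
            0) flag=$(( special & 4 )); lo=s; up=S ;;   # SUID sits on user x
            1) flag=$(( special & 2 )); lo=s; up=S ;;   # SGID sits on group x
            2) flag=$(( special & 1 )); lo=t; up=T ;;   # sticky sits on other x
        esac
        if [ "$flag" -ne 0 ]; then
            [ $((bits & 1)) -ne 0 ] && out="$out$lo" || out="$out$up"
        else
            [ $((bits & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
        fi
        slot=$((slot + 1))
    done
    echo "$out"
}

# Apply a mode to a scratch file with chmod and return what ls really shows,
# so the rule above can be confirmed (works as the file's owner, no root).
chmod_and_show() {   # usage: chmod_and_show 4655 -> -rwSr-xr-x
    f=$(mktemp) || return 1
    chmod "$1" "$f" && ls -l "$f" | cut -c1-10
    rm -f "$f"
}

# Defender's inventory: every SUID or SGID file below <dir> on this filesystem.
find_special() {   # usage: find_special /usr
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + 2>/dev/null
}

for m in 4755 4655 2755; do
    echo "$m -> $(mode_to_ls "$m" file)   (chmod reports $(chmod_and_show "$m"))"
done
echo "1777 on a folder -> $(mode_to_ls 1777 dir)"
```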

