File Access permission

Source: Internet
Author: User


Unit 5:

Every file is owned by a user and is associated with a group.
Whether a user can read, write, or execute a file is therefore determined by whether the corresponding permission has been granted on that file. Permissions can be set for the file's owner, for the file's group, and for everyone else.

You can run the ls -l command to view a file's permissions:
$ ls -l /bin/login
-rwxr-xr-x 1 root 19080 Apr 1 /bin/login

You can see that the file's access permissions are represented by 10 characters.

File access permissions are defined for three types of users, each identified by one character:
u -- the owner of the file (user)
g -- other users in the file's group (group)
o -- any other user (others)
The access permissions of each type are independent of each other.

There are three standard file access types:
r -- permission to read a file / to list a directory's contents
w -- permission to write to a file / to create or delete files in a directory
x -- permission to execute a file / to access files in a directory, for example to cd into it
Each of these three access types can be assigned to each of the three user types above, namely u, g, and o.

In the file access permissions, the 2nd, 3rd, and 4th characters indicate the permissions of the file's owner; the 5th, 6th, and 7th characters indicate the permissions of the file's group; and the 8th, 9th, and 10th characters indicate the permissions of other users. For example:
$ ls -l /bin/login
-rwxr-xr-x 1 root 19080 Apr 1 /bin/login

This shows that the owner of the file can read, write, and execute it. Other users (including users in the group) can read and execute it. Another example:
$ ls -l readme
-rw-rw-r-- 1 Anderson visitor 2948 Oct 11 readme

This file can be read and written by users in the visitor group, but not executed; other users can read it, but cannot write to or execute it.

The first character "d" in the file access permissions distinguishes directories from other files:
$ ls -ld /bin
drwxr-xr-x 2 root root 4096 Apr 20 /bin/

More examples:
User Fred is a member of the Fred group and the staff group.
User Mary is a member of the Mary, admin, and staff groups.
The owner of filea is Fred and its group is Fred.
The owner of fileb is Mary and its group is root.
The owner of filec is root and its group is staff.
This gives the following table:
----------------------------------------------
User    filea   fileb   filec
----------------------------------------------
Fred    u, g, o, o, g
Mary    o u, o, g
root    u, g, o
If filea has the access permissions rwxr-xr--, access is as follows:
        Read    Write   Execute
------------------------------------
Fred    yes     yes     yes
Mary    yes     no      no
root    yes     yes     yes

Use the chmod command to change file permissions. The chmod command is followed by an expression, which can be either a number or a combination of three codes: who the change applies to (who), an operator, and a permission.

Who can be one of the following:
u  the file's owner
g  users in the file's group
o  other users
a  all users

The operator can be one of the following:
+  add permissions
-  remove permissions
=  grant permissions...

Permission:
r  read
w  write
x  execute (access, for directories)
s  set user ID bit (fourth character) or set group ID bit (seventh character)
t  sticky bit (on a directory, it prevents users other than the owner from deleting files in the directory; shown in the 10th character)

For example:
$ chmod g+w .bash_profile
This command grants write permission to users in the file's group.

$ chmod go-rw .bash_profile
This command removes read and write permission from all users other than the owner.
A useful chmod option is -R (recursive; note the capital letter), which changes the permissions of all files and subdirectories in an entire directory tree.

As mentioned above, there is another way to change file permissions: the numeric method. The access permissions are given as three digits. The first digit is the owner's permissions, the second digit is the permissions of users in the file's group, and the third digit is the permissions of other users. Each digit is the sum of the following numbers:
4 (read permission)
2 (write permission)
1 (execute permission)

For example, to make a file read-only:
$ chmod 444 file
For example, to give the file's owner read, write, and execute permissions, users in the group read and execute permissions, and other users no permissions:
$ chmod 750 file

We also need to mention default file permissions, which are determined by the umask. The umask of a non-privileged user is 002, which gives a default file permission of 664, while the root user's umask is 022, which gives a default file permission of 644.

Without a umask, all files would be created with 666 permissions by default, meaning that all users could read and write new files. Note that newly created files never have execute permission, and umask cannot change that: every executable file must be given execute permission explicitly before it can run. For a directory, however, execute permission is granted by default when the directory is created, whatever the umask value is (so that the directory can be accessed).

To change the umask, simply type:
$ umask 022
This changes the original default umask of 002 to 022. However, the next time you log in, the umask returns to its original value, so to make the change permanent you need to add the umask command to the bash initialization script.
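
The effect of the umask on new files and directories can be checked directly. The following is an added example, not part of the original text; the function name new_modes is an assumption, and stat -c is the GNU coreutils form found on Linux.

```sh
#!/bin/sh
# Added example: print the octal mode a new file and a new directory
# receive under a given umask, as "<file-mode> <dir-mode>".
new_modes() {
    mask=$1
    tmp=$(mktemp -d) || return 1
    (
        # The subshell keeps the umask change from leaking into the caller.
        umask "$mask"
        : > "$tmp/file"     # files start from 666, so they are never executable
        mkdir "$tmp/dir"    # directories start from 777
    )
    printf '%s %s\n' "$(stat -c %a "$tmp/file")" "$(stat -c %a "$tmp/dir")"
    rm -rf "$tmp"
}

new_modes 002   # default for a non-privileged user in the text
new_modes 022   # default for root in the text
new_modes 077   # private: nothing for group or others
```

A umask of 077 is the usual choice when files created by a session should not be readable by anyone else.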

In addition to the three standard access permissions, there are the three special permissions mentioned above: the setuid, setgid, and sticky bits.

(I do not know whether my understanding is correct or not. I hope you can give me some advice!)
The setuid bit sets the user ID of the process to the user ID of the file's owner; it has no effect on directories.
Setuid is a very powerful and dangerous tool. For example, if a program has the setuid bit set and its owner is root, it runs with the privileges of the root user when it is executed. Some programs need this in order to work correctly. For example, the ping program must be setuid root because it needs to send raw ICMP packets over the network. Any setuid program must be written carefully and be free of security vulnerabilities.

The setgid bit sets the group ID of the process to the group ID of the file. On a directory, it forces all files created in that directory to have the same group as the directory, regardless of who creates them.
Setgid is as powerful as setuid and should be used with caution, because it can allow unintended access to files and resources. For example, the minicom terminal emulator is setgid to the uucp group, which gives it permission to access the computer's serial ports (the uucp group has this permission).

The sticky bit is used on directories to prevent users from deleting files they do not own. A typical use of the sticky bit is the /tmp directory, where it prevents users from deleting each other's files. The sticky bit has no effect on files.

Unit 6: Linux File System

Files and directories are organized in a single-rooted inverted tree structure, which includes independent physical device volumes such as floppy disks, CD-ROMs, or multiple hard disks. The base (highest point) of the inverted tree is the root directory, or "/".
File names are case-sensitive. The "/" symbol is the delimiter that separates the elements of a path name. For example, /usr/bin/X11/x
Each shell and system process has a "current directory". ".." refers to the parent directory of the current directory, and "." refers to the current directory itself. Files or directories whose names start with "." are so-called hidden files, which are not listed by default.
A user's path is the list of directories that are searched for the programs that implement commands.

/ (root)
|
etc bin sbin lib root usr mnt var boot tmp opt dev home proc lost+found

bin: stores user commands. The /usr/bin directory also stores user commands.
sbin: the location of system commands, such as shutdown. The /usr/sbin directory also stores many system commands.
root: the superuser's home directory.
mnt: generally contains the mount points for file systems mounted after the system has started.
boot: contains the kernel and other files used during system startup.
lost+found: used by fsck to store recovered file fragments (files without file names).
lib: contains many library files used by the programs in /bin and /sbin. The /usr/lib directory contains more library files.
dev: stores device files.
etc: contains many configuration files and directories.
var: stores "variable" files such as system logs and print spools.
proc: a virtual file system containing system process information (not stored on disk).
tmp: a "scratch" area for users and programs. /tmp is open to all users and all processes.
opt: the installation directory for third-party packages such as StarOffice.

The following are details about the ext2/ext3 file system.

When an ext2/ext3 file system is created, the file system's metadata is stored in the superblock. Because this data is crucial to operating the file system, copies of the superblock are also created (for example, in a small file system a copy is created every 8192 blocks). The dumpe2fs command can be used to view the data in the superblock. The superblock contains the file system's metadata: volume name, UUID, number of inodes, number of blocks, number of reserved blocks, location of the block groups, and so on.

An inode is like a description of the data stored in blocks. The inode does not store a file's actual data, but information about the file. The stat command lets us view a file's inode to learn how the file is stored in the file system.
$ stat passwd
  File: "passwd"
  Size: 1129  Blocks: 8  IO Block: 4096  Regular File
Device: 306h/774d  Inode: 214057  Links: 1
Access: (0644/-rw-r--r--)  Uid: (0/root)  Gid: (0/root)
Access: Sat Sep 29 13:34:57 2001
Modify: Sun Sep 23 17:12:41 2001
Change: Sun Sep 23 17:12:41 2001

The following describes the concept of a hard link.
A hard link is a "physical" file in the file system: each link points to the file's inode. This makes it possible for a file to have two or more names. Note: users can link to files they do not own, but they are still restricted by the information in the inode. Hard links are often used to avoid typing long path names.
Hard links cannot span disks or partitions, because the inode that a hard link points to is unique within a partition but not across the whole file system. Hard links cannot be created for directories.
Use ln filename [linkname] to create a hard link.
Use ls -i to display the inode numbers of all files in the current directory.
With ls -l, the number of hard links to a file is displayed in the second column. When the number of hard links to a file reaches 0, the file is deleted.

The following describes the concept of a soft link (or symbolic link).
A symbolic link is a Linux file type (l); "l" is the first character of its file access permissions.
Unlike a hard link, it stores the full name of the file it points to. If the target file is renamed or deleted, the symbolic link no longer points to it. A symbolic link can therefore also point to a file that does not actually exist. In addition, a symbolic link can point to files and directories on other partitions, which a hard link cannot do.
Use ln -s filename [linkname] to create a symbolic link.
Use ls -l to see what a symbolic link points to. For example:
$ ln -s /etc/passwd password
$ ls -l password /etc/passwd
lrwxrwxrwx 1 Doug 11 May 19 18:41 password -> /etc/passwd
-rw-r--r-- 1 root 919 May 13 /etc/passwd

A symbolic link always has full access permissions of 777. Note that its file size is 11 bytes, which is exactly the number of characters in "/etc/passwd".
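
The differences between the two link types described above can be observed in a throwaway directory. This is an added example, not part of the original text; the function name link_facts and the file names orig, hard and soft are assumptions, and stat -c is the GNU coreutils form.

```sh
#!/bin/sh
# Added example: compare a hard link and a symbolic link to the same file.
link_facts() {
    t=$(mktemp -d) || return 1
    echo data > "$t/orig"
    ln "$t/orig" "$t/hard"        # hard link: a second name for the same inode
    ln -s orig "$t/soft"          # symbolic link: stores the 4-character path "orig"

    if [ "$(stat -c %i "$t/orig")" = "$(stat -c %i "$t/hard")" ]; then
        inode=same-inode
    else
        inode=different-inode
    fi
    links=$(stat -c %h "$t/orig")     # hard link count (second column of ls -l)
    symsize=$(stat -c %s "$t/soft")   # size of the link itself = length of the stored path

    rm "$t/orig"                      # remove the original name
    # The data is still reachable through the hard link ...
    if [ "$(cat "$t/hard")" = data ]; then hard=hard-readable; else hard=hard-lost; fi
    # ... but the symbolic link now points at a name that no longer exists.
    if [ -e "$t/soft" ]; then soft=soft-valid; else soft=soft-dangling; fi

    echo "$inode links=$links symsize=$symsize $hard $soft"
    rm -rf "$t"
}

link_facts
```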

Removable media must be mounted before use, with the mount command. Similarly, before removable media is removed, it must first be unmounted, with the umount command. For example:
mount -t vfat /dev/fd0 /mnt/floppy -- mount a floppy disk
mount /mnt/floppy -- mount a floppy disk using the information in fstab
mount -t iso9660 /dev/cdrom /mnt/cdrom -- mount a CD-ROM
mount /mnt/cdrom -- mount a CD-ROM using the information in fstab

In addition, if you have installed the autofs RPM package, your system can be configured to mount file systems automatically. The default configuration files are /etc/auto.master and /etc/auto.misc.

If you have installed the mtools package, it can help you access FAT file systems: you can use a FAT-formatted floppy disk or hard disk without mounting it. The commands are named m followed by the DOS command, for example mdir.

For file searching, Linux provides the slocate command and the find command.
slocate is not as powerful as find, but it is fast, because it uses a database that the system updates daily rather than searching in real time as find does. find is more flexible: it accepts many parameters and options, and lets you specify the file type, owner, modification date, and so on.

slocate syntax: slocate [pattern] or locate [pattern]
Note: in Red Hat Linux, locate is a symbolic link to slocate. slocate uses the database updated daily by the system, so it does not know about files added or modified since the last update.

find syntax: find [path] [options] [expression]
The main job of find is to generate a list of file or directory names. find searches recursively down from the path given in [path] and lists all files that meet the conditions. You can use the -name option to restrict the files listed. When using wildcards, always enclose the pattern in double quotation marks.
Example: find . -name index.html
find . -name "*.html"
Other find options:
-atime +n, -n: lists files accessed more than / less than n days ago.
-mtime +n, -n: lists files modified more than / less than n days ago.
-user uname: lists files owned by the user uname.
-group gname: lists files owned by the group gname.
-perm mode: lists files with the given octal access permissions.
-size n[c]: lists files that occupy n blocks, or contain n characters when c is present.
-type c: lists files of type c, where c may be b (block special file), c (character special file), d (directory), p (FIFO or named pipe), l (symbolic link), s (socket), or f (plain file).
-iname pattern: the pattern is matched case-insensitively.

find is also powerful in that it can pass the files it finds to other commands as arguments. Syntax:
find dir_list [options] -exec cmd {} \;
Note that the final semicolon in this syntax must not be omitted.
If the command cmd should be confirmed before it runs, as with rm, -ok can be used instead of -exec.
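
The -perm and -exec options combine naturally with the setuid, setgid and sticky bits described in Unit 5: an administrator can list every file that carries a special bit and every world-writable directory that lacks the sticky bit. This is an added example, not part of the original text; the function names, output tags and the constructed test tree are assumptions, while -perm -mode (all listed bits set) and -xdev (stay on one file system) are standard find options.

```sh
#!/bin/sh
# Added example: audit a directory tree for the special permission bits.
# Each finding is tagged so the output can be compared against a known baseline.
audit_special_bits() {
    root=${1:-.}
    # -perm -4000 / -2000: the setuid / setgid bit is set, whatever the other bits are
    find "$root" -xdev -type f -perm -4000 -exec printf 'SETUID %s\n' {} \;
    find "$root" -xdev -type f -perm -2000 -exec printf 'SETGID %s\n' {} \;
    # World-writable directory without the sticky bit: any user may delete
    # files that belong to other users.
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -exec printf 'NOSTICKY %s\n' {} \;
}

# Constructed test tree; every path below is created and removed by the demo.
demo_audit() {
    t=$(mktemp -d) || return 1
    : > "$t/helper";   chmod 4755 "$t/helper"   # setuid file
    : > "$t/plain";    chmod 0755 "$t/plain"    # ordinary file, not reported
    mkdir "$t/drop";   chmod 0777 "$t/drop"     # world-writable, no sticky bit
    mkdir "$t/shared"; chmod 1777 "$t/shared"   # same mode as /tmp, not reported
    audit_special_bits "$t" | sed "s|$t/||" | sort
    rm -rf "$t"
}

demo_audit
```

Run against / on a freshly installed system, the output gives a baseline; a new SETUID line in a later run is worth investigating.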

Linux provides several file compression tools.
# gzip and gunzip are the standard Linux compression tools.
# bzip2 and bunzip2 are newer Linux compression tools. Compared with gzip, their compression ratio is generally higher, but they are slower. Files compressed with bzip2 have the suffix .bz2.
# compress and uncompress are the older UNIX compression tools.

Files compressed with gzip generally have the suffix .gz and can be used on many non-UNIX platforms. In addition, gunzip can also decompress files compressed with compress.
Usage: gzip [-d] file
gunzip file

gzip -d decompresses a file and can be used instead of the gunzip command. The file name given does not need to include the .gz suffix.

zip/unzip is a tool compatible with PKZIP/WinZip on the DOS/Windows platforms. It can compress multiple files into a single file, which gzip and compress cannot do. To compress multiple files with gzip or compress, you must first combine them with tar.


From: http://www.xnlinux.cn/thread-241-1-1.html
