Linux Basics: File permissions

Source: Internet
Author: User
Tags filegroup

User and user groups

Linux is a multi-user, multi-tasking operating system, in order for each user to have more confidential file data, so not see the rights management is more important. Linux file ownership and access authorization are closely related to user IDs and groups. Linux generally divides the identity of the file accessible access into 3 categories, namely owner, group, others, and 3 of the identities have read, write, execute and other permissions.

Authentication occurs when a user logs on to the system. Users who successfully log on to the system will have the user ID (username, UID) as well as the group identity (group ID, GID), and when they need to access the file or execute the program, check whether the user has access rights.

in general, Linux user information is stored in the/etc/passwdIngroup information is saved in/etc/group, each line of the file represents a user/group. Early Linux saved the password in clear text in the form of/etc/passwdInand now more in the form of a cipher (that is, the form of encryption) is saved in/etc/shadowIn Store the password in the/etc/shadowInImproved password security because/etc/passwdallow all people to view while/etc/shadowonly allow root users to view。

Useidcommand, you can identify user and group information. Similarly, you can use thegroupscommand to find out what group you are in.

[[email protected] ~]# iduid=0 (root) gid=0 (root) groups=0 (root) [[email protected] ~]# Groupsroot[[email protected] ~]#


Linux file properties

To understand Linux permissions control, you must learn the file permissions and properties of Linux. There are 3 types of Linux permission models per file system object. These permissions are read (r), write (w), and execute (x). Write permissions include the ability to modify and delete objects. In addition, these permissions are assigned to the file owner, filegroup members, and others, respectively.

You can use the # ls-l command to view

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/5B/34/wKioL1UCU4jjrarBAADdH4DvcUc923.jpg "title=" 1.png " alt= "Wkiol1ucu4jjrarbaaddh4dvcuc923.jpg"/>

Let's explain the meaning of the above 7 columns.

    • The first column represents the type and permissions of this file (permission)

It consists of 10 characters, the first letter describes the type of the object (-in this case, the ordinary file), the remaining 9 letters every three letters of a group, corresponding to the owner , belong to the group (groups) and other people (other) permissions . The first group represents the read, write, and execute permissions for the file owner. -Indicates that the appropriate permissions have not been granted.

The first character represents the type of file :

    • [d] Catalog (directory)

    • [-] Document (file, F)

    • [l] Symbolic link files (Symbolic links file)

    • [b] block device files (blocks)

    • [c] Character device file (character)

    • [P] Named pipes (pipe)

    • [s] Socket (socket)

In the following characters, a group of three, each of which is a combination of three parameters, is "rwx".

where [R] stands for readable (read), [W] stands for writable (write), [x] stands for executable (execute). Note that the location of the three permissions does not change, and if there is no permission, a minus sign [-] is present.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/5B/3A/wKiom1UCVADy2mxZAACAXOgpNVY288.jpg "title=" 1.png " alt= "Wkiom1ucvady2mxzaacaxogpnvy288.jpg"/>

    • The second column represents how many file names are connected to this node (inode).

Each file has its permissions and properties recorded in the inode of the file system, but in the organization of the inverted directory tree structure used by Linux, the file name is stored in the directory file, so each file name is connected to an inode. This property records how many different filenames are connected to the same inode number. So there is a case where multiple filenames are connected to an inode, which is a hard link, and that column refers to the number of hard links.

    • The third column represents the owner (master) of the file (or directory).

    • The fourth column represents the group to which this file (or directory) belongs.

    • The fifth column represents the size of this file, in bytes (byte).

The size of the linked file (the B.txt file above) is exactly the number of characters that point to the target file name.

    • The sixth column represents the last modified time (mtime) of the file. in fact, the file attributes also include the creation time and the last read time, but it is not displayed.

    • The seventh column is the file name of the file.


The meaning of directory permissions

Directories use the same permissions identities as regular files, but their translations are different. Read permissions for a directory allow users to list directory contents with this permission. Write permissions mean that users can use this permission to create or delete files in the directory. Execute permissions allow the user to enter a directory and access any subdirectory. Without execute permissions, the file system object under the directory is inaccessible. Without Read permissions, the file system objects under the directory are not visible under the directory list, but they are still accessible if you know the full path of the objects on the disk.


permissions for normal files :

    • R (Read): Allow Read permissions, such as commands that can be used cat <file name> to read the contents of a file

    • W (write): Allow Write permission, indicating that you can edit and modify the contents of a file

    • X (Execute): Permission to execute, typically a binary program file or script file that can be run. The type of file is not differentiated by file suffix on Linux. But having the ability to execute, and the success of being able to do it, is two things.

permissions for the catalog file :

However, the permission bit for the directory is easily confused, here to distinguish:

R (read contents in directory): reads the contents of the directory.
So when you have permission to read (r) a directory, it means that you can query the files in that directory.

W (Modify contents of directory): Edit the contents of the directory. Have permissions to change the directory structure list:
Mainly include
1. Create new files and directories
2. It is important to delete the files and directories under the directory (regardless of the permissions of the file)
3. Renaming files and directories inside the directory
4, the location of files and directories in the mobile directory

X (Access directory): Represents whether the user can enter the directory to become the working directory. (quite important concept)


NOTE: directories must have both read and Execute permissions to open, and a directory with write permission to allow other files to be created, because the catalog file actually holds information such as a list of files in that directory


To edit the contents of a file, you must have RW permissions on the file.

To edit directory content, you must have wx permissions on the directory.


How to modify file properties and permissions

We already know the importance of file permissions for a system, but how do you modify the properties and permissions of a file? Here the main use of three commands:chgrp, Chown, chmod, respectively, corresponding to modify the user group, owner and file permissions.

    • Change the owning group: CHGRP

    • Change owner: Chown

    • Change file permissions: chmod

# # Chgrp/chown/chmod [-R] Dirname/filename-r: Recursive recursive## change Genus Group # CHGRP users a.txt## Change owner # chown users a.txt# chown R Oot:root a.txt# chown:users a.txt# chown-r root:root./tmp # recursion, all files in its subdirectories will change

Symbolic way to change file permissions:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/5B/36/wKioL1UCfbSh4IUTAABR78KAJTA759.jpg "title=" 1.png " alt= "Wkiol1ucfbsh4iutaabr78kajta759.jpg"/>

[Email protected] ~]# chmod--helpusage:chmod [OPTION] ... Mode[,mode] ... FILE ... or:chmod [OPTION] ... Octal-mode file ... or:chmod [OPTION] ...--reference=rfile file ... Change the mode of each FILE to mode.


Mode can be divided into the following 3 blocks: [who] operator [permission]

[ ugoa]* ([-+=] ([rwxxst]*|[ Ugo]) +

Who 's meaning is :

U file belongs to master permission

G Same group User rights

o Other user rights

A All users (all set permissions for all users, which is equivalent to ignoring it)

the meaning of operator :

+ Add Permissions

-Cancel Permissions

= Set Permissions

the meaning of permission :

R Read Permissions

W Write permission

X Execute Permissions

X means only if the file is a subdirectory or the file has been set to be executable.

S file owner and group ID

L lock files so that other users cannot access them

Example:

# chmod U=rwx,go=rx A.txt # Note: There are no spaces between U=rwx,go=rx # chmod U=rwx,g=rx,o=rx a.txt# chmod o=-a.txt# chmod a+x a.sh# chmod +x a.sh


Octal mode to change file permissions:

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/5B/3C/wKiom1UCevmgQaXjAAA3tvibDOc845.jpg "title=" 1.png " alt= "Wkiom1ucevmgqaxjaaa3tvibdoc845.jpg"/>

R=4,w=2,x=1, the respective three permissions (R, W, X) for each identity (owner, group, others) are cumulative. each of these three numbers is built by adding the required permission settings: Read (4), write (2), and execute (1).

Owner = RWX = 4 + 2 + 1 = 7

Group = R-x = 4 + 0 + 1 = 5

other = R-x = 4 + 0 + 1 = 5


Suid and Sgid

The Linux permissions model has two special access modes, named SUID (set User ID) and Sgid (set group ID). When the executable program is set to SUID access mode, it starts running as if it were started by the owner of the file rather than by the user who actually started it. Similarly, when set to Sgid access mode, the program runs as if the startup user belonged to a filegroup and not to all of his groups. You can set up two access modes individually or simultaneously.

the suid and Sgid bits occupy the same space as the user and group x in the Long catalog list. If the file is executable, the suid or Sgid bit, if set, will appear as lowercase s, otherwise it will appear in uppercase S.

Although Suid and Sgid are convenient, and even necessary in many environments, the inappropriate use of these access patterns can create vulnerabilities in system security. You should use the SUID program as sparingly as possible. The passwd command is one of the few commands that must be suid.

Set SUID and Sgid

The suid and Sgid bits are set and reset using the letter s on the symbol, for example, u+s setting suid access mode, g-s deleting Sgid mode. In octal format, SUID is the first (higher order) value of 4, while Sgid is the value 2.

# chmod u+s aaa# chmod 4755 AAA


Purpose of Suid:

    • SUID permissions are only valid for binary programs (Binaryprogram) and cannot be sufficient for shell script.

    • Performer must have X executable permission for the program

    • This permission is valid only during the execution of the program (Run-time)

    • The performer will temporarily have permissions for the program owner (owner)

    • Not valid for directory

The purpose of SUID is to allow users who do not have the appropriate permissions to run the program to access resources that they do not have access to. Under Linux/unix, the executable can be setuid, which allows any user to bind the file owner's permissions when executing the file. It's like a file with a imperial sword, by default, the user executes a directive that runs the process as the user's identity. The mandatory bit on the instruction file allows the user to execute the instruction to run the process as an instruction to the owner of the file or the identity of the owning group. Note: This suid can only be run on a binary program (some commands in the system) and cannot be used in scripts (script), because the script will be able to assemble many programs together, rather than executing the script itself. Similarly, this suid can not be placed in the directory, put on is also invalid. setuid files are often used to elevate the user's permissions. The most representative of the SU command. Normal users can execute the command to upgrade themselves to root.


The role of the SET GID coercion bit:

By default, a user-created file belongs to the same group as the user. However, the directory is set to Setgid, which means that any file created by anyone in this directory will belong to the group that the current directory belongs to. If the user has the W permission in this directory, the new file will have the same group as the group in this directory if the consumer creates a new file under this directory.

for Catalogs :

    • Users can enter this directory if they have r and X permissions for this directory

    • The user's valid user group in this directory (effective group) will become the user group for that directory

    • If the user has the W permission in this directory (a new file can be created), the user group of the new file that the users create is the same as the user group for this directory.


for files :

    • Sgid Useful for binary programs

    • Program performer must have x permission for the program

    • The performer will receive support for the program's user group during execution.


The Sticky Bit is only valid for the directory. Its role is:

    • When a user has w,x permissions for this directory, the file or directory created only has the right to delete itself and root.

In other words: When a user has a group or other person's identity for a directory, and has the W permission for the directory, this means that a user can "delete, rename, move" The directory or file created by anyone in that directory. However, if the a directory is added to the Sticky bit permission bit, a can only for the file or directory you create "Delete, rename, move" and so on, and can not change the others. The most representative is the/tmp directory.



File preset permissions: umask

In the default case:

    • If the user creates the "file" then the default does not have the executable (x) permission, namely only R, W these two options, namely the maximum is 666, the default permissions are as follows:-rw-rw-rw-

    • If the user creates a new directory, the default is open for all permissions because X is related to whether it can enter this directory, which is 777, and the default permissions are as follows: drwxrwxrwx

How to view the default umask:

[Email protected] ~]# umask0022[[email protected] ~]# Umask-su=rwx,g=rx,o=rx

Umask's score refers to the permission that the default value needs to be dropped; assuming that Umask is 022


When creating a new file: (-rw-rw-rw-)-(-----w--w-) = (-rw-r--r--)

When creating a new directory: (DRWXRWXRWX)-(-----w--w-) = (drw-r-xr-x)

Umask's configuration file is:/etc/profile or ~/.profile or ~/.bash_profile, can change its default umask by modifying the Umask value in these files.



This article is from the "Share Your Knowledge" blog, so be sure to keep this source http://skypegnu1.blog.51cto.com/8991766/1620167

Linux Basics: File permissions

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.