Linux file access permission-detailed explanation of mode bit problems

Source: Internet
Author: User


I. Preface

This article describes how to set access permissions for ordinary files and directories in Linux. It is written for beginners who already have a little background (I am also a beginner). If you can already understand what the following lines of 'ls -l' output mean, you do not need to read this article: your time is the most precious thing you have!

-r-sr-xr-x 1 root bin 26975 Jun 24 1999 0:32 /usr/bin/passwd ----------- 1.1
-rwxrwsr-x 1 zyd 12506 Oct 29 test_euid ----------------------- 1.2
drwxrwxrwt 5 root root 1024 Nov 1 01:34 /tmp ---------------------- 1.3
-rwxr-xr-x 2 zyd 32506 Oct 19 hard_link --------------------- 1.4
lrwxr-xr-x 1 zyd 1 Oct 23 :40 sym_link -> /tmp/sym_target ----------- 1.5


II. Introduction to the output format of the 'ls -l' command

The 'ls -l' command displays the file list in long format. The meaning of each field is as follows:

lrwxr-xr-x 1 zyd users 15 Oct 23 :40 sym_link -> /tmp/sym_target

Reading the line from left to right:
1. l ............ file type (type), one character
2. rwxr-xr-x .... file mode, nine characters
3. 1 ............ link count (count)
4. zyd .......... file owner (user)
5. users ........ file group (group)
6. 15 ........... file length in bytes (size)
7. Oct 23 :40 ... last modification time (time)
8. sym_link ..... file name (name)
9. -> /tmp/sym_target ... symbolic link target (s_link), shown only for symbolic links

Every file and directory has all of these fields except s_link, which only symbolic links have. The meanings of user, group, time and name are self-explanatory and this article does not introduce them further; the other fields are introduced in the sections below.

III. File type (type)

Linux supports the following types of files:
1. Ordinary file ==========> -
2. Directory file =========> d
3. Symbolic link ==========> l
4. Character device file ==> c
5. Block device file ======> b
6. Named pipe (FIFO)
7. Socket

FIFO and socket are beyond the scope of this article. Other files are described as follows:

1. Ordinary files: ordinary files are... ordinary files (what a tautology!). The file myfile created with 'vi myfile' is an ordinary file, and so are executable binaries, script files, ASCII text files, data files, configuration files... Does this need any more explanation?

2. Directory files: a directory can be thought of as a container holding other files and/or other directories. It is a special file whose content consists of directory entries; each directory entry has two parts, the file name and the inode number, and the pairing of the two is called a link. We introduce inodes in more detail in the next section.

3. Device files: have you ever used DOS? Suppose our machine has only the three DOS system files io.sys, msdos.sys and command.com, but you need to edit an English document and print it later. What can you do?

copy con mydoc.txt

(type the document content here)

^D ; end and save

copy mydoc.txt > prn ; print the document

If you are familiar with this procedure, you already understand device files. con and prn are two device files defined by DOS, corresponding to the terminal and the parallel printer port respectively. This design frees the user from having to understand the hardware details of the device: external devices are used in the same way as ordinary files.

In Linux, device files are divided into three categories: character devices, block devices and network devices. Distinguishing them accurately would need a separate, longer and smellier article. Roughly: character devices read data directly without a buffer, for example a serial port or a terminal; block devices read through a buffer and can only transfer a certain number of blocks at a time, for example a disk must read at least one sector (say 512 bytes) at a time, and block devices support random read/write. Network devices are the sockets mentioned above; I am not familiar with them, so I will not say more. Device files are usually stored in the /dev directory; run ls -l there to see what is available. The focus of this article is ordinary files and directories, so device files get only this brief mention.

IV. Inodes, hard links and link count

1. Index node (inode):

In Linux, every file is assigned an inode number (index node). An inode can be understood simply as a pointer that always points to a specific storage location. The system locates each file by its inode, not by its file name. For example:

Suppose we have created a text file named mytext in the current directory on the hard disk, with only one line of content:
This is my file.
Of course, this line of text must be stored at a specific location in the data area of the disk (physically it is described by head number, cylinder number and sector number; in this example the values are 1, 20 and 30 respectively).
Assuming the inode is 262457, the system is able to convert the inode into that specific physical address (head 1, cylinder 20, sector 30) and finally read the file content: "This is my file."
Therefore an inode is the number of a pointer to a file's data area. One inode corresponds to exactly one physical data area in the system, and two files located in different physical data areas must correspond to two different inode numbers.

The file copy command:
# cp /home/zyd/mytext newfile
creates a new file newfile in the current working directory. The actual operation consists of three steps:
1. Add a directory entry to the current directory, fill in newfile in the file name field, and assign a new inode, assumed to be 262456.
2. Copy the content of the original file (at head 1, cylinder 20, sector 30) to a new free physical block (assumed to be head 1, cylinder 20, sector 31).
3. Fill in the other key information so that the system can convert the inode number into the physical address.

Therefore copying a file allocates a new inode and a new data area, even though the content of the two files is the same.

2. Hard links:
When we use a file, we generally refer to it by file name. From the discussion above we know that one inode number corresponds exactly to the data area of one file. Can two or more different file names in one file system correspond to the same file? The answer is yes. We know that the inode number is recorded in the directory entry for the file name; if we make the directory entries of two or more file names carry the same inode value, they in fact refer to the same file. If there are several directory entries with the same inode number, we say that the file has that many hard links. For ordinary files, the count field of ls -l is the number of hard links of the file. Hard links are created with the ln command, for example:
# ln /home/zyd/mytext hardlink_mytext
creates a new file hardlink_mytext whose inode is also 262457. Creating a hard link only adds a directory entry; it does not copy the file's data area. The original data area is shared by the two files. This saves a lot of disk space and guarantees that the two files are always updated together.

'ls -il' displays the inode of each file (at the far left below):

262456 -rw-r--r-- 1 zyd 17 Nov 3 14:52 newfile
262457 -rw-r--r-- 2 zyd 17 Nov 3 14:50 hardlink_mytext
262457 -rw-r--r-- 2 zyd 17 Nov 3 14:50 mytext

3. Link count:

As described above, the link count field of a file shows how many directory entries in the system have the same inode as this file, that is, how many hard links the file has. In the example above, the count of hardlink_mytext and of mytext is 2.

What then is the meaning of the count field of a directory? The count of a directory also indicates how many directory entries point to this directory, but explaining the details requires going further into the structure of the VFS file system. For simplicity, just remember this: (count - 2) equals the number of subdirectories (children only, not grandchildren!). For example, if the count field of the directory /abc is 5, then /abc must contain three subdirectories.

So far we have introduced the important concepts of ordinary files, directory files, device files, hard links, link count and inodes.

4. Further explanation:

A hard-linked file is not a new type of file. Two files that are hard links of each other are both ordinary files (can someone tell me: can other types of files be hard-linked?). Apart from the name and/or the directory, the two are identical: when the length, content or modification time of one changes, the other changes accordingly, and changing the mode bits of one changes the other in the same way.

Note that a link count of 2 means that two directory entries point to the same inode.
When we delete a file, the system first computes count - 1 -> count. If the result is zero, the directory entry and the data area are deleted; otherwise only the local directory entry is deleted, the data area is kept and can still be accessed through the other file name. Based on this property, you can create a hard link to an important file to protect it from being deleted by mistake.

The number of inodes a file system allows is limited. If there are too many files, even if every file is a 0-byte empty file, the system will eventually be unable to create files because the inode space is exhausted. So when a file cannot be created, first check whether there is space left in the data area of the disk (with the du command), and then check the inode space.

Files that are hard links of each other must be on the same file system. The root device and every partition, floppy disk, NFS share or optical drive that needs mounting is an independent file system. Every file system has its own device number, and files with the same inode number on different file systems have no relation to each other. The system uniquely identifies a file by the combination of device number and inode number.

Linux supports many file systems because it provides a Virtual File System (VFS) layer. This layer of software hides the differences in the underlying structure of the actual file systems and gives the system a uniform interface for accessing files on different file systems. In fact many file systems have no inode structure at all, and their directory structure also differs from the one discussed above; through VFS, however, the system presents a virtual, consistent inode and directory-entry structure. So the inode actually shown by 'ls -il' should be the VFS inode, that is, an inode data structure that exists in memory and is not necessarily the real on-disk structure. The ext2 file system, which was designed for Linux, does use real inodes, so for ext2 we can regard the hard link concept discussed above as entirely accurate.

It does not matter if you cannot follow the last two paragraphs of this section. As you learn more, you will come to understand them.

V. Symbolic links

Hard links cannot be created between files on different file systems, but a symbolic link can do the job. A symbolic link is an independent file type. It has its own data area, but the content of that data area is only the path name of the file it points to. In example 1.5 in the preface, the file sym_link is a symbolic link to the file /tmp/sym_target. If we cat sym_link, the system automatically opens the file it points to rather than showing the sym_link file itself. Note that the length of sym_link is 15, which is the length of the string /tmp/sym_target. The ln command is used as for hard links, but the '-s' option must be added:

# ln -s /home/zyd/file_system/mytext my_sym_link
# ls -li my_sym_link
262458 lrwxrwxrwx 1 zyd 28 Nov 3 my_sym_link -> /home/zyd/file_system/mytext

Question: when creating a symbolic link, you usually need to give the absolute path of the target file. Why?
(Note: if we want users to be able to run /usr/local/my_bin/myproc from any current directory, we run:
# cd /usr/local/bin
# ln -s ../my_bin/myproc)
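The following shell script is an added example, not part of the original article, that reproduces the inode, hard link, link count and symbolic link behaviour described in sections IV and V on a scratch directory. It uses GNU stat(1) and readlink(1); the file names mytext, hardlink_mytext, newfile, sym_link and the local/bin -> local/my_bin layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): inode numbers, hard links,
# copies, directory link counts and symbolic links, shown with GNU stat(1)
# and readlink(1) in a scratch directory. All file names are constructed.

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT        # remove the scratch directory on exit

inode_of() { stat -c '%i' "$1"; }     # inode number behind a name
links_of() { stat -c '%h' "$1"; }     # hard link count of that inode
size_of()  { stat -c '%s' "$1"; }     # file length in bytes (lstat: a symlink's own size)

# true when two names share one inode, i.e. they are hard links of each other
same_inode() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }

# the article's (count - 2) rule: number of subdirectories of a directory
# (holds on ext2/3/4 and tmpfs; btrfs directories always report a count of 1)
subdir_count() { echo $(( $(links_of "$1") - 2 )); }

# the path string stored in a symbolic link's own data area
symlink_target() { readlink "$1"; }

# --- build the scenario from the article ---
cd "$demo_dir"
printf 'This is my file.\n' > mytext          # 17 bytes, like the article's mytext
ln mytext hardlink_mytext                     # second directory entry, same inode
cp mytext newfile                             # new inode, new data area, same content
mkdir -p abc/sub1 abc/sub2 abc/sub3           # a directory with three subdirectories
ln -s /tmp/sym_target sym_link                # symlink whose data is the 15-byte path string
mkdir -p local/bin local/my_bin
printf '#!/bin/sh\necho hello\n' > local/my_bin/myproc
ln -s ../my_bin/myproc local/bin/myproc       # relative link, resolved from local/bin

# --- report ---
ls -il mytext hardlink_mytext newfile
printf 'mytext and hardlink_mytext share an inode: %s\n' \
  "$(same_inode mytext hardlink_mytext && echo yes || echo no)"
printf 'mytext and newfile share an inode: %s\n' \
  "$(same_inode mytext newfile && echo yes || echo no)"
printf 'link count of mytext: %s, of newfile: %s\n' "$(links_of mytext)" "$(links_of newfile)"
printf 'subdirectories of abc by the (count - 2) rule: %s\n' "$(subdir_count abc)"
printf 'sym_link stores "%s" (%s bytes)\n' "$(symlink_target sym_link)" "$(size_of sym_link)"
printf 'local/bin/myproc through the relative link says: %s\n' "$(sh local/bin/myproc)"
```

Deleting hardlink_mytext afterwards would only drop the count of the shared inode from 2 to 1, exactly as section IV.4 describes, while the data stays reachable through mytext. The relative link local/bin/myproc is resolved relative to the directory that contains the link, which is why the article's ln -s ../my_bin/myproc trick works from any current directory.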

VI. File mode

The chmod command is used to change the permissions that users have on a file.
In Linux, a 16-bit word stores the type and mode of each file. The high 4 bits determine the type of the file through their combination; they are written when the file is created and cannot be changed by the user. Next we introduce the 12 mode bits:

Bit  | 11 10 9 | 8 7 6 | 5 4 3 | 2 1 0
-----|---------|-------|-------|------
Mode |  s  s t | r w x | r w x | r w x
     | special | owner | group | other

Each of these four groups of three bits has a special meaning. The high group of the lower nine bits (bits 8, 7, 6) determines the permissions of the file owner, the next group (bits 5, 4, 3) determines the permissions of the file's group, and the lowest group (bits 2, 1, 0) determines the permissions of users other than the owner and the group.

Within each of the lower three groups, the read bit is the highest, the write bit is in the middle and the execute bit is the lowest; a 1 means that the group has the corresponding permission. For example, if bit 6 is 1, the owner can execute this file; if bit 4 is 1, other users in the same group can write this file; if bit 2 is 1, other users can read this file. The three bits of each group form one octal digit, so the permissions can be expressed as three octal digits. For example:
111 101 100 is 754, and the command chmod 754 filename lets the owner of filename read, write and execute it, lets other users in the group read and execute it but not modify it, and lets other users only read it.

Bit 11 is the SUID bit, bit 10 is the SGID bit, and bit 9 is the sticky bit.
If the SUID bit is set on an executable file, the process running that file has the same permissions as the file's owner. /usr/bin/passwd has the SUID bit set and its owner is root, so when any user runs it the process has root permissions. This is why ordinary users can use the passwd command to change their own login password (what actually changes is the /etc/shadow file, which only root may read and write). If the SUID bit is set and the owner execute bit is also set, ls shows s in the owner execute position instead of x; if the owner execute bit is not set, it shows an upper-case S.

SGID corresponds to SUID: if the SGID bit is set and the group execute bit is set, the group execute position shows s; otherwise it shows S.

The sticky bit is shown as t or T in the execute position of other users in the output of ls -l. For executable files, the sticky bit can be set to keep a copy of the program text in swap after the first run; since files in the swap partition are stored contiguously, the program can be loaded into memory quickly for the next run. For modern file systems this function has no practical significance.

If the sticky bit is set on a directory, only users who have write permission on the directory and also meet one of the following three conditions can delete or rename the files in it:
1. The superuser root.
2. The owner of the directory.
3. The owner of the file to be deleted or renamed.
Linux uses this feature for the /tmp directory: anyone can store files in this directory, but only the file's owner and root can delete or rename them.

The last thing to discuss is the exact meaning of the read, write and execute bits of a directory. Beginners often misunderstand the permission bits of a directory, mainly because they do not understand the exact structure of the file system.
For a directory, r means reading the directory, w means writing the directory, and x means searching the directory (note: not executing it).

From the discussion above we know that a directory is in fact a special file made up of directory entries, and that each directory entry holds the file name and inode of one file below the directory. So read permission on a directory is permission to read its directory entries, which lets you obtain the list of file names it contains. Similarly, write permission on a directory is permission to change the directory file (add, delete and rename directory entries), which in practice is permission to create, delete and rename files in the directory. Search permission can be understood in general as permission to pass through the directory in order to operate on the content of the files, including opening a file and obtaining further details of the file.

A more everyday comparison is a set of boxes containing medicines. On a large medicine chest (the root directory) we stick a label (the directory name) that reads "medicines", and below it list "penicillin" and "cold medicine" (the directory entries). Having x permission is equivalent to having the key that opens the chest: with the key we can open it (with x permission on the root directory we can enter it). After opening it we find a locked box labelled "cold medicine" (a subdirectory), which in turn lists "senmao Tong" and "senkang" ..., and next to it a bottle containing penicillin (a file).
If we need to take penicillin (equivalent to opening a file under the root directory), we must have the key to the big chest (x permission on the root directory) and the right to take the medicine (the corresponding file permissions); but if we need to take "shikang", we must also have the key to the small box. Read permission on a directory is equivalent to being able to read the label, and write permission is equivalent to owning a pen. Without any key we can still learn from the label what is in the big chest, but we cannot know which medicines are in the small box; to find out, we must first open the big chest. If we want to add a new medicine to the big chest or take one out (equivalent to creating or deleting a file in the root directory), we must first be able to get into the big chest (x), and then have a pen (w) to change the label of the big chest accordingly.
With the metaphor above in mind, here is the formal description:
1. When we open any file (that is, whenever our command contains a final file name), every directory on the absolute path of the file name must have x (search) permission. You can enter a directory with the cd command only if you have x permission on it.
2. Read permission lets us obtain the list of file names in the directory with the ls command, but only if we also have x permission on all of the directory's parent directories (think of the story of the medicine chest).
3. Once the directory permissions are satisfied, the final reading, writing and execution of a file depend on the file's own permissions.
4. As long as you have write permission on a directory and search permission on all of its parent directories, you can create and delete files in that directory, even if the file is not yours!!!
5. The superuser is exempt from most file permission checks.
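As an added example (not from the original article), the following script builds three small directories that play the role of the medicine boxes above and probes what ls and cat can do under each combination of r and x on the directory. The directory names xonly, ronly and deep/inner and the file contents are constructed. It must run as an ordinary user: as rule 5 says, root bypasses these checks, so the probes all answer yes for root.

```shell
#!/bin/sh
# Added example (not from the original article): what read (r) and search (x)
# on a directory actually allow. Run as an ordinary user; root bypasses the
# checks. Directory and file names are constructed for the demonstration.

box=$(mktemp -d)
# restore x before removing, otherwise rm cannot descend into the locked boxes
trap 'chmod 700 "$box/xonly" "$box/ronly" "$box/deep"; rm -rf "$box"' EXIT

mkdir "$box/xonly" "$box/ronly" "$box/deep" "$box/deep/inner"
printf 'penicillin\n'    > "$box/xonly/f"
printf 'penicillin\n'    > "$box/ronly/f"
printf 'cold medicine\n' > "$box/deep/inner/f"
chmod 100 "$box/xonly"   # search only: the key, but no label to read
chmod 400 "$box/ronly"   # read only: the label, but no key
chmod 600 "$box/deep"    # no x on the parent: nothing below it is reachable,
                         # even though deep/inner itself is still rwxr-xr-x

# can_list DIR  -> yes/no: can we read the directory entries (needs r on DIR)?
can_list() { if ls "$1" >/dev/null 2>&1; then echo yes; else echo no; fi; }
# can_read FILE -> yes/no: can we open the file (needs x on every directory
#                  on the path, then r on the file itself)?
can_read() { if cat "$1" >/dev/null 2>&1; then echo yes; else echo no; fi; }

for d in xonly ronly deep/inner; do
  printf '%-11s list names: %-3s  open file inside: %s\n' \
    "$d" "$(can_list "$box/$d")" "$(can_read "$box/$d/f")"
done
```

Run as a normal user this prints no/yes for xonly (rule 1: x alone lets you open a file whose name you already know), yes/no for ronly (rule 2: r alone lets you see the names but not reach the files), and no/no for deep/inner (rule 2 again: the missing x on the parent blocks everything below it).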

Questions:
1. Why is the default permission of a newly created directory rwxr-xr-x?
2. Suppose there is a subdirectory test in your current directory on which you have read and write permission but not search permission. Which of the following commands can be executed successfully? Why?
ls test
ls -l test
cd test
del test/new_file
ln test/new_file up_file

VII. Changing the file mode

The chmod command is used to change the file mode. Take the low 12 bits of the mode in groups of three, write each group as one octal digit (a permission bit that is set counts as 1, otherwise 0), and pass the resulting four octal digits as the first argument of chmod, followed by the list of file names whose permissions should change. For example:

# chmod 4752 this.file
sets the SUID bit (4) of this.file; the owner can read, write and execute it (7); other users in the same group can read and execute it but not modify it (5); other users can only write it, not read or execute it (2). Which permission bits does this set? I am sure it is a little tricky :)
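The following shell function is an added example, not from the original article: it converts a ten-character ls -l mode string such as -rwsr-x-w- into the four octal digits chmod takes, applying the rules for the r/w/x groups from section VI and for the s/S and t/T special positions, and then checks itself against chmod 4752 and GNU stat(1) on a constructed scratch file.

```shell
#!/bin/sh
# Added example (not from the original article): turn a ten-character ls -l
# mode string into the four octal digits chmod takes, covering the SUID, SGID
# and sticky positions (s/S, s/S, t/T), then verify against chmod and GNU
# stat(1) on a constructed scratch file.

# mode_to_octal MODESTRING -> four octal digits, e.g. "-rwsr-xr-x" -> 4755
mode_to_octal() {
  s=${1#?}                        # drop the file-type character; nine chars remain
  special=0 perm=0 i=0
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}               # first remaining character
    s=${s#?}                      # the rest
    group=$(( 3 * (2 - i / 3) ))  # shift: owner 6, group 3, other 0
    bit=$(( 1 << (2 - i % 3) ))   # r=4, w=2, x=1 inside the group
    case $c in
      r|w|x) perm=$(( perm | (bit << group) )) ;;
      s|S)   # SUID sits in position 2 (owner x), SGID in position 5 (group x)
             if [ "$i" -eq 2 ]; then special=$(( special | 4 )); else special=$(( special | 2 )); fi ;;
      t|T)   special=$(( special | 1 )) ;;          # sticky bit in position 8 (other x)
    esac
    case $c in
      s|t) perm=$(( perm | (1 << group) )) ;;       # lower case: the execute bit is set too
    esac
    i=$(( i + 1 ))
  done
  printf '%d%03o\n' "$special" "$perm"
}

# mode_of FILE -> the symbolic and octal mode the kernel reports (GNU stat)
mode_of() { stat -c '%A %a' "$1"; }

# --- check the parser against chmod on a scratch file ---
f=$(mktemp)
trap 'rm -f "$f"' EXIT
chmod 4752 "$f"      # the article's example: SUID, rwx owner, r-x group, -w- others
printf 'chmod 4752 gives:          %s\n' "$(mode_of "$f")"
printf 'parsed back from ls form: %s\n' "$(mode_to_octal "$(stat -c '%A' "$f")")"
printf 'passwd in the preface:     %s\n' "$(mode_to_octal -r-sr-xr-x)"
printf '/tmp in the preface:       %s\n' "$(mode_to_octal drwxrwxrwt)"
```

The two case statements mirror the two facts the section states: s, S, t and T live in the execute positions and only set the high octal digit, while a lower-case letter additionally means the underlying execute bit of that group is on.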

