Permissions on the Linux file system
First, let's look at how to change a file's owner and owning group
Change the owner of a file: chown
chown [OPTION]... [OWNER][:[GROUP]] FILE...
Usage
OWNER: change only the owner
OWNER:GROUP: change both the owner and the owning group
:GROUP: change only the owning group
The colon in the command can also be written as a dot (.)
-R: recursive
chown [OPTION]... --reference=RFILE FILE...
Set the owner and owning group of FILE to the same values as RFILE
Change the owning group of a file: chgrp
chgrp [OPTION]... GROUP FILE...
chgrp [OPTION]... --reference=RFILE FILE...
-R: recursive
Now let's look at file permissions in the Linux system
File-system permissions apply to files and directories, and they are defined for three classes of accessor:
Owner: the user who owns the file, u
Group: the owning group, g
Other: everyone else, o
For each class, a file defines three permissions:
r: readable
w: writable
x: executable
The permissions mean different things for files and directories:
File:
r: the file's contents can be read with a file-viewing tool
w: the file's contents can be modified
x: the file can be handed to the kernel and started as a process
Directory:
r: the list of file names in the directory can be viewed with ls
w: files can be created in, or deleted from, the directory
x: ls -l can show the details of the files in the directory, and cd can enter the directory
One more symbol, a capital X:
X: grants execute permission to directories only (and to files that are already executable), not to ordinary files; for example chmod -R a+X
Here it is necessary to describe how permissions are applied in the Linux file system:
Take ls -l /etc/issue as an example
-rw-r--r--. 1 root root (Jul) 09:24 /etc/issue
Then run cat /etc/issue
1. First, check whether the user who started the command is the owner of the file; if so, the left three permission bits apply, otherwise
2. check whether the user belongs to the owning group of the file; if so, the middle three permission bits apply, otherwise
3. the right three permission bits ("other") apply
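The three-step check above, written out as a small shell function. This is an added example and not code from the original post; the user and group names (alice, users, staff) are constructed for the demonstration, and the mode strings are taken in the form ls -l prints them.

```shell
# Added example, not from the original post: resolve which rwx triple of a
# mode string applies to a given user, following the three-step check above.
#   effective_perms MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
# MODE is the 10-character field from ls -l (for example -rw-r-----);
# the function prints the triple that the kernel would apply.
effective_perms() {
    mode=$1; owner=$2; group=$3; user=$4; user_groups=$5
    # Step 1: the initiator is the file's owner -> the left three bits apply.
    if [ "$user" = "$owner" ]; then
        printf '%s\n' "$mode" | cut -c2-4
        return
    fi
    # Step 2: the initiator is in the owning group -> the middle three bits apply.
    for g in $user_groups; do
        if [ "$g" = "$group" ]; then
            printf '%s\n' "$mode" | cut -c5-7
            return
        fi
    done
    # Step 3: neither -> the right three bits ("other") apply.
    printf '%s\n' "$mode" | cut -c8-10
}

# Constructed listing for /etc/issue as the post shows it: -rw-r--r-- root root
effective_perms '-rw-r--r--' root root alice 'alice users'    # r--
effective_perms '-rw-r--r--' root root root 'root'            # rw-
# The check stops at the first matching class, so an owner who is also in the
# group still gets the owner bits even when the group bits are wider:
effective_perms '----rwx---' alice staff alice 'alice staff'  # ---
```

Two things worth keeping in mind when reading the output: the classes are not combined, so the first class that matches decides everything (the last call shows an owner locked out of a file her own group can read), and root is not subject to these bits at all, since the kernel lets it bypass discretionary permission checks.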
We used rwx above to express permissions; here is another way to express them: each permission triple corresponds to a binary number, and that to a single octal digit
--- 000 0
--x 001 1
-w- 010 2
-wx 011 3
r-- 100 4
r-x 101 5
rw- 110 6
rwx 111 7
For example:
640: rw-r-----
rwxr-xr-x: 755
Now that we know what file permissions are, let's see how to modify them
chmod
chmod [OPTION]... OCTAL-MODE FILE...
-R: modify permissions recursively
chmod [OPTION]... MODE[,MODE]... FILE...
MODE:
To set all permissions of a class of users at once:
u= g= o= ug= a= u=,g=
To add or remove one or more permission bits of a class of users:
u+ u- g+ g- o+ o- a+ a- + -
chmod [OPTION]... --reference=RFILE FILE...
Set the permissions of FILE to the same values as RFILE;
Note: only the administrator can change the owner and owning group of a file;
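The octal form, the symbolic "=" and "+" forms, and the capital X described above, exercised on a throwaway directory tree and read back with ls -l. This is an added example, not code from the original post; the file names under the mktemp directory are constructed for the demonstration.

```shell
# Added example, not from the original post: exercise chmod's octal form,
# symbolic "=" and "+" forms and the capital X on a throwaway directory tree,
# reading each result back from ls -l. All paths are created under mktemp,
# so nothing here needs root or touches real files.
mode_of() {
    # First ten characters of ls -ld, e.g. -rw-r----- (drops any trailing + or .)
    ls -ld "$1" | cut -c1-10
}

chmod_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/sub"
    : > "$tmp/sub/data.txt"
    : > "$tmp/script.sh"

    chmod 640 "$tmp/sub/data.txt"        # octal mode: rw-r-----
    r1=$(mode_of "$tmp/sub/data.txt")

    chmod u=rwx,g=rx,o= "$tmp/sub"       # "=" replaces a class's whole triple
    r2=$(mode_of "$tmp/sub")

    chmod 644 "$tmp/script.sh"
    chmod u+x "$tmp/script.sh"           # "+" sets single bits and leaves the rest
    r3=$(mode_of "$tmp/script.sh")

    # Capital X grants execute to directories (and to files that are already
    # executable) only, so a recursive a+X does not make data.txt runnable
    # while it does open the sub directory for traversal by everyone.
    chmod -R a+X "$tmp"
    r4=$(mode_of "$tmp/sub/data.txt")
    r5=$(mode_of "$tmp/sub")

    rm -rf "$tmp"
    printf '%s %s %s %s %s\n' "$r1" "$r2" "$r3" "$r4" "$r5"
}

chmod_demo   # -rw-r----- drwxr-x--- -rwxr--r-- -rw-r----- drwxr-x--x
```

The capital X is the form to reach for when you want to open a tree for traversal (for example a web root) without turning every data file into an executable; a recursive a+x would do exactly that.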
The mask applied when a file or directory is created: umask
umask: the permission mask; it lists the permission bits that are removed by default
File:
666 - umask
Directory:
777 - umask
Note: a file starts from 666, which means a new file never has execute permission by default; if the subtraction leaves an execute bit (an odd digit) in the result, add 1 to that digit;
umask: 023
666 - 023 = 644
777 - 023 = 754
umask command:
umask: show the current umask
umask MASK: set the umask
Permissions of a new directory: 777 - umask
The umask of a non-privileged user is 002
The umask of root is 022.
umask -S: show the mask in symbolic form
umask -p: output in a form that can be reused as a command
Global setting: /etc/bashrc; per-user setting: ~/.bashrc
Note: a umask set on the command line is only valid for the current shell process;
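The umask arithmetic above, computed the way the kernel actually does it and then checked against a file and a directory created under that umask. This is an added example and not code from the original post; the temporary file and directory names are constructed.

```shell
# Added example, not from the original post: compute the default mode of a
# new file (base 666) and a new directory (base 777) under a given umask, and
# confirm it against what the shell really creates. The kernel clears every
# bit that is set in the umask, mode = base & ~umask, which is the exact form
# of the "subtract, and add 1 to a digit that ends up odd" shortcut above.
default_mode() {
    base=$1; mask=$2                    # octal strings, e.g. 666 and 023
    printf '%03o\n' "$(( 0$base & ~0$mask ))"
}

# Create one file and one directory under the given umask (in a subshell so the
# caller's umask is untouched) and print their ls -l mode fields.
observe_modes() {
    mask=$1
    tmp=$(mktemp -d) || return 1
    (
        umask "$mask"
        : > "$tmp/f"
        mkdir "$tmp/d"
    )
    f=$(ls -ld "$tmp/f" | cut -c1-10)
    d=$(ls -ld "$tmp/d" | cut -c1-10)
    rm -rf "$tmp"
    printf '%s %s\n' "$f" "$d"
}

default_mode 666 023    # 644, as in the post
default_mode 777 023    # 754
default_mode 666 027    # 640: digit-wise subtraction cannot express this one (6 - 7)
observe_modes 027       # -rw-r----- drwxr-x---
```

The bitwise form is worth remembering because the digit-by-digit subtraction only works while every umask digit is a subset of the base digit; with a umask such as 027, which is common on hardened hosts, only the AND gives the right answer.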
Special permissions on the Linux file system
There are three special permissions on the Linux file system: SUID, SGID and sticky
First, recall that the Linux permission model is made up of a mode and an owner
Mode: rwx
Owner: ugo
Here we need to describe the security context:
A process also has an owner and a group;
1) Any executable program file can be started as a process, provided the initiator has execute permission on the program file
2) Once started as a process, the owner of the process is the initiator and the group of the process is the initiator's group
3) The permissions the process has on a file depend on the initiator of the process:
a) if the initiator of the process is the owner of the file, the file's owner permissions apply
b) if the initiator of the process belongs to the file's owning group, the file's group permissions apply
c) otherwise the file's "other" permissions apply
SUID: set UID
Premise: the file is a command with execute permission
Any executable program file can be started as a process, provided the initiator has execute permission on the program file
When it is started as a process, the owner of the process is the owner of the program file (the effective identity of the process is not the initiator but the owner of the command file itself)
SUID is only meaningful on binary executable programs
SUID has no meaning on a directory
Permission settings:
chmod u+s FILE...
chmod u-s FILE...
In ls -l output this s may appear in either lowercase or uppercase:
when the owner also has execute permission, it is shown as lowercase s;
when the owner has no execute permission, it is shown as uppercase S;
SGID: set GID
SGID on an executable (SGID acting on a file):
Any executable program file can be started as a process, provided the initiator has execute permission on the program file
When it is started as a process, the group of the process is the owning group of the program file
Permission settings:
chmod g+s FILE...
chmod g-s FILE...
SGID on a directory (SGID acting on a directory):
By default, when a user creates a file, its owning group is the user's primary group
Once a directory has SGID set, any user with write permission on the directory creates files whose owning group is the directory's group
Typically used to create a shared collaboration directory
Permission settings:
chmod g+s DIR...
chmod g-s DIR...
Sticky: the sticky bit
In a directory with write permission, a user can normally delete any file in that directory, regardless of the file's permissions or ownership
With the sticky bit set on the directory, only the file's owner (or root) can delete the file
The sticky bit has no meaning on a regular file
Permission settings:
chmod o+t DIR...
chmod o-t DIR...
For example:
ls -ld /tmp
drwxrwxrwt 12 root root 4096 Nov 2 15:44 /tmp
Recall the numeric notation from earlier:
the three special bits also form a permission triple, in the order SUID SGID sticky, and can be expressed the same way:
SUID SGID STICKY
000 0
001 1
010 2
011 3
100 4
101 5
110 6
111 7
Example: chmod 4777 /tmp/a.txt
Permission bit mappings
SUID: user; it occupies the owner's execute permission bit
s: the owner has x permission
S: the owner does not have x permission
SGID: group; it occupies the group's execute permission bit
s: the group has x permission
S: the group has no x permission
Sticky: other; it occupies other's execute permission bit
t: other has x permission
T: other has no x permission
To set special file attributes:
chattr +i: the file cannot be deleted, renamed or changed (immutable)
chattr +a: the file can only be appended to
lsattr: display the special attributes
Access Control List
ACL: access control list, for flexible permission management
In addition to the file's owner, owning group and others, permissions can be set for additional users and groups
On CentOS 7.0 the XFS and ext4 file systems created by default have ACL support.
On versions before CentOS 7.x, a manually created ext4 file system has no ACL support by default; it has to be enabled manually:
tune2fs -o acl /dev/sdb1
mount -o acl /dev/sdb1 /mnt
ACL evaluation order: owner, named user, group (owning or named), others
Grant rwx access to files and directories for multiple users or groups
mount -o acl /directory
getfacl file|directory
setfacl -m u:wang:rwx file|directory
setfacl -Rm g:sales:rwx directory
setfacl -M file.acl file|directory
setfacl -m g:salesgroup:rw file|directory
setfacl -m d:u:wang:rx directory
setfacl -x u:wang file|directory
setfacl -X file.acl directory
On a file that has an ACL, the group column shown by ls -l is the mask value (the upper bound for named users, named groups and the owning group), not the traditional group permission
getfacl shows the special permission bits on a flags: line
A default ACL may grant x, but a file created in the directory does not inherit the x permission.
The base ACL entries (u::, g::, o::) cannot be deleted
setfacl -k dir: delete the default ACL entries
setfacl -b file1: remove all ACL entries
getfacl file1 | setfacl --set-file=- file2: copy file1's ACL to file2
The mask only caps the permissions of entries other than the owner (u::) and other (o::)
An entry's permissions are ANDed with the mask; the result is its effective permission
For a named user or group entry to take effect, its permissions must lie within the mask. setfacl -m mask::rx file
The --set option removes the original ACL entries and replaces them with new ones; note that you must include the u::, g:: and o:: base entries, rather than only adding entries as -m does. For example:
setfacl --set u::rw,u:wang:rw,g::r,o::- file1
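The mask rule above (entry AND mask = effective permission), applied to a getfacl listing. This is an added example, not code from the original post; the listing is constructed for the demonstration, reusing the post's user wang and group sales, and no ACL-enabled file system is needed to run it.

```shell
# Added example, not from the original post: read a getfacl listing and
# annotate every entry that the mask limits with its effective permissions,
# the same AND-with-mask rule described above. The listing below is
# constructed for this example; "wang" and "sales" are the post's names.
SAMPLE_ACL='# file: report.txt
# owner: root
# group: sales
user::rw-
user:wang:rwx
group::r--
group:sales:rw-
mask::r-x
other::---'

and_perms() {
    # Bitwise AND of two rwx strings, position by position.
    out=""; i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c"$i"); b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# Reads a getfacl listing on stdin; prints it with "#effective:" added to every
# named user, named group and owning-group entry whose permissions exceed the
# mask. The owner (user::) and other:: entries are never masked.
acl_effective() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]\{3\}\).*/\1/p')
    [ -n "$mask" ] || mask=rwx         # no mask entry: nothing is limited
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            user:?*:*|group:*)
                entry=${line%%[[:space:]]*}   # drop an existing #effective note
                perms=${entry##*:}
                eff=$(and_perms "$perms" "$mask")
                if [ "$eff" = "$perms" ]; then
                    printf '%s\n' "$entry"
                else
                    printf '%s #effective:%s\n' "$entry" "$eff"
                fi ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

With the sample mask of r-x, wang's rwx entry is cut down to r-x and the sales group's rw- to r--, while user::rw- and other::--- pass through untouched. The real getfacl prints the same "#effective:" comments (tab-separated) for masked entries; reimplementing them makes the rule explicit and is a handy check when a user reports that an ACL grant "does nothing", which is usually a mask that a later chmod on the group bits tightened.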
Backup and restore ACLs
The main file operation commands cp and mv both support ACLs, but cp needs the -p option. Common backup tools such as tar, however, do not preserve ACL information for directories and files
# getfacl -R /tmp/dir1 > acl.txt
# setfacl -R -b /tmp/dir1
# setfacl -R --set-file=acl.txt /tmp/dir1
# getfacl -R /tmp/dir1
This article is from the "11798474" blog; please keep this source when reposting: http://11808474.blog.51cto.com/11798474/1834613