permissions, special permissions, ACLs under Linux

Source: Internet
Author: User
Tags: file permissions

First of all, Linux is a multi-user operating system, which raises the following problem. Suppose there is a file called file1 owned by the user user1, and user1 belongs to the project group G1. He wants his project colleagues to be able to view and modify this file, but he does not want anyone else to see its contents, let alone edit it. Solving this problem depends on the permissions discussed below: by configuring file permissions, we can give different users or groups different access rights to the same resource.

Ugo Model

The so-called ugo refers to the three identities a user can have relative to a file: u, the owner (user) of the file; g, the group the file belongs to; and o, other users who are neither the owner nor members of the group.
With users divided into these categories, the next question is which permissions a file can carry. In Linux a file's permissions are rwx: read, write and execute. For a regular file (not a directory), read permission means the user can only view the contents; write permission lets the user modify the contents (read is not required in order to modify); execute permission is more sensitive: it is meaningless for a plain data file, but as soon as the file contains executable content it means the user can run it (only execute permission is needed to execute, read is not required), so execute permission should not be granted to anyone unless it is necessary.
With this, the example above is easy to solve: give the owner rw, set the file's group to G1 and give the group rw, and give others no permissions at all. Now let's look at what the permission bits in a file listing mean. Use the ll command to view the file details:

-rw-r--r--. 1 root root      0 Apr  3 21:17 file1

In -rw-r--r--., the first character is the file type (- means a regular file). The next 9 characters, in groups of 3, are the ugo permissions (- means the corresponding permission is absent). The last character is the ACL flag: + means the file has ACL permissions set (the . shown here indicates an SELinux security context and no ACL entries).

chown: Modifying the Owner

The chown command modifies the owner of a file, both the owning user and the owning group (only root can change a file's owner; ordinary users cannot).

chown user1.g1 file1    \\ change file1's owner and group to user1 and g1

chown accepts the -R option to process a directory recursively:

chown -R username dir   \\ process the directory dir and the files under it recursively

chgrp: Modifying the Owning Group

chgrp is used in the same way as chown, though it is needed less often; it also supports -R for recursion:

chgrp -R grpname dir    \\ process the directory dir and the files under it together

chmod: Modifying File Permissions

chmod is very flexible and very commonly used; file permissions can be specified in several different ways:

chmod u=rw,g=rw,o= file1    \\ set file1's permissions for u, g and o to rw, rw and none respectively

In the example above, the u, g and o in front of the equals sign give the scope of the change. They can be specified separately or together, or a can be used to modify all three at once, as follows:

chmod ug=rw,o= file1    \\ same effect as the previous command
chmod a=rw file1        \\ set the permissions of all users to rw

You can also use the - and + operators, as follows:

chmod u-w,g+r,o+r file1      \\ remove w from u, add r to g and o
chmod a-x file1              \\ remove x from all users on file1

Besides the symbolic approach, specifying the permissions numerically is even more common. In the numeric method 4, 2 and 1 stand for r, w and x respectively; add up the numbers of the permissions wanted for each of u, g and o, and pass the resulting three digits to chmod, for example:

chmod 660 file1         \\ set file1's permissions for u, g and o to rw, rw and none respectively

chmod also supports -R for recursion; no example is given here.

Extensions: Directory Permissions

A directory is a special kind of file, so the effect of rwx on a directory differs from its effect on a regular file. A brief summary, for reference:

r    can only list the names of the files under the directory, without details
rw   the same as r alone
w    useless on its own
rx   the usual combination for ordinary use
x    can enter the directory and execute programs under it
wx   cannot list the files under the directory, but can enter it and delete files in it

As you can see, this differs from regular files: for a directory, x is the fundamental permission, and rw alone makes no sense. Note also that w on a directory must not be handed out casually: a directory normally gets rx, and adding w gives the combination wx, which means users can delete files under the directory, so for a directory the wx combination is quite dangerous.

Default Permissions and Umask

When we create a new file or directory it receives a set of permissions, called the default permissions: 644 for a file and 755 for a directory. This default is determined by the umask. Run umask to view the current umask value; it has four digits, the first of which is the special-permission bit (suid, sgid, sticky). You can change the current user's umask by editing ~/.bashrc, or the global umask by editing /etc/bashrc. Unlike many explanations of umask found online, the relationship between umask and the default permissions described below is calculated more precisely.
First, the maximum default permission for a file is 666 and for a directory 777, and usually we compute the default as the maximum permission minus the umask. That works for directories, but for files some values do not match the actual result. With a umask of 125 the subtraction method gives a default file permission of 541, yet the file actually created turns out to have 642.
First the conclusion: the umask cancels the corresponding permissions. Specifically, convert the umask to binary; its 9 bits line up with the 9 bits of the ugo permission combination, where 1 stands for the corresponding permission and 0 for its absence. Then, in the maximum permission, cancel every permission whose umask bit is 1. For 666 (110 110 110) and umask 125 (001 010 101) this reads as follows: the first and second umask bits are 0, so nothing changes; the third umask bit is 1, but that permission bit is already 0, so it stays 0; the fourth umask bit is 0, unchanged; the fifth umask bit is 1, so that permission bit becomes 0 ... Carried through to the end, the resulting binary permissions are
110100010, which is 642.
Take a look at the following example:

[root@host ~]# umask 125
[root@host ~]# umask
0125
[root@host ~]# touch file
[root@host ~]# mkdir dir
[root@host ~]# ll
total 4
drw-r-x-w-. 2 root root 4096 Apr  4 18:06 dir
-rw-r---w-. 1 root root    0 Apr  4 18:06 file

However, the calculation above is too cumbersome. We can still simply subtract the umask from 666, but we must then add 1 to every resulting digit that is odd. Taking the example above: 666 - 125 = 541, and adding 1 to the odd digits gives 642.
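As an added example (not from the original post), the following shell snippet applies the bitwise rule above to a few common umask values and puts the result beside the subtraction shortcut and its odd-digit correction; the function names are my own. Note that plain subtraction borrows when a umask digit is 7, which is why only the bitwise form is reliable.

```shell
#!/bin/sh
# Added example, not from the original post: compute the default mode of a new file
# or directory from a umask with the bitwise rule described above, and compare it
# with decimal subtraction. Pure arithmetic; nothing is created on disk.

# effective_mode MAX UMASK -> octal mode actually applied, e.g. 666 125 -> 642
effective_mode() {
    # a leading 0 makes the shell read the constants as octal; ~ inverts the umask bits
    printf '%03o\n' $(( (0$1 & ~0$2) & 0777 ))
}

# naive_mode MAX UMASK -> plain decimal subtraction (the common shortcut)
naive_mode() {
    # prefix a 1 so that values such as 022 are not read as octal constants
    printf '%03d\n' $(( 1$1 - 1$2 ))
}

# fixed_mode MAX UMASK -> the shortcut plus the correction: add 1 to each odd digit
fixed_mode() {
    n=$(naive_mode "$1" "$2")
    d1=${n%??}; rest=${n#?}; d2=${rest%?}; d3=${n#??}
    printf '%s%s%s\n' $((d1 + d1 % 2)) $((d2 + d2 % 2)) $((d3 + d3 % 2))
}

# 027 shows the shortcut breaking: 6 - 7 borrows, so the digit is no longer a mode digit
for mask in 022 125 027; do
    printf 'umask %s: file %s (subtraction %s, corrected %s), dir %s\n' "$mask" \
        "$(effective_mode 666 "$mask")" "$(naive_mode 666 "$mask")" \
        "$(fixed_mode 666 "$mask")" "$(effective_mode 777 "$mask")"
done
```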

Special Permissions: suid, sgid, sticky

Let's start with the conclusion: suid is usually used to elevate privileges, sgid is used to inherit the group's permissions, and sticky is used to prevent users other than the owner from deleting files.


For example, an ordinary user wants to change their password, but changing the password necessarily modifies the contents of /etc/shadow, so let's look at the permissions of the shadow file:

----------. 1 root root 1077 Apr  3 23:33 /etc/shadow

All empty: apart from root, no user has permission to modify this file. Yet every user can clearly change their own password. This is suid at work, but the shadow file shows no such permission; it is actually set on /usr/bin/passwd. The principle is that when a user executes the passwd command, the system runs the program as root, and that is what suid does: when a program has suid set, an ordinary user who executes it runs it with the identity of the program's owner.
suid can be set with chmod, as follows:

chmod u+s file          \\ add suid to the given file
chmod 4777 file         \\ the number for the suid bit is 4

The suid bit is displayed in the x position of the owner's permission triplet, for example:

-rwsr-xr-x. 1 root root 30768 Nov 24  2015 /usr/bin/passwd

Because of how suid works, it has no meaning on ordinary data files or on directories; it takes effect only on binary programs.
!! Note: the permissions of a program are inherited from whoever launches it.


sgid is similar to suid: with suid the process inherits the owner's permissions, with sgid it inherits the owning group's permissions. In addition, setting sgid on a directory makes every new file created under it belong to the directory's group, as follows:

[mrhan@host tmp]$ mkdir dir
[mrhan@host tmp]$ ll -d /tmp/dir
drwxrwxr-x. 2 mrhan mrhan 4096 Apr  4 19:01 /tmp/dir
[mrhan@host tmp]$ touch dir/file
[root@host tmp]# touch dir/file1
[root@host tmp]# ll dir
total 0
-rw-rw-r--. 1 mrhan mrhan 0 Apr  4 19:01 file
-rw-r---w-. 1 root  root  0 Apr  4 19:01 file1

In the example above, I first created the directory dir under /tmp as a normal user and created file under it, then created file1 under /tmp/dir as root. Although dir belongs to the normal user mrhan, the new file created by root still belongs to root (more precisely, to the creator's primary group). If I want every new file in dir to belong to mrhan, I need sgid.
sgid is set the same way as suid. The sgid bit is shown in the x position of the owning group's permission triplet. It can also be specified numerically: sgid corresponds to the number 2, and the method is otherwise the same as for suid.

[mrhan@host tmp]$ chmod g+s dir
[mrhan@host tmp]$ ll -d /tmp/dir
drwxrwsr-x. 2 mrhan mrhan 4096 Apr  4 19:01 /tmp/dir
[root@host tmp]# touch dir/file2
[root@host tmp]# ll dir
total 0
-rw-rw-r--. 1 mrhan mrhan 0 Apr  4 19:01 file
-rw-r---w-. 1 root  root  0 Apr  4 19:01 file1
-rw-r---w-. 1 root  mrhan 0 Apr  4 19:11 file2

In the example above, file2 was created in dir after sgid was configured, and its owning group defaults to the group that dir belongs to.


sticky, also known as the sticky bit: configuring sticky on a public directory prevents users from deleting files in that directory at will; they can only delete the files they own. sticky takes effect only on directories, its number is 1, and it is set the same way as suid. If a directory has 777 permissions and you do not want its files to be deleted arbitrarily, use the sticky permission; after that, users can only delete their own files.
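The following added shell script (mine, not from the original post) turns the three special bits into a hardening audit: it lists suid/sgid files and world-writable directories lacking the sticky bit, run against a constructed temporary tree whose names and modes are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit a tree for files carrying suid or
# sgid and for directories that are world-writable without the sticky bit, the cases
# discussed above. The temporary tree built below is constructed for the demo and
# removed afterwards; its names are invented.

# audit_special_bits ROOT -> one line per finding: KIND OCTAL-MODE PATH
audit_special_bits() {
    # -perm -4000 matches suid, -perm -2000 matches sgid (on files and directories)
    find "$1" \( -type f -o -type d \) \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for p; do printf "SPECIAL %s %s\n" "$(stat -c %a "$p")" "$p"; done' sh {} +
    # writable by others (-perm -0002) but without the sticky bit (! -perm -1000)
    find "$1" -type d -perm -0002 ! -perm -1000 -exec sh -c '
        for p; do printf "NOSTICKY %s %s\n" "$(stat -c %a "$p")" "$p"; done' sh {} +
}

# demo_tree -> creates the constructed tree and prints its root directory
demo_tree() {
    t=$(mktemp -d)
    mkdir "$t/bin" "$t/shared" "$t/public"
    : > "$t/bin/passwd"; chmod 4755 "$t/bin/passwd"   # suid binary, like /usr/bin/passwd
    : > "$t/bin/plain";  chmod 0755 "$t/bin/plain"    # ordinary executable, not reported
    chmod 2775 "$t/shared"   # sgid directory: new files inherit the group, as shown above
    chmod 0777 "$t/public"   # 777 without sticky: anyone may delete other users' files
    mkdir "$t/public/ok"; chmod 1777 "$t/public/ok"   # sticky set, so not reported
    printf '%s\n' "$t"
}

root=$(demo_tree)
audit_special_bits "$root"
rm -rf "$root"
```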

ACL: Access Control Lists

Back to the example above: for work reasons user1 wants the colleagues of another project group, G2, to be able to see the contents of file1 but not modify it, and there is a colleague user2, who is in no project at all, who needs to see the file and modify it when necessary. Clearly this requirement cannot be met with the simple ugo configuration; this is where ACL permissions come in.
An ACL (access control list) is used when a user does not fit any of the ugo categories, or when the rights of a particular user or group cannot be expressed by configuring ugo alone. It is simple to use:

setfacl -m g:g2:r file1      \\ give group g2 permission r on file1
setfacl -m u:user2:rw file1  \\ give user user2 permission rw on file1
setfacl -x g:grpname file    \\ remove the group's ACL entry from file
setfacl -x u:username file   \\ remove the user's ACL entry from file
setfacl -b file1             \\ clear all ACL rules on file1
        -d                   \\ -d sets a default ACL on a directory; files created under it get the ACL by default
        -M                   \\ -M reads a list of entries from a file and sets them in bulk;
                             \\ the file content uses the same format as the -m argument

Use getfacl file to view the ACL entries of the given file.
Once ACL permissions are set, the g section of the ugo permission bits becomes the mask permission: modifying that section with chmod is equivalent to setting the mask, and the mask caps the maximum permission any ACL entry can grant.
Tip: when a permission digit is odd, it must include x.
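The mask behaviour just described, as an added shell example that is not from the original post: it sets ACL entries on a constructed temporary file, tightens the group triplet with chmod, and reads the capped effective permission back from getfacl. The numeric ids 4201 and 4202 are placeholders standing in for user2 and g2 and need not exist on the system.

```shell
#!/bin/sh
# Added example, not from the original post: show how chmod on the group triplet
# rewrites the ACL mask and caps a named user's ACL entry, as described above.
# uid 4201 stands in for user2 and gid 4202 for g2; both are placeholder ids.

# acl_mask_demo FILE -> prints the effective permission of uid 4201 after chmod 640
# (expected r--), or returns 1 when the tools or filesystem do not support ACLs
acl_mask_demo() {
    f=$1
    # user 4201 gets rw, group 4202 gets r; setfacl also creates the mask entry
    setfacl -m "u:4201:rw-,g:4202:r--" "$f" 2>/dev/null || return 1
    # with an ACL present, the "4" in 640 no longer sets the group bits but the mask
    chmod 640 "$f"
    # getfacl flags capped entries with "#effective:"; extract that value for uid 4201
    getfacl -n "$f" 2>/dev/null |
        sed -n 's/^user:4201:rw-[[:space:]]*#effective:\([rwx-]*\).*/\1/p'
}

if command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1; then
    f=$(mktemp)
    echo "effective permission of uid 4201 after chmod 640: $(acl_mask_demo "$f")"   # r--
    getfacl -n "$f" 2>/dev/null   # full listing, including the mask line
    rm -f "$f"
fi
```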
