(GO) Linux Rights Management (basic permissions, default permissions)

I. Basic file Permissions 1-1. Modification of basic permissions

-rw-r--r--
-The first "-" indicates the file type (-file, D directory, l soft link file)
-rw-r--r--
U owner G-owned group O others
where R reads, W writes, X executes

(1). chmod [option] Mode file name
-Options
. -R recursion
-mode
[Ugoa] [+-=] [RWX]
[mode=421]

#为所有者添加rw权限, the owning group removes the W permission
chmod U+RW, G-w test.txt

Number representation of the permission (number of binary turns)
R---4;  W----2; x----1;
If Rwxr-xr-x, the corresponding 7 5 5

1-2. The role of permissions on files

R: Read file contents (cat more head tail)
W: Edit, add, modify file contents (vi echo)
-but does not contain delete files, because the file name and files data are stored in different locations
X: Access to Directory
Attention:
For files: The highest privilege is X
For the directory: the highest privilege is W

Head: Default is to view the first 10 lines of the file
Tail: The last 10 lines of the file are viewed by default
-n Specifies how many rows to view
MORE: Pause when full page is displayed, press empty SPACEBAR to continue to display the next page, or press Q to stop the display.

(2). Chown: Modify the owner of the file
Format: Chown User name File name

(3). CHGRP: Modify the owning group of the file
Format: CHGRP Group name File name

Instance requirements
-Have a test directory
-Let TestUser have all the permissions
-Let the user group have permission to view
-everyone else is not allowed to view this directory

[Python] View plain copy

2. # Have a test directory
4. [Email protected]:~$ ll-d Test
6. Drwxrwxr-x 3 Changwen changwen 4096 :test/
10. # Add a testuser user
12. [Email protected]:~$ sudo useradd testuser
16. # Set the user's password
18. [Email protected]:~$ sudo passwd testuser
20. Enter New UNIX Password:
22. Retype new UNIX Password:
24. Passwd:password updated successfully
28. # Add two users to a user group
30. [Email protected]:~$ sudo useradd-g usergroup user1
32. [Email protected]:~$ sudo useradd-g usergroup user2
36. # Set the owner of the test directory: owning group
38. [Email protected]:~$ sudo chown testuser:usergroup test
42. [Email protected]:~$ ll-d Test
44. Drwxrwxr-x 3 testuser usergroup 4096 :test/
48. # Set permissions by instance requirement
50. [Email protected]:~$ sudo chmod- test
52. [Email protected]:~$ ll-d Test
54. Drwxr-x--- 3 testuser usergroup 4096 :test/

Second, the file default permissions

(4). Unmak: View default Permissions
such as 0022
-First bit 0: File special permissions
-022: File default permissions
Temporary modification: umask 0002
Permanent modification: Vi/etc/profile

File default Permissions
1). Files cannot be created by default and must be manually assigned to execute permissions
2). So file default permissions up to 666
3). Default permissions need to be converted into letters and then subtracted
4). Default permissions after the file is established, 666 minus umask value
For example:
-File default maximum permission is 666, Umask value is 022
--rw-rw-rw-minus-----w--w-equals-rw-r--r--

Default Permissions for Directories
1). Directory default Permissions Max 777
2). Default permissions need to be converted into letters and then subtracted
3). Default permissions after the file is established, 777 minus umask value
For example:
-Directory default permissions Max 777, Umask value is 022
--rwxrwxrwx minus-----w--w-equals-rwxr-xr-x

Iii. Introduction to ACLs

ACLs are used to solve the problem of insufficient user identity

# See if partition ACL permissions are turned on
(5). DUPE2FS command is a command that queries the specified partition detail file system Information
Dupe2fs-h/dev/sda51
-H only displays information in the Super block, not disk block details

# temporarily turn on partition ACL permissions
Mount-o remount, ACL/
-Re-mount the root partition and mount the Add ACL permission

# permanently open partition ACL permissions (not recommended for modification)
Vi/etc/fstab
#加入acl
Then modify the UUID=C2CA6F57-B15C-43EA-BCA0-F239083D8BD2/EXT4 defalults ACL 1 1

# re-mount the file system or reboot the system for the changes to take effect
Mount-o remount/

3-1 Viewing and setting ACL permissions

# View ACL permissions
Getfacl file name

# Set ACL permissions
Setfacl option file name
-M Set ACL permissions
-X Deletes the specified ACL permissions
-B Remove All ACL permissions
-D Set Default ACL permissions
-K Remove Default ACL permissions
-R recursively Set ACL permissions

[Python] View plain copy

2. [Email protected]:~$ mkdir av
6. # Add owners and user groups, and set permissions on AV directory
8. [Email protected]:~$ sudo useradd Tony
10. [Email protected]:~$ sudo groupadd stu
12. [Email protected]:~$ sudo chown tony:stu av
14. # Set AV permissions
16. [Email protected]:~$ sudo chmod 770 av
20. # Add Lao Wang user and set password
22. [Email protected]:~$ sudo useradd LW
24. [Email protected]:~$ sudo passwd LW
26. Enter New UNIX Password:
28. Retype new UNIX Password:
30. Passwd:password updated successfully
34. # give R-x permissions to user LW, using "u: User name: Permissions" format
36. [Email protected]:~$ sudo setfacl-m u:lw:rx/home/changwen/av
40. # Assign ACL permissions to user group tgroup2. Using the "G: Group Name: Permissions" format
42. Setfacl-m G:tgroupt2:rwx/home/changwen/av

You can see that the user LW does not belong to the user group, nor to other groups, which is ACL permissions

3-2. Maximum effective permission and deletion

Above Getfacl AV can see there's a mask
Mask: is used to specify the maximum effective permissions. If I give the user ACL permissions, it is necessary and mask permission "phase" to get the user's true permissions.

# Modify Maximum effective permissions
Setfacl-m M:rx file name
-Set mask permission to R-x. Using the "M: Permissions" format

Remove ACL permissions
# Remove ACL permissions for the specified user
Setfacl-x u: User name File name

# Remove ACL permissions for user groups
Setfacl-x g: Group name File name

# Remove all ACL permissions for a file
Setfacl-b file name

3-3. Default ACL permissions and recursive ACL permissions

1). Recursion is the parent directory when you set ACL permissions, all sub-files and subdirectories also have the same ACL permissions. Recursive permissions can only be assigned to directories and cannot be assigned to files.
setfacl-m u: User name: Permissions-r file name
-R If you do not add R, the file created under this directory does not have ACL permissions
But add R, there will be permission overflow
Therefore, it is recommended to use less ACL permissions

2). The default ACL permissions are that if the default ACL permissions are set for the directory, then all new child files in the parent directory inherit the ACL permissions of the parent directory.
Setfacl-m d:u: User name: Permission file name

(GO) Linux Rights Management (basic permissions, default permissions)