Introduction, classification and implementation of permissions in Linux

Source: Internet
Author: User

Permissions:
DAC: Discretionary access control
A combination of rwx permission bits restricts which users may access a file and what they may do with it, and the file's owner administers these bits. Under DAC, permissions are managed with the user as the subject (user-oriented).
rwx, the three permissions: read, write, execute
What each permission means for a file and for a directory:
r  read     file: read its contents            directory: list the file names it contains
w  write    file: modify its contents          directory: create, delete or rename the file names it contains
x  execute  file: run it as a command          directory: enter it (cd), traverse it, view the attribute information of its entries

In the output of ll (ls -l), the first field holds 9 permission bits in three groups of three, each group independent of the others:
First group: the owner's permissions
Second group: the owning group's permissions
Third group: everyone else's (others') permissions
The DAC rule: which user, performing what action, on which file
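As an added illustration of the rule above (example code, not from the original post), this POSIX sh function evaluates a DAC decision the way the permission classes are selected: the owner's group of bits applies to the owner, the group's bits to a member of the owning group, and the others' bits to everyone else, with no fall-through to a more permissive class. All user and group names are constructed sample values.

```shell
# dac_check MODE OWNER GROUP USER USERGROUPS OP
#   MODE       the 9 permission characters from ls -l, e.g. rwxr-x---
#   USERGROUPS comma-separated list of the groups USER belongs to
#   OP         r, w or x
# Prints allow/deny with the class consulted; exit status 0 means allow.
# Names used below are constructed sample values, not real accounts.
dac_check() {
    mode=$1 owner=$2 group=$3 user=$4 usergroups=$5 op=$6
    # Exactly one class is consulted: owner, else group, else other.
    # A more permissive class is never consulted as a fallback.
    if [ "$user" = "$owner" ]; then
        class=owner; triple=${mode%??????}
    elif in_list "$group" "$usergroups"; then
        class=group; triple=${mode#???}; triple=${triple%???}
    else
        class=other; triple=${mode#??????}
    fi
    case $op in
        r) c=${triple%??} ;;                  # first char of the triple
        w) c=${triple#?}; c=${c%?} ;;         # middle char
        x) c=${triple#??} ;;                  # last char: x, s or t mean x is set
        *) echo "dac_check: OP must be r, w or x" >&2; return 2 ;;
    esac
    case $c in
        r|w|x|s|t) echo "allow ($class class $triple)"; return 0 ;;
        *)         echo "deny ($class class $triple)";  return 1 ;;
    esac
}

in_list() {   # in_list NAME COMMA_SEPARATED_LIST -> 0 if NAME is in the list
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# Demo on a constructed sample: a file owned by alice, group devs, mode rw-r-----
# ("|| :" keeps an expected deny from aborting a script run under set -e)
dac_check rw-r----- alice devs alice ""           w          # allow: owner class
dac_check rw-r----- alice devs bob   "users,devs" r          # allow: group class
dac_check rw-r----- alice devs bob   "users,devs" w || :     # deny: group has no w
dac_check rw-r----- alice devs carol "users"      r || :     # deny: other class
# The owner class is used even when it is the most restrictive one:
dac_check ---rwxrwx alice devs alice "devs"       r || :     # deny
```

The function models only the permission bits; on a real system root (CAP_DAC_OVERRIDE) bypasses the read and write checks, and ACL entries (covered below) add further rules to the decision.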
Command:
chmod: change mode, i.e. modify permissions
Syntax: chmod PERMISSION_VALUE FILENAME
The permission value can be written with symbolic identifiers or with digits.
Symbolic identifiers:
u: owner
g: owning group
o: others
a: u+g+o (all)
Assignment operators:
+: add the named permissions to the existing ones
-: remove the named permissions from the existing ones
=: set exactly the named permissions, regardless of what was set before
Permission identifiers: r w x
Examples:
chmod u+x FILE
chmod g-r FILE
chmod o=wr FILE
Digital identifiers:
r = 4
w = 2
x = 1
-: permission not granted (0)
With symbolic identifiers, a single permission bit can be changed on its own.
With digital identifiers, the values of all three permission groups must be written out in full.
Examples:
chmod 755 FILE
umask: the permission mask, which determines the default permissions of newly created files and directories
root: 022 or 0022 (the leading 0 is the mask for the special permission bits)
Normal user: 002 or 0002
Default permissions of a newly created directory: 777 - umask
Default permissions of a newly created file: 666 - umask
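An added example (not from the original post) that computes the default mode for a given umask. It uses the bitwise form base AND NOT umask, which gives the same result as the subtraction above for the usual masks 022 and 002 and stays correct for masks such as 077, where digit-wise subtraction would go negative. Assumes POSIX sh arithmetic, where a leading 0 marks an octal constant.

```shell
# default_mode UMASK file|dir  -> the 4-digit octal mode a new object receives
# UMASK is given in octal exactly as the umask command prints it (022, 0022, 077 ...).
default_mode() {
    mask=$(( 0$1 ))            # leading 0 forces octal interpretation
    case $2 in
        dir)  base=0777 ;;     # directories start from 777
        file) base=0666 ;;     # files start from 666 (never executable by default)
        *) echo "usage: default_mode UMASK file|dir" >&2; return 2 ;;
    esac
    # The mask clears bits. For 022/002 this equals the digit subtraction
    # 777-umask / 666-umask, but 666-077 done digit by digit would go negative,
    # whereas the bitwise form correctly yields 600.
    printf '%04o\n' $(( base & ~mask ))
}

# Demo: root's default mask, a normal user's mask, and a private 077 mask
for m in 022 002 077; do
    printf 'umask %s: dir %s, file %s\n' "$m" \
        "$(default_mode "$m" dir)" "$(default_mode "$m" file)"
done
```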
Command:
chown: change the owner and the owning group of a file
-R: recursively change the ownership of a directory together with its subdirectories and files
chown USERNAME FILE             changes only the owner of the file
chown :GROUPNAME FILE           changes only the owning group of the file
chown USERNAME: FILE            changes both the owner and the owning group; the group becomes the user's primary group
chown USERNAME:GROUPNAME FILE   changes both the owner and the owning group to the specified user and group

facl: filesystem access control list, an extended attribute for permissions
Extended attribute settings for permissions
Purpose: lets the owner of a file grant access rights on it to a specific user or a specific group directly, without needing any additional administrative rights.
getfacl: view the list of extended attributes (ACL entries) of a file
getfacl FILENAME
setfacl: set the list of extended attributes (ACL entries) of a file
-m: modify
setfacl -m u:UID:PERM FILENAME    # the UID may be given as a user name instead
setfacl -m g:GID:PERM FILENAME    # the GID may be given as a group name instead
-x: remove an entry (undo a modification)
When the ll command is used to view a file's permissions, e.g. -rw-r--r--., the trailing "." indicates that no extended attributes are set; once they are set, it becomes "+".

Special permissions
Background: when setfacl gives a user rwx permissions on a directory, that user can delete every file in the directory,
which is unsafe; special permissions let you restrict users so that they can only control their own files.
SUID: set-user-ID, shown as s or S; it can only appear in the owner's x position; octal value 4
SGID: set-group-ID, shown as s or S; it can only appear in the owning group's x position; octal value 2
Sticky: the sticky bit, shown as t or T; it can only appear in the others' x position; octal value 1

If the file already had execute permission before the special bit was set, the special permission is shown as a lowercase letter
If the file did not have execute permission before the special bit was set, the special permission is shown as an uppercase letter

Effect on files and on directories
SUID: on a file, when a command with SUID set is executed, the process runs with the identity of the command's owner. On a directory, SUID has no meaning.
SGID: on a file, when a command with SGID set is executed, the process runs with the identity of the command's owning group (almost unused). On a directory, every file created inside it automatically inherits the directory's owning group.
Sticky: on a file it has no meaning. If a user has write access to a directory with the sticky bit set, the user can only modify and delete the files they own themselves.

In 0022 / 0002, the leading 0 is the special permission digit, which is not set by default

4755: SUID
2755: SGID
1755: Sticky
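The r=4/w=2/x=1 mapping from the chmod section and the s/S/t/T letters of the special permission bits above can be combined into one converter; this is an added example, not code from the original post. It accepts either the bare 9 permission characters or a full ls -l mode field, dropping the leading file-type character and the trailing "." or "+" ACL marker mentioned in the facl section, and prints the 4-digit octal mode that chmod accepts. Assumes POSIX sh.

```shell
# perm_to_octal PERMS -> 4-digit octal mode (special digit + owner/group/other)
# PERMS: the 9 characters in rwxrwxrwx style, or a full ls -l mode field such as
# -rwsr-xr-x. or drwxrwxrwt+ (file-type character and ACL marker are stripped).
perm_to_octal() {
    p=$1
    p=${p%+}; p=${p%.}                       # drop the trailing ACL marker
    if [ "${#p}" -eq 10 ]; then p=${p#?}; fi # drop the file-type character
    [ "${#p}" -eq 9 ] || { echo "perm_to_octal: bad mode string '$1'" >&2; return 1; }
    special=0 digits="" idx=0
    while [ -n "$p" ]; do
        c=${p%"${p#?}"}; p=${p#?}            # take the first remaining character
        case $idx in                         # which special bit lives in this x slot
            2) bit=4 lo=s up=S ;;            # owner  x slot: SUID
            5) bit=2 lo=s up=S ;;            # group  x slot: SGID
            8) bit=1 lo=t up=T ;;            # others x slot: sticky
        esac
        case $((idx % 3)) in
            0) val=0; case $c in r) val=4 ;; -) ;; *) return 1 ;; esac ;;
            1) case $c in w) val=$((val + 2)) ;; -) ;; *) return 1 ;; esac ;;
            2) case $c in
                   x)     val=$((val + 1)) ;;
                   "$lo") val=$((val + 1)); special=$((special + bit)) ;;  # x also set
                   "$up") special=$((special + bit)) ;;                    # x not set
                   -) ;;
                   *) return 1 ;;
               esac
               digits="$digits$val" ;;
        esac
        idx=$((idx + 1))
    done
    printf '%d%s\n' "$special" "$digits"
}

perm_to_octal rwxr-xr-x      # 0755
perm_to_octal -rwsr-xr-x.    # 4755: SUID, lowercase s means x was already set
perm_to_octal rwSr--r--      # 4644: uppercase S means there is no x underneath
perm_to_octal drwxrwxrwt+    # 1777: world-writable directory with the sticky bit
```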

MAC: Mandatory access control
Here the file (the object) is treated as the subject of the policy: whether a user may perform some operation on a file is no longer a direct relationship between that user and the file, but is decided by a security context that the system manages.
In other words, the file is the subject, and the policy states which permissions on the file may be exercised by which user.

This article is from the "links" blog; please keep this source when reproducing it: http://huashang13.blog.51cto.com/10726534/1728801
