A summary of permissions under Linux

Source: Internet
Author: User

(0) umask is the permission mask; the default is 022.
It can be queried with the command "umask".

The base permission for a new file is 666, and for a new directory 777.
A new file or directory gets its base permission with the umask bits removed (for the default 022 this is the same as subtracting the umask).

New file permission: 666-022=644
New directory permission: 777-022=755
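As an added example (not from the original notes), the rule behind 666-022=644 and 777-022=755, done the way the kernel does it: the umask bits are cleared from the base mode, which only looks like subtraction for masks such as 022. The second function creates a scratch file to confirm the result on the running system (assumes GNU or busybox stat on Linux).

```sh
#!/bin/sh
# Added example: compute the mode a new file or directory receives under a
# given umask, and confirm it against the kernel.

# default_mode BASE UMASK -> effective mode, all in octal.
# The umask bits are cleared from the base mode (base AND NOT umask). For 022
# this equals 666-022=644 and 777-022=755; for a umask such as 033 subtraction
# would say 633, but the kernel produces 644, because 6 (rw-) has no x bit to take away.
default_mode() {
    base=$1
    mask=$2
    printf '%o\n' $(( (0$base & ~0$mask) & 0777 ))
}

# observed_file_mode UMASK -> mode of an empty file created under that umask.
# Creates and removes a scratch directory; assumes stat -c on Linux.
observed_file_mode() {
    scratch=$(mktemp -d)
    ( umask "$1" && : > "$scratch/f" )
    stat -c '%a' "$scratch/f"
    rm -rf "$scratch"
}

# Stand-alone run: the default mask from the notes plus two stricter ones.
main() {
    for m in 022 027 033; do
        printf 'umask %s: file %s, directory %s, observed file %s\n' \
            "$m" "$(default_mode 666 "$m")" "$(default_mode 777 "$m")" \
            "$(observed_file_mode "$m")"
    done
}
main "$@"
```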


(1) chmod, chown, chgrp

chmod sets permissions numerically (r=4, w=2, x=1). For example, to set 755 on file A, enter directly:
chmod 755 A

chown sets the owner and chgrp sets the owning group, but usually both are set at once with chown.

For example, to make file A owned by user wangshibo with group wutao, either of the following works:
1) chown wangshibo A
   chgrp wutao A
2) chown wangshibo.wutao A   (the colon form, chown wangshibo:wutao A, is equivalent)


(2) chattr hidden attributes. This is very important!!! Typically used to lock files.
Two attributes are commonly used: i and a
chattr +i means nothing can be done to the file except viewing it (no deleting, adding content, or renaming)
chattr +a means that, besides viewing, content can only be appended, and only with echo (echo >>); the file cannot be edited directly with vim!

chattr -i or chattr -a removes the attribute again
lsattr shows which chattr attributes are set
(Only root can set or clear these attributes, so they protect a file even from its owner.)

The chattr attributes above were set on files; setting them on a directory (for example a directory named test) works the same way:
chattr +i test: you can still cd into test, but apart from viewing, files under test cannot be created, deleted or renamed
chattr +a test: you can still cd into test, but the files under test can only be viewed or appended to with echo; nothing else can be done
But remember: when removing the attributes, add the -R recursive option, as in chattr -R -ai test, so that the attribute is removed from the files as well as from the directory!!!


(3) ACL permissions (facl): setfacl sets them, getfacl shows them
The fixed command format is as follows:
"setfacl -m u:username:permissions filename" (for a file)
"setfacl -R -m u:username:permissions directoryname" (for a directory; -R applies the entry recursively)

-m means set (modify) an ACL entry
-b means remove all ACL entries
(-x u:username filename removes just that one user's entry. When a file carries an ACL, ls -l shows a + after the permission bits, which is the quickest way to notice one.)

setfacl -b filename removes the ACL permissions of a file
setfacl -R -b directoryname removes the ACL permissions of a directory recursively

getfacl filename or directoryname shows the ACL permissions


(4) Special permissions: suid, sgid, t
1) suid permission: lets an ordinary user do things that "only root has permission to do". This is generally used on command files such as passwd and is generally not set on anything else. To set it, add 4 in front of the file's current numeric permission (755 becomes 4755).
2) sgid permission: after it is set, an ordinary user who runs the file gets the same permissions as the file's owning group (on a directory, files created inside inherit the directory's group). To set it, add 2 in front of the file's current numeric permission.
3) t permission (sticky bit): special note, the t permission is only valid on a directory; on a file it has no effect! After it is set, only root and a file's owner can delete or rename that file in the directory; no other user can, even though the directory itself is writable. Whether another user can read or write the file's contents is still decided by the file's own permissions (for example a file set to 777 can still be written by everyone). To set it, add 1 in front of the directory's current numeric permission.
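As an added example (not from the original notes), a renderer for the s/S and t/T markers that appear in the listings below: given a four-digit mode such as 2664 or 1777 it prints the nine permission characters the way ls -l shows them, and a second function applies the mode to a scratch file or directory to confirm the rendering against the kernel (assumes GNU or busybox stat on Linux).

```sh
#!/bin/sh
# Added example: render a numeric mode the way `ls -l` does and verify it.

# mode_to_symbolic MODE -> nine characters such as rw-rwSr-- for 2664.
# The execute slot of each triad also carries the special bit: suid for the
# owner, sgid for the group, sticky for others. Lower-case s/t means the bit
# sits on top of an execute bit; upper-case S/T means execute is not set.
mode_to_symbolic() {
    num=$(( 0$1 ))
    special=$(( num >> 9 ))            # 4 = suid, 2 = sgid, 1 = sticky
    out=""
    for triad in 2 1 0; do             # owner, group, other
        bits=$(( (num >> (triad * 3)) & 7 ))
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( special & (1 << triad) )) -ne 0 ]; then
            if [ "$triad" -eq 0 ]; then letter=t; else letter=s; fi
            if [ $(( bits & 1 )) -eq 0 ]; then
                letter=$(printf '%s' "$letter" | tr 'st' 'ST')
            fi
            out="${out}${letter}"
        elif [ $(( bits & 1 )) -ne 0 ]; then
            out="${out}x"
        else
            out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}

# kernel_symbolic MODE f|d -> what stat reports after chmod MODE on a scratch
# file (f) or directory (d); assumes stat -c on Linux.
kernel_symbolic() {
    scratch=$(mktemp -d)
    if [ "$2" = d ]; then target=$scratch/t; mkdir "$target"; else target=$scratch/f; : > "$target"; fi
    chmod "$1" "$target"
    stat -c '%A' "$target" | cut -c2-10
    rm -rf "$scratch"
}

# Stand-alone run: the three special modes used in the notes.
for m in 4755 2664 1777; do
    printf '%s -> %s\n' "$m" "$(mode_to_symbolic "$m")"
done
```

Note that the sticky bit governs only deleting and renaming entries in the directory; whether another user can write a file's contents is still decided by the file's own rw bits, as the -rw-rw-r-- listings below show.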

Examples of sgid permissions (the hostname in the prompts is replaced by the placeholder "host"):
[root@host src]# cd /usr/local/src
[root@host src]# touch AA
[root@host src]# ll
total 0
-rw-rw-r--. 1 wutao wutao 0 August 05:21 AA   "Note: when setting sgid permissions, make sure the file's group has operating rights"
[root@host src]# chown wutao.wutao AA
[root@host src]# ll
total 0
-rw-r--r--. 1 wutao wutao 0 August 05:15 AA
[root@host src]# su - wangshibo
[wangshibo@host ~]$ cd /usr/local/src/
[wangshibo@host src]$ ls
[wangshibo@host src]$ echo 123 > AA   Because AA is a file owned by the wutao account, the wangshibo user has no permission to operate on it
-bash: AA: Permission denied
[wangshibo@host src]$

Now set the sgid permission on the file; then the wangshibo user can operate on it as long as wangshibo is in the wutao group.

*****************************************************************
Small knowledge points:
There are two ways to add a user to a group:
"gpasswd -a username groupname"
"usermod -G groupname username"
(usermod -G replaces the user's existing supplementary groups; use usermod -aG groupname username to append without dropping the others.)

To remove a user from a group:
"gpasswd -d username groupname"
*****************************************************************

[root@host src]# chmod 2664 AA   "set sgid permissions"
[root@host src]# ll
total 0
-rw-rwSr--. 1 wutao wutao 0 August 05:21 AA
[root@host src]# gpasswd -a wangshibo wutao   "add the wangshibo user to the wutao group"
Adding user wangshibo to group wutao
[root@host src]# id wangshibo
uid=501(wangshibo) gid=501(wangshibo) groups=501(wangshibo),(wutao)

[root@host src]# su - wangshibo
[wangshibo@host ~]$ cd /usr/local/src/
[wangshibo@host src]$ echo 123 > AA   Now the wangshibo user can operate on the AA file through the group
[wangshibo@host src]$

Examples of t permissions:
Note: the t permission is only valid when set on a directory!
The /tmp directory is the temporary directory under Linux and is generally set to 777 so that every user can operate in it; it is in effect a shared directory that everyone can use!
But sometimes users store their own more important files under /tmp and do not want other users to operate on them, so for security the t permission is set on /tmp!

[root@host ~]# ll -d /tmp
drwxrwxrwx. root root 4096 August 05:32 /tmp   "the /tmp temporary directory has 777 permissions"
[root@host ~]# su - wutao
[wutao@host ~]$ cd /tmp/
[wutao@host tmp]$ vim sss
[wutao@host tmp]$ ll sss
-rw-rw-r--. 1 wutao wutao 7 August 05:33 sss   "the owner of this file is wutao"
[wutao@host tmp]$ logout
[root@host ~]# su - wangshibo
[wangshibo@host ~]$ ll /tmp/sss   "Other users can operate on files under /tmp that they did not create themselves"
-rw-rw-r--. 1 wutao wutao 7 August 05:33 /tmp/sss
[wangshibo@host ~]$ echo 123123 > /tmp/s

For security reasons, we now want files created under /tmp to be usable only by their creator and root, not shared with other users!!
Then the t permission has to be set on /tmp!
[root@host ~]# ll -d /tmp
drwxrwxrwx. root root 4096 August 05:33 /tmp
[root@host ~]# chmod 1777 /tmp   "set the t permission"
[root@host ~]# ll -d /tmp
drwxrwxrwt. root root 4096 August 05:33 /tmp
[root@host ~]# su - wangshibo
[wangshibo@host ~]$ ll -d /tmp
drwxrwxrwt. root root 4096 August 05:37 /tmp
[wangshibo@host ~]$ ll /tmp/sss
-rw-rw-r--. 1 wutao wutao 4 August 05:36 /tmp/sss
[wangshibo@host ~]$ echo 555 > /tmp/sss
-bash: /tmp/sss: Permission denied
[wangshibo@host ~]$

"At this point the wangshibo user can no longer operate on the sss file. To give wangshibo permission to operate on it, add the wangshibo user to the wutao group, because the sss file's group has the w (write) permission."


In general, switching to the root account requires knowing the root password, and the switch is done with the su command.

But with the sudo command you do not need to know the root password, only your own! The prerequisite is that the user has been added to the /etc/sudoers file, that is, to the sudo configuration!

sudo permissions: allow an ordinary user to switch to the root user (without needing to know the root password)
sudo configuration file: /etc/sudoers
It can also be edited with the visudo command, but only as the root user! Other users cannot edit /etc/sudoers. (visudo checks the syntax before saving, which protects against locking yourself out with a broken file.)

As root, edit with the visudo command:
root    ALL=(ALL)       ALL         add users below this line

For example:
wutao   ALL=(ALL)       ALL         this grants sudo permission to the wutao user, who can then run sudo su - to switch to the root account, or run other commands with sudo in front

wutao   ALL=(ALL)       NOPASSWD: ALL     this means the user does not have to enter their own password when switching

For example, sudo permission without a password has been set for the wutao user as above:

[wutao@host ~]$ sudo su -
[root@host ~]#

*****************************************************************
When switching with su and sudo su, note the - :
With the -, you not only switch to the user but also load that user's environment variables (run env before and after the switch to compare the environment variables)
Without the -, you only switch to the user; the user's environment variables are not loaded.

su root only switches to the root user; root's environment variables are not loaded (for example, some commands can only be run under root, and without the - you are root but still cannot run them)
su - root not only switches to root but also loads root's environment variables.
*****************************************************************

sudo permissions can also be granted per group
For example, with the following setting all users in the wheel group have sudo permissions
%wheel  ALL=(ALL)       NOPASSWD: ALL

[root@host ~]# gpasswd -a wangshibo wheel   add wangshibo to the wheel group

[root@host ~]# su - wangshibo
[wangshibo@host ~]$ sudo su -
[root@host ~]#
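As an added example (not from the original notes), a small audit that reads sudoers-style lines and reports every user or %group spec that may run ALL commands with NOPASSWD, which is the grant the notes give to wutao and to the wheel group. The sudoers text below is constructed for the example; on a real system feed the function the contents of /etc/sudoers and /etc/sudoers.d/* as root.

```sh
#!/bin/sh
# Added example: find passwordless full-root grants in sudoers text.

# Constructed sample in sudoers syntax, mirroring the grants in the notes plus
# a narrower NOPASSWD entry for contrast. Not a real system's file.
SAMPLE_SUDOERS='
## Allow root to run any commands anywhere
root       ALL=(ALL)       ALL
Defaults   requiretty
wutao      ALL=(ALL)       NOPASSWD: ALL
%wheel     ALL=(ALL)       NOPASSWD: ALL
ops        ALL=(ALL)       NOPASSWD:ALL    # no space after the tag is also valid
wangshibo  ALL=(ALL)       ALL
backup     ALL=(ALL)       NOPASSWD: /usr/bin/rsync
#includedir /etc/sudoers.d
'

# find_nopasswd_all TEXT -> one line per user/%group spec whose command list is
# NOPASSWD: ALL. Comments are stripped first, so the #includedir line is
# silently skipped: a real audit must read /etc/sudoers.d/* as well.
# This only searches the text; run `visudo -c` to validate the syntax.
find_nopasswd_all() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                      # drop comments
        $1 == "" || $1 == "Defaults" { next }   # skip blank and Defaults lines
        /NOPASSWD:[ \t]*ALL[ \t]*$/ { print $1 }
    '
}

# Stand-alone run on the sample above: prints wutao, %wheel and ops.
find_nopasswd_all "$SAMPLE_SUDOERS"
```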
