Linux basics: file security and permissions

Source: Internet
Author: User
Tags: touch command
When a file is created, the system records metadata about it, including:
• File location.
• File type.
• File length (size in bytes).
• Which user owns the file and which users may access it.
• Inode number.
• File modification time.
• File permission bits.

Let's use the touch command to create a file:

Code:
$ touch temp

After creating the empty file, run ls -l to view the attributes of the files in the directory (the original listing was taken from a Chinese-locale system, so its header read "Total usage" rather than "total"):
As follows:

Code:
[root@linux_chenwy temp]# ls -l
total 36
-rw-r--r--  1 root root 34890 Oct 19 20:17 httpd.conf
-rw-r--r--  1 root root     0 Oct 19 20:16 temp

Code:
total 36: the disk space used by the listed entries (in 1K blocks).
-rw-r--r--: the permission bits of the file (explained below).
1: the number of hard links to the file.
root (first column): the file owner.
root (second column): the group of the file, here the owner's default group.
34890: the length of the file in bytes. Remember, bytes, not kilobytes!
Oct 19 20:17: the time the file was last modified.
temp or httpd.conf: the file name.

Sunsroad writes:
BTW: run du to check the space occupied by all files in the directory.
For example, here is how the 36 above is calculated:
First, you need to know the size of the I/O block (called a cluster in Chinese) of your file system. The I/O block size of this file system is 4096 bytes.

It is the smallest read/write and allocation unit of the file system. No read or write operation can be smaller than this size, even if your file has only one byte. Files are also stored on the hard disk in this unit. That is to say, if the file size is smaller than this value, the space occupied by the file on disk is still 4096 bytes.

The formula for the space occupied is: ceil(file size / 4096) × 4096. Based on this, you can calculate the space usage of the file in the example listed: 34890 divided by 4096 is about 8.5, which rounds up to 9; that is, the file occupies nine blocks on disk, each of 4 K, so the space occupied by these two files is 36 K.

This rule also applies to directories, but no directory will ever show 0, not even an empty one.

-rw-r--r--: the permission bits of the file.

The first character specifies the file type; a dash means this is a regular file. (Most files you create are regular files or symbolic links.)

Apart from the leading character there are 9 characters, corresponding to 9 permission bits. With these bits you control who may access the file. For the files in this example they read:

Code:
rw-: the first three bits. The file owner can read and write.
r--: the middle three bits. Users in the file's group can only read.
r--: the last three bits. Other users can only read.

Note that temp was created without execute permission for anyone. When a regular file is created, the system never sets the execute bits automatically (touch, like most programs, requests mode 666, which the umask then reduces further). This is a deliberate security measure: a newly written file cannot be run until someone explicitly marks it executable.

File Type

The leading character mentioned above tells you the file type.
There are seven file types, shown as the first character of each line of ls -l output.

Seven types:

Code:
d  directory.
l  symbolic link (points to another file).
s  socket file.
b  block device file.
c  character device file.
p  named pipe (FIFO).
-  regular file, or more precisely, anything that is none of the above.

Each group of three characters in the permission bits holds three permission bits:

Code:
r  read permission
w  write/change permission
x  permission to execute the script or program

For example:

Code:
r-- --- ---   the file owner can read, but not write or execute.
r-- r-- ---   the file owner and users in the file's group (generally the owner's default group) can read.
r-- r-- r--   any user can read, but nobody can write or execute.
rwx r-- r--   the owner can read, write and execute; group members and other users can only read.
rwx r-x ---   the owner can read, write and execute; group members can read and execute; other users have no access.
rwx r-x r-x   the owner can read, write and execute; group members and other users can read and execute.
rw- rw- ---   the owner and group members can read and write.
rw- rw- r--   the owner and group members can read and write; other users can read.
rw- rw- rw-   the owner, group members and other users can all read and write. Use this setting with caution, because any user can write to the file.

Sunsroad writes:
The owner group of a file is not necessarily the default group of the file owner; it can be any user group, even one unrelated to the file owner.

Use chmod to change the permission bits

This command has a symbolic mode and an absolute (octal) mode.

Symbolic Mode

The general format of the chmod command is:

chmod [who] operator [permission] filename

The meaning of who:

Code:
u  the file owner's permissions.
g  the group's permissions.
o  other users' permissions.
a  all users (file owner, group members and other users).

Meaning of operator:

Code:
+  add the permission.
-  remove the permission.
=  set the permission exactly.

Meaning of permission:

Code:
r  read permission.
w  write permission.
x  execute permission.
s  set-user-id (with u) or set-group-id (with g).
t  sticky bit *.
l  mandatory file locking (System V systems such as Solaris; not supported by GNU chmod).
u, g, o  copy the permissions currently held by the owner, group or others (for example chmod g=u file).

* In a listing of files or directories you will sometimes encounter a "t" bit. "t" represents the sticky bit. On a directory it means that a file in the directory can be deleted or renamed only by the owner of that file (or the owner of the directory, or root), even if a group member has the same write permission on the directory as the owner. /tmp is the classic example. Some systems are less strict about this rule.

If "t" appears on a regular file, the historical meaning (on old Unix systems) was that the program's text was kept in the swap area after execution to speed up the next start. Linux ignores the sticky bit on regular files.

sunsroad's explanation of "t":

Sunsroad writes:
The "t" permission is meaningless on files. It has nothing to do with a swap area and nothing to do with file execution; it is mainly set for file sharing.

For example

Code:
chmod a-x temp      remove execute permission from all users
chmod og-w temp     rw- r-- r--    remove write permission from group members and other users
chmod g+w temp      rw- rw- r--    grant write permission to group members
chmod u+x temp      rwx rw- r--    grant the file owner execute permission
chmod go+x temp     rwx rwx r-x    grant group members and other users execute permission

(Each result shown is the mode after the command is applied to the result of the previous line.)

For example

When the temp file is created, it has the following permissions:

Code:
-rw-r--r--  1 root root 0 Oct 19 20:16 temp

If you want to grant the owner and the group execute permission, and make sure other users cannot write, you can use:

Code:
$ chmod ug+x temp
$ chmod o-w temp

The permissions of the file are now:

Code:
-rwxr-xr--  1 root root 0 Oct 19 20:16 temp

The file owner can read, write and execute temp, group members can read and execute it, and other users can only read it. (The second command changes nothing here, since other users had no write permission to begin with.)
Absolute Mode

The general form of chmod in absolute mode is:

chmod [mode] file

mode is an octal number.
In absolute mode each permission bit is represented by an octal digit, as shown below:

Code:
0400  file owner readable
0200  file owner writable
0100  file owner executable

0040  group members readable
0020  group members writable
0010  group members executable

0004  other users readable
0002  other users writable
0001  other users executable

To set permissions, pick the numbers above that correspond to the permissions you want for the owner, the group and other users, and add them together.
It follows that the maximum value for each of owner, group and others is 7.

Let's take a look at the example above:

Code:
-rwxr--r--  1 root root 0 Oct 19 20:16 temp

The corresponding permissions are:

Code:
rwx: 0400 + 0200 + 0100 (file owner reads, writes and executes) = 0700
r--: 0040 (group members can read)                              = 0040
r--: 0004 (other users can read)                                = 0004
                                                                  0744

There is an easier way to work out the octal representation:

Code:
File owner:     r w x : 4 + 2 + 1
Group members:  r w x : 4 + 2 + 1
Other users:    r w x : 4 + 2 + 1

Now the permission value is easy to compute: for each of owner, group and others, add the numbers under the permissions that are set.

The temp file has the following permissions:

Code:
r w x   r - -   r - -
4+2+1   4       4

Adding the values of each triplet gives 7, 4 and 4, that is, 744.

For example:

Code:
chmod 666   rw- rw- rw-   grant read and write permission to all users
chmod 644   rw- r-- r--   grant the owner read and write permission, and read permission to all other users
chmod 744   rwx r-- r--   grant the owner read, write and execute permission, and read permission to all other users
chmod 664   rw- rw- r--   grant read and write permission to the owner and group members, and read permission to other users
chmod 700   rwx --- ---   grant the owner read, write and execute permission; nobody else can access the file
chmod 444   r-- r-- r--   grant read permission to all users
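As an added example (not code from the original article), the following shell functions convert between the nine-character permission string that ls -l prints and the octal mode that chmod takes, in both directions, and also fold in the s and t bits described in the symbolic-mode section. The function names are my own; the converter assumes a standard nine-character string such as rwxr-xr-- and a three- or four-digit octal mode.

```shell
#!/bin/sh
# Added example, not from the original article: convert between the ls -l
# permission string and the octal mode used by chmod. Function names are my own.

# mode_to_octal rwxr-xr--  ->  0754
# mode_to_octal rwsr-xr-t  ->  5755   (setuid + sticky folded into the first digit)
mode_to_octal() {
    perm=$1
    special=0
    digits=""
    i=0
    while [ "$i" -lt 3 ]; do
        start=$((i * 3 + 1))
        end=$((start + 2))
        triplet=$(printf '%s' "$perm" | cut -c "$start-$end")
        val=0
        case $triplet in r??) val=$((val + 4)) ;; esac
        case $triplet in ?w?) val=$((val + 2)) ;; esac
        # x, s and t all mean "execute is set"; S and T mean the special bit
        # is set without execute (ls shows them in upper case as a warning).
        case $triplet in ??[xst]) val=$((val + 1)) ;; esac
        case $i in
            0) case $triplet in ??[sS]) special=$((special + 4)) ;; esac ;;  # setuid
            1) case $triplet in ??[sS]) special=$((special + 2)) ;; esac ;;  # setgid
            2) case $triplet in ??[tT]) special=$((special + 1)) ;; esac ;;  # sticky
        esac
        digits="$digits$val"
        i=$((i + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# octal_to_mode 644   ->  rw-r--r--
# octal_to_mode 4755  ->  rwsr-xr-x
octal_to_mode() {
    oct=$1
    while [ "${#oct}" -lt 4 ]; do oct="0$oct"; done   # 644 -> 0644
    special=$(printf '%s' "$oct" | cut -c 1)
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        d=$(printf '%s' "$oct" | cut -c "$((i + 1))")
        r=-; w=-; x=-
        if [ $((d & 4)) -ne 0 ]; then r=r; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; fi
        case $i in
            1) bit=4; letter=s ;;   # setuid is shown in the owner triplet
            2) bit=2; letter=s ;;   # setgid in the group triplet
            3) bit=1; letter=t ;;   # sticky in the others triplet
        esac
        if [ $((special & bit)) -ne 0 ]; then
            if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr a-z A-Z); fi
        fi
        out="$out$r$w$x"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Apply the converter to a real path using the ls -l column discussed above
# (portable across GNU and BSD ls, unlike stat -c / stat -f).
octal_of_path() {
    mode_to_octal "$(ls -ld "$1" | cut -c 2-10)"
}

# Usage:
#   f=$(mktemp); chmod 640 "$f"; octal_of_path "$f"; rm -f "$f"
```

The upper-case S and T are worth knowing when reading listings: they mean a set-id or sticky bit is present on an entry that is not executable, which is almost always a misconfiguration worth a second look.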

In the following example, assume that a file named test1 has the following permissions:

Code:
-rw-r--r--  1 root root 0 Oct 19 20:16 test1

To give the owner read, write and execute permission, keep read permission for the group and remove all access for other users, root can type:

Code:
$ chmod 740 test1
$ ls -l
-rwxr-----  1 root root 0 Oct 19 20:16 test1

To make the file readable, writable and executable by the owner and read-only for everyone else, use:

Code:
$ chmod 744 test1
$ ls -l
-rwxr--r--  1 root root 0 Oct 19 20:16 test1

If you want to set the permissions of all files in the current directory at once, you can use a wildcard:

Code:
$ chmod 664 *
$ ls -l
-rw-rw-r--  1 root root 0 Oct 19 20:16 test1

This grants the owner and group members read and write permission; other users only have read permission.

You can also use the -R option to include files in subdirectories:

Code:
chmod -R 664 /temp/*

This sets all files under /temp, together with the files in each subdirectory, to read/write for the owner and group and read-only for other users. Be cautious with -R: use it only when you really need to change every file under a directory tree, and remember that a numeric mode such as 664 is applied to the subdirectories as well. A directory without its execute (search) bit can no longer be entered, so chmod -R 664 locks everyone but root out of every subdirectory it touches. When files and directories need different modes, either run find with -type f and -type d separately, or use the symbolic X permission (capital X), which sets execute only on directories and on files that are already executable, for example chmod -R u=rwX,g=rwX,o=rX /temp.
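The pitfall described above, and the two alternatives, shown on a scratch directory tree. This is an added example, not code from the original article; the function names and the tree layout (a data file in a subdirectory plus an executable script) are my own. It reports the resulting mode strings, so it behaves the same whether or not it is run as root.

```shell
#!/bin/sh
# Added example, not from the original article: why a numeric mode with -R is
# dangerous, and two alternatives. Function names and the scratch tree are my own.

# Portable mode string of a path, e.g. "drwxr-xr-x" (avoids stat(1) syntax differences).
mode_of() { ls -ld "$1" | cut -c 1-10; }

# Build a small tree in a scratch directory and print its path:
#   top/sub/data.txt   (plain data)
#   top/run.sh         (an executable script, mode 755)
make_tree() {
    top=$(mktemp -d "${TMPDIR:-/tmp}/chmoddemo.XXXXXX")
    mkdir "$top/sub"
    : > "$top/sub/data.txt"
    : > "$top/run.sh"
    chmod 755 "$top/run.sh"
    printf '%s\n' "$top"
}

# The pitfall: the article's mode 664 applied to a directory. The search bit is
# gone, so nobody except root can enter the directory any more.
numeric_on_dir() {
    top=$(make_tree)
    chmod 664 "$top/sub"
    mode_of "$top/sub"               # drw-rw-r--
    chmod 755 "$top/sub"             # put it back so cleanup can descend into it
    rm -rf "$top"
}

# Alternative 1: symbolic mode with X. Directories get x, data files do not,
# and files that were already executable keep it, so -R is safe to use.
symbolic_X() {
    top=$(make_tree)
    chmod -R u=rwX,g=rX,o=rX "$top"
    printf '%s %s %s\n' "$(mode_of "$top/sub")" "$(mode_of "$top/sub/data.txt")" "$(mode_of "$top/run.sh")"
    rm -rf "$top"
}   # drwxr-xr-x -rw-r--r-- -rwxr-xr-x

# Alternative 2: find by type and give directories and files different numeric
# modes. Note that this also strips the execute bit from run.sh.
find_by_type() {
    top=$(make_tree)
    find "$top" -type d -exec chmod 775 {} +
    find "$top" -type f -exec chmod 664 {} +
    printf '%s %s %s\n' "$(mode_of "$top/sub")" "$(mode_of "$top/sub/data.txt")" "$(mode_of "$top/run.sh")"
    rm -rf "$top"
}   # drwxrwxr-x -rw-rw-r-- -rw-rw-r--
```

The two alternatives trade off differently: X preserves whatever executables already exist in the tree, while the find approach normalises everything and therefore needs a follow-up chmod for scripts that must stay runnable.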
Directory

Directory permission bits mean something different from file permission bits. The read bit on a directory means its contents can be listed. The write bit means files can be created (and deleted or renamed) in the directory; if you do not want other users to create files in your directory, remove their write bit. The execute bit means the directory can be searched and entered.

Code:
r: list the entries in this directory.
w: create, delete or rename files in this directory (together with x).
x: search the directory, i.e. access entries by name or cd into it.

Permission           file owner                     same group                     other users

Code:
drwx rwx r-x (775)   read, write, execute           read, write, execute           read, execute
drwx r-x r-- (754)   read, write, execute           read, execute                  read
drwx r-x r-x (755)   read, write, execute           read, execute                  read, execute

If you set the group or other permissions of a directory to --x, those users cannot list the files in the directory. But if the directory contains a script or program with its execute bit set, they can still run it as long as they know its path and file name: withholding the read bit on the directory does not prevent execution.

Directory permissions gate access to the files inside. For example, if the directory temp has the following permissions:

Code:
drwxr--r--  2 admin admin 4096 Oct 19 20:16 temp

and the file myfile inside it has:

Code:
-rwxrwxrwx  1 admin admin    0 Oct 19 20:16 myfile

then users in the admin group (other than the owner) cannot edit the file, even though the file itself is world-writable, because the directory it lives in does not grant them search permission.

On its own the file would be readable by any user. But since the directory grants the admin group read permission only and not execute permission, members of that group can list the name myfile but cannot open it, stat it or cd into the directory; every such attempt fails with "Permission denied".
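The gating effect described above, made concrete. This is an added example rather than code from the original article: the probe function and its scratch directory are my own. It creates a world-writable file inside a directory, applies a chosen mode to the directory, and reports which operations the current user can still perform. It generalises the article's drwxr--r-- case to the execute-only and read-only directory modes as well. Run it as an ordinary user: root bypasses these checks entirely (CAP_DAC_OVERRIDE), so for root every probe reports ok.

```shell
#!/bin/sh
# Added example, not from the original article: show how the r, w and x bits on
# a directory gate access to a world-writable file inside it. The probe function
# and its scratch directory are my own.

# probe_dir_access <octal dir mode>
# Creates d/f with mode 666, applies the given mode to d, and reports whether
# the current user can list d, read f, write f and create a new file in d.
probe_dir_access() {
    dirmode=$1
    work=$(mktemp -d "${TMPDIR:-/tmp}/dirperm.XXXXXX")
    mkdir "$work/d"
    printf 'secret\n' > "$work/d/f"
    chmod 666 "$work/d/f"
    chmod "$dirmode" "$work/d"

    # r on the directory: readdir works (names only, no stat needed)
    if ls "$work/d" >/dev/null 2>&1; then list=ok; else list=denied; fi
    # x on the directory: name lookup works, so the file's own mode decides
    if cat "$work/d/f" >/dev/null 2>&1; then read=ok; else read=denied; fi
    if { : >> "$work/d/f"; } 2>/dev/null; then write=ok; else write=denied; fi
    # w and x on the directory: creating a new entry
    if { : > "$work/d/new"; } 2>/dev/null; then create=ok; else create=denied; fi

    chmod 700 "$work/d"     # restore so the scratch tree can be removed
    rm -rf "$work"
    printf 'list=%s read=%s write=%s create=%s\n' "$list" "$read" "$write" "$create"
}

# Expected results for a non-root user:
#   probe_dir_access 644   list=ok     read=denied write=denied create=denied  (the article's drwxr--r-- case)
#   probe_dir_access 111   list=denied read=ok     write=ok    create=denied  (execute-only directory)
#   probe_dir_access 500   list=ok     read=ok     write=ok    create=denied  (read-only directory, writable file)
#   probe_dir_access 755   list=ok     read=ok     write=ok    create=ok
```

The 111 and 500 rows are the ones that surprise people: an execute-only directory hides names but not the files themselves, and a read-only directory does nothing to stop writes to a file that is itself writable. The directory's w bit controls only the namespace (create, delete, rename), never the contents of existing files.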
