Linux entry record: 13, Linux extended permissions

First, the default permissions

Each terminal has a Umask property that is used to determine the default permissions of the new file or directory "Mask" (mask has the meaning of "mask", As for u, which is said later).

Linux generally has a default permission mask, using the command umask to view or set:

Umask 0022         with permission value is set, otherwise it is viewed

Generally, the permission mask for the average user (UID 500 or above) is considered to default to 0022 for the 0002,root user (UID 0).

If a new file or directory is created, the default permissions for this file or directory are equal to the default maximum permissions for the file or directory & (~ umask)

So, what is the default maximum permissions for a file or directory? In general, the default maximum permissions for a directory are 0777, the default maximum permissions for a file is 0666 (remove the x permission, prohibit execution, security considerations). Note: The permissions value of Linux is eight-binary! Therefore, some of the so-called decimal subtraction operations on the web to calculate the new file or directory default permissions logic is wrong.

How to memorize and understand this arithmetic logic?

Umask, I put it in the Chinese name as a "bitmask of bit inversion". "Bitwise inverse" comes from "U", "Mask" from "masks". Take this bit to reverse the permission mask (~ umask) with the default maximum permissions and "&", you get the new file (or directory) of the default permissions.

How do you understand that?

This is mainly "mask": The mask is used to and the target number of the logical and "&" operation, the target number with the mask bit is 1 bit combination, and will be followed by the mask bit 0 of the corresponding bits are discarded. The principle of the mask is the principle of logic, and any number and 1 phases are itself, and any number and 0 phase are 0. and a number with the mask of the inverse code (bit inversion) to the logical and, the result is the opposite, the results are retained in the number with the mask in the 0-bit corresponding to the bit, discarded with the mask in the position of the corresponding bit 1.

The umask here is the function, with the default maximum permissions with the inverse of the umask phase, from the default maximum permission to discard the Umask disallowed permissions. So it is not a simple decimal subtraction operation, for example, when the Umask value is 0022 and 0033, the default permission for a new file is 0644 for a normal user (because 0666 & (~ 0022) and 0666 & (~ 0033) have the same result, The rwx symbol means -rw-r--r-- .

Ii. Special Privileges

In addition to normal permissions, there are three special permissions:

Permissions	Impact on a file	Impact on the Directory
Suid	Execute as the file's owning user, Rather than the user who executed the file	No
Sgid	Execute as the file belongs to the group	of any new files created in this directory. The owning group is the same as the owning group of the directory, i.e. The owning group of the inherited directory
Sticky	No	Users who have write access to the directory can only Delete the files it owns and cannot delete the other Files owned by the user

passwd command with SUID permissions

The password passwords for ordinary users in Linux are stored in the/etc/shadow file, which is accessible only to the root user and the root group. So how do ordinary users make changes to their passwords? Linux provides passwd commands for ordinary users to use to implement their own passwords:

We see that there is an "s" in this passwd 's U permission that takes up the original "x" bit, which means that the user who executes the command has "suid" permission to run as root, so the ordinary user can execute the passwd command to Modify your password and write it to the/etc/shadow file.

Third, set special permissions

Set SUID:

chmod u+s filename

Set Sgid:

chmod g+s filename

Set Sticky:

chmod o+t filename

Where setting the Sgid permission causes "s" to occupy the "x" bit of the G-permission, for example: "-rwxr-s---"; setting the sticky permission causes "T" to occupy the "x" bit of the O permission, for example: "drwxr-xr-t".

As with normal permissions, special permissions can also be expressed in octal values:

Suid   = 4 (2 ^ 2) sgid   = 2 (2 ^ 1) sticky = 2 (2 ^ 0)

Therefore, we can also set the following command:

chmod 4755 filename   normal permissions 755, the user-readable writable executable, the group and other users belong to the non-writable, special permissions to allow the identity of the user to execute

Linux entry record: 13, Linux extended permissions