Linux entry record: 13, Linux extended permissions

Source: Internet
Author: User

I. Default permissions

Every shell process (and every process it starts) carries a umask value that determines the default permissions of the files and directories it creates. "Mask" means exactly that, a bit mask; what the "u" stands for is discussed below.

Linux always has a permission mask in effect; the umask command views or sets it:

umask 0022         with a value: sets the mask; without a value: prints the current mask (umask -S prints it in symbolic form, showing the permissions that will be kept rather than masked out)

The default depends on who you are: on Red Hat derived systems ordinary users (historically UID 500 or above) get 0002, while root (UID 0) gets 0022. The rule lives in the shell startup files (/etc/profile or /etc/bashrc) and varies by distribution, so check with umask rather than assuming.

When a new file or directory is created, its default permissions are: the maximum default permissions for that kind of object & (~umask).

So what are the maximum default permissions? For a directory they are 0777; for a file they are 0666 (the x bit is never granted by default: new files are not executable unless you make them so, a deliberate safety measure). Note that Linux permission values are octal, so the "decimal subtraction" recipes for computing default permissions found on the web are logically wrong.

How to memorize and understand this arithmetic?

A mnemonic: read umask as a "bitwise-inverted mask", the inversion from "u", the masking from "mask" (historically the name is short for "user file-creation mode mask", but the mnemonic captures the arithmetic). Take the bitwise inverse of the mask (~umask), AND it with the maximum permissions, and you get the default permissions of the new file or directory.

Why does that work?

The key is the "mask" part. A mask is ANDed with a target number: wherever the mask bit is 1 the target's bit is kept, wherever the mask bit is 0 the target's bit is discarded, because x & 1 = x and x & 0 = 0. ANDing with the inverse of the mask does the opposite: the target keeps the bits where the mask is 0 and loses the bits where the mask is 1.

That is what umask does: ANDing the maximum permissions with the inverse of the umask removes from the maximum exactly the permissions the umask forbids. It is not decimal subtraction. For example, with umask 0022 and with umask 0033 a normal user's new file gets mode 0644 in both cases, because 0666 & (~0022) and 0666 & (~0033) give the same result (in rwx form: -rw-r--r--), whereas subtraction would wrongly predict 0633 for the second. Directories do differ: 0777 & (~0022) = 0755 but 0777 & (~0033) = 0744.
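To make the arithmetic concrete, here is an added shell example (not part of the original article) that computes MAX & ~umask with the shell's own octal arithmetic and then checks the result against the modes the kernel actually assigns to a freshly created file and directory. It assumes a POSIX shell with GNU or BusyBox stat (stat -c '%a'), and it uses a temporary directory it creates itself.

```shell
#!/bin/sh
# Added example (not from the original article): compute the default mode of a
# new file or directory from umask with octal bitwise arithmetic, then confirm
# the result against what the kernel actually produces.

# Print MAX & ~UMASK in octal (no leading zero), i.e. the mode a new object gets.
# $1: maximum mode (0666 for files, 0777 for directories), $2: umask.
# Both arguments are octal literals; the leading 0 makes the shell treat them so.
default_mode() {
    printf '%o\n' $(( $1 & ~$2 ))
}

# Create a file and a directory under a temporary directory with umask $1 and
# print the modes the kernel gave them, as "FILEMODE DIRMODE" (octal).
# The umask is changed inside a subshell so the caller's mask is untouched.
created_modes() {
    tmp=$(mktemp -d)
    (
        umask "$1"
        : > "$tmp/f"
        mkdir "$tmp/d"
    )
    printf '%s %s\n' "$(stat -c '%a' "$tmp/f")" "$(stat -c '%a' "$tmp/d")"
    rm -rf "$tmp"
}

# Why umask is not decimal subtraction: 0022 and 0033 give the same file mode
# (644) but different directory modes (755 versus 744); 0077 keeps everything
# private to the owner (600 / 700).
for u in 0022 0033 0002 0077; do
    printf 'umask %s: file %s dir %s (kernel says: %s)\n' "$u" \
        "$(default_mode 0666 "$u")" "$(default_mode 0777 "$u")" \
        "$(created_modes "$u")"
done
```

The "kernel says" column should always match the computed pair; if it does not, something other than umask is shaping the mode, most commonly a default ACL on the parent directory, which is worth knowing about when auditing a shared directory.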

II. Special permissions

In addition to the normal rwx permissions, there are three special permission bits:

Permission   Effect on a file                                   Effect on a directory
SUID         The program runs with the identity of the          None (Linux ignores SUID on directories)
             file's owner rather than that of the user
             who executed it
SGID         The program runs with the file's group rather      New files created in the directory get the
             than the caller's group                            directory's owning group instead of the
                                                                creator's primary group (the group is inherited)
Sticky       None (Linux ignores the sticky bit on              A user with write access to the directory can
             regular files)                                     delete or rename only the files they own, not
                                                                files owned by other users (the directory's
                                                                owner and root are exempt)

The passwd command has SUID set

In Linux the password hashes of all users are stored in /etc/shadow, which is readable only by root (on some distributions also by a dedicated shadow group). So how can an ordinary user change their own password? Linux provides the passwd command for this. Listing it with ls -l shows something like:

-rwsr-xr-x root root /usr/bin/passwd

Note the "s" in the owner (u) permissions, occupying the position of the original "x". That is the SUID bit: whoever executes the file runs it with the privileges of the file's owner, here root, so an ordinary user running passwd can change their password and have the result written to /etc/shadow. The flip side is that every SUID-root binary is a privilege boundary: a bug in it hands root to anyone who can run it, so the set of such binaries on a system should be kept small and known.

III. Setting special permissions

Set SUID:

chmod u+s filename

Set Sgid:

chmod g+s filename

Set Sticky:

chmod o+t filename

Setting SGID makes an "s" occupy the "x" position of the group (g) permissions, for example "-rwxr-s---"; setting the sticky bit makes a "t" occupy the "x" position of the other (o) permissions, for example "drwxr-xr-t". The letter is lowercase when the underlying x bit is also set and uppercase ("S" or "T") when it is not, so "-rwSr--r--" means SUID is set but the owner cannot execute the file, a combination that is almost always a mistake.

As with normal permissions, special permissions can also be expressed in octal values:

SUID   = 4 (2 ^ 2)   SGID   = 2 (2 ^ 1)   sticky = 1 (2 ^ 0)

Therefore the same bits can be set with a four-digit numeric mode, where the first digit is the sum of the special bits:

chmod 4755 filename   normal permissions 755: the owner can read, write and execute, the group and others can read and execute but not write; the leading 4 sets SUID, so the file runs with its owner's identity. Note that on a regular file a later three-digit numeric mode such as chmod 755 clears SUID and SGID again, so check with ls -l after changing modes.
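The table in section II and the s/S and t/T display rule above are easy to get wrong by hand, so here is an added shell example (not code from the original article) that renders a numeric mode the way ls does, compares that rendering with what the kernel reports after chmod, and lists the setuid binaries under a directory, the audit a reviewer runs after reading about passwd. It assumes a POSIX shell with GNU or BusyBox stat (stat -c '%A') and find; the function names and the temporary files are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): render a numeric mode the way
# ls shows it, including the s/S and t/T rule for the special bits, check the
# rendering against the kernel after chmod, and list setuid files for auditing.

# Render one rwx triad. $1: the three permission bits, $2: 1 if the special bit
# (setuid, setgid or sticky) belonging to this triad is set, $3/$4: the lowercase
# and uppercase letter shown in the x position for that special bit.
triad() {
    bits=$1 special=$2 lower=$3 upper=$4
    r=-; w=-; x=-
    if [ $(( bits & 4 )) -ne 0 ]; then r=r; fi
    if [ $(( bits & 2 )) -ne 0 ]; then w=w; fi
    if [ $(( bits & 1 )) -ne 0 ]; then x=x; fi
    if [ "$special" -ne 0 ]; then
        # lowercase when the underlying x bit is also set, uppercase when it is not
        if [ "$x" = x ]; then x=$lower; else x=$upper; fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# Convert an octal mode such as 4755 or 1776 into the nine-character rwx string.
# Bit 11 is SUID (4000), bit 10 is SGID (2000), bit 9 is sticky (1000).
mode_to_symbolic() {
    m=$(( 0$1 ))     # the leading 0 forces octal in shell arithmetic
    printf '%s%s%s\n' \
        "$(triad $(( (m >> 6) & 7 )) $(( (m >> 11) & 1 )) s S)" \
        "$(triad $(( (m >> 3) & 7 )) $(( (m >> 10) & 1 )) s S)" \
        "$(triad $(( m & 7 ))        $(( (m >> 9) & 1 ))  t T)"
}

# Apply a numeric mode to a fresh file (or a directory, if $2 is "dir") with
# chmod and read back the rwx string the kernel reports, to compare with the above.
kernel_symbolic() {
    tmp=$(mktemp -d)
    if [ "${2:-file}" = dir ]; then p="$tmp/d"; mkdir "$p"; else p="$tmp/f"; : > "$p"; fi
    chmod "$1" "$p"
    stat -c '%A' "$p" | cut -c2-10     # drop the leading type character (- or d)
    rm -rf "$tmp"
}

# List regular files under $1 with the setuid bit set: candidates for privilege
# escalation, so every entry should be known and justified. -xdev stays on one
# filesystem so a mounted network share cannot flood the list.
find_setuid() {
    find "$1" -xdev -type f -perm -4000 -print
}

# Demonstration: the three special bits in octal and symbolic form.
for mode in 4755 4655 2755 1777 1776; do
    printf '%s -> %s\n' "$mode" "$(mode_to_symbolic "$mode")"
done
```

Run find_setuid / (as root, to be able to read every directory) on a freshly installed system and keep the output; a diff against it later is a cheap way to notice a new setuid binary that a package, a build script or an attacker has dropped.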
