Linux file permissions, special permissions

Source: Internet
Author: User

Each file or directory in Linux carries access permissions.


When ls -l is run, characters 2 to 10 of the first column represent the permissions, and the first character gives the file type:

d: directory

-: regular file

l: symbolic link, which in fact points to another file

b: block device

p: named pipe (FIFO)

First, general permissions:

Characters 2 to 10 are read as three groups of three, for the owner, the owning group, and other users respectively.

r (read): for a file, permission to read its contents, for example with cat. For a directory, permission to list it: ls works, but cd does not;

w (write): for a file, permission to modify or delete its contents; for a directory, permission to move and delete the files inside it;

x (execute): for a file, permission to execute it; for a directory, permission to cd into it. (In a CentOS environment, ls colours files with execute permission green);

-: the permission is not granted.

-rwx------: the file owner has read, write and execute permission on the file; nobody else has any.


umask determines the default permissions of the files a user creates; the default umask is 0022.

Second, special permissions:

1) setuid, setgid


/etc/passwd stores the account information of every user, and /usr/bin/passwd is the program that modifies (and reads) this file. Judging by the permissions, only root has write (w) permission on /etc/passwd, yet every user can change it through the /usr/bin/passwd command. This is where the Linux special permission setuid comes in: the s in -rwsr-xr-x.

setuid lets an ordinary user run a program that would otherwise require root permission to execute; setgid does the same with respect to the group.

An ordinary user is not allowed to modify /etc/passwd, but because /usr/bin/passwd carries the setuid permission, an ordinary user running the passwd command temporarily gets root permissions and can modify /etc/passwd.

setuid: chmod u+s

setgid: chmod g+s


The /tmp directory is a temporary directory shared by all users, and every user has read and write permission on it. That inevitably raises a problem: user A creates a file a.file in /tmp, user B takes a dislike to it and tries to delete it from /tmp (having read and write permission on the directory). That obviously must not be allowed, and in fact it is not, because of a special permission called the sticky bit: the t at the end of drwxrwxrwt.

The sticky bit means: only the owner of a file (and root) may delete it; other users cannot delete or modify it.

That is, in the /tmp directory only the owner of a file and root can modify or delete it; other users cannot, which avoids the problem described above. The usual purpose is to open up a directory's permissions so that files can be shared, as with /tmp. (The sticky bit governs deleting and renaming entries in the directory; whether another user can write to a file's contents is still decided by the file's own permission bits.)

sticky bit: chmod o+t xxx
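To tie the three special bits to the mode strings above (-rwsr-xr-x, drwxrwxrwt, -rwx------), here is an added POSIX shell example that is not part of the original post: it decodes an ls -l mode string into its four-digit octal value and names the special bits set, and it also covers the capital S/T case the text does not show, where a special bit is set without the matching execute bit. The function names (triplet_value, mode_to_octal, special_bits, list_setuid_files) are chosen here.

```shell
#!/bin/sh
# Decode a symbolic mode string as printed by `ls -l` into four-digit octal,
# including the setuid (4000), setgid (2000) and sticky (1000) bits, and name
# the special bits that are set. A capital S or T means the special bit is
# set but the matching execute bit is not, which is worth flagging in an audit.

# $1 = three characters such as "rws"; prints "<rwx value> <special flag>".
triplet_value() {
    v=0; s=0
    case $(printf '%s' "$1" | cut -c1) in r) v=$((v + 4)) ;; esac
    case $(printf '%s' "$1" | cut -c2) in w) v=$((v + 2)) ;; esac
    case $(printf '%s' "$1" | cut -c3) in
        x)   v=$((v + 1)) ;;
        s|t) v=$((v + 1)); s=1 ;;   # special bit plus execute
        S|T) s=1 ;;                 # special bit without execute
    esac
    echo "$v $s"
}

# $1 = ten-character mode string, e.g. -rwsr-xr-x; prints e.g. 4755.
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 10 ] || return 1
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c2-4)"); u=$1; su=$2
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c5-7)"); g=$1; sg=$2
    set -- $(triplet_value "$(printf '%s' "$m" | cut -c8-10)"); o=$1; st=$2
    printf '%d%d%d%d\n' $((su * 4 + sg * 2 + st)) "$u" "$g" "$o"
}

# Names the special bits in a mode string ("setuid", "sticky", ... or "none");
# "(no-exec)" marks the capital S/T forms.
special_bits() {
    out=""
    case $(printf '%s' "$1" | cut -c4) in
        s) out="setuid" ;; S) out="setuid(no-exec)" ;; esac
    case $(printf '%s' "$1" | cut -c7) in
        s) out="${out:+$out,}setgid" ;; S) out="${out:+$out,}setgid(no-exec)" ;; esac
    case $(printf '%s' "$1" | cut -c10) in
        t) out="${out:+$out,}sticky" ;; T) out="${out:+$out,}sticky(no-exec)" ;; esac
    printf '%s\n' "${out:-none}"
}

# Defender check on a live system: list setuid executables under a directory.
list_setuid_files() { find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null; }

for m in -rwsr-xr-x drwxrwxrwt -rwx------ -rwSr--r--; do
    printf '%s  %s  %s\n' "$m" "$(mode_to_octal "$m")" "$(special_bits "$m")"
done
```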

Three, chattr and lsattr:

The chattr command is very powerful, but some of its functions depend on the Linux kernel version: on kernels older than 2.2 many of them cannot be used, and -D (checking compressed files for errors) requires kernel 2.5.19 or later. Changing attributes with chattr can improve the security of the system, but it is not suitable for every directory: chattr cannot protect the /, /dev, /tmp and /var directories.

These two commands change the attributes of files and directories. Compared with chmod and ls, which only change or show read, write and execute permissions, chattr controls lower-level attributes.
chattr command usage: chattr [-RV] [-v version] [mode] files ...
The crucial part is [mode], which is composed of the operators +, - and = and the letters [ASacDdIijsTtu]; together they control the file's attributes.
+: append the given attributes to the existing ones.

-: remove the given attributes from the existing ones.

=: set exactly the given attributes.

a: append only. After this attribute is set, data can only be added to the file, never deleted; it is mostly used to protect server log files. Only root can set this attribute.

i: immutable. The file cannot be deleted, renamed or linked to, and cannot be written or appended to. The i attribute is useful for filesystem security settings.

The above are the most commonly used; the rest are seen less often:

A: the atime (access time) of the file or directory is not updated, which avoids disk I/O, for example on laptops.

S: synchronous I/O; writes go to disk synchronously, similar to sync.

c: compressed. The file is compressed before being stored and transparently decompressed when read.

d: no dump; the file is not a backup target of the dump program.

j: journal. When the filesystem is mounted with data=ordered or data=writeback, the file's data is written to the journal as well. If the filesystem is mounted with data=journal the attribute has no effect.

s: secure deletion. When the file or directory is deleted, its disk space is completely wiped.

u: the opposite of s. When the file is deleted its data stays on disk, so it can be undeleted.

Of all these options, a and i are the most used. a enforces append-only access with no removal, which suits the security settings of log files; i is a stricter setting, and only the superuser (root) or a process with the CAP_LINUX_IMMUTABLE capability can set or clear it.

lsattr is used to view the attributes of a file.
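As an added example that is not from the original post, the following POSIX shell script reads lsattr-style output and lists the files that carry a given attribute, which is how a defender checks which files are immutable (i) or append-only (a). The sample lines are constructed, and the function names (attr_flags, has_attr, files_with_attrs) are chosen here.

```shell
#!/bin/sh
# Constructed lsattr-style output (not captured from a real system). Each line
# is an attribute column followed by the path; '-' means the flag is unset and
# a letter means it is set. Column positions differ between e2fsprogs
# versions, so the letters are read rather than fixed columns.
SAMPLE_LSATTR='--------------e------- /etc/passwd
-----a--------e------- /var/log/secure
----i---------e------- /usr/bin/ls
---------------------- /tmp/scratch'

# Print the set attribute letters of one lsattr line, e.g. "ae".
attr_flags() {
    printf '%s\n' "${1%% *}" | sed 's/-//g'
}

# Succeed if the line in $1 has the single-letter attribute $2 set.
has_attr() {
    case $(attr_flags "$1") in *"$2"*) return 0 ;; esac
    return 1
}

# Read lsattr lines on stdin and print the path of every file that has all
# of the letters in $1 set (e.g. "i" for immutable, "a" for append-only).
files_with_attrs() {
    want=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ok=1
        rest=$want
        while [ -n "$rest" ]; do
            c=${rest%"${rest#?}"}          # first character of $rest
            rest=${rest#?}
            has_attr "$line" "$c" || ok=0
        done
        if [ "$ok" -eq 1 ]; then printf '%s\n' "${line#* }"; fi
    done
}

# Audit: immutable (+i) and append-only (+a) files. Both are legitimate
# hardening on account files or logs, but an unexpected +i on a binary is
# something an audit should surface, so list them explicitly.
echo "immutable files:";   printf '%s\n' "$SAMPLE_LSATTR" | files_with_attrs i
echo "append-only files:"; printf '%s\n' "$SAMPLE_LSATTR" | files_with_attrs a
# On a live system the same check reads real output, e.g.:
#   lsattr -R /etc /usr/bin 2>/dev/null | files_with_attrs i
```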


