Linux file permissions

Source: Internet
Author: User

I. Overview

As the name implies, file permissions define which operations a given user is allowed to perform on a file, and to what extent. Before going into Linux file permissions, let's look at a common Linux command, ls.


II. The ls command and permissions in detail

ls is mainly used to display directory listings and file attributes.

Usage: ls [OPTION]... [FILE]...

Common options:

-a: display all files in the directory, including hidden files whose names start with "."

-l: long format; displays detailed attribute information for each file. ls -l is what the common alias ll expands to

-d: show only the directory name itself, not the list of files inside it

-k: display file sizes in kilobytes

-i: display each file's inode number

For example:

# ls -l /etc
total 1880
drwxr-xr-x.  3 root root 4096 6 04:54 abrt
drwxr-xr-x.  4 root root 4096 6 05:05 acpi
-rw-r--r--.  1 root root 17:52 adjtime
-rw-r--r--.  1 root root 1512 Jan aliases



1. The first column shows the type and permissions of the file

a) The first character is the file type:

d: directory

-: regular file

l: symbolic link

c: character device (such as a keyboard or mouse), for example /dev/tty

b: block device (such as a hard disk or optical drive), for example /dev/sda1. Block devices can be accessed randomly; character devices cannot

s: socket, for example /var/run/acpid.socket

p: named pipe (FIFO)

b) The following nine characters come in three groups of three. The groups are the permissions of the file's owner, of the file's group, and of other users who are neither the owner nor members of the group. Each group is a combination of the three characters rwx: r for readable (read), w for writable (write), x for executable (execute); a "-" means that permission is absent.

Take drwxr-xr-x as an example: the file is a directory; its owner can read, write and execute it; users in the same group can read and execute it but not write to it; and all other users can likewise read and execute it but not write to it.

2. The second column is the number of file names (hard links) that refer to this inode

3. The third, fourth and fifth columns are the file's owner, its group, and the file size (in bytes by default)

4. The sixth column is the time the file was created or last modified

5. The seventh column is the file name. Note that a file name beginning with "." marks a hidden file, and the -a option is needed to display it
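The following Python parser, added here as a worked example (it is not part of the original post), turns lines of ls -l output into the columns described above and converts the rwx string into the numeric mode that chmod accepts. It goes a little beyond this section: it also understands the s/S/t/T letters that appear in the x positions when the special bits covered later on this page are set. The sample listing is constructed, not captured from a real system, and the function names are the example's own.

```python
import re
import stat
from typing import Dict, List, Union

# Leading type character of the first ls -l column, as listed above.
FILE_TYPES = {
    "-": "regular file",
    "d": "directory",
    "l": "symbolic link",
    "c": "character device",
    "b": "block device",
    "s": "socket",
    "p": "named pipe (FIFO)",
}

# Position in the 9-character string -> permission bit it stands for.
PERM_POSITIONS = [
    (0, stat.S_IRUSR), (1, stat.S_IWUSR), (2, stat.S_IXUSR),
    (3, stat.S_IRGRP), (4, stat.S_IWGRP), (5, stat.S_IXGRP),
    (6, stat.S_IROTH), (7, stat.S_IWOTH), (8, stat.S_IXOTH),
]
# The three x positions may instead carry a special bit: SUID, SGID, sticky.
SPECIAL_POSITIONS = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def perm_string_to_mode(perms: str) -> int:
    """Convert the nine rwx characters (e.g. 'rwxr-xr-x') to a numeric mode.

    's'/'S' in an x position means SUID (owner triplet) or SGID (group
    triplet); 't'/'T' in the last position means sticky. Lowercase means
    the x bit is set as well, uppercase means it is not.
    """
    if len(perms) != 9:
        raise ValueError(f"expected 9 permission characters, got {perms!r}")
    mode = 0
    for idx, bit in PERM_POSITIONS:
        ch = perms[idx]
        if ch == "-":
            continue
        if idx in SPECIAL_POSITIONS and ch in "sStT":
            mode |= SPECIAL_POSITIONS[idx]
            if ch.islower():          # lowercase: execute bit present too
                mode |= bit
            continue
        if ch != "rwx"[idx % 3]:
            raise ValueError(f"unexpected {ch!r} at position {idx} of {perms!r}")
        mode |= bit
    return mode


# One ls -l line: type, permissions, optional '.'/'+' marker (SELinux context / ACL
# present), link count, owner, group, size, three date tokens, then the name.
LS_LINE = re.compile(
    r"^(?P<type>[-dlcbsp])(?P<perms>[rwxsStT-]{9})[.+]?\s+"
    r"(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\S+\s+\S+\s+\S+)\s+(?P<name>.+)$"
)


def parse_ls_line(line: str) -> Dict[str, Union[str, int, bool]]:
    """Split one line of `ls -l` output into the columns described above."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    mode = perm_string_to_mode(m.group("perms"))
    return {
        "kind": FILE_TYPES[m.group("type")],
        "perms": m.group("perms"),
        "mode": mode,
        "octal": format(mode, "04o"),
        "links": int(m.group("links")),
        "owner": m.group("owner"),
        "group": m.group("group"),
        "size": int(m.group("size")),
        "mtime": m.group("mtime"),
        "name": m.group("name"),
        "hidden": m.group("name").startswith("."),
    }


def parse_listing(text: str) -> List[Dict[str, Union[str, int, bool]]]:
    """Parse a whole `ls -l` listing, skipping blank lines and the 'total N' header."""
    return [parse_ls_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.startswith("total ")]


# Constructed sample listing (not captured from a real system).
SAMPLE_LISTING = """\
total 3
drwxr-xr-x.  3 root  root   4096 Sep  6 04:54 abrt
-rw-r--r--.  1 root  root   1512 Jan 12  2010 aliases
-rwsr-xr-x.  1 root  root  30768 Feb 22  2012 passwd
-rw-r--r--+  1 tesla tesla   884 Aug 20 21:13 .inittab
"""

if __name__ == "__main__":
    for row in parse_listing(SAMPLE_LISTING):
        print(f"{row['octal']} {row['kind']:18} {row['owner']}:{row['group']} {row['name']}")
```

The trailing "." or "+" after the permission string is not a permission: ls prints "." when the file has an SELinux context and "+" when it has an access control list (see the FACL section later on this page), so an auditing script should treat "+" as a hint that the nine rwx characters do not tell the whole story.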


III. What permissions mean for files and directories

1. Meaning of permissions on a file

r: the file's contents can be read

w: the file's contents can be edited, modified or appended to

x: the file may be executed by the system

2. Meaning of permissions on a directory

r: the directory listing (the list of names it contains) can be read

w: files or directories can be created in it, and existing ones can be deleted

existing files and directories in it can be renamed

files and directories can be moved around within it

x: the directory can be entered (accessed)


IV. How permissions are matched when a user accesses a file

1. Check whether the owner of the process is the owner of the file being accessed; if so, the owner permissions apply

2. Otherwise, check whether the owner of the process belongs to the file's group; if so, the group permissions apply

3. Otherwise, the access is evaluated as a different user, i.e. with the "other" permissions


V. Modifying permissions

The chmod command modifies the permissions of a file or directory.

Note: only the file's owner and root can change its permissions.

Usage: chmod [OPTION]... MODE[,MODE]... FILE...

Common options:

--reference=RFILE: set the file's permissions to be the same as those of the specified file or directory RFILE

-R: process recursively, so that all files and subdirectories inside a directory are modified as well


1. Setting the permissions of all three classes of user at once, using an octal number; for example rwxr-xr-x can be written as 755

Example: chmod 640 file, chmod 5 file (equivalent to chmod 005 file)

2. Setting the permissions of a specified class

u: owner (user)  g: group  o: others  a: all

Example: chmod u=rw fatab, chmod ug=rw fatab

3. Adding or removing individual permission bits of a specified class

For example: chmod g-w fatab

# ls -l /home/tesla/inittab
-rw-r--r-- 1 tesla tesla 884 Aug 20 21:13 /home/tesla/inittab
# chmod 666 /home/tesla/inittab
# ls -l /home/tesla/inittab
-rw-rw-rw- 1 tesla tesla 884 Aug 20 21:13 /home/tesla/inittab
# chmod u=rwx /home/tesla/inittab
# ls -l /home/tesla/inittab
-rwxrw-rw- 1 tesla tesla 884 Aug 20 21:13 /home/tesla/inittab
# chmod g-w /home/tesla/inittab
# ls -l /home/tesla/inittab
-rwxr--rw- 1 tesla tesla 884 Aug 20 21:13 /home/tesla/inittab
# chmod --reference=/etc/passwd /home/tesla/inittab
# ls -l /home/tesla/inittab
-rw-r--r-- 1 tesla tesla 884 Aug 20 21:13 /home/tesla/inittab
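As an added example (not from the original post), the Python code below emulates chmod's three ways of specifying a mode and then replays the inittab transcript above on throwaway files, so the resulting modes can be compared with the ls output. Function names such as apply_symbolic and run_sequence are the example's own; the temporary files stand in for /home/tesla/inittab and /etc/passwd.

```python
import os
import stat
import tempfile
from typing import List

# Which permission bits each user class covers in the symbolic form.
WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
# Which bits each permission letter selects (before being limited to the chosen classes).
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def parse_octal_mode(text: str) -> int:
    """'640' -> 0o640; '5' -> 0o005 (missing leading digits are zero, as with chmod 5 FILE)."""
    if not text or len(text) > 4 or any(c not in "01234567" for c in text):
        raise ValueError(f"bad octal mode {text!r}")
    return int(text, 8)


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a chmod symbolic spec such as 'u=rw,g-w,o+x' or 'u+s' to a numeric mode.

    Emulates the rules of chmod(1) for regular files: '+' adds, '-' removes,
    '=' clears the class's bits (including its set-id bit) and then sets the
    listed ones. 's' means SUID with u, SGID with g; 't' means sticky.
    """
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in WHO_BITS:
            i += 1
        who = clause[:i] or "a"        # no class letter: chmod treats it as 'a'
        rest = clause[i:]
        if not rest or rest[0] not in "+-=":
            raise ValueError(f"bad clause {clause!r}")
        op, letters = rest[0], rest[1:]
        if any(ch not in "rwxst" for ch in letters):
            raise ValueError(f"unsupported permission letters {letters!r}")

        who_mask = 0
        for w in who:
            who_mask |= WHO_BITS[w]
        perm_mask = 0
        for ch in letters:
            perm_mask |= PERM_BITS.get(ch, 0)
        special = 0
        if "s" in letters:
            if "u" in who or "a" in who:
                special |= stat.S_ISUID
            if "g" in who or "a" in who:
                special |= stat.S_ISGID
        if "t" in letters:
            special |= stat.S_ISVTX
        change = (who_mask & perm_mask) | special

        if op == "+":
            mode |= change
        elif op == "-":
            mode &= ~change
        else:  # '='
            clear = who_mask
            if "u" in who or "a" in who:
                clear |= stat.S_ISUID
            if "g" in who or "a" in who:
                clear |= stat.S_ISGID
            mode = (mode & ~clear) | change
    return mode & 0o7777


def run_sequence(path: str, steps: List[str]) -> List[str]:
    """Apply each step with os.chmod and return the resulting modes as octal strings.

    A step is an octal mode ('666'), a symbolic spec ('u=rwx'), or 'ref:PATH',
    which copies PATH's mode like chmod --reference=PATH.
    """
    results = []
    for step in steps:
        current = stat.S_IMODE(os.stat(path).st_mode)
        if step.startswith("ref:"):
            new = stat.S_IMODE(os.stat(step[4:]).st_mode)
        elif step.isdigit():
            new = parse_octal_mode(step)
        else:
            new = apply_symbolic(current, step)
        os.chmod(path, new)
        results.append(format(stat.S_IMODE(os.stat(path).st_mode), "04o"))
    return results


def demo_chmod() -> List[str]:
    """Replay the inittab transcript above on throwaway files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "inittab")        # stands in for /home/tesla/inittab
        reference = os.path.join(d, "passwd")      # stands in for /etc/passwd (mode 644)
        for p in (target, reference):
            with open(p, "w") as f:
                f.write("constructed sample\n")
            os.chmod(p, 0o644)
        return run_sequence(target, ["666", "u=rwx", "g-w", "ref:" + reference])


if __name__ == "__main__":
    print(demo_chmod())   # expected: ['0666', '0766', '0746', '0644']
```

Two details of the emulation are worth noticing when reviewing chmod invocations: a clause with no class letter ("+x") applies to all classes, and "=" on the owner or group class silently drops that class's set-id bit on a regular file, which is why apply_symbolic(0o4755, "u=rw") returns 0o655.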

VI. Special file permissions

1. SUID

When an s appears in the x position of the file owner's permissions, as in "-rwsr-xr-x.", the bit is called the set-UID bit, suid for short. A few notes:

1) suid only has an effect on binary programs

2) the executing user must have x (execute) permission on the program

3) the permission is only in effect while the program is running (run-time)

4) while it runs, the executing user has the permissions of the program's owner

Take passwd as an example. We know that changing a password means writing the encrypted password to the /etc/shadow file, whose permissions are ----------: normal users have no permissions on it at all, although permission settings do not apply to the administrator root. /usr/bin/passwd has permissions -rwsr-xr-x, so when a user runs this command as a process, the effective identity of that process is no longer the user who started it but the file's owner, i.e. the root user, and root can write to /etc/shadow. That is why ordinary users can change their own passwords.

Setup method: chmod u+s FILE...

When a file with suid is viewed with ls -l, the s may appear in either lowercase or uppercase: it is shown in lowercase when the owner's execute permission is also present, and in uppercase otherwise

# ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 30768 Feb 2012 /usr/bin/passwd
# chmod u-x /usr/bin/passwd
# ls -l /usr/bin/passwd
-rwSr-xr-x. 1 root root 30768 Feb 2012 /usr/bin/passwd

2. SGID

Similar to suid, except that sgid grants the permissions of the file's group.

It is mainly used on directories: if a user has write permission on a directory and the sgid bit is set on it, the group of files the user creates inside that directory is no longer the user's primary group but the directory's group.

It also works on binary programs; the executing user needs x (execute) permission.

Setup method: chmod g+s FILE...

# ls -ld /home/tesla/genius
drwxrwxr-x 2 tesla tesla 4096 02:44 /home/tesla/genius
# chmod g+s /home/tesla/genius
# touch /home/tesla/genius/sb
# ls -l /home/tesla/genius
total 0
-rw-r--r-- 1 root tesla 0 02:51 sb

3. Sticky bit (sbit)

Set on the "other" class and only meaningful for directories. Its effect: when users create files or directories inside such a directory, only the creating user and root can delete them.

Setup method: chmod o+t FILE...
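A defender usually wants an inventory of files carrying these bits rather than a way to set them. The following Python example (added here; not from the original post) renders a mode the way ls -l shows it, including the lowercase/uppercase s and t distinction explained above, and walks a directory tree reporting every SUID, SGID or sticky entry. The tree it scans is constructed in a temporary directory; function names such as find_special_bits are the example's own.

```python
import os
import stat
import tempfile
from typing import List, Tuple

SPECIAL_MASK = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def mode_to_ls_string(st_mode: int) -> str:
    """Render a full st_mode as the 10-character type+permission field ls -l prints."""
    if stat.S_ISDIR(st_mode):
        kind = "d"
    elif stat.S_ISLNK(st_mode):
        kind = "l"
    elif stat.S_ISCHR(st_mode):
        kind = "c"
    elif stat.S_ISBLK(st_mode):
        kind = "b"
    elif stat.S_ISSOCK(st_mode):
        kind = "s"
    elif stat.S_ISFIFO(st_mode):
        kind = "p"
    else:
        kind = "-"
    out = [kind]
    # (shift of the rwx triplet, special bit shown in its x slot, letter used for it)
    for shift, special, letter in ((6, stat.S_ISUID, "s"), (3, stat.S_ISGID, "s"), (0, stat.S_ISVTX, "t")):
        out.append("r" if st_mode & (4 << shift) else "-")
        out.append("w" if st_mode & (2 << shift) else "-")
        has_x = bool(st_mode & (1 << shift))
        if st_mode & special:
            out.append(letter if has_x else letter.upper())  # uppercase: special bit without x
        else:
            out.append("x" if has_x else "-")
    return "".join(out)


def find_special_bits(root: str) -> List[Tuple[str, str]]:
    """Walk root and list every entry carrying SUID, SGID or sticky as (relative path, ls string).

    Uses lstat so symbolic links are reported as themselves, not followed.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st_mode = os.lstat(full).st_mode
            if st_mode & SPECIAL_MASK:
                hits.append((os.path.relpath(full, root), mode_to_ls_string(st_mode)))
    return sorted(hits)


def demo_scan() -> List[Tuple[str, str]]:
    """Build a constructed tree in a temporary directory and scan it (no real system paths)."""
    with tempfile.TemporaryDirectory() as d:
        def mkfile(rel: str, mode: int) -> None:
            p = os.path.join(d, rel)
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(p, mode)

        os.mkdir(os.path.join(d, "shared"))
        os.chmod(os.path.join(d, "shared"), 0o2775)   # SGID directory, like genius above
        os.mkdir(os.path.join(d, "tmp"))
        os.chmod(os.path.join(d, "tmp"), 0o1777)      # sticky directory
        mkfile("passwd_like", 0o4755)                 # SUID with owner x -> lowercase s
        mkfile("broken_suid", 0o4644)                 # SUID without owner x -> uppercase S
        mkfile("plain", 0o755)                        # nothing special; must not be reported
        return find_special_bits(d)


if __name__ == "__main__":
    for rel, shown in demo_scan():
        print(shown, rel)
```

Run against a real root directory, the report is a baseline to compare against after package installs or configuration changes; an uppercase S in the output is the same "set-id bit without execute" situation that the chmod u-x transcript above produces.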

VII. FACL (file access control lists)

FACL lets ordinary users grant additional users access through the file's extended attributes, without changing the file's owner, group or "other" permissions.

1. The getfacl command reads a file's access control list

Usage: getfacl [OPTION]... FILE...

2. The setfacl command sets a file's access control list

Usage: setfacl [OPTION]... TARGET:MODE FILE...

Common options:

-m: modify the file's access control list

-x: remove an entry from the file's access control list

-R: process recursively

Example: setfacl -m u:docker:rw- a.os gives the user docker read and write access to a.os

# getfacl /home/tesla/inittab
getfacl: Removing leading '/' from absolute path names
# file: home/tesla/inittab
# owner: tesla
# group: tesla
user::rw-
group::r--
mask::r--
other::r--
# setfacl -m u:wittgenstein:rw- /home/tesla/inittab
# getfacl /home/tesla/inittab
getfacl: Removing leading '/' from absolute path names
# file: home/tesla/inittab
# owner: tesla
# group: tesla
user::rw-
user:wittgenstein:rw-
group::r--
mask::rw-
other::r--

3. How permissions are applied once FACL is enabled:

owner -> user-level FACL entries -> group -> group-level FACL entries -> others
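The evaluation order above, and the plain owner/group/other model of section IV that it extends, can be written down as one function. The Python code below, added here as an example (not from the original post), parses getfacl's long output format and decides a request the way acl(5) describes, including the effect of the mask entry, which limits every named user and group entry but never the owner's or other's entry. The sample ACL is constructed from the second getfacl output in the transcript above; names like check_access are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

R, W, X = 4, 2, 1


def perm_bits(text: str) -> int:
    """'rw-' -> 6, 'r--' -> 4, '---' -> 0."""
    if len(text) != 3:
        raise ValueError(f"bad permission triplet {text!r}")
    return (R if text[0] == "r" else 0) | (W if text[1] == "w" else 0) | (X if text[2] == "x" else 0)


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: int                 # user::   entry (the owner)
    group_obj: int                # group::  entry (the owning group)
    other: int                    # other::  entry
    named_users: Dict[str, int] = field(default_factory=dict)   # user:NAME:  entries
    named_groups: Dict[str, int] = field(default_factory=dict)  # group:NAME: entries
    mask: Optional[int] = None    # mask::   entry, present once any named entry exists


def parse_getfacl(text: str) -> Acl:
    """Parse the long form getfacl prints (as in the transcript above)."""
    acl = Acl(owner="", group="", user_obj=0, group_obj=0, other=0)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue
        if line.startswith("# owner:") or line.startswith("# group:"):
            key, value = line[2:].split(":", 1)
            setattr(acl, key, value.strip())
            continue
        if line.startswith("#"):
            continue
        entry = line.split("#", 1)[0].strip()        # drop a trailing "#effective:..." note
        tag, qualifier, perms = entry.split(":")
        bits = perm_bits(perms)
        if tag == "user":
            if qualifier:
                acl.named_users[qualifier] = bits
            else:
                acl.user_obj = bits
        elif tag == "group":
            if qualifier:
                acl.named_groups[qualifier] = bits
            else:
                acl.group_obj = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL entry {entry!r}")
    return acl


def check_access(acl: Acl, user: str, groups: Iterable[str], want: int) -> Tuple[bool, str]:
    """Decide whether `user` (member of `groups`) gets all bits in `want`, and say which entry decided.

    Order: owner, named user, owning group / named groups, other. The mask
    limits every entry except the owner's and other's. A group-class match
    that lacks the permission denies access; other:: is not consulted then.
    """
    groups = set(groups)
    mask = 0o7 if acl.mask is None else acl.mask
    if user == acl.owner:
        return ((want & ~acl.user_obj) == 0, "user:: (owner)")
    if user in acl.named_users:
        return ((want & ~(acl.named_users[user] & mask)) == 0, f"user:{user}: limited by mask")
    matched = []
    if acl.group in groups:
        matched.append("group:: (owning group)")
        if (want & ~(acl.group_obj & mask)) == 0:
            return (True, matched[-1])
    for name, bits in acl.named_groups.items():
        if name in groups:
            matched.append(f"group:{name}:")
            if (want & ~(bits & mask)) == 0:
                return (True, matched[-1])
    if matched:
        return (False, " / ".join(matched) + " limited by mask")
    return ((want & ~acl.other) == 0, "other::")


# Constructed from the second getfacl output in the transcript above.
SAMPLE_ACL = """\
# file: home/tesla/inittab
# owner: tesla
# group: tesla
user::rw-
user:wittgenstein:rw-
group::r--
mask::rw-
other::r--
"""
```

The mask is the part people miss when reviewing ACLs: chmod g-w on a file with named entries rewrites mask::, so a user:NAME:rw- line can stay in getfacl output while the effective permission shown next to it drops to r--. That is exactly what the ordering above encodes, and why the owner (never masked) and a named user (always masked) with identical rw- entries can end up with different access. With no named entries and no mask, check_access reduces to the owner/group/other rule of section IV, including the point that a matching owner entry decides even when the group entry would have granted more.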


VIII. umask

The umask command sets the permission mask for new files, which controls the default permissions of newly created files.

The default permission of a new file is 666 - umask (new files do not get execute permission by default), and the default permission of a new directory is 777 - umask.

The umask value actually has four digits. The last three are the permissions of the owner, the group and other users; the first digit is the special-permission bit, whose values are suid = 4, sgid = 2, sbit = 1. The first digit is rarely used, so only the last three are considered below.

The default umask for the root user is 022 (002 for normal users). It can be viewed and changed with the umask command.

Usage: umask [OPTION]... [new mask value (in octal)]

Examples of calculating default permissions:

1) If the umask value is 022, the starting permission for files is 666-022=644 (rw-r--r--), and the starting permission for directories is 777-022=755 (rwxr-xr-x)

2) If the umask value is 045, then 666-045=621 (rw--w---x); since new files are normally required not to have execute permission by default, 1 is added back to the corresponding x bit, and the default permission of the new file is 622

# umask
0022
# umask 045
# umask
0045
# mkdir /home/jack
# ls -ld /home/jack
drwx-wx-w- 2 root root 4096 03:54 /home/jack
# touch /home/jack/rose
# ls -l /home/jack/rose
-rw--w--w- 1 root root 0 03:56 /home/jack/rose
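The examples above use octal subtraction; the rule the kernel actually applies is bitwise: requested mode AND NOT umask. The Python code below (an added example, not from the original post) computes both rules side by side and then sets the umask in the running process to create a file and a directory, reading back the modes the system really assigned. Function names such as observe are the example's own; the files it creates live in a temporary directory.

```python
import os
import stat
import tempfile
from typing import Dict


def default_mode(requested: int, umask: int) -> int:
    """The rule the kernel applies: requested mode AND NOT umask (bitwise, not arithmetic)."""
    return requested & ~umask & 0o777


def subtraction_rule(requested: int, umask: int) -> int:
    """The digit-by-digit octal 'subtraction' used in the examples above.

    It matches the kernel whenever every umask digit only removes bits the
    requested digit has (022 on 666 or 777). It drifts as soon as a umask
    digit contains a bit the requested digit lacks: 6 - 5 = 1 for 666 and 045,
    whereas 6 AND NOT 5 = 2. That is the case the '+1' remark above patches up.
    """
    result = 0
    for shift in (6, 3, 0):
        r = (requested >> shift) & 0o7
        m = (umask >> shift) & 0o7
        result |= max(r - m, 0) << shift
    return result


def observe(umask: int) -> Dict[str, int]:
    """Set umask for this process, create a file and a directory in a temporary directory, and report their real modes."""
    previous = os.umask(umask)          # os.umask returns the old mask so it can be restored
    try:
        with tempfile.TemporaryDirectory() as d:
            fpath = os.path.join(d, "rose")
            fd = os.open(fpath, os.O_CREAT | os.O_WRONLY, 0o666)   # touch asks for 666
            os.close(fd)
            dpath = os.path.join(d, "jack")
            os.mkdir(dpath, 0o777)                                  # mkdir asks for 777
            return {
                "file": stat.S_IMODE(os.stat(fpath).st_mode),
                "dir": stat.S_IMODE(os.stat(dpath).st_mode),
            }
    finally:
        os.umask(previous)


if __name__ == "__main__":
    for m in (0o022, 0o002, 0o045):
        got = observe(m)
        print(f"umask {m:03o}: file {got['file']:03o} dir {got['dir']:03o} "
              f"(bitwise {default_mode(0o666, m):03o}/{default_mode(0o777, m):03o}, "
              f"subtraction {subtraction_rule(0o666, m):03o}/{subtraction_rule(0o777, m):03o})")
```

Because umask is a per-process attribute inherited across fork and exec, a service started by a script with a permissive umask creates world-writable files no matter what the administrator's interactive shell shows; checking the value in the unit file or wrapper script, not just at the prompt, is the relevant review step.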
