LINUX file security and permissions

Source: Internet
Author: User
LINUX file security and permissions when you create a file, the system saves all information about the file, including :? File location .? File type .? File Length .? Which user owns the file and which user can access the file .? I node .? File modification time... Info & nbs LINUX file security and permissions when you create a file, the system saves all information about the file, including :? File location .? File type .? File Length .? Which user owns the file and which user can access the file .? I node .? File modification time .? File permission. Let's use the ls-l command to see a typical File: root @ ubuntu :~ /Resource/mini2440/file-system # ls-ltotal 11488drwxr-xr-x 33 root 4096 2013-04-17 busybox-1.17.3-rwxrw-rw-1 root 2094550 2013-04-17 busybox-1.17.3.tar.bz2-rw ------- 1 root 9660288 2013-04-17 haitao. img: The print information shown above is analyzed as follows: total 11488: this row shows the space occupied by all the files in the directory. D rwx r-x: The permission bit of the file. There are 10 characters in total, except for the first one, they correspond to 9 permission bits. With these permission bits, you can set the user's access permissions to files. The nine characters can be divided into three groups: rwx: file owner permission, which is the first three r-x: Same group user permission, which is the middle three r-x: other user permissions. this is the last three permissions. we will introduce these permissions in more detail. The horizontal bars that appear on r, w, and x indicate that the access permission is forbidden. 33 indicate the number of hard links in the file. default value of the root file owner root the length of group 4096 in bytes, remember, it's not K bytes! Busybox-1.17.3 file name (here is actually a directory name) there are seven types of files, it can be seen from the first of the results listed by the ls-l command, these seven types are: d directory l symbolic link (pointing to another file ). S socket file. Block B device files. C character device file. P name the MPs queue file. -Common files, or more accurately, do not belong to the above types of files. So the above busybox-1.17.3 is a directory name file permission root @ ubuntu :~ /Resource/study/shell # touch testroot @ ubuntu :~ /Resource/study/shell # lstestroot @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-rw-r -- r -- 1 root 0 2013-04-18 test we used touch to create an empty file. we can see that it is a common file, the owner permission is readable, writable, and unexecutable. the User Group permission is readable, writable, and unexecutable. the permissions of other groups are readable and unwritable, what cannot be executed is to try to change these permissions to achieve the permissions we want to set. the general format of chmod commands implemented through chmod is: the meaning of chmod [who] operator [permission] filenamew h o is: u file owner permission. G. O other user permissions. A. all users (file owner, users in the same group, and other users ). O p e r a t o r meaning: + add permissions. -Cancel the permission. = Set permissions. P e r m I s I o n meaning: r read permission. W write permission. X execution permission. S File owner and group s e t-I D. T viscosity position *. L lock the file to make it inaccessible to other users. U, g, o operations on file owners, users in the same group, and other users. In column files or directories, "t" characters are sometimes encountered. "T" represents the sticky bit. If the "t" bit appears in a directory, it means that only the owner of the file in the directory can be deleted, even if a user in the same group has the same permissions as the owner. However, some systems are not very strict with this rule. If "t" is displayed in the file list, this means that the script or program will be placed in the swap zone (Virtual Storage) during execution ). However, because the current memory price is so low, you can ignore the file's "t" usage and check the instance. root @ ubuntu :~ /Resource/study/shell # chmod u + x test root @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-rwxr -- r -- 1 root 0 2013-04-18 22:26 testroot @ ubuntu :~ /Resource/study/shell # chmod g + x test root @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-rwxr-xr -- 1 root 0 2013-04-18 testroot @ ubuntu :~ /Resource/study/shell # chmod o + x test root @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-rwxr-xr-x 1 root 0 testroot @ ubuntu :~ /Resource/study/shell # chmod a-x test root @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-rw-r -- r -- 1 root 0 2013-04-18 test first, the owner, user group, and other user group permissions are added with the permission to point, then their permission to the directed line is removed. of course, there is another way to change the permission. the general form of the absolute mode of the chmd command is as follows: chmod [mode] file where the mode is an octal number r w x4 2 1 and above is the ing relationship. the description is as follows: readable, writable, executable: 4 + 2 + 1 = 7 readable, not writable; Executable: 4 + 1 = 5 readable, writable; Executable: 4 + 2 = 6 readable, not writable, not executable: 4. The following describes how to grant permissions to a directory. The permission bit of a directory is different from that of a file. Now let's take a look at the differences. The read permission bit of the directory means that the contents can be listed. Write permission bit means you can create a file in this directory. if you do not want other users to create a file in your directory, you can cancel the corresponding write permission bit. The execution permission limit means that if you set the permission of users in the same group or other users for a directory to-x, they will not be able to list the files in the directory. If the directory contains a script or program with the execution position, you can still execute it as long as you know its path and file name. The user's access to this directory does not prevent execution. Here is a good example of setting suid and guid. I manage several large database systems, and backing up them requires system management permissions. I have written several scripts and set their g u I d, so that some of the users I specified can execute these scripts to complete the corresponding work, you do not need to log on as a database administrator to avoid accidental damage to the database server. By executing these scripts, they can complete database backup and other management tasks, but after these scripts are run, they will return to their permissions as common users. There are quite a few u n I x commands also set s u I d and g u I d. To find these commands, go to the/B I n or/s B I n directory and run the following command: $ ls-l | grep '^... the above command is used to find the s u I d file; $ ls-l | grep '^... s .. the above command is used to find suid and guid. Now we understand what suid is, but how to set it? The following describes the problem. If you want to set s u I d, set the one before the corresponding permission bit to 4; if you want to set g u I d, set the one before the corresponding permission bit to 2. if you want both of them to be set, set the one before the corresponding permission bit to 4 + 2. Once this bit is set, an s will appear at the position of x. Remember: When setting s u I d or g u I d, the corresponding execution permission limit must be set. For example, if you want to set g u I d, you must grant the user group the execution permission. Let's take a look at the following example root @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-r-xr-xr-x 1 root 0 2013-04-18 testroot @ ubuntu :~ /Resource/study/shell # chmod 4555 test root @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-r-sr-xr-x 1 root 0 2013-04-18 testroot @ ubuntu :~ /Resource/study/shell # chmod 555 test root @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-r-xr-xr-x 1 root 0 2013-04-18 testroot @ ubuntu :~ /Resource/study/shell # chmod 2555 test root @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-r-xr-sr-x 1 root 0 2013-04-18 testroot @ ubuntu :~ /Resource/study/shell # chmod 555 test root @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-r-xr-xr-x 1 root 0 2013-04-18 testroot @ ubuntu :~ /Resource/study/shell # chmod 6555 test root @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-r-sr-sr-x 1 root 0 2013-04-18 test. let's take a look at the command chowm, this command is generally used to change the file owner chown command in the form of: chown-R-h owner file-R option, which means the same operation is performed on all files in all subdirectories. The-h option means that when changing the owner of a symbolic link file, the target file to which the link is directed is not affected. Root @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-r-xr-xr-x 1 hai-tao root 0 2013-04-18 test-rw-r -- 1 root 0 2013-04-18 test1root @ ubuntu :~ /Resource/study/shell # cd .. root @ ubuntu :~ /Resource/study # chown-R root shellroot @ ubuntu :~ /Resource/study # ls-l shelltotal 0-r-xr-xr-x 1 root 0 2013-04-18 test-rw-r -- 1 root 0 2013-04-18 test1root @ ubuntu :~ /Resource/study # cd .. root @ ubuntu :~ /Resource # cd study/shellroot @ ubuntu :~ /Resource/study/shell # chown hai-tao testroot @ ubuntu :~ /Resource/study/shell # ls-ltotal 0-r-xr-xr-x 1 hai-tao root 0 2013-04-18 test-rw-r -- 1 root 0 2013-04-18 test1 file test ownership the user root handed over the chgrp command to the user hai-tao in the similar format as the chown command, it is used to change the user group to find the user group to which the user belongs. The book says that it is obtained through the group. when I use it, an error occurs. the "root @ ubuntu: ~" command is OK when I use groups :~ /Resource/study/shell # groupsrootroot @ ubuntu :~ /Resource/study/shell # groups hai-taohai-tao: the command above hai-tao adm dialout cdrom plugdev lpadmin admin sambashare tells us that hai-tao belongs to the following user group umask. When I first logged on to the system, the umask command determines the default file creation mode. This command is actually the opposite of the chmod command. Your system administrator must set a reasonable umask value for you to ensure that the files you create have the desired default permissions and prevent other users from having the write permission on your files. After logging on, you can use the umask command to change the default permissions for file creation based on your preferences. The change remains valid until you exit the shell or use another umask command. Generally, the umask command is set in the/etc/profile File. every user will reference this file during logon. Therefore, if you want to change the umask of all users, you can add corresponding entries to the file. If you want to permanently set your umask value, place it in the. profile or. bash_profile file under your $ HOME directory. How to calculate the umask value umask command allows you to set the default mode for file creation, corresponding to each type of users (file owner, users in the same group, other users) there is a number in the corresponding umask value. For files, the maximum value of this number is 6. The system does not allow you to grant the execution permission when creating a text file. you must use the chmod command to add this permission after the creation. You can set the execution permission for the directory. for the directory, the number in the u m a s k can be up to 7. The general form of this command is umask nnn, where nnn is umask and set to 000-777. Lists umask values corresponding to permissions. Umask value and permission umask file directory 0 6 71 6 62 4 53 4 44 2 35 2 26 0 17 0 when calculating umask value, you can create default permissions for all types of users in this table to find the corresponding umask value according to the required file/directory. For example, the default permissions for creating files and directories corresponding to umask 002 are 6 6 4 and 7 7 5, respectively. There is another method for calculating the umask value. We only need to remember that umask is to "remove" the corresponding bits from the permission. for example, for umask 0 0 2, what is the default permission for creating the corresponding files and directories? Step 1: Write down the mode with all permissions, namely 7 7 7 (all users have read, write, and execute permissions ). Step 2: write the corresponding bits in the following line according to the umask value. In this example, the value is 0 0 2. Step 3: In the next row, remember that no matching bits exist in the above two rows. This is the default directory creation permission. Remember this method with a little practice. Step 4: for a file, you cannot have the file permission when creating it. you only need to remove the corresponding execution permission bits. Using soft links to save multiple images of a file, we will explain what the symbolic link is like. For example, if there is a file containing sales information in a directory, everyone in the sales department wants to see this file. You can create a link to the file in the $ HOME directory of each user, instead of copying one copy under each directory. To change this file, you only need to change one source file. Each link in the $ h o m e directory can be named without having to be the same as the source file. If there are many subdirectories and it takes a lot of time to enter these directories, the link is also very useful in this case. You can create a link for a deep subdirectory under the $ h o m e directory. The command is generally in the form of ln [-s] source_path target_path, where the path can be a directory or a file. Take a look at the following example: root @ ubuntu :~ /Resource/study/shell # lsfolderroot @ ubuntu :~ /Resource/study/shell # cat folder/one 123456root @ ubuntu :~ /Resource/study/shell # ln folder/one one_linkroot @ ubuntu :~ /Resource/study/shell # cat one_link 123456

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.