Linux File System Management Ownership and permissions (2)

Change permissions
Adding permissions
Suppose you create a "Hello world" shell script. When you first create the script, it is usually not executable. Use the chmod command with the +x mode to add execute permission, as shown in Listing 5.
Listing 5. Creating an executable shell script
[ian@echidna ~]$ echo 'echo "Hello world!"' > hello.sh
[ian@echidna ~]$ ls -l hello.sh
-rw-rw-r--. 1 ian 20 Nov 30 13:05 hello.sh
[ian@echidna ~]$ ./hello.sh
bash: ./hello.sh: Permission denied
[ian@echidna ~]$ chmod +x hello.sh
[ian@echidna ~]$ ./hello.sh
Hello world!
[ian@echidna ~]$ ls -l hello.sh
-rwxrwxr-x. 1 ian 20 Nov 30 13:05 hello.sh
You can set read permission with +r and write permission with +w in the same way. In fact, you can combine r, w, and x: for example, chmod +rwx sets read, write, and execute permission on the file. chmod adds only those of the requested permissions that are not already set.
Being selective
In the preceding example, you may have noticed that execute permission was set for the owner, the group, and others. To be more selective, prefix the mode with u to set the user (owner) permissions, g to set the group permissions, and o to set the permissions for others. Note that a sets the permissions for all users, which is equivalent to omitting the prefix. Listing 6 shows how to add write and execute permission for the user and the group to a second copy of the shell script.
Listing 6. Selectively adding permissions
[ian@echidna ~]$ echo 'echo "Hello world!"' > hello2.sh
[ian@echidna ~]$ chmod ug+xw hello2.sh
[ian@echidna ~]$ ls -l hello2.sh
-rwxrwxr--. 1 ian 20 Nov 30 13:08 hello2.sh
Removing permissions
Sometimes you need to remove permissions rather than add them. Simply change the + to a - to remove any of the specified permissions that are set. Listing 7 shows how to remove all permissions for other users from the two shell scripts.
Listing 7. Removing permissions
[ian@echidna ~]$ ls -l hello*.sh
-rwxrwxr--. 1 ian 20 Nov 30 13:08 hello2.sh
-rwxrwxr-x. 1 ian 20 Nov 30 13:05 hello.sh
[ian@echidna ~]$ chmod o-xrw hello*.sh
[ian@echidna ~]$ ls -l hello*.sh
-rwxrwx---. 1 ian 20 Nov 30 13:08 hello2.sh
-rwxrwx---. 1 ian 20 Nov 30 13:05 hello.sh
Note that you can change the permissions of one or more files at a time. As with other commands you saw in Topic 103, you can use the -R (or --recursive) option to operate recursively on directories and the files they contain.
Setting permissions
Now that you can add and remove permissions, you may wonder how to set exactly a particular set of permissions. Use = in place of + or - to do this. To set the permissions on the preceding scripts so that other users have no access at all, you could use chmod o= hello* in place of the command we used to remove permissions.
If you want to set different permissions for the user, the group, and others, separate the expressions with commas, for example ug=rwx,o=rx. Alternatively, you can use the octal permissions described next.
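The following script is an added example and not part of the original article: it replays the chmod forms from Listings 5 through 7 (+x, ug+xw, o-xrw and the = form) on a throwaway hello.sh and prints the resulting ls -l mode field. It also shows a point the text glosses over: a bare +w (no u, g, o or a prefix) leaves bits covered by the umask alone, while a+w does not. Function names are my own; GNU coreutils chmod, ls, cut and mktemp on Linux are assumed.

```shell
#!/bin/sh
# Added example (not from the article): replay the chmod forms of
# Listings 5-7 on a throwaway hello.sh and report the ls -l mode field.
# The umask is fixed per call because the file's initial mode, and the
# effect of a bare +w, both depend on it.

# $1 = umask, $2 = chmod mode expression. Creates a fresh hello.sh in a
# new temp dir, applies chmod, and prints the script's path.
fresh_hello() {
    d=$(mktemp -d)
    ( umask "$1"; echo 'echo "Hello world!"' > "$d/hello.sh" )
    chmod "$2" "$d/hello.sh"
    echo "$d/hello.sh"
}

# Mode string exactly as ls -l shows it (first 10 characters; this drops
# the trailing '.' or '+' an SELinux- or ACL-aware ls appends).
mode_after() {
    f=$(fresh_hello "$1" "$2")
    ls -l "$f" | cut -c1-10
    rm -rf "${f%/hello.sh}"
}

# Whether the script can actually be executed after the chmod.
exec_after() {
    f=$(fresh_hello "$1" "$2")
    if "$f" >/dev/null 2>&1; then echo runs; else echo denied; fi
    rm -rf "${f%/hello.sh}"
}

demo() {
    echo "Listing 5 (umask 002) +x          -> $(mode_after 002 +x)"
    echo "Listing 6 (umask 002) ug+xw       -> $(mode_after 002 ug+xw)"
    echo "Listing 7 (umask 002) ug+xw,o-xrw -> $(mode_after 002 ug+xw,o-xrw)"
    echo "= form    (umask 002) ug=rwx,o=rx -> $(mode_after 002 ug=rwx,o=rx)"
    echo "umask caveat (022)    +w          -> $(mode_after 022 +w)"
    echo "umask caveat (022)    a+w         -> $(mode_after 022 a+w)"
    echo "no x bit anywhere     u=rw,go=r   -> $(exec_after 022 u=rw,go=r)"
}

demo
```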
Octal permissions
So far, you have used symbols (ugoa and rwx) to specify permissions. Since each group has three possible permissions, you can also use octal numbers instead of symbols to set them. Permissions set this way use up to four octal digits. We will look at the first digit when we discuss the access modes (attributes); the second digit defines the user permissions, the third the group permissions, and the fourth the permissions for others. Each of these three digits is formed by adding together the values of the required permissions: read (4), write (2), and execute (1). In the hello.sh example in Listing 5, the script as created had permissions -rw-r--r--, which is equivalent to octal 644. Setting execute permission for everyone changed the mode to 755.
Numeric permissions are very convenient when you want to set all the permissions at once without giving the same permissions to each group. Use Table 2 as a handy reference for octal permissions.
Table 2. Numeric permissions
Symbolic  Octal
rwx       7
rw-       6
r-x       5
r--       4
-wx       3
-w-       2
--x       1
---       0
suid and sgid
The Linux permission model has two special access modes called suid (set user id) and sgid (set group id). When an executable program has the suid access mode set, it runs as if it had been started by the owner of the file rather than by the user who actually started it. Similarly, when the sgid access mode is set, the program runs as if the initiating user belonged to the file's group rather than to the user's own group. Either or both access modes may be set.
Listing 8 shows that the passwd executable is owned by root:
Listing 8. suid access mode on /usr/bin/passwd
[ian@echidna ~]$ ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root 34368 Apr  6  2010 /usr/bin/passwd
Note the s in the x position of the user permissions. This indicates that both the suid bit and the execute bit are set for this program. So when passwd runs, it is loaded and run as if it had been started by root, with full superuser access, rather than as the user who invoked it. Because passwd runs with root access, it can modify /etc/passwd.
The suid and sgid bits occupy the same positions as the user and group x bits in a long directory listing. If the file is executable, a set suid or sgid bit is shown as a lowercase s; if the corresponding execute bit is not set, it is shown as an uppercase S.
Although suid and sgid are convenient, and even necessary, in many circumstances, improper use of these access modes can open security holes in a system. Keep the number of suid programs as small as possible. The passwd command is one of the few that must be suid.
Setting suid and sgid
The suid and sgid bits are set and reset symbolically using the letter s. For example, u+s sets the suid access mode and g-s removes the sgid mode. In octal form, suid is represented by a 4 in the first (high-order) digit and sgid by a 2.
Directories and sgid
When a directory has the sgid mode set, any files or directories created in it inherit the group id of the directory. This is especially useful for directory trees used by a group of people working on the same project. Listing 9 shows how greg sets up a directory that any user in the development group can use, along with an example of how gretchen creates a file in it. As created, the gretchen.txt file allows group members to edit it, so gretchen uses chmod g-w to remove the group's write permission.
Listing 9. sgid access mode and directories
[greg@echidna ~]$ mkdir lpi101
[greg@echidna ~]$ chmod g+ws lpi101
[greg@echidna ~]$ ls -ld lpi101
drwxrwsr-x. 2 greg development 4096 Nov 30 13:30 lpi101/
[greg@echidna ~]$ su - gretchen
Password:
[gretchen@echidna ~]$ touch ~greg/lpi101/gretchen.txt
[gretchen@echidna ~]$ ls -l ~greg/lpi101/gretchen.txt
-rw-rw-r--. 1 gretchen development 0 Nov 30 14:12 /home/greg/lpi101/gretchen.txt
[gretchen@echidna ~]$ chmod g-w ~greg/lpi101/gretchen.txt
[gretchen@echidna ~]$ ls -l ~greg/lpi101/gretchen.txt
-rw-r--r--. 1 gretchen development 0 Nov 30 14:12 /home/greg/lpi101/gretchen.txt
Any member of the development group can now create files in greg's lpi101 directory. As Listing 10 shows, other members of the group cannot update gretchen.txt, but because they have write permission on the directory, they can delete the file.
Listing 10. sgid access mode and file ownership
[gretchen@echidna ~]$ su - tom
Password:
[tom@echidna ~]$ echo "something" >> ~greg/lpi101/gretchen.txt
-bash: /home/greg/lpi101/gretchen.txt: Permission denied
[tom@echidna ~]$ rm ~greg/lpi101/gretchen.txt
rm: remove write-protected regular empty file `/home/greg/lpi101/gretchen.txt'? y
[tom@echidna ~]$ ls -l ~greg/lpi101/
total 0
Sticky bit
You have just seen how anyone with write permission on a directory can delete files in it. That may be acceptable for a workgroup project, but it is undesirable for globally shared file space such as the /tmp directory. Fortunately, there is a solution.
The remaining access mode is called the sticky bit. Its symbol is t and its octal value is 1 in the high-order digit. In a long directory listing it is shown in the execute position for others (the last character), with the same upper- and lowercase meaning as for suid and sgid. When it is set on a directory, only the owner of a file or the superuser (root) can delete or unlink that file. Listing 11 shows how greg sets the sticky bit on his lpi101 directory, and also shows it on /tmp.
Listing 11. Sticky directories
[greg@echidna ~]$ chmod +t lpi101
[greg@echidna ~]$ ls -ld lpi101 /tmp
drwxrwsr-t.  2 greg development  4096 Nov 30 14:16 lpi101
drwxrwxrwt. 24 root 12288 Nov 30 /tmp
On older UNIX systems, the sticky bit was used on files to keep executables in swap space and avoid reloading them. On modern Linux, the sticky bit is ignored if set on a file.
Summary of Access Modes
Table 3 summarizes the symbolic and octal representations of the three access modes discussed here.
Table 3. Access modes
Access mode  Symbolic  Octal
suid         s with u  4000
sgid         s with g  2000
sticky       t         1000
Combining this with the earlier permission information, you can see that the full octal representation of greg's lpi101 directory, with permissions and access mode drwxrwsr-t, is 3775. Although the ls command does not display octal permissions, you can display them with the find command, as shown in Listing 12.
Listing 12. Printing symbolic and octal permissions
[greg@echidna ~]$ find . -name lpi101 -printf "%M %m %f\n"
drwxrwsr-t 3775 lpi101
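As an added example (not the article's own code), the following POSIX shell function converts the mode field of ls -l into the octal number that find -printf %m prints, applying Table 2 to each triad and Table 3 for the s/S and t/T cases; demo_lpi101 then recreates greg's directory from Listings 9 and 11 and confirms it comes out as 3775. Function names are my own; GNU chmod, ls and mktemp are assumed.

```shell
#!/bin/sh
# Added example (not from the article): symbolic ls -l mode -> octal,
# including the suid/sgid/sticky digit, and a check against a directory
# set up the way greg does in Listings 9 and 11.

# $1 = mode string such as drwxrwsr-t. Only the nine permission slots
# after the file-type character are read, so a trailing '.' or '+' from an
# SELinux- or ACL-aware ls is ignored. Prints e.g. 3775 (644 if no
# special bit is set, matching find -printf %m).
symbolic_to_octal() {
    rest=${1#?}                       # drop the file-type character
    special=0 digits="" triad=0 pos=0
    while [ "$pos" -lt 9 ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}   # pop one character
        pos=$((pos + 1))
        case $c in
            r)     bit=4 ;;
            w)     bit=2 ;;
            x|s|t) bit=1 ;;   # lowercase s/t: execute bit is also set
            -|S|T) bit=0 ;;   # uppercase S/T: special bit, no execute
            *) echo "bad mode character '$c'" >&2; return 1 ;;
        esac
        case "$pos$c" in
            3s|3S) special=$((special + 4)) ;;   # user x slot: suid
            6s|6S) special=$((special + 2)) ;;   # group x slot: sgid
            9t|9T) special=$((special + 1)) ;;   # other x slot: sticky
            [0-9][sStT]) echo "'$c' not valid at position $pos" >&2; return 1 ;;
        esac
        triad=$((triad + bit))
        if [ $((pos % 3)) -eq 0 ]; then digits="$digits$triad"; triad=0; fi
    done
    [ "$special" -eq 0 ] && echo "$digits" || echo "$special$digits"
}

# Creates lpi101 under a temp dir (umask 022 -> drwxr-xr-x), applies greg's
# chmod g+ws and chmod +t, and prints the ls -ld mode converted to octal.
demo_lpi101() {
    base=$(mktemp -d)
    ( umask 022; mkdir "$base/lpi101" )
    chmod g+ws "$base/lpi101"
    chmod +t "$base/lpi101"
    symbolic_to_octal "$(ls -ld "$base/lpi101" | cut -d' ' -f1)"
    rm -rf "$base"
}

demo_lpi101      # expected: 3775
```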
