Reposting a good article on Linux file permissions. Read it patiently and you will always come away with something.
One user and one group
Let's take a look at the Linux permission and ownership model. Every file belongs to one user and one group; this is the core of the Linux permission model. You can see the user and group in an ls -l listing:
$ ls -l /bin/bash
-rwxr-xr-x 1 root wheel 430540 Dec 23 18:27 /bin/bash
In this particular example, the /bin/bash executable belongs to the root user and the wheel group. The Linux permission model allows three independent sets of permissions for each file system object: one for the file owner, one for the file's group, and one for all other users.
Understanding "ls -l"
Let's look at our ls -l output again and examine the first column of the listing:
$ ls -l /bin/bash
-rwxr-xr-x 1 root wheel 430540 Dec 23 18:27 /bin/bash
The first field, -rwxr-xr-x, contains the symbolic permission representation for this particular file. The first character (-) specifies the type of the file; in this example it is a regular file. Other possible first characters are: "d" a directory; "l" a symbolic link; "c" a character special device file; "b" a block special device file; "p" a first-in-first-out (named pipe); "s" a socket.
Three triplets
$ ls -l /bin/bash
-rwxr-xr-x 1 root wheel 430540 Dec 23 18:27 /bin/bash
The rest of this field consists of three character triplets. The first triplet represents the permissions of the file owner, the second those of the file's group, and the third those of all other users: "rwx"; "r-x"; "r-x".
Above, r means reading is allowed (viewing the data in the file), w means writing is allowed (modifying the file, as well as deleting it), and x means execution is allowed. Putting all this information together, we find that everyone can read and execute the file, but only the file owner (the root user) can modify it in any way. So, although you can copy the file, only the root user is allowed to update or delete it.
Who am I?
Before we see how to change the user and group ownership of a file, let's look at how to find out your current user identity and group membership. Unless you have recently used the su command, your current effective user ID is the user ID you used to log on to the system. If you have used su, however, you may not remember your current effective user ID. To view it, type whoami:
# whoami
root
# su drobbins
$ whoami
drobbins
Which groups do I belong to?
To see which groups you belong to, use the groups command:
$ groups
drobbins wheel audio
In the example above, I am a member of the drobbins, wheel, and audio groups. If you want to see the groups of other users, specify their user names as arguments:
$ groups root daemon
root : root bin daemon sys adm disk wheel floppy dialout tape video
daemon : daemon bin adm
Changing user and group ownership
To change the owner or group of a file or other file system object, use chown or chgrp. chown takes a user name and chgrp a group name as the first argument, followed by one or more file names.
# chown root /etc/passwd
# chgrp wheel /etc/passwd
You can also use chown to set the owner and group at the same time:
# chown root.wheel /etc/passwd
You cannot use chown unless you are the root user, but anyone can use chgrp to change the group ownership of their own files to a group they belong to.
Recursive ownership changes
chown and chgrp each have a -R option, which tells them to apply the ownership and group changes recursively to an entire directory tree. For example:
# chown -R drobbins /home/drobbins
Introducing chmod
chown and chgrp change the owner and group of file system objects; another program, called chmod, changes the rwx permissions shown by ls -l. chmod takes two or more arguments: a "mode", which describes how to change the permissions, followed by a file or list of files:
$ chmod +x scriptfile.sh
In the above example, our "mode" is +x. As you might guess, the +x mode tells chmod to make this particular file executable for the user, the group, and everyone else.
If we want to remove all execute permissions from a file, we do this:
$ chmod -x scriptfile.sh
User/group/other granularity
So far, our chmod examples have affected all three triplets: user, group, and other. Often it is convenient to modify only one or two triplets at a time. To do this, specify the symbolic name of the triplet(s) before the + or - sign: u for the "user" triplet, g for the "group" triplet, and o for the "other/everyone" triplet:
$ chmod go-w scriptfile.sh
We just removed write permission for the group and for all other users, but left the "user" (owner) permissions unchanged.
Resetting permissions
In addition to turning permission bits on and off, we can also reset them all at once. Using the = operator, we tell chmod that we want the specified permissions set and all other permissions cleared:
$ chmod =rx scriptfile.sh
Above, we set all the "read" and "execute" bits and cleared all the "write" bits. If you only want to reset one particular triplet, specify its symbolic name before the =:
$ chmod u=rx scriptfile.sh
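The symbolic modes used in the last three sections (+x, -x, go-w, =rx, u=rx) can be worked out on paper, but it is easy to get the = operator and the umask interaction wrong. The following is an added example, not code from the original article: a POSIX sh evaluator that applies one symbolic clause to a numeric mode without touching the file system. The function names (perm_bits, apply_symbolic) and the optional third umask argument are my own; the rule it implements for that argument is the one chmod(1) follows for a clause that names no who letters (a bare +x does not set bits that the umask masks, while an explicit a+x does).

```shell
#!/bin/sh
# Added example: evaluate one symbolic chmod clause against a numeric mode.
# Assumptions: modes are octal literals such as 0644; one clause per call;
# the optional UMASK (octal) only matters for clauses with no who letters.

# perm_bits LETTERS -> the 0-7 value of a string made of r, w and x
perm_bits() {
  bits=0; rest=$1
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}; rest=${rest#?}        # peel off the first character
    case $c in
      r) bits=$((bits | 4)) ;;
      w) bits=$((bits | 2)) ;;
      x) bits=$((bits | 1)) ;;
      *) printf 'unknown permission letter: %s\n' "$c" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "$bits"
}

# apply_symbolic MODE CLAUSE [UMASK] -> the new 4-digit octal mode
apply_symbolic() {
  mode=$(( $1 & 07777 )); clause=$2; umask_val=${3:-0}
  who=${clause%%[+=-]*}                 # letters before the operator (may be empty)
  rest=${clause#"$who"}
  op=${rest%"${rest#?}"}; perms=${rest#?}
  pbits=$(perm_bits "$perms") || return 1
  case $who in *[!ugoa]*) printf 'bad who letters: %s\n' "$who" >&2; return 1 ;; esac

  limit=07777
  if [ -z "$who" ]; then                # no who: same as "a", but the umask limits what gets set
    who=a; limit=$(( 07777 & ~umask_val ))
  fi
  case $who in *a*) who=ugo ;; esac

  mask=0                                # which triplets the clause touches
  case $who in *u*) mask=$((mask | 0700)) ;; esac
  case $who in *g*) mask=$((mask | 070)) ;; esac
  case $who in *o*) mask=$((mask | 07)) ;; esac

  # replicate the 3-bit value into every triplet, then keep only the selected ones
  newbits=$(( ((pbits << 6) | (pbits << 3) | pbits) & mask & limit ))
  case $op in
    +) mode=$(( mode | newbits )) ;;                   # turn bits on
    -) mode=$(( mode & ~newbits )) ;;                  # turn bits off
    =) mode=$(( (mode & ~mask) | newbits )) ;;         # reset the selected triplets
    *) printf 'expected one of + - = in: %s\n' "$clause" >&2; return 1 ;;
  esac
  printf '%04o\n' $(( mode & 07777 ))
}

# Walk through the article's examples, starting from 0777 so every change is visible.
for clause in +x -x go-w =rx u=rx; do
  printf 'chmod %-5s on 0777 -> %s\n' "$clause" "$(apply_symbolic 0777 "$clause")"
done
```

Note the umask case: with a umask of 0011, a bare +x on a 0644 file yields 0744 (only the owner gains execute), whereas a+x yields 0755. The evaluator does not understand s or t; those special bits are covered later in the article.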
Numeric mode
Up to now, we have used the "symbolic" mode to tell chmod which permissions to change. However, there is another common way to specify permissions: a four-digit octal number, using what is called numeric permission syntax. Each digit represents one permission triplet. For example, in 1777 the 777 sets the "owner", "group", and "other" flags discussed in this chapter, and the 1 sets the special permission bits. This table shows how to interpret the last three digits (777):
Mode Number
rwx 7
rw- 6
r-x 5
r-- 4
-wx 3
-w- 2
--x 1
--- 0
Numeric permission syntax
Numeric permission syntax is particularly useful when you need to specify all of a file's permissions, as in the following example:
$ chmod 0755 scriptfile.sh
$ ls -l scriptfile.sh
-rwxr-xr-x 1 drobbins drobbins 0 Jan 9 17:44 scriptfile.sh
In this example, we used the mode 0755, which expands to the complete permission setting "-rwxr-xr-x".
umask
When a process creates a new file, it specifies the permissions that the new file should have. Usually the requested mode is 0666 (readable and writable by everyone), which grants more permission than we want. Fortunately, whenever a new file is created, Linux consults something called the "umask". The system uses the umask value to reduce the initially requested permissions to something more reasonable and secure. You can view your current umask setting by typing umask:
$ umask
0022
On Linux, the default umask is usually 0022, which allows others to read your new files (if they can get to them) but not modify them.
To make new files more secure by default, you can change the umask setting:
$ umask 0077
This umask ensures that the group and other users have no permissions at all on newly created files. How does umask work? Unlike the "regular" permissions on a file, umask specifies which permissions should be turned off. Let's look at our mode-to-number mapping table again so that we can understand what a umask of 0077 means:
Mode Number
rwx 7
rw- 6
r-x 5
r-- 4
-wx 3
-w- 2
--x 1
--- 0
Using this table, the last three digits of 0077 expand to ---rwxrwx. Now, remembering that umask tells the system which permissions to disable, we can infer that all "group" and "other" permissions will be turned off, while the "user" permissions will be left untouched.
Introducing SUID and SGID
When you first log on, a new shell process is started. You already know this, but you may not know that the new shell process (usually bash) runs with your user ID. Thus the bash program can access all of your files and directories. In fact, as users we rely entirely on other programs to perform operations on our behalf. Because the programs you start inherit your user identity, they cannot access any file system objects that you are not permitted to access.
For example, you cannot modify the passwd file directly, because the "write" flag is turned off for every user except the root user:
$ ls -l /etc/passwd
-rw-r--r-- 1 root wheel 1355 Nov 1 21:16 /etc/passwd
However, ordinary users do need to be able to modify /etc/passwd (at least in a limited way) whenever they need to change their password. But if the user cannot modify the file, how does this work?
SUID
Fortunately, the Linux permission model has two special bits: "SUID" and "SGID". When an executable program has the "SUID" bit set, it runs on behalf of the owner of the executable file instead of on behalf of the user who started the program.
Now, back to the /etc/passwd problem. If we look at the passwd executable, we can see that it belongs to the root user:
$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root wheel 17588 Sep 24 00:53 /usr/bin/passwd
You will also notice that an s replaces the x in the user permission triplet. This indicates that, for this particular program, both the SUID bit and the executable bit are set. Because of this, when passwd runs, it executes on behalf of the root user (with full superuser access) rather than on behalf of the user who ran it. Because passwd runs with root user access, it can modify the /etc/passwd file.
SUID/SGID caveats
We have seen how SUID works; SGID works in the same way. It lets a program inherit the group ownership of the program instead of the group of the current user.
Here is some other, but important, information about SUID and SGID. First, SUID and SGID occupy the same space as the x bit in the ls -l listing. If the x bit is also set, the corresponding bit is shown as s (lowercase). If the x bit is not set, it is shown as S (uppercase).
Another important note: SUID and SGID are useful in many situations, but improper use of these bits can compromise system security. It is best to have as few "SUID" programs as possible. The passwd command is one of the few that must be "SUID".
Changing SUID and SGID
Setting and removing the SUID and SGID bits is quite simple. Here we set the SUID bit:
# chmod u+s /usr/bin/myapp
Here we remove the SGID bit from a directory. We will see how the SGID bit affects directories in the following screens:
# chmod g-s /home/drobbins
Permissions and directories
So far we have looked at permissions from the perspective of regular files. When you look at permissions from the perspective of a directory, things are a little different. Directories use the same permission flags, but they are interpreted to mean slightly different things.
For a directory, the "read" flag allows you to list the directory's contents; "write" allows you to create files in the directory; and "execute" allows you to enter the directory and access any sub-directories inside it. Without "execute", the file system objects in the directory cannot be accessed. Without "read", the file system objects in the directory cannot be listed, but as long as someone knows the full path of an object on disk, they can still access it.
Directories and SGID
If a directory's "SGID" flag is enabled, any file system objects created inside it will inherit the directory's group. This particular feature is very useful when you need to create a directory tree for a group of people who belong to the same group. Just do this:
# mkdir /home/groupspace
# chgrp mygroup /home/groupspace
# chmod g+s /home/groupspace
Now all users in the mygroup group can create files or directories in /home/groupspace, and they will automatically be assigned mygroup group ownership. Depending on each user's umask setting, the new file system objects may or may not be readable, writable, or executable by other members of the mygroup group.
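Whether the other members of mygroup can actually use what gets created in /home/groupspace depends on the umask rule from the umask section: the kernel keeps the requested mode with the umask bits cleared. The following is an added example, not code from the original article, that computes this. It assumes the requested modes the article and mkdir use (0666 for a file, 0777 for a directory); the function names are my own, and umask_disables reproduces the table lookup the article does by hand for 0077.

```shell
#!/bin/sh
# Added example: what the umask does to newly created files and directories.
# effective = requested & ~umask; the umask can only clear bits, never add any.
# Assumed requested modes: 0666 for files (as the article states), 0777 for mkdir.

# effective_mode REQUESTED UMASK -> 4-digit octal mode the new object receives
effective_mode() {
  printf '%04o\n' $(( ($1 & ~$2) & 07777 ))
}

new_file_mode() { effective_mode 0666 "$1"; }   # touch, shell redirection, fopen()
new_dir_mode()  { effective_mode 0777 "$1"; }   # mkdir

# triplet_to_rwx DIGIT -> the rwx string for one octal digit (the article's table)
triplet_to_rwx() {
  case $1 in
    7) printf 'rwx\n' ;; 6) printf 'rw-\n' ;; 5) printf 'r-x\n' ;; 4) printf 'r--\n' ;;
    3) printf -- '-wx\n' ;; 2) printf -- '-w-\n' ;; 1) printf -- '--x\n' ;; 0) printf -- '---\n' ;;
    *) printf 'not an octal digit: %s\n' "$1" >&2; return 1 ;;
  esac
}

# umask_disables UMASK -> the permissions the umask turns OFF, written as
# user/group/other triplets, e.g. 0077 -> "---rwxrwx"
umask_disables() {
  m=$(printf '%03o' $(( $1 & 0777 )))
  u=${m%??}; g=${m#?}; g=${g%?}; o=${m#??}
  printf '%s%s%s\n' "$(triplet_to_rwx "$u")" "$(triplet_to_rwx "$g")" "$(triplet_to_rwx "$o")"
}

# Compare the umasks discussed in the article against a shared, SGID group directory.
for um in 0022 0002 0077; do
  printf 'umask %s disables %s: new file %s, new directory %s\n' \
    "$um" "$(umask_disables "$um")" "$(new_file_mode "$um")" "$(new_dir_mode "$um")"
done
```

With the default 0022, a file created in /home/groupspace gets 0644: the group inherits ownership thanks to SGID, but can only read the file. A umask of 0002 is what makes such a shared directory collaborative (0664 files, 0775 directories), while 0077 locks everything to the creator regardless of the inherited group.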
Directories and deletion
By default, Linux directories behave in a way that is not ideal in all situations. Normally, anyone with write access to a directory can rename or delete any file in that directory. For directories used by individual users, this behavior is reasonable.
However, for directories used by many users, especially /tmp and /var/tmp, this behavior can cause trouble. Because anyone can write to these directories, anyone can delete or rename anyone else's files, even though they don't own them! Obviously, it is hard to use /tmp for anything meaningful when any other user can type "rm -rf /tmp/*" at any time and destroy everyone's files.
Fortunately, Linux has something called the sticky bit. When the sticky bit is set on /tmp (with chmod +t), the only people who can delete or rename files in /tmp are the owner of the directory (usually the root user), the owner of the file, or the root user. Practically all Linux distributions enable the sticky bit on /tmp by default, and you may find the sticky bit useful in other situations too.
The elusive first digit
To wrap up this chapter, let's look at the elusive first digit of the numeric mode. As you can see, this first digit is used to set the sticky, SUID, and SGID bits:
SUID SGID Sticky Mode Number
On On On 7
On On Off 6
On Off On 5
On Off Off 4
Off On On 3
Off On Off 2
Off Off On 1
Off Off Off 0
Here is an example of how to set directory permissions in four-digit mode. This directory will be used by a working group:
# chmod 1775 /home/groupfiles
Think about what the 1755 permission setting means in numeric mode.
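The two notations the article covers, the ten-character field shown by ls -l and the four-digit numeric mode, describe the same bits, and going from one to the other is the check you do when auditing a listing. The following is an added example, not code from the original article: a POSIX sh converter from the ls -l mode field to the four-digit number. It applies the s/S and t/T convention from the SUID/SGID caveats section (lowercase means the execute bit is also set, uppercase means it is not) and builds the first digit from the table above with SUID=4, SGID=2, sticky=1. The function names are mine, and the last two lines of the sample listing in demo are constructed rather than taken from a real system.

```shell
#!/bin/sh
# Added example: convert an "ls -l" mode field such as -rwsr-xr-x into the
# 4-digit numeric mode (4755). The first digit is SUID=4 | SGID=2 | sticky=1.

# lsmode_to_octal MODESTRING -> 4-digit octal mode on stdout
lsmode_to_octal() {
  rest=${1#?}                           # drop the type character: - d l c b p s
  [ ${#rest} -eq 9 ] || { printf 'not a 10-character mode string: %s\n' "$1" >&2; return 1; }
  special=0; perm=0
  weight=4                              # 4=SUID (user triplet), 2=SGID (group), 1=sticky (other)
  while [ -n "$rest" ]; do
    t=${rest%"${rest#???}"}; rest=${rest#???}      # next rwx triplet
    r=${t%??}; w=${t#?}; w=${w%?}; x=${t#??}
    val=0
    case $r in r) val=$((val | 4)) ;; esac
    case $w in w) val=$((val | 2)) ;; esac
    case $x in
      x)   val=$((val | 1)) ;;
      s|t) val=$((val | 1)); special=$((special | weight)) ;;   # special bit AND execute
      S|T) special=$((special | weight)) ;;                     # special bit, no execute
      -)   ;;
      *) printf 'unexpected character %s in %s\n' "$x" "$1" >&2; return 1 ;;
    esac
    perm=$(( perm * 8 + val ))
    weight=$(( weight / 2 ))
  done
  printf '%d%03o\n' "$special" "$perm"
}

# Run the converter over a sample listing. The first two lines are the ones
# quoted in the article; the last two are constructed for this example.
demo() {
  printf '%s\n' \
    '-rwxr-xr-x 1 root wheel 430540 Dec 23 18:27 /bin/bash' \
    '-rwsr-xr-x 1 root wheel 17588 Sep 24 00:53 /usr/bin/passwd' \
    'drwxrwsr-x 2 root mygroup 4096 Jan 9 17:44 /home/groupspace' \
    'drwxrwxrwt 9 root root 4096 Jan 9 17:44 /tmp' \
  | while read -r m fields; do
      printf '%s  %s  %s\n' "$(lsmode_to_octal "$m")" "$m" "${fields##* }"
    done
}

demo
```

An uppercase S in a listing (a file with the SUID bit but no execute bit) converts to a mode such as 4644, which is usually the leftover of a mistaken chmod rather than anything intentional; the converter makes that visible. Since the article recommends keeping SUID programs to a minimum, the matching inventory check on a real system is find / -perm -4000 -type f, which lists every file whose mode has the 4 in the first digit.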