File default permissions
In Linux, users, groups and file permissions form the basis of rights management for files and directories. When a file is created without explicitly specifying permissions, the system assigns it a default permission, and that default is governed by the umask.
We can use the umask command to view the default permissions:
vbird@host:~$ umask
0002
The first 0 is a special permission digit that can be ignored for now. The remaining 002 is the mask applied to newly created files and directories. Because an ordinary file has no execute permission by default, i.e. only r and w, the maximum permission of a file is 666 (-rw-rw-rw-). A directory must be entered as well as read and written, so it needs r, w and x, and its maximum permission is 777 (drwxrwxrwx). The umask is the value subtracted from these maxima: with a umask of 002 (ignoring the leading 0), the default file permission = (-rw-rw-rw-) - (--------w) = 664 (-rw-rw-r--), and the default directory permission = (drwxrwxrwx) - (--------w) = 775 (drwxrwxr-x).
vbird@host:~$ touch aa
vbird@host:~$ mkdir bb
vbird@host:~$ ls -l
-rw-rw-r-- 1 vbird vbird    0 September 9 aa
drwxrwxr-x 2 vbird vbird 4096 September 9 bb
umask shows four digits, 0002. Besides the common read (r), write (w) and execute (x) permissions, Linux has three special permissions, setuid, setgid and the sticky bit, and they correspond to the leading 0.
File special permissions: SUID, SGID, SBIT
setuid (SUID), in full "set UID", is shown as an s in the third position of the permission string (the owner's execute bit).
When an ordinary user runs passwd to change a password, passwd must access /etc/shadow, which ordinary users cannot read or write. How does this work? Because passwd carries the setuid bit, while it runs the user temporarily acquires the privileges of the file's owner, root, and can therefore read and write /etc/shadow; once the program finishes, those owner privileges are released. This is the point of setuid: simply put, the user temporarily gains the permissions of the owner of the executable for the duration of its execution and loses them afterwards.
setgid (SGID) is similar to SUID and is shown as an s in the sixth position of the permission string (the group's execute bit).
SGID changes the effective group of the process or of newly created files, and it can be set on executable files and on directories. When set on a directory, all files created under it inherit the group of the directory rather than the primary group of the creator: once a user enters the directory, the SGID bit makes the directory's group the user's effective group there, so every file created in that directory belongs to the directory's group.
This permission bit makes many team projects easier to manage. For example, in a jointly maintained data directory, for ease of management only administrators should be allowed to modify or delete the data inside, while many users need the right to add data files to the directory; SGID solves this well.
The sticky bit (SBIT) is only meaningful on directories and is shown as a t in the lowest position of the permission string (the others' execute bit).
If a directory has the sticky bit set and its permission is 777, every user can create files in it, and each file is owned by its creator. However, in a directory with the sticky bit only root and the owner of a file can delete that file; even a file with mode 777 cannot be deleted by other users. This is very useful for shared directories: everyone may read and write the shared files, but only the owner of a file can delete it.
SUID/SGID/SBIT permission settings
SUID has the value 4, SGID the value 2 and SBIT the value 1. In the four-digit permission value (such as the 0002 shown by umask), the leftmost digit carries these SUID/SGID/SBIT bits.
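As an added example (not part of the original page), the following POSIX shell script applies a umask the way the kernel does and renders a four-digit mode, including the SUID/SGID/SBIT digit, as the rwx string shown by ls -l; the function names default_mode and mode_to_string are my own and not a system tool.

```shell
#!/bin/sh
# Added example, not from the original page: apply a umask the way the kernel
# does (mode = base & ~umask) and render a four-digit mode, including the
# SUID/SGID/sticky digit, as the rwx string that ls -l shows.

# default_mode BASE UMASK: BASE is 666 for a file or 777 for a directory.
# With umask 002 this reproduces the page's 664 and 775. Clearing bits is not
# subtraction: 666 with umask 033 gives 644, not 633.
default_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# mode_to_string MODE: 4755 -> rwsr-xr-x, 2775 -> rwxrwsr-x, 1777 -> rwxrwxrwt.
# A special bit whose triplet lacks x is shown uppercase (S/T), as ls does.
mode_to_string() {
    m=$(( 0$1 ))
    special=$(( (m >> 9) & 7 ))   # leading digit: 4=SUID 2=SGID 1=sticky
    out=""
    i=0
    while [ "$i" -lt 3 ]; do
        bits=$(( (m >> ((2 - i) * 3)) & 7 ))
        r=-; w=-; x=-
        if [ $(( bits & 4 )) -ne 0 ]; then r=r; fi
        if [ $(( bits & 2 )) -ne 0 ]; then w=w; fi
        if [ $(( bits & 1 )) -ne 0 ]; then x=x; fi
        if [ $(( special & (4 >> i) )) -ne 0 ]; then
            if [ "$i" -eq 2 ]; then letter=t; else letter=s; fi
            if [ "$x" = "-" ]; then letter=$(printf '%s' "$letter" | tr st ST); fi
            x=$letter
        fi
        out="$out$r$w$x"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# Stand-alone demonstration with the values used on the page.
for u in 002 022; do
    echo "umask $u: file $(default_mode 666 "$u"), dir $(default_mode 777 "$u")"
done
for mode in 4755 2775 1777 4644; do
    echo "$mode -> $(mode_to_string "$mode")"
done
```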
File hidden permissions
In addition to the permissions above, Linux also provides a set of hidden permissions (file attributes). They are set with chattr and viewed with lsattr.
Command function:
View the hidden attributes (permissions) of a file
Command format:
lsattr [-RVav] [files ...]
Command parameters:
-R: Recursively list the attributes of directories and their contents
-V: Display the program version
-a: Do not ignore files whose names begin with "." (hidden files)
-v: List the file's version/generation number
Command instance:
See the chattr example below.
Command function:
Change the hidden attributes (permissions) of a file
Command format:
chattr [-RVf] [-v version] [mode] files ...
Command parameters:
+ - =: + adds an attribute, - removes it, and = sets exactly the given attributes
A: When the A attribute is set, the access time (atime) of the file or directory is not updated when it is read; this avoids needless disk I/O, for example on laptops.
S: Works like sync: data written to the file is written to disk synchronously, which helps avoid data loss.
a: After a is set, data can only be appended to the file and nothing can be removed from it; only root can set this attribute.
c: After c is set, the file is compressed automatically when stored and decompressed transparently when read (useful for large files).
d: When the dump (backup) program runs, a file or directory with d set is excluded from the dump.
i: The i attribute is very powerful: the file cannot be deleted, renamed or linked to, and no data can be written or appended to it. Very helpful for system security (only root can set it).
j: On an ext3 filesystem, setting j causes the file's data to be written to the journal first. When the filesystem is mounted with data=journal, everything is already journalled, so this attribute has no effect.
s: When s is set, the file's blocks are zeroed on deletion, removing its content completely from the disk.
u: The opposite of s: when u is set, the data remains on disk after deletion and the file can be recovered.
-R: Recursively change the attributes of directories and their contents
-V: Verbose output, and display the program version
-v version: Set the file's version/generation number
Note: many chattr settings can only be made by root.
Command instance:
1. Create a new file aa, then set the hidden attribute i so that it cannot be deleted (only root can perform this operation):
root@host:/home/vbird# touch aa
root@host:/home/vbird# lsattr aa
-------------e-- aa
root@host:/home/vbird# chattr +i aa
root@host:/home/vbird# lsattr aa
----i--------e-- aa
root@host:/home/vbird# rm aa
rm: cannot remove 'aa': Operation not permitted
root@host:/home/vbird# chattr -i aa
root@host:/home/vbird# rm aa
root@host:/home/vbird# ls aa
ls: cannot access 'aa': No such file or directory
Linux files (directories) default permissions, special permissions, and hidden permissions