Everything in Linux is a file. Its files are divided into the following types:
Common files: divided into plain text files (ASCII files that can be read directly, such as configuration files), binary files (such as executable files), and data format files (such as login files);
Directory file: Directory
Link file: similar to a shortcut in Windows
Device files: located in /dev, device files are divided into block device files and character device files. Block devices transfer data in units of blocks, while character devices transfer data in units of individual characters.
Socket: these files are usually used in network data connections and are usually stored in the /var/run directory.
Pipe file: used for communication between multiple processes. It refers to a file buffer.
When we use the ls -al command to list the file information in a directory, we can see that the file attributes have the
format -rwxrwxrwx, where the leading '-' indicates the file type:
[d] indicates a directory, [-] indicates a file, [l] indicates a link file, [b] indicates a block device file, and [c] indicates a character device file.
The following nine attributes are divided into three groups: user, group, and others. [r] indicates readable, [w] indicates writable, and [x] indicates executable. These three attributes can also be represented by numbers:
[r]: 4; [w]: 2; [x]: 1
The above describes the basic permissions of files. In addition, files in Linux have three special permissions: SUID/SGID/Sticky Bit.
SUID: when an s replaces the user's x, as in -rwsr-xr-x, the permission is called set UID, or SUID for short.
When you execute this file, you temporarily get the permissions of the file owner.
SGID: similar to SUID, except that the s replaces the group's x.
SBIT: when a t replaces the others' x, it indicates the sticky bit (SBIT). It is only valid for directories and has no effect on files.
If you have w and x permissions in a directory with SBIT set, only the owner of a file or directory inside it, and root, have permission to delete it.
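An audit sketch for the three special permissions above (an added example, not part of the original article): it lists SUID and SGID files and world-writable directories that lack SBIT. The function names and the constructed sample tree are assumptions, and stat -c requires GNU coreutils.

```shell
#!/bin/sh
# Added example: audit a directory tree for the special permission bits.
# Function names are hypothetical; stat -c needs GNU coreutils.

# audit_special_bits DIR -> one finding per line: "<KIND> <octal mode> <path>"
audit_special_bits() {
    # SUID / SGID regular files execute with the owner's or group's identity.
    find "$1" -xdev -type f -perm -4000 -exec stat -c 'SUID %a %n' {} +
    find "$1" -xdev -type f -perm -2000 -exec stat -c 'SGID %a %n' {} +
    # World-writable directories without SBIT: any user with w and x there
    # can delete files that belong to someone else.
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec stat -c 'NOSTICKY %a %n' {} +
}

# build_sample_tree -> prints the path of a constructed tree to audit.
build_sample_tree() {
    d=$(mktemp -d) || return 1
    : > "$d/plain";  chmod 0644 "$d/plain"
    : > "$d/suid";   chmod 4755 "$d/suid"     # -rwsr-xr-x
    : > "$d/sgid";   chmod 2755 "$d/sgid"     # -rwxr-sr-x
    mkdir "$d/shared" "$d/dropbox"
    chmod 1777 "$d/shared"                    # drwxrwxrwt, like /tmp
    chmod 0777 "$d/dropbox"                   # drwxrwxrwx, no SBIT
    echo "$d"
}

tree=$(build_sample_tree) && audit_special_bits "$tree"
rm -rf "$tree"
```

On a real system, point audit_special_bits at a mount point such as / and compare the output against the list of SUID/SGID programs you expect to be installed.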
File Permission change
chgrp: change the group to which the file belongs
Usage: chgrp [-R] group dirname/filename
The -R parameter applies the change recursively to the files in the directory.
Example: chgrp users install.log
chown: change the file owner
Usage: chown [-R] owner file or directory
chown [-R] owner:group file or directory
Example: chown huli install.log
chown huli:users install.log
Note: when we use cp to copy a file for another user, the owner and group of the file are not modified.
For the file to belong completely to that user, you must modify the owner and group of the file.
chmod: change file attributes
As mentioned above, the numbers corresponding to the r, w, and x attributes are 4, 2, and 1. The nine attributes are divided into three groups,
and the value of each group is the sum of the attributes set in it.
For example, when the attribute is -rwxr-x---, we can see that
Owner = rwx = 4 + 2 + 1 = 7; Group = r-x = 4 + 1 = 5; others = --- = 0 + 0 + 0 = 0;
The permission for this file is 750
Usage: chmod [-R] xyz file or directory
Here, xyz is the numeric file permission just mentioned, such as the 750 above.
Example: chmod 777 ~/.bashrc
There is also another way to change file permissions. You can use u, g, and o to indicate the three groups, and a to indicate all of them. The syntax is as follows:
chmod [ugoa][+-=][rwx] file or directory
Parameters:
u indicates the user, g indicates the group, o indicates others, and a indicates all; + adds the attribute, - removes the attribute,
and = sets the attributes exactly.
Example: chmod u=rwx,go=rx ~/.bashrc
chmod a+w ~/.bashrc
chmod a-x ~/.bashrc
Note: a special feature of directory attributes is that whether a directory can be entered depends on the x attribute.
Example: cd /tmp
mkdir testing
chmod 766 testing
su huli
cd testing    # Permission denied
As you can see, in the above example I created a directory under /tmp and changed its permissions to [drwxrw-rw-]. After switching to the user huli, that user has read and write permissions for the directory but no execute permission, so using the cd command to enter the directory produces the Permission denied prompt, indicating that you are not authorized to access this directory. If you then add the x permission with chmod o+x testing, the cd command can enter the directory without problems.
It can be seen that whether the directory can be accessed is closely related to the x attribute.
As mentioned above, there are also the SUID, SGID, and SBIT permissions.
Similar to the common attributes, the numbers corresponding to SUID, SGID, and SBIT are also 4, 2, and 1.
For example, to change the file permission to [-rwsr-xr-x]:
chmod 4755 test
To change the file permission to [-rwxr-sr-t]:
chmod 3755 test
We can see that these three permissions are set by the leading digit.
Note: when the permission of a file is [-rw-rw-rw-], let's try to set these special permissions.
chmod 7666 test; ls -l test
As you can see, the printed result is "-rwSrwSrwT". Why are the "S" and "T" uppercase? This is because in the file's basic attributes the user, group, and others do not have the x attribute. SUID means that the person executing the file has the file owner's permissions, but the file owner cannot execute it, so what permission could be given to others? Therefore, uppercase S and T indicate an empty permission.
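The mapping between the ls mode string and the chmod number, including the uppercase S and T case, worked through in code (an added example, not from the original article). mode_to_octal is a hypothetical helper name, not a standard command.

```shell
#!/bin/sh
# Added example: convert an ls-style mode string to the 4-digit number chmod takes.
# mode_to_octal is a hypothetical helper, not a standard command.
mode_to_octal() (
    # Keep the 9 permission characters: skip the type character and any
    # trailing '.' or '+' that ls appends for SELinux contexts or ACLs.
    s=$(printf '%s' "$1" | cut -c2-10)
    case $s in *[!rwxsStT-]*) s="" ;; esac
    [ "${#s}" -eq 9 ] || { echo "bad mode string: $1" >&2; exit 1; }
    special=0
    digits=""
    for weight in 4 2 1; do          # SUID, SGID, SBIT in the leading digit
        triple=${s%"${s#???}"}       # first three characters of what is left
        s=${s#???}
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac
        case $triple in ?w?) n=$((n + 2)) ;; esac
        case $triple in
            ??x)    n=$((n + 1)) ;;
            ??[st]) n=$((n + 1)); special=$((special + weight)) ;;  # x plus special bit
            ??[ST]) special=$((special + weight)) ;;                # special bit, no x
        esac
        digits=$digits$n
    done
    echo "$special$digits"
)

# Mode strings taken from the examples on this page.
for m in -rwxr-x--- -rwsr-xr-x -rwxr-sr-t -rwSrwSrwT; do
    printf '%s -> %s\n' "$m" "$(mode_to_octal "$m")"
done
```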
Default permissions for files and directories
What are the default attributes of a new file or directory? This is related to umask. The umask is "the default value of the file or directory attributes to be removed". How do we check the umask value and the default file or directory attributes?
The umask can be viewed in two ways.
First, run umask directly:
0022
The first digit refers to the special attributes just mentioned.
The second is to run umask -S, which prints it in symbolic form:
u=rwx,g=rx,o=rx
The default attributes of files and directories are also different. By default, files do not have the executable permission, that is,
666, [-rw-rw-rw-];
for directories, because x determines whether the directory can be entered, all permissions are enabled by default, that is, 777, [drwxrwxrwx];
When a new file or directory is created, its attributes are the defaults above with the permissions named in the umask removed.
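How the umask is applied to the 666 and 777 defaults, as an added example that is not part of the original article: the mask is removed bit by bit, so plain subtraction gives a wrong answer for a umask such as 003. The function names are assumptions, and stat -c requires GNU coreutils.

```shell
#!/bin/sh
# Added example: apply a umask to the default modes (666 files, 777 directories).
# Function names are hypothetical; stat -c needs GNU coreutils.

# effective_mode BASE UMASK -> mode left after clearing the umask bits.
effective_mode() {
    # The 0 prefix makes the shell read both values as octal.
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# naive_subtract BASE UMASK -> decimal subtraction, shown only for comparison.
naive_subtract() {
    expr "$1" - "$2"
}

# created_modes UMASK -> "<file mode> <dir mode>" of really created objects.
created_modes() (
    d=$(mktemp -d) || exit 1
    umask "$1"
    : > "$d/file"
    mkdir "$d/dir"
    modes="$(stat -c %a "$d/file") $(stat -c %a "$d/dir")"
    rm -rf "$d"
    echo "$modes"
)

for m in 022 003; do
    echo "umask $m: file $(effective_mode 666 $m), dir $(effective_mode 777 $m)," \
         "subtraction says $(naive_subtract 666 $m), created: $(created_modes $m)"
done
```

With umask 003 a new file is 664, not the 663 that subtraction suggests: the file never had x for others, so there is nothing to remove from that bit.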
Hidden attributes of a file
The file has a hidden attribute, which is very important in terms of system security.
chattr: sets the hidden attributes of a file.
Usage: chattr [+-=][ASacdistu] file or directory name
Not all parameters are listed here; only two important ones are described.
a: after a is set, data can only be added to this file; it cannot be deleted. Only root can set this attribute.
i: very useful. It makes a file one that "cannot be deleted, renamed, or linked to, and cannot be written or appended to".
Note: these two attributes are commonly used and can only be set by the root user.
lsattr: display the hidden attributes of a file
Format: lsattr [-aR] file or directory
-a indicates that the attributes of hidden files are also displayed, and -R also lists the attributes of sub-directories.