Linux file permissions detailed

Source: Internet
Author: User

Every file and directory in Linux carries access rights that determine who can access it and how.

By setting permissions, you can restrict access in three ways: allow only the owner to access a file or directory, allow users in a pre-specified group to access it, or allow any user on the system to access it. At the same time, users can control the degree of access to a given file or directory. A file or directory may have read, write, and execute permissions. When a file is created, the system automatically gives the file owner read and write permissions, which allow the owner to display and modify the file's contents. The file owner can change these permissions to whatever he or she wants. A file may have only read permission, so that no modification is allowed. A file may also have only execute permission, allowing it to be executed as a program.

Three different types of users can access a directory or file: the owner, the user group, and other users. The owner is usually the user who created the file, and the owner can allow the user group to access his or her files. Typically, users are organized into groups; for example, a system administrator can place all users in a class or project into one user group, and a user can grant file access to the other members of the group he or she belongs to. Finally, users can also open their files to all users on the system, in which case every user on the system can access the directory or file. In this sense, all other users on the system form the "other users" class.
Each type of user has its own read, write, and execute permissions. The first set of permissions controls the owner's access to his or her own files, that is, the owner permissions. The second set controls the user group's access to the owner's files. The third set controls all other users' access to the owner's files. Together, these three sets give read, write, and execute permissions to the three types of users (owner, user group, and other users), for a total of 9 permissions.


We can display file details, including permissions, with the ls command and its -l parameter, as shown below:

/media/sda5/software compression/linux$ ls -lh
total 191M
-rwxrwx--- 1 root plugdev 18M 2007-02-28 18:05 actioncube_v0.92.tar.bz2
-rwxrwx--- 1 root plugdev 60M 2007-04-30 22:52 nexuiz-223.zip
-rwxrwx--- 1 root plugdev 7.4M 2007-04-25 02:16 stardict-oxford-gb-2.4.2.tar.bz2
-rwxrwx--- 1 root plugdev 102M 2007-05-01 18:22 tremulous-1.1.0-installer.x86.run
-rwxrwx--- 1 root plugdev 4.9M 2007-04-30 14:32 wqy-bitmapfont-0.8.1-7_all.deb.bin

When the ls -l or ls -al command is executed, the 2nd to 10th characters of each line represent the permissions, as shown in the result above. The first character is typically used to distinguish between files and directories:

d: Represents a directory; in fact, in ext2fs a directory is a special kind of file.
-: Indicates an ordinary file.
l: Indicates a symbolic link, which actually points to another file.
b, c: Block devices and other peripheral devices, respectively; these are special types of files.
s, p: These files relate to the system's data structures and pipes and are rarely seen.
Here is a detailed description of the types of permissions and how to set permissions.

General permissions

The 2nd to 10th characters form three groups of 3: the left three characters represent the owner's permissions, the middle three represent the permissions of users in the same group as the owner, and the right three represent the permissions of other users. These 9 characters have the following meanings:

r (Read): For a file, permission to read the file's contents; for a directory, permission to browse the directory.
w (Write): For a file, permission to create and modify the file's contents; for a directory, permission to delete and move files inside the directory.
x (Execute): For a file, permission to execute the file; for a directory, permission to enter the directory.
-: Indicates that the permission is not granted.

The following examples illustrate:
-rwx------: The file owner has read, write, and execute permissions on the file.
-rwxr--r--: The file owner has read, write, and execute permissions, while other users have read permission.
-rw-rw-r-x: The file owner and users in the same group have read and write permissions on the file, while other users have only read and execute permissions.
drwx--x--x: The directory owner has read and write access to the directory; other users can enter the directory but cannot read any data.
drwx------: Apart from the directory owner, who has full permissions, no other user has any permission on the directory.

Each user has his or her own directory, usually placed under the /home directory, with default permissions of rwx------. This means that the directory owner has all permissions and other users cannot enter the directory. A directory created with the mkdir command has default permissions of rwxr-xr-x, and the user can modify the directory's permissions as needed.

In addition, the default permissions can be changed with the umask command. Its usage is very simple: executing umask 777, for example, masks out all permissions, so that files or directories created afterwards have permissions 000, and so on. The umask value is usually 022, 027 or 077 for the root account and 002 for ordinary users, so that the resulting permissions are 755, 750, 700 and 775. The numeric representation of permissions is explained later.

When a user logs on to the system, the user environment automatically executes the umask command to determine the default permissions for files and directories.
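
The effect of the umask values mentioned above can be checked directly. The following is an added example, not part of the original article; it assumes GNU stat and a writable temporary directory. It also shows that 755, 750, 700 and 775 are the modes new directories receive, while new regular files start from 666 and therefore end up as 644, 640, 600 and 664.

```shell
#!/bin/sh
# Added example (not from the original article). Requires GNU stat (-c '%a').

# modes_for_umask MASK
# Prints "<file mode> <directory mode>" for objects created under MASK.
modes_for_umask() {
    (
        # Subshell: the umask change stays local to this function call.
        work=$(mktemp -d) || exit 1   # scratch directory, created before the mask changes
        umask "$1"
        : > "$work/f"                 # new files are requested with mode 666
        mkdir "$work/d"               # new directories are requested with mode 777
        f=$(stat -c '%a' "$work/f")
        d=$(stat -c '%a' "$work/d")
        # Removal only needs write access to $work, so it works even for mode 000.
        rm -f "$work/f"
        rmdir "$work/d" "$work"
        printf '%s %s\n' "$f" "$d"
    )
}

# The umask values named in the text, plus the "mask everything" case
# (stat prints mode 000 as a single 0).
for mask in 022 027 077 002 777; do
    printf 'umask %s -> file/dir modes: %s\n' "$mask" "$(modes_for_umask "$mask")"
done
```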

Special permissions

In fact, files and directories have more settings than these: there are also so-called special permissions. Because special permissions confer certain privileges, users should not enable them unless there is a specific need, to avoid serious security vulnerabilities that could lead to an intrusion or even the destruction of the system.

s or S (SUID, Set UID): An executable file with this permission runs with the privileges of the file's owner and can use all the system resources available to that owner. Note that attackers often abuse this permission by setting SUID on a file owned by the root account, quietly leaving a back door in the system for later access.

s or S (SGID, Set GID): When set on a file, the effect is the same as SUID, except that it applies to the file's owning user group: the file can use all the system resources available to that group.

t or T (Sticky): The /tmp and /var/tmp directories are for all users to store files temporarily, that is, every user has full access to these directories and can browse, delete and move files.

Because SUID, SGID and Sticky occupy the position of x, they are shown in either upper or lower case. When execute permission is enabled together with SUID, SGID or Sticky, the permission is shown as a lowercase character:

-rwsr-sr-t 1 root root 4096 June 08:17 conf

If execute permission is turned off, the character is capitalized:

-rwSr-Sr-T 1 root root 4096 June 08:17 conf
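
Since an unexpected SUID or SGID file is one of the signs the warning above describes, it is worth keeping an inventory of these bits and comparing it over time. The following is an added example, not part of the original article; it assumes GNU find, and the function names and the scratch tree built by demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Requires GNU find (-printf and -perm /MODE).

# list_setid DIR
# Sorted "<octal mode> <owner> <path>" for every regular file with SUID or SGID set.
list_setid() {
    find "$1" -xdev -type f -perm /6000 -printf '%m %u %p\n' 2>/dev/null | sort
}

# new_setid BASELINE DIR
# Entries that exist now but are missing from a saved list_setid output:
# either a new file, or a known file whose mode or owner has changed.
new_setid() {
    list_setid "$2" | comm -13 "$1" -
}

# unsticky_dirs DIR
# World-writable directories that lack the sticky bit.
unsticky_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -printf '%m %u %p\n' 2>/dev/null | sort
}

# demo: build a constructed scratch tree, record a baseline, add one more
# SUID file, and print what new_setid reports (paths relative to the tree).
demo() {
    tree=$(mktemp -d) && base=$(mktemp) || return 1
    : > "$tree/known"; chmod 4755 "$tree/known"   # present when the baseline is taken
    list_setid "$tree" > "$base"
    : > "$tree/added"; chmod 4711 "$tree/added"   # appears after the baseline
    new_setid "$base" "$tree" | sed "s|$tree/||"
    rm -rf "$tree" "$base"
}
demo
```

On a real system the baseline would be taken from directories such as /usr or / on a known-good installation and stored where ordinary users cannot modify it.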

Use File Manager to change permissions for a file or directory

If you want to change the permissions of a file or directory, right-click it and select "Properties" from the shortcut menu; the system opens the Properties dialog box.

In the Properties dialog box, click the Permissions tab to open the permissions page.

Here you can modify the permissions of the owner, group, and other users of the file or directory, and you can also set special permissions.

It is best not to set special permissions, as they can introduce serious security problems.

Of course, here you can also change the owner and owning group of files and directories.

Use chmod and numbers to change the access rights of a file or directory

Permissions for files and directories are expressed with the three characters rwx for the owner, the user group, and other users. Characters can be cumbersome, so there is another way to express permissions using numbers, and only three digits are required.

r: Corresponding value 4
w: Corresponding value 2
x: Corresponding value 1
-: Corresponding value 0

The key to the numeric method is the value of mode. Many beginners are confused at first, but it is actually very simple: treat rwx as a binary number, with 1 for a permission that is present and 0 for one that is absent. Then rwx r-x r-- can be expressed as:

111 101 100

Converting each group of three bits into a decimal digit gives 754.

For example, suppose we want the file a.txt to have the following permissions:

             Owner   Users in the same group   Other users
Readable     Yes     Yes                       Yes
Writable     Yes     Yes
Executable

From the table above we first get the permission string rw-rw-r--, which as a binary number is 110 110 100. Converting each group of three bits into a decimal digit gives 664, so we execute the command:

# chmod 664 a.txt

According to the above rules, rwx together is 4+2+1=7, so a file with fully open rwxrwxrwx permissions is represented as 777, and a file with "---------", with no permissions open at all, is represented as 000. Here are a few examples:

-rwx------: represented numerically as 700.
-rwxr--r--: represented numerically as 744.
-rw-rw-r-x: represented numerically as 665.
drwx--x--x: represented numerically as 711.
drwx------: represented numerically as 700.

In text mode, you can execute the chmod command to change the permissions of files and directories. First, look at the output of ls -l in the directory:

# ls -l
total 368
-rw-r--r-- 1 root root 12172 August 23:18 conkyrc.sample
drwxr-xr-x 2 root root 48 September 4 16:32 Desktop
-r--r--r-- 1 root root 331844 October 21:08 libfreetype.so.6
drwxr-xr-x 2 root root 48 August 22:25 MyMusic
-rwxr-xr-x 1 root root 9776 November 5 08:08 Net.eth0
-rwxr-xr-x 1 root root 9776 November 5 08:08 net.eth1
-rwxr-xr-x 1 root root 512 November 5 08:08 Net.lo
drwxr-xr-x 2 root root 48 September 6 13:06 VMware

You can see that the permissions of the conkyrc.sample file are 644. Now change the permissions of this file to 777 by executing the following command:

# chmod 777 conkyrc.sample

Then use ls -l to look at the result:

# ls -l
total 368
-rwxrwxrwx 1 root root 12172 August 23:18 conkyrc.sample
drwxr-xr-x 2 root root 48 September 4 16:32 Desktop
-r--r--r-- 1 root root 331844 October 21:08 libfreetype.so.6
drwxr-xr-x 2 root root 48 August 22:25 MyMusic
-rwxr-xr-x 1 root root 9776 November 5 08:08 Net.eth0
-rwxr-xr-x 1 root root 9776 November 5 08:08 net.eth1
-rwxr-xr-x 1 root root 512 November 5 08:08 Net.lo
drwxr-xr-x 2 root root 48 September 6 13:06 VMware

You can see that the permissions of the conkyrc.sample file have been changed to rwxrwxrwx.

To add special permissions, you must use a 4-digit number. The values for the special permissions are:

s or S (SUID): corresponds to the value 4.
s or S (SGID): corresponds to the value 2.
t or T (Sticky): corresponds to the value 1.

File permissions are then modified in the same way as before.

For example:

# chmod 7600 conkyrc.sample
# ls -l
total 368
-rwS--S--T 1 root root 12172 August 23:18 conkyrc.sample
drwxr-xr-x 2 root root 48 September 4 16:32 Desktop
-r--r--r-- 1 root root 331844 October 21:08 libfreetype.so.6
drwxr-xr-x 2 root root 48 August 22:25 MyMusic
-rwxr-xr-x 1 root root 9776 November 5 08:08 Net.eth0
-rwxr-xr-x 1 root root 9776 November 5 08:08 net.eth1
-rwxr-xr-x 1 root root 512 November 5 08:08 Net.lo
drwxr-xr-x 2 root root 48 September 6 13:06 VMware
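
The conversion rules from the numeric section and the special-permission values listed above can be combined into one routine. The following is an added example, not part of the original article; the function name sym_to_octal is an assumption made here. It goes beyond the three-digit cases in the text by also handling s/S/t/T, and always prints four digits, which chmod accepts.

```shell
#!/bin/sh
# Added example (not from the original article).

# sym_to_octal PERMS
# Converts the permission characters shown by ls -l (9 characters, or 10 with
# the leading file-type character) into a 4-digit octal mode for chmod.
sym_to_octal() {
    perms=$1
    if [ "${#perms}" -eq 10 ]; then perms=${perms#?}; fi   # drop the file-type character
    if [ "${#perms}" -ne 9 ]; then
        echo "expected 9 permission characters: $1" >&2
        return 1
    fi
    special=0
    digits=
    for flag in 4 2 1; do            # SUID=4 (owner), SGID=2 (group), Sticky=1 (other)
        rest=${perms#???}
        triad=${perms%"$rest"}       # next group of three characters
        perms=$rest
        r=${triad%??}; x=${triad#??}; w=${triad#?}; w=${w%?}
        n=0
        case $r in r) n=$((n + 4)) ;; -) ;; *) return 1 ;; esac
        case $w in w) n=$((n + 2)) ;; -) ;; *) return 1 ;; esac
        case $flag$x in
            ?x) n=$((n + 1)) ;;
            ?-) ;;
            4s|2s|1t) n=$((n + 1)); special=$((special + flag)) ;;  # special bit with execute
            4S|2S|1T) special=$((special + flag)) ;;                # special bit without execute
            *) echo "bad character '$x' in execute position: $1" >&2; return 1 ;;
        esac
        digits=$digits$n
    done
    echo "$special$digits"
}

# Permission strings taken from the examples in the article.
for s in rwxr-xr-- rw-rw-r-- -rw-rw-r-x drwx--x--x -rwsr-sr-t -rwS--S--T; do
    printf '%-12s %s\n' "$s" "$(sym_to_octal "$s")"
done
```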

To change the permissions of all files in a directory at once, including files in subdirectories, use the -R parameter to enable recursive processing.

For example:

# chmod 777 /home/user       Note: sets only the /home/user directory itself to rwxrwxrwx
# chmod -R 777 /home/user    Note: sets the entire /home/user directory, including its files and subdirectories, to rwxrwxrwx

Use the chown command to change the ownership of a directory or file

Besides permissions, the owner and user group of files and directories can also be changed. As with permissions, this can be done through the graphical interface or by executing the chown command.

First, look at the output of ls -l:

# ls -l
total 368
-rwxrwxrwx 1 root root 12172 August 23:18 conkyrc.sample
drwxr-xr-x 2 root root 48 September 4 16:32 Desktop
-r--r--r-- 1 root root 331844 October 21:08 libfreetype.so.6
drwxr-xr-x 2 root root 48 August 22:25 MyMusic
-rwxr-xr-x 1 root root 9776 November 5 08:08 Net.eth0
-rwxr-xr-x 1 root root 9776 November 5 08:08 net.eth1
-rwxr-xr-x 1 root root 512 November 5 08:08 Net.lo
drwxr-xr-x 2 root root 48 September 6 13:06 VMware

You can see that both the owner and the owning user group of the conkyrc.sample file are root.
Execute the following command to transfer ownership of the conkyrc.sample file to the user named "user":

# chown user conkyrc.sample
# ls -l
total 368
-rwxrwxrwx 1 user root 12172 August 23:18 conkyrc.sample
drwxr-xr-x 2 root root 48 September 4 16:32 Desktop
-r--r--r-- 1 root root 331844 October 21:08 libfreetype.so.6
drwxr-xr-x 2 root root 48 August 22:25 MyMusic
-rwxr-xr-x 1 root root 9776 November 5 08:08 Net.eth0
-rwxr-xr-x 1 root root 9776 November 5 08:08 net.eth1
-rwxr-xr-x 1 root root 512 November 5 08:08 Net.lo
drwxr-xr-x 2 root root 48 September 6 13:06 VMware

To change the owning group, you can use the following command:

# chown :users conkyrc.sample
# ls -l
total 368
-rwxrwxrwx 1 user users 12172 August 23:18 conkyrc.sample
drwxr-xr-x 2 root root 48 September 4 16:32 Desktop
-r--r--r-- 1 root root 331844 October 21:08 libfreetype.so.6
drwxr-xr-x 2 root root 48 August 22:25 MyMusic
-rwxr-xr-x 1 root root 9776 November 5 08:08 Net.eth0
-rwxr-xr-x 1 root root 9776 November 5 08:08 net.eth1
-rwxr-xr-x 1 root root 512 November 5 08:08 Net.lo
drwxr-xr-x 2 root root 48 September 6 13:06 VMware

To modify a directory in the same way, use the -R parameter, as before.
