1. File permissions
File permissions are defined for three classes of users:
Owner (user): u
Group: g
Other: o
For each class, a file carries three permission bits:
Readable: r
Writable: w
Executable: x
The three permissions on a file:
r: the contents can be read with file-viewing tools
w: the contents can be modified
x: the file can be loaded by the kernel and started as a process
The three permissions on a directory:
r: the list of files in the directory can be viewed with ls
w: files can be created in, or deleted from, the directory
x: the file list can be viewed with ls -l, and the directory can be entered with cd
X (capital, in chmod): gives execute permission to directories only, not to regular files
2. Directory permissions:
# ll -d luyubo
drwxr-xr-x 2 root root 4096 4 13:48 luyubo
d: the file type (directory)
rwxr-xr-x: three groups of three permission bits
rwx: permissions of the owning user
r-x: permissions of the owning group
r-x: permissions of other users
2: the hard link count
root: the owning user
root: the owning group
4096: the file size in bytes
4 13:48: the last-modification time
luyubo: the directory name
3. chmod command:
Usage: chmod [OPTION]... MODE[,MODE]... FILE...
  or:  chmod [OPTION]... OCTAL-MODE FILE...
  or:  chmod [OPTION]... --reference=RFILE FILE...
Replace all permissions of a class of users: u= g= o= ug= a= u=,g=
Add or remove one or more permission bits for a class of users: u+ u- g+ g- o+ o- a+ a-
Change the mode of each FILE to MODE.
-c, --changes          like --verbose, but report only when a change is made
--no-preserve-root     do not treat '/' specially (the default)
--preserve-root        refuse to operate recursively on '/'
-f, --silent, --quiet  suppress most error messages
-v, --verbose          output a diagnostic for every file processed
--reference=RFILE      use RFILE's mode instead of specifying MODE values yourself
-R, --recursive        change files and directories recursively
--help                 display this help and exit
--version              output version information and exit
chown: set the owner of a file
# chown luyubo luyubo
4. chgrp command usage
Usage: chgrp [OPTION]... GROUP FILE...
  or:  chgrp [OPTION]... --reference=RFILE FILE...
Change the group of each FILE to GROUP.
With --reference, change the group of each FILE to that of RFILE.
-c, --changes          like --verbose, but report only when a change is made
--dereference          affect the referent of each symbolic link, rather than the symbolic link itself (the default)
-h, --no-dereference   affect symbolic links themselves instead of any referenced file
(useful only on systems that can change the ownership of a symbolic link)
--no-preserve-root     do not treat '/' specially (the default)
--preserve-root        refuse to operate recursively on '/'
-f, --silent, --quiet  suppress most error messages
--reference=RFILE      use RFILE's group rather than specifying a GROUP value
-R, --recursive        operate on files and directories recursively
-v, --verbose          output a diagnostic for every file processed
The following options modify how a hierarchy is traversed when the -R option is also specified.
If more than one is specified, only the final one takes effect.
-H                     if a command line argument is a symbolic link to a directory, traverse it
-L                     traverse every symbolic link to a directory that is encountered
-P                     do not traverse any symbolic links (default)
--help                 display this help and exit
--version              output version information and exit
chgrp: set the group of a file
# chgrp luyubo luyubo
5. Default permissions
The umask value is subtracted from the base permissions when a new file or directory is created
New file permission: 666 - umask; if a resulting digit is odd (it would grant execute), add 1 to that digit
New directory permission: 777 - umask
Non-privileged users have umask 002, so a new directory gets 775
root has umask 022, so a new directory gets 755
Because root's privileges are so broad the risk is greater, so root's default permissions are tighter than an ordinary user's
umask        # view the current mask value; output: 022
umask 023    # set the mask; for example, with umask 023 a new directory gets 754
umask -S     # display the mask in symbolic (letter) form
umask -p     # output in a form that can be re-executed; output: umask 022
Global setting: /etc/bashrc    Per-user setting: ~/.bashrc
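The two ways of working out a new file's mode described above, as an added example (not from the original post): the kernel's bitwise rule and the digit-by-digit mnemonic, with a check that they agree for every possible umask.

```shell
# Added example (not from the original post): the kernel computes new-file
# permissions as  base & ~umask  (bitwise). The page's digit-by-digit rule
# (666 - umask, +1 on any odd digit; 777 - umask) is a mnemonic for the same
# thing. Both are implemented here so they can be checked against each other.

# Bitwise rule. Prints "<file mode> <dir mode>", e.g. perms_bitwise 022 -> "644 755"
perms_bitwise() {
    u=$(( 0$1 ))                        # leading 0 makes the shell read it as octal
    printf '%03o %03o\n' $(( 0666 & ~u )) $(( 0777 & ~u ))
}

# The page's mnemonic, applied digit by digit.
perms_mnemonic() {
    u=$1
    while [ ${#u} -lt 3 ]; do u=0$u; done        # pad to three digits
    f='' d='' i=1
    while [ $i -le 3 ]; do
        m=$(printf '%s' "$u" | cut -c"$i")
        fd=$(( 6 - m ))                           # file: 6 - digit ...
        [ $(( fd % 2 )) -ne 0 ] && fd=$(( fd + 1 )) # ... +1 if odd, so x is never granted
        f=$f$fd
        d=$d$(( 7 - m ))                          # directory: 7 - digit
        i=$(( i + 1 ))
    done
    printf '%s %s\n' "$f" "$d"
}

# Compare the mnemonic with the bitwise rule for every umask 000..777.
# Returns 0 when they agree everywhere, 1 on the first mismatch.
all_agree() {
    for a in 0 1 2 3 4 5 6 7; do for b in 0 1 2 3 4 5 6 7; do for c in 0 1 2 3 4 5 6 7; do
        [ "$(perms_bitwise "$a$b$c")" = "$(perms_mnemonic "$a$b$c")" ] || return 1
    done; done; done
    return 0
}

perms_bitwise 022    # 644 755
perms_mnemonic 023   # 644 754
```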
6. Special permissions on the Linux file system
1. suid, sgid, sticky
The three ordinary permissions: r, w, x for user, group, other
Security context
A process has an owner and a group:
(1) Any executable program file can be started as a process, provided the initiator has execute permission on the program file
(2) Once started as a process, the owner of the process is the initiator and the group of the process is the initiator's group
(3) The process's permission to access a file is determined by the initiator:
(a) if the initiator is the file's owner, the file's owner permissions apply
(b) if the initiator belongs to the file's group, the file's group permissions apply
(c) otherwise the file's "other" permissions apply
2. SUID:
1. Any executable program file can be started as a process, provided the initiator has execute permission on the program file
2. Once started as a process, the owner of the process is the owner of the program file, not the initiator
3. SUID is only meaningful on binary executable programs
4. SUID has no meaning on a directory
Permission setting: chmod u+s FILE ...   chmod u-s FILE ...
Example: set SUID on the echo binary
# chmod u+s /bin/echo
3. SGID:
1. Any executable program file can be started as a process, provided the initiator has execute permission on the program file
2. Once started as a process, the group of the process is the group of the program file
3. Permission setting: chmod g+s FILE ...   chmod g-s FILE ...
Example: set SGID on the echo binary
# chmod g+s /bin/echo
4. suid: user; occupies the owner's execute bit. s: the owner also has x. S: the owner does not have x
4. SGID on a directory:
1. By default, a file created by a user gets the user's primary group as its group
2. Once SGID is set on a directory, files created in it by any user with write access get the directory's group as their group
3. Typically used for shared collaboration directories
4. Permission setting: chmod g+s DIR ...   chmod g-s DIR ...
Example: make all new files in /data/testdir/ belong to group g1 (run from /data):
# chgrp g1 testdir/
# chmod g+s testdir/
5. sgid: group; occupies the group's execute bit. s: the group also has x. S: the group does not have x
5. Sticky bit:
1. In a directory with write permission, a user can normally delete any file in it, regardless of the file's permissions or ownership
2. With the sticky bit set on the directory, only a file's owner (or root) can delete that file
3. The sticky bit has no meaning on a file
4. Permission setting: chmod o+t DIR ...   chmod o-t DIR ...
5. Example: add the t bit to the bo directory (run from /home):
# chmod o+t bo/
# ll -d bo/
drwxrwxrwt 2 root root 4096 August 4 20:58 bo/
Switch to user tom and try to delete a file in it: permission denied, even though the directory mode is 777. That is the effect of the sticky bit
6. sticky: other; occupies other's execute bit. t: other also has x. T: other does not have x
7. File-specific attributes
1. chattr +i: the file cannot be deleted, renamed or modified (immutable)
2. chattr +a: the file can only be appended to
3. lsattr: display file attributes
8. Access Control Lists (ACLs)
1. acl: access control list, for flexible permission management
2. Beyond the file's owner, group and others, permissions can be set for additional users
3. On CentOS 7.0, the XFS and ext4 file systems created by default have ACL support
4. On versions before CentOS 7, a manually created ext4 file system has no ACL support by default; enable it manually: tune2fs -o acl /dev/sdb1    mount -o acl /dev/sdb1 /mnt
5. ACL evaluation order: owner, named user, owning group, named group, others
6. ACL commands:
getfacl                  view the ACL
setfacl -x               remove an ACL entry
setfacl -b               remove the entire ACL from the file
setfacl -d               set a default ACL, which applies to newly created files
setfacl -k               remove the default ACL
setfacl -m u::rw FILE    set the owner's permissions
setfacl -m m::rw FILE    set the mask
The mask does not apply to the owner and other; every other entry's permissions cannot exceed the mask (they may equal it)
Once an ACL is set, the group column shown is no longer the group permission but the mask
7. On a file with an ACL, the group column is the mask value (the maximum permissions for named users, named groups and the owning group), not the traditional group permission
8. getfacl also shows the special permission bits: flags
9. A default ACL that grants x does not make new files inherit x. The base ACL entries (owner, group, other) cannot be deleted
10. setfacl -k DIR     remove the default ACL
11. setfacl -b FILE    clear all ACL entries
The mask only limits named users, named groups and the owning group; it does not affect the owner or other.
The mask is ANDed with an entry's permissions to give that entry's effective permission, so an entry's bits only take effect where the mask also has them. Set the mask with: setfacl -m m::rx FILE
The --set option replaces the existing ACL entries with the new ones, so unlike -m, which only adds entries, it must include the u::, g:: and o:: base entries.
Example:
# setfacl --set u::rw,u:tom:rw,g::r,o::- bo/
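The mask rule from points 6 and 7 above, worked through as an added example (not from the original post). The getfacl-style listing is constructed to match the --set example just shown, after a later `setfacl -m m::rx bo/` has lowered the mask; the code reproduces the `#effective:` annotation that getfacl prints for masked entries.

```shell
# Added example (not from the original post): apply the ACL mask rule.
# Only named users, named groups and the owning group are masked; the
# owner (user::) and other:: entries are never masked.
# Constructed listing: the page's --set example (u::rw,u:tom:rw,g::r,o::-)
# followed by a later 'setfacl -m m::rx bo/'.
acl_listing='# file: bo
user::rw-
user:tom:rw-
group::r--
mask::r-x
other::---'

# AND two rwx strings position by position: perm_and rw- r-x -> r--
perm_and() {
    out='' i=1
    while [ $i -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c"$i")
        b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# Print each entry; masked entries that lose bits get "#effective:" like getfacl does
acl_effective() {
    listing=$1
    mask=$(printf '%s\n' "$listing" | sed -n 's/^mask::\(...\)$/\1/p')
    [ -n "$mask" ] || mask=rwx                      # no mask entry: nothing is limited
    printf '%s\n' "$listing" | while IFS= read -r entry; do
        case $entry in '#'*|'') continue ;; esac     # skip getfacl header comments
        tag=${entry%%:*}; qual=${entry#*:}; qual=${qual%%:*}; perm=${entry##*:}
        case "$tag:$qual" in
            user:|other:|mask:) printf '%s\n' "$entry" ;;   # never masked
            *)  eff=$(perm_and "$perm" "$mask")              # named user/group, owning group
                if [ "$eff" = "$perm" ]; then printf '%s\n' "$entry"
                else printf '%s\t\t#effective:%s\n' "$entry" "$eff"; fi ;;
        esac
    done
}

acl_effective "$acl_listing"   # user:tom:rw- is reported with #effective:r--
```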
9. Backing up and restoring ACLs
1. The main file-operation commands cp and mv both support ACLs, but cp needs the -p option. Common backup tools such as tar, however, do not preserve the ACL information of directories and files
# getfacl -R testdir/ > acl.txt
# setfacl -R -b testdir/
# setfacl -R --set-file=acl.txt testdir/
# getfacl -R testdir/
This article is from the "Linux Learning path" blog, so be sure to keep this source http://luyubo.blog.51cto.com/7634254/1834540
Linux General permissions and special permissions explained