Linux General permissions and special permissions explained

Source: Internet
Author: User

1. File permissions

File permissions are defined for three classes of principals:

Owner: u

Group: g

Other: o

For each class, a file defines three permissions:

Readable: r

Writable: w

Executable: x

The three permissions on a file:

r: the contents can be read with file-viewing tools

w: the contents can be modified

x: the file can be loaded by the kernel and started as a process

The three permissions on a directory:

r: ls can list the files in the directory

w: files can be created in, or deleted from, the directory

x: ls -l can show the details of the files in the directory, and cd can enter it

X: gives x permission to directories only, not to files

2. Directory Permissions:

[root@host ~]# ll -d luyubo

drwxr-xr-x 2 root root 4096 4 13:48 luyubo

d indicates the file type (a directory)

rwxr-xr-x is three groups of three bits each

rwx is the owner's permissions

r-x is the owning group's permissions

r-x is the permissions of other users

2 is the hard link count

root is the owning user

root is the owning group

4096 is the file size

4 13:48 is the modification time

luyubo is the directory name

3. chmod command:

Usage: chmod [OPTION]... MODE[,MODE]... FILE...

Or: chmod [OPTION]... OCTAL-MODE FILE...

Or: chmod [OPTION]... --reference=RFILE FILE...

Set all permissions of a class of users at once: u= g= o= ug= a= u=,g=

Add or remove one or more permission bits for a class of users: u+ u- g+ g- o+ o- a+ a-

Change the mode of each FILE to MODE.

-c, --changes like --verbose, but report only when a change is made

--no-preserve-root do not treat '/' specially (the default)

--preserve-root fail to operate recursively on '/'

-f, --silent, --quiet suppress most error messages

-v, --verbose output a diagnostic for every file processed

--reference=RFILE use RFILE's mode instead of specifying a MODE value

-R, --recursive change files and directories recursively

--help display this help and exit

--version output version information and exit

chown sets the owner of a file:

[root@host ~]# chown luyubo luyubo

4. chgrp command usage

Usage: chgrp [OPTION]... GROUP FILE...

Or: chgrp [OPTION]... --reference=RFILE FILE...

Change the group of each FILE to GROUP.

With --reference, change the group of each FILE to that of RFILE.

-c, --changes like --verbose, but report only when a change is made

--dereference affect the referent of each symbolic link, rather than the symbolic link itself (this is the default)

-h, --no-dereference affect symbolic links instead of any referenced file

(useful only on systems that can change the ownership of a symbolic link)

--no-preserve-root do not treat '/' specially (the default)

--preserve-root fail to operate recursively on '/'

-f, --silent, --quiet suppress most error messages

--reference=RFILE use RFILE's group rather than specifying a GROUP value

-R, --recursive operate on files and directories recursively

-v, --verbose output a diagnostic for every file processed

The following options modify how a hierarchy is traversed when the -R option is also specified.

If more than one is specified, only the final one takes effect.

-H if a command line argument is a symbolic link to a directory, traverse it

-L traverse every symbolic link to a directory encountered

-P do not traverse any symbolic links (this is the default)

--help display this help and exit

--version output version information and exit

chgrp sets the group of a file:

[root@host ~]# chgrp luyubo luyubo

5. Introduction to default permissions

The umask value determines the permissions a newly created file receives

New file permission: 666 - umask; if a resulting digit is odd (it would carry an execute bit), add 1 to that digit

New directory permission: 777 - umask

A non-privileged user's umask is 002, so the resulting permission is 775

root's umask is 022, so the resulting permission is 755

Because root's privileges are so powerful and the risk correspondingly high, root's default permissions are lower than an ordinary user's

umask: show the current mask value (output: 022)

umask <mask>: for example, umask 023 gives a directory permission of 754

umask -S: show the mask in symbolic form (capital S displays letters)

umask -p: print the mask in a form that can be reused as input (output: umask 022)

Global setting: /etc/bashrc; per-user setting: ~/.bashrc
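The umask arithmetic above, worked in a small POSIX shell script (an added example, not part of the original article): new_mode applies the exact bitwise rule the kernel uses, and shortcut_file_mode applies the page's "subtract, then add 1 to odd digits" shortcut, so the two can be compared; a three- or four-digit octal umask is assumed as input.

```shell
#!/bin/sh
# Compute the mode a new file or directory receives under a given umask.
# The exact rule is bitwise: mode = base & ~umask, where base is 0666 for
# files (file creation never asks for x) and 0777 for directories.
new_mode() {   # new_mode <umask-octal> <file|dir> -> three-digit octal mode
    case $2 in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "usage: new_mode <umask> file|dir" >&2; return 1 ;;
    esac
    printf '%03o\n' $(( $base & ~0$1 ))   # the leading 0 makes the shell read both as octal
}

# The page's shortcut ("666 - umask, then add 1 to any odd digit") done digit
# by digit, to show it yields the same result as the bitwise rule for files.
shortcut_file_mode() {   # shortcut_file_mode <umask-octal> -> three-digit octal mode
    um=$(printf '%03o' $(( 0$1 & 0777 )))   # normalise e.g. 0022 -> 022
    out="" i=1
    while [ $i -le 3 ]; do
        d=$(( 6 - $(printf '%s' "$um" | cut -c$i) ))
        # an odd (or negative) difference means an x bit was "borrowed": give it back
        [ $(( d & 1 )) -ne 0 ] && d=$(( d + 1 ))
        out="$out$d"
        i=$(( i + 1 ))
    done
    echo "$out"
}

# Demo with the masks the page mentions (002, 022, 023) plus a strict 077.
for um in 002 022 023 077; do
    printf 'umask %s: file %s (shortcut %s), dir %s\n' "$um" \
        "$(new_mode "$um" file)" "$(shortcut_file_mode "$um")" "$(new_mode "$um" dir)"
done
```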

6. Special permissions on the Linux file system

1. SUID, SGID, sticky

Three common permissions: r, w, x for user, group, other

Security context

A process has an owner and a group;

(1) Any executable program file can be started as a process, depending on whether the launcher has execute permission on the program file

(2) Once started as a process, the process's owner is the launcher, and the process's group is the launcher's group

(3) The permissions the process has when accessing a file depend on the launcher of the process:

(a) If the launcher is the file's owner, the file's owner permissions apply

(b) If the launcher belongs to the file's group, the file's group permissions apply

(c) Otherwise, the file's "other" permissions apply

2. SUID:

1. Any executable program file can be started as a process, depending on whether the launcher has execute permission on the program file

2. Once started as a process, the process's owner is the owner of the original program file

3. SUID is meaningful only for binary executable programs

4. SUID set on a directory has no meaning

Permission setting: chmod u+s file ...   chmod u-s file ...

Example: set the SUID bit on the binary echo

[root@host ~]# chmod u+s /bin/echo

3. SGID:

1. Any executable program file can be started as a process, depending on whether the launcher has execute permission on the program file

2. Once started as a process, the process's group is the group of the original program file

3. Permission setting: chmod g+s file ...   chmod g-s file ...

Example: set the SGID bit on the binary echo

[root@host ~]# chmod g+s /bin/echo

4. SUID occupies the owner's execute bit: it is shown as s when the owner also has x, and as S when the owner does not have x

4. SGID on directories:

1. By default, when a user creates a file, its group is the user's primary group

2. Once SGID is set on a directory, files created in it by any user with write permission inherit the directory's group

3. Typically used to create a collaboration directory

4. Permission setting: chmod g+s DIR ...   chmod g-s DIR ...

For example: make all new files in the /data/testdir/ directory belong to group g1.

[root@host data]# chgrp g1 testdir/
[root@host data]# chmod g+s testdir/

5. SGID occupies the group's execute bit: it is shown as s when the group has x, and as S when the group does not have x

5. Sticky bit:

1. In a directory with write permission, a user can normally delete any file in it, regardless of the file's permissions or ownership

2. When the sticky bit is set on the directory, only the file's owner (or root) can delete the file

3. The sticky bit has no meaning on a regular file

4. Permission setting: chmod o+t DIR ...   chmod o-t DIR ...

5. For example, add the t permission to our bo directory:

[root@host home]# chmod o+t bo/
[root@host home]# ll -d bo/
drwxrwxrwt 2 root root 4096 Aug  4 20:58 bo/

Switching to user tom and trying to delete a file in it fails with permission denied, even though the directory's permission is 777; that is the effect of the sticky bit

6. sticky occupies other's execute bit: it is shown as t when other has x, and as T when other does not have x
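A decoder for the mode field of the ll -d listings shown in section 2 and in the SUID/SGID/sticky examples above (an added example, not part of the original article): it turns the 10-character string into a four-digit octal mode and applies the s/S and t/T rule, so that a listing can be checked for special bits without guessing.

```shell
#!/bin/sh
# Decode the 10-character mode field printed by ls -l / ll -d into a
# four-digit octal mode, special bits included. In an execute slot, a
# lower-case s or t means the special bit AND x are set; upper-case S or T
# means the special bit is set but x is not.
mode_to_octal() {   # mode_to_octal <mode-string> -> e.g. 4755
    m=$1 special=0 perms="" g=0
    [ ${#m} -eq 10 ] || { echo "expected a 10-character mode string" >&2; return 1; }
    while [ $g -lt 3 ]; do                      # g: 0 = user, 1 = group, 2 = other
        start=$(( 2 + 3 * g ))
        triple=$(printf '%s' "$m" | cut -c$start-$(( start + 2 )))
        v=0
        case $triple in r??) v=$(( v + 4 )) ;; esac
        case $triple in ?w?) v=$(( v + 2 )) ;; esac
        case $triple in
            ??x) v=$(( v + 1 )) ;;
            ??s) v=$(( v + 1 )); special=$(( special | (4 >> g) )) ;;   # SUID (4) or SGID (2), x set
            ??S) special=$(( special | (4 >> g) )) ;;                   # SUID/SGID without x
            ??t) v=$(( v + 1 )); special=$(( special | 1 )) ;;          # sticky, x set
            ??T) special=$(( special | 1 )) ;;                          # sticky without x
        esac
        perms="$perms$v"
        g=$(( g + 1 ))
    done
    echo "$special$perms"
}

special_bits() {   # special_bits <mode-string> -> names of the special bits that are set
    oct=$(mode_to_octal "$1") || return 1
    s=$(( ${oct%???} ))                         # first octal digit holds the special bits
    names=""
    [ $(( s & 4 )) -ne 0 ] && names="$names suid"
    [ $(( s & 2 )) -ne 0 ] && names="$names sgid"
    [ $(( s & 1 )) -ne 0 ] && names="$names sticky"
    echo "${names# }"
}

# Demo with the listings from this page plus two constructed variants.
for m in drwxr-xr-x drwxrwxrwt -rwsr-xr-x -rwSr--r-- drwxrwsr-x; do
    printf '%s -> %s %s\n' "$m" "$(mode_to_octal "$m")" "$(special_bits "$m")"
done
```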

7. Special file attributes

1. chattr +i: the file cannot be deleted, renamed, or modified

2. chattr +a: the file can only be appended to

3. lsattr: display the special attributes

8. Access control lists (ACLs)

1. ACL: access control list, for flexible permission management

2. Beyond the file's owner, group, and others, permissions can be set for additional users

3. On CentOS 7.0, the XFS and ext4 file systems created by default have ACL support

4. On versions before CentOS 7.x, a manually created ext4 file system has no ACL support by default; it must be enabled manually: tune2fs -o acl /dev/sdb1, then mount -o acl /dev/sdb1 /mnt

5. ACL evaluation order: owner, named user (ACL), owning group, named group (ACL), other

6. ACL commands:

getfacl: view ACLs

setfacl -x: remove a permission entry

setfacl -b: clear all ACL entries on the file

setfacl -d: set default ACL permissions, which apply to newly created files

setfacl -k: remove the default ACL permissions

setfacl -m u::rw file: set the owner's permissions

setfacl -m m::rw file: set the mask permissions

The mask does not apply to the owner or to other; the permissions of every other entry cannot be higher than the mask, only equal to or lower than it

Once an ACL is set, the group permissions shown are no longer the group's own permissions but the mask

7. The group permission shown on a file with an ACL is the mask value (the maximum permissions for named users, named groups, and the owning group), not the traditional group permission

8. getfacl can display the special permission bits: flags

9. Even when the default ACL grants x, new files do not inherit the x permission. The base ACL entries cannot be deleted

10. setfacl -k dir: remove the default ACL permissions

11. setfacl -b file1: clear all ACL permissions

The mask only limits the maximum permissions of users and groups other than the owner and other. The mask is ANDed with the entry's permissions to give the effective permission. A user or group entry only takes effect to the extent that it falls within the mask. setfacl -m mask::rx file

The --set option removes the existing ACL entries and replaces them with new ones. Note that the full ugo base entries must be included; it does not merely add entries the way -m does.

For example:

[root@host home]# setfacl --set u::rw,u:tom:rw,g::r,o::- bo/
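The mask rule described above (mask ANDed with each named-user, named-group and owning-group entry; owner and other exempt), worked as an added example that is not part of the original article: acl_effective annotates getfacl-style text with "#effective:" the way getfacl does. The sample ACL is constructed to match the --set command above, as if setfacl -m mask::rx bo/ had then been run; it covers the access ACL only, not default: entries.

```shell
#!/bin/sh
# Apply the ACL mask the way the kernel does: effective = entry & mask for
# named users, named groups and the owning group; owner and other are exempt.
perm_num() {   # "rw-" -> 6
    n=0
    case $1 in r??) n=$(( n + 4 )) ;; esac
    case $1 in ?w?) n=$(( n + 2 )) ;; esac
    case $1 in ??x) n=$(( n + 1 )) ;; esac
    echo $n
}

num_perm() {   # 6 -> "rw-"
    case $1 in 0) echo ---;; 1) echo --x;; 2) echo -w-;; 3) echo -wx;;
               4) echo r--;; 5) echo r-x;; 6) echo rw-;; 7) echo rwx;; esac
}

effective_perm() {   # effective_perm <entry-perms> <mask-perms> -> e.g. "r--"
    num_perm $(( $(perm_num "$1") & $(perm_num "$2") ))
}

# Read getfacl-style text on stdin; append "#effective:" where the mask
# reduces an entry, leaving owner, other, the mask line and comments untouched.
acl_effective() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            user::*|other::*|mask::*|'#'*|'')
                printf '%s\n' "$line" ;;
            *)  perms=${line##*:}
                eff=$(effective_perm "$perms" "$mask")
                if [ -z "$mask" ] || [ "$eff" = "$perms" ]; then
                    printf '%s\n' "$line"
                else
                    printf '%s\t#effective:%s\n' "$line" "$eff"
                fi ;;
        esac
    done
}

# Constructed sample: the page's --set entries for bo/, with the mask set to r-x.
SAMPLE_ACL='# file: bo
user::rw-
user:tom:rw-
group::r--
mask::r-x
other::---'
printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

Only the tom entry is reduced (rw- & r-x = r--); the owner keeps rw- and other keeps --- because the mask never applies to them.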

9. Backing up and restoring ACLs

1. The main file-operation commands cp and mv both support ACLs, but cp must be given the -p option. Common backup tools such as tar, however, do not preserve ACL information for directories and files

[root@host data]# getfacl -R testdir/ > acl.txt
[root@host data]# setfacl -R -b testdir/
[root@host data]# setfacl -R --set-file=acl.txt testdir/
[root@host data]# getfacl -R testdir/


This article is from the "Linux Learning path" blog; please keep this source: http://luyubo.blog.51cto.com/7634254/1834540
