Default permissions and hidden permissions for files and directories
A file has several attributes, including the basic permissions read, write and execute (r, w, x), and a type flag that shows whether it is a directory (d), a regular file (-), a link (l), and so on! The commands for changing these attributes (chgrp, chown, chmod) have also been mentioned briefly, and this section builds on that!
In addition to the basic r, w, x permissions, on the Linux ext2/ext3 file systems we can also configure other hidden system attributes, set with chattr and viewed with lsattr. The most important of these makes a file unmodifiable, so that even the owner of the file cannot change it! This attribute is quite important, especially for security!
File default permissions: umask
OK! Now we know how to create a file or directory and change its attributes, but do you know what default permissions a newly created file or directory gets? Oh! That is what umask is about! So what does umask do? Basically, umask specifies "the default permissions a user gets when creating files or directories". So how do you query or configure umask? It works as follows:
[root@www ~]# umask
0022   <== the last three digits are the ones related to the general permissions!
[root@www ~]# umask -S
u=rwx,g=rx,o=rx
There are two ways to query it. Entering umask on its own shows, as digits, the permission score that will be taken away; adding the -S (symbolic) option shows the resulting permissions in symbolic form instead! Strangely, why does umask show four digits? Aren't there only three groups? That's right: the first digit is for the special permissions, which we will not talk about yet, so just look at the last three.
The default permissions are not the same for directories and files. From the sixth chapter we know that the x permission is very important for a directory! A newly created regular file, however, should not have execute permission, because a regular file is usually used to record data and of course does not need to be run. Therefore the defaults are as follows:
- If the user creates a "file", it gets "no execute (x) permission" by default, only r and w, which is at most 666 points; the default permissions look like this:
-rw-rw-rw-
- If the user creates a "directory", then because x decides whether the directory can be entered, all permissions are open by default, that is 777 points; the default permissions look like this:
drwxrwxrwx
Note that the umask score is the permission that is to be taken away from the default! Because r, w and x are worth 4, 2 and 1 points: to take away write permission you enter 2 points; to take away read permission, 4 points; to take away read and write, 6 points; and to take away execute and write, 3 points. Understood? So what does 5 points take away? Oh! Read and execute!
Explaining the example above: because umask is 022, nothing is taken away from the user, while the group and others have 2 (the w permission) taken away. So when the user:
- creates a file: (-rw-rw-rw-) - (-----w--w-) ==> -rw-r--r--
- creates a directory: (drwxrwxrwx) - (d----w--w-) ==> drwxr-xr-x
Don't believe it? Let's test it out!
[root@www ~]# umask 0022
[root@www ~]# touch test1
[root@www ~]# mkdir test2
[root@www ~]# ll
-rw-r--r-- 1 root root    0 Sep 27 00:25 test1
drwxr-xr-x 2 root root 4096 Sep 27 00:25 test2
The use and importance of umask: group project work
Imagine this situation: you and a classmate work on the same host, and because the two of you are on the same project, the teacher has put your two accounts in the same group and made /home/class/ the project directory for both of you. Now, is it possible that the files you create cannot be edited by your classmate? If so, that is a real headache!
This problem happens very often! In the example above, what was the permission of test1? It's 644! With umask set to 022, only the owner of a new file has the w permission; people in the same group only have r, read permission, and cannot modify it! "How are you supposed to work on the project together?" Exactly!
So, when we need new files to be editable by the users in the same group, umask must not take the 2 (the w permission) away from the group! In that case umask has to be 002 or the like, so that a new file gets permissions like -rw-rw-r--. So how do you configure umask? Very simply: type umask followed by 002!
[root@www ~]# umask 002
[root@www ~]# touch test3
[root@www ~]# mkdir test4
[root@www ~]# ll
-rw-rw-r-- 1 root root    0 Sep 27 00:36 test3
drwxrwxr-x 2 root root 4096 Sep 27 00:36 test4
So, umask is closely tied to the default permissions of new files and directories! This concept applies on any server, and it is especially important when you set up a file server in the future, for example a SAMBA or FTP server! It decides whether your users will be able to make further use of the files. Don't take it lightly!
By default, root's umask takes away more permissions: root's default umask is 022, for security reasons. For ordinary users the umask is usually 002, which keeps the write permission for the same group! The default umask configuration can be found in /etc/bashrc; however, modifying that file is not recommended.
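To make the subtraction concrete, here is an added Python example (not code from the page or its author) that computes the file and directory modes a given umask should produce, and then checks that against what the kernel actually does by creating a file and a directory in a scratch directory under os.umask(). The file names test1 and test2 and the function names are chosen for this example.

```python
import os
import stat
import tempfile

# Starting points before umask is applied, as described in the text:
# 666 for a regular file (no x), 777 for a directory.
FILE_BASE = 0o666
DIR_BASE = 0o777


def expected_modes(umask):
    """Compute (file_mode, dir_mode) for a umask by masking out its bits:
    umask 0o022 -> (0o644, 0o755), umask 0o002 -> (0o664, 0o775)."""
    return FILE_BASE & ~umask, DIR_BASE & ~umask


def observed_modes(umask):
    """Create a file and a directory under the given umask and read the
    permission bits back with stat(2).  umask is process-wide state, so
    the previous value is restored afterwards."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as scratch:
            path_f = os.path.join(scratch, "test1")  # constructed names
            path_d = os.path.join(scratch, "test2")
            # touch(1) asks for 0666 and lets the kernel apply the umask
            os.close(os.open(path_f, os.O_CREAT | os.O_WRONLY, FILE_BASE))
            # mkdir(1) asks for 0777 in the same way
            os.mkdir(path_d, DIR_BASE)
            file_mode = stat.S_IMODE(os.stat(path_f).st_mode)
            dir_mode = stat.S_IMODE(os.stat(path_d).st_mode)
    finally:
        os.umask(previous)
    return file_mode, dir_mode


def group_can_write(umask):
    """The point of the project-work section: with the group's w bit in the
    umask (022) classmates in the same group cannot edit new files; 002 keeps it."""
    return bool(expected_modes(umask)[0] & stat.S_IWGRP)


if __name__ == "__main__":
    for mask in (0o022, 0o002):
        exp = expected_modes(mask)
        obs = observed_modes(mask)
        print("umask %04o: file %s dir %s (kernel agrees: %s)" % (
            mask,
            stat.filemode(stat.S_IFREG | exp[0]),
            stat.filemode(stat.S_IFDIR | exp[1]),
            exp == obs))
```

Running it prints the -rw-r--r-- / drwxr-xr-x pair for 022 and the -rw-rw-r-- / drwxrwxr-x pair for 002, matching the two ll listings above; the observed_modes() check is what you would run on a server whose default ACLs or mount options might override the plain umask arithmetic.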
File hidden attributes:
What? Files have hidden attributes too? Those nine permission bits were already driving us crazy, and now there are hidden attributes on top; really deadly! But there is no way around it: files do have hidden attributes! And these hidden attributes are very helpful to the system, especially for system security, where they are very important! Note, though, that the chattr command below can only be used on the ext2/ext3 file systems; other file systems may not support it. Let's look at how to configure and check these hidden attributes!
chattr (configure file hidden attributes)
[root@www ~]# chattr [+-=][ASacdistu] file or directory name
Options and parameters:
+ : add one attribute; the other existing attributes are left unchanged.
- : remove one attribute; the other existing attributes are left unchanged.
= : set exactly the listed attributes and no others.
A : when A is set, accessing the file (or directory) does not update its access time (atime). This avoids excess disk access on machines with slow I/O and helps slower computers.
S : regular files are written to disk asynchronously (see the description of sync in Chapter 5). With S set, any change to the file is "synchronized" to the disk immediately.
a : when a is set, data can only be appended to the file; existing data cannot be deleted or modified. Only root can set this attribute.
c : with c set, the file is "compressed" automatically when stored and decompressed automatically when read (this seems quite useful for large files!).
d : when the dump program is run, the d attribute keeps the file (or directory) from being backed up by dump.
i : this i is amazing! It makes a file "unable to be deleted, renamed, have its attributes changed, or have data written or appended"! It is a great help to system security! Only root can set this attribute.
s : when a file with the s attribute is deleted, it is completely removed from the disk, so if you delete it by mistake it cannot be rescued!
u : the opposite of s: when a file with the u attribute is deleted, its data content actually remains on the disk, so the file can be rescued!
Note: the commonly used attributes are a and i, and many attributes can only be set by root.
# Try it: create a file under /tmp, add the i attribute, and try to delete it.
[root@www ~]# cd /tmp
[root@www tmp]# touch attrtest        <== create an empty file
[root@www tmp]# chattr +i attrtest    <== set the i attribute
[root@www tmp]# rm attrtest           <== try deleting it
rm: remove write-protected regular empty file `attrtest'? y
rm: cannot remove `attrtest': Operation not permitted   <== the operation is not permitted
# See? Even root cannot delete this file! Quickly remove the attribute!
# Remove the i attribute from the file:
[root@www tmp]# chattr -i attrtest
This command is important, especially for the data security of the system! Because these attributes are hidden, you need lsattr to see them! In my opinion the most important ones are +i and +a. +i makes a file unchangeable, which is very important for anyone who needs strong system security! Many of the attributes can only be set by root!
In addition, for a log file such as a login log, it is even more worthwhile to set +a, which allows data to be added but does not allow old data to be modified or deleted!
lsattr (display file hidden attributes)
[root@www ~]# lsattr [-adR] file or directory
Options and parameters:
-a: also show the attributes of hidden files;
-d: if a directory is given, list only the attributes of the directory itself rather than of the files inside it;
-R: list the data of subdirectories as well!
[root@www tmp]# chattr +aij attrtest
[root@www tmp]# lsattr attrtest
----ia---j--- attrtest
After setting attributes with chattr, you can use lsattr to look them up. However, these two commands must be used with great care, or they will cause great distress. For example: one day, in a good mood, you set the i attribute on the important password file /etc/shadow; a few days later you want to add a user, but simply cannot! Don't wonder why; go and remove the i attribute!
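As an added example (not code from the page or its author), here is a small Python audit that parses lsattr output and reports files whose +i or +a attributes differ from an expected baseline; the scenario just described, /etc/shadow accidentally left immutable, is exactly what such a check catches, and so is a log file whose +a bit has gone missing. The sample lsattr lines are constructed for this example (the first mirrors the attrtest output above); run_lsattr() needs the lsattr binary from e2fsprogs and is the only part that touches the real system.

```python
import subprocess

# Constructed sample of lsattr(1) output: the attribute field first, then the
# path.  The first line mirrors the "chattr +aij attrtest" result in the text;
# the other lines are made up for this example.
SAMPLE_LSATTR = """\
----ia---j--- /tmp/attrtest
-----a------- /var/log/secure
------------- /var/log/messages
------------- /etc/passwd
----i-------- /etc/shadow
"""

# Attributes the text singles out as security-relevant: i (immutable) and
# a (append-only).  Other letters such as e (extents) are routine and ignored.
WATCHED = {"i", "a"}


def parse_lsattr(text):
    """Yield (path, set of attribute letters) for each lsattr output line.
    Paths may contain spaces, so split only on the first one."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        attrs, sep, path = line.partition(" ")
        if not sep:
            raise ValueError("malformed lsattr line: %r" % line)
        yield path, {c for c in attrs if c != "-"}


def audit_hidden_attrs(text, baseline=None):
    """Return sorted (path, watched attrs) for every file whose i/a attributes
    differ from the baseline, a dict path -> set of attributes the admin set
    on purpose (for example an append-only log, as the text recommends).
    An empty attrs string means an expected attribute is missing."""
    baseline = baseline or {}
    findings = []
    for path, attrs in parse_lsattr(text):
        watched = attrs & WATCHED
        if watched != baseline.get(path, set()):
            findings.append((path, "".join(sorted(watched))))
    return sorted(findings)


def run_lsattr(paths):
    """Run the real lsattr -d on the given paths and return its output; needs
    e2fsprogs and an ext2/3/4 file system.  Not exercised by the tests."""
    return subprocess.run(["lsattr", "-d", *paths],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Baseline: the admin deliberately made both logs append-only.
    expected = {"/var/log/secure": {"a"}, "/var/log/messages": {"a"}}
    for path, attrs in audit_hidden_attrs(SAMPLE_LSATTR, expected):
        print("hidden attrs %s on %s do not match baseline" % (attrs or "(none)", path))
```

With the sample input this flags /tmp/attrtest (+ia with no baseline entry), /etc/shadow (+i, the mistake described above) and /var/log/messages (the expected +a is absent), while /var/log/secure and /etc/passwd pass; in practice you would feed it the output of run_lsattr() over the paths you care about.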
File special permissions: SUID, SGID, Sbit
[root@www ~]# ls -ld /tmp ; ls -l /usr/bin/passwd
drwxrwxrwt 7 root root  4096 Sep 27 18:23 /tmp
-rwsr-xr-x 1 root root 22984 Jan  7  2007 /usr/bin/passwd
Isn't it supposed to be just rwx? Where do these other special permissions (s and t) come from? Ah... the head is starting to spin again @_@. The meanings of the s and t permissions are closely related to accounts and processes, so read the explanation below first; if you don't understand all of it that's fine, as long as you know where the s of SUID/SGID goes and how to configure it!
Set UID
When the s flag appears in the x position of the file owner's permissions, as in the permission state of /usr/bin/passwd just mentioned, "-rwsr-xr-x", it is called Set UID, the special permission SUID for short. So what is the special function of the SUID permission on a file? Basically SUID has these restrictions and functions:
- SUID permission is valid only for binary programs;
- the runner must have execute (x) permission for the program;
- the permission is valid only while the program is running (run-time);
- the runner temporarily gets the permissions of the program's owner.
Said so abstractly, you probably still have no idea about SUID, so let's illustrate with an example. On our Linux system, all account passwords are recorded in /etc/shadow, whose permission is "-r-------- 1 root root", meaning that only root can read it and only root can force a write to it. Since only root can modify this file, can Bird Brother's ordinary account vbird change its own password? Use your own account and type the passwd command to find out: hey! An ordinary user can of course change their own password!
Well! Isn't that a contradiction? Clearly /etc/shadow cannot be accessed by the ordinary account vbird, so why can vbird still change the password in this file? This is the function of SUID! From the description above, we know:
- vbird has x permission for the program /usr/bin/passwd, meaning vbird can run passwd;
- the owner of passwd is the root account;
- when vbird runs passwd, the process "temporarily" gets root permissions;
- /etc/shadow can therefore be modified by the passwd run by vbird.
But if vbird uses cat to read /etc/shadow, can he read it? Because cat does not have SUID permission, vbird cannot read /etc/shadow when running "cat /etc/shadow". We illustrate this with the following figure:
Figure 4.4.1, SUID program run process
In addition, SUID can only be used on binary programs, not on shell scripts! This is because a shell script merely calls a lot of binary executables to do its work, so the effect of SUID depends on the configuration of the programs the shell script calls, not on the script itself. Of course, SUID is also ineffective on directories; pay special attention to this.
Set GID
When the s flag in the owner's x position is SUID, the s in the group's x position is called Set GID, SGID! That's right! ^_^ For example, you can use the command below to observe a file with SGID permission:
[root@www ~]# ls -l /usr/bin/locate
-rwx--s--x 1 root slocate 23856 Mar 2007 /usr/bin/locate
SGID is useful for binary programs, but unlike SUID, SGID can be configured on files or on directories! For a file, SGID works as follows:
- the program's runner must have x permission for the program;
- while the program runs, the runner gets the support of the program's group!
For example, the program /usr/bin/locate above can search the contents of the file /var/lib/mlocate/mlocate.db (described in detail in the next section); mlocate.db has the following permissions:
[root@www ~]# ll /usr/bin/locate /var/lib/mlocate/mlocate.db
-rwx--s--x 1 root slocate   23856 Mar 2007 /usr/bin/locate
-rw-r----- 1 root slocate 3175776 Sep 04:02 /var/lib/mlocate/mlocate.db
Very similar to SUID: if I use the vbird account to run locate, vbird gets the support of the slocate group and can therefore read mlocate.db! Very interesting! In addition to binary programs, SGID can in fact also be used on directories, which is also a very common use! When a directory is configured with SGID permission, it has the following features:
- a user can enter this directory if they have r and x permissions on it;
- the user's effective group in this directory becomes the group of that directory;
- purpose: if the user has w permission in this directory (can create new files), the new files the user creates get the same group as this directory.
SGID is very important for project development, because it involves group permission issues.
Sticky Bit
The Sticky Bit (Sbit) is currently effective only for directories and has no effect on files. The Sbit's role for a directory is:
- when the user has w and x permissions for the directory, that is, write permission for it;
- files or directories the user creates under that directory can only be deleted by that user and root.
In other words: when a user with group or others identity has w permission for a directory, that user can "delete/rename/move" any file or directory created by anyone in that directory. If, however, the Sbit permission is added to the directory, each user can only delete/rename/move the files or directories they created themselves, and cannot delete other people's files.
For example, the permissions of our /tmp are "drwxrwxrwt". Under such permissions anyone can add or modify files in /tmp, but only the creator of a file or directory and root can delete it. This feature is very important too! You can do a simple test like this:
- log into the system as root and enter /tmp;
- touch test, and change the permissions of test to 777;
- log in as an ordinary user and enter /tmp;
- try to delete the file test!
SUID/SGID/Sbit permission configuration
By now you know that the numeric form changes permissions with a combination of "three digits"; if you add one more digit in front of those three, that first digit represents these special permissions!
- 4 for SUID
- 2 for SGID
- 1 for Sbit
Suppose you want to change a file's permission to "-rwsr-xr-x". Because the s is in the user's permissions, this is SUID, so you put a 4 in front of the original 755: "chmod 4755 filename" does it! There are also uppercase S and T to be had! See the example below!
[root@www ~]# cd /tmp
[root@www tmp]# touch test                    <== create a test file
[root@www tmp]# chmod 4755 test; ls -l test   <== add SUID permission
-rwsr-xr-x 1 root root 0 Sep 29 03:06 test
[root@www tmp]# chmod 6755 test; ls -l test   <== add SUID/SGID permissions
-rwsr-sr-x 1 root root 0 Sep 29 03:06 test
[root@www tmp]# chmod 1755 test; ls -l test   <== add Sbit!
-rwxr-xr-t 1 root root 0 Sep 29 03:06 test
[root@www tmp]# chmod 7666 test; ls -l test   <== "empty" SUID/SGID permissions
-rwSrwSrwT 1 root root 0 Sep 29 03:06 test
Be very careful with the last example! How did uppercase S and T appear? Shouldn't they all be lowercase? Because s and t replace the x permission, and did you notice that we issued 7666? That is, the user, the group and others have no x execute flag (because of the 666), so these S and T are "empty"! Why? SUID means "while this file runs it has the permissions of the file's owner", but if the owner cannot even run the file, what permissions are there to give to others? Of course they are empty! ^_^
Besides the numeric method, you can also use the symbolic method! SUID is u+s, SGID is g+s, and Sbit is o+t! Take a look at the following example:
# Configure the permissions to look like -rws--x--x:
[root@www tmp]# chmod u=rwxs,go=x test; ls -l test
-rws--x--x 1 root root 0 Aug 18 23:47 test
# Following on from above, add SGID and Sbit to the file's permissions!
[root@www tmp]# chmod g+s,o+t test; ls -l test
-rws--s--t 1 root root 0 Aug 18 23:47 test
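To tie the numeric and symbolic forms together, here is an added Python example (not code from the page or its author). It converts a four-digit chmod value into the ls -l mode string, including the uppercase S/T "empty" case from the 7666 example, reads a mode string back to report which special bits are set, and walks a directory to list every entry carrying SUID, SGID or Sbit, the same audit a sysadmin does with find -perm /7000. The scratch names in demo_scan() are constructed for the example; setting these bits on your own files needs no root.

```python
import os
import stat
import tempfile

# ls -l column positions of the three special flags (see the text: s in the
# owner's x column is SUID, s in the group's x column is SGID, t in the
# others' x column is Sbit).
SPECIAL_COLUMNS = (("SUID", 3), ("SGID", 6), ("Sbit", 9))
SPECIAL_MASK = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def octal_to_symbolic(octal, is_dir=False):
    """Turn a chmod value such as "4755" into the ls -l string ("-rwsr-xr-x").
    stat.filemode() already applies the uppercase S/T rule when the matching
    x bit is absent, which is how "7666" comes out as -rwSrwSrwT."""
    ftype = stat.S_IFDIR if is_dir else stat.S_IFREG
    return stat.filemode(ftype | int(octal, 8))


def special_bits(mode_str):
    """Read a 10-character ls -l mode string and report, per special flag,
    "set" (lowercase s/t, x present), "empty" (uppercase S/T, x absent) or None."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string, got %r" % mode_str)
    report = {}
    for name, col in SPECIAL_COLUMNS:
        c = mode_str[col]
        if c in "st":
            report[name] = "set"
        elif c in "ST":
            report[name] = "empty"
        elif c in "x-":
            report[name] = None
        else:
            raise ValueError("unexpected character %r in column %d" % (c, col))
    return report


def scan_special(root):
    """Walk root and return (relative path, symbolic mode) for every entry with
    SUID, SGID or the sticky bit set.  Uses lstat so symlinks are not followed."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_mode & SPECIAL_MASK:
                found.append((os.path.relpath(path, root), stat.filemode(st.st_mode)))
    return sorted(found)


def demo_scan():
    """Recreate two of the page's chmod examples in a scratch directory
    (constructed names) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        suid_file = os.path.join(tmp, "suid_test")
        os.close(os.open(suid_file, os.O_CREAT | os.O_WRONLY, 0o644))
        os.chmod(suid_file, 0o4755)              # chmod 4755, as in the text
        shared = os.path.join(tmp, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)                 # like /tmp: drwxrwxrwt
        plain = os.path.join(tmp, "plain")
        os.close(os.open(plain, os.O_CREAT | os.O_WRONLY, 0o644))
        return scan_special(tmp)


if __name__ == "__main__":
    for value in ("4755", "6755", "1755", "7666"):
        sym = octal_to_symbolic(value)
        print(value, sym, special_bits(sym))
    for path, sym in demo_scan():
        print("special bits:", sym, path)
```

The four octal values print the same mode strings as the ls -l listing above, with special_bits() reporting all three flags as "empty" for 7666; the scan step is the part worth keeping, run over / on a real host to review which binaries actually carry SUID or SGID.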
Observing file type: file
If you want to know the basic nature of a file, such as whether it is ASCII text or a data file or a binary, and whether it uses dynamic libraries (shared libraries) and so on, you can use the file command to check! For example:
[root@www ~]# file ~/.bashrc
/root/.bashrc: ASCII text   <== tells us it is an ASCII plain text file!
[root@www ~]# file /usr/bin/passwd
/usr/bin/passwd: setuid ELF 32-bit LSB executable, Intel 80386, version 1
(SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), for
GNU/Linux 2.6.9, stripped
# There is a lot of information for an executable! It includes the SUID permission of this file, compatibility
# with the Intel 386 hardware platform, dynamic library linking for Linux kernel 2.6.9, and so on.
[root@www ~]# file /var/lib/mlocate/mlocate.db
/var/lib/mlocate/mlocate.db: data   <== this is a data file!
Through this command we can make a simple first determination of a file's format!
Linux Learning CentOS (8): default permissions and hidden permissions for files and directories (repost)