Special permissions for Linux files

Source: Internet
Author: User
Tags: file permissions

Special Permissions for Files: SUID, SGID, sticky, FACL

SUID (full name: Set user ID upon execution)

1. Function

Theoretical understanding: when a user runs a program that has the SUID bit set, the resulting process runs as the owner of the program file, not as the user who started it.

Simple understanding: an ordinary user who runs such a program can access resources that the user would otherwise have no permission to access.

2. Syntax

Format: chmod u+s | u-s FILE ...

Note: after chmod u+s, if the owner has execute permission (x) the bit is shown as a lowercase s; if the owner has no x it is shown as an uppercase S.

SGID (set group ID upon execution)

1. Function: when a directory has the SGID bit set and its group has write permission on it, every user in that group can create files and directories inside it, and any new file or directory created there belongs to the directory's group rather than to the creating user's primary group.

2. Syntax

Format: chmod g+s | g-s FILE ...

Note: after chmod g+s, if the group has execute permission (x) the bit is shown as a lowercase s; if the group has no x it is shown as an uppercase S.

STICKY

1. Function

Theoretical understanding: in a directory that is writable by a group or by everyone, every member of that group (or every user on the system) can create new files and can also delete any existing file in the directory. If the sticky bit is set on such a directory, each user can still create new files but may delete only their own files. (This is how the sticky bit manages permissions on the files in the directory.)

Flexible understanding: after the sticky bit is set on a file, only the owner may delete or move it, even though other users have write permission.
After the sticky bit is set on a directory, the files stored in that directory may be deleted, moved, and so on only by their owner.

2. Syntax

Format: chmod o+t | o-t FILE ...

If other users have execute permission (x) the bit is displayed as a lowercase t; otherwise it is displayed as an uppercase T.
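The following is an added example, not code from the original post: it applies the u+s, g+s and o+t syntax from the three sections above to throwaway files and reads back how ls renders each bit (lowercase with the matching execute bit, uppercase without), and adds the find check an administrator would run to list SUID files under a directory. It assumes GNU or busybox coreutils and works only inside a temporary directory.

```shell
# Added example, not from the original post. Applies the u+s / g+s / o+t
# syntax above to throwaway files and reads back how ls renders each bit
# (s/S, t/T), then lists SUID files under a directory. Nothing outside a
# temporary directory is touched.

# Symbolic mode as printed by ls -ld, e.g. -rwsr-xr-x. The trailing '+'
# (ACL present) or '.' (SELinux label) that GNU ls may append is stripped.
mode_of() {
    ls -ld "$1" | cut -d' ' -f1 | sed 's/[+.@]$//'
}

# mode_after file|dir BASE SYMBOLIC: create a fresh file or directory, set the
# numeric BASE mode, apply the symbolic special-bit change (u+s, g+s, o+t or
# the matching u-s ...) and return the resulting ls mode string.
mode_after() {
    work=$(mktemp -d)
    if [ "$1" = dir ]; then target="$work/d"; mkdir "$target"
    else target="$work/f"; : > "$target"; fi
    chmod "$2" "$target"
    chmod "$3" "$target"
    mode_of "$target"
    rm -rf "$work"
}

# Defender's check: regular files under DIR that carry the SUID bit.
# -perm -4000 matches whenever the 4000 bit is set, whatever the other bits.
list_suid() {
    find "$1" -type f -perm -4000 | sort
}

# Walk through the cases the text describes: lowercase when the matching
# execute bit is present, uppercase when it is not.
for spec in "file 755 u+s" "file 644 u+s" "file 755 g+s" "dir 755 g+s" \
            "dir 777 o+t" "dir 776 o+t"; do
    set -- $spec
    printf '%-4s %s %-4s -> %s\n' "$1" "$2" "$3" "$(mode_after "$1" "$2" "$3")"
done
```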

FACL: an additional permission mechanism for files

1. Function

Theoretical understanding: in addition to the original u, g and o classes, a further layer that lets an ordinary user grant permissions on a file to another user or group.

Flexible understanding: FACL stands for Filesystem Access Control List. Linux (and other POSIX-compatible Unix-like systems) provide a permission-control method known as an access control list (ACL), a generalization of the usual permission assignment. By default you only have to deal with three sets of permissions: owner, group and other. With ACLs, additional access-control entries are stored in the file's extended attributes, so you can grant permissions to other users or groups, not just to "other" or to a group the owner belongs to. For example, users A, B and C can each be given write permission instead of giving write permission to their entire group. (In short: specify which users or groups may access a file.)

2. Syntax

Options: -m: grant (modify) permissions

-x: revoke permissions

Grant permissions to a user: setfacl -m u:username:mode FILE ...

Grant permissions to a group: setfacl -m g:groupname:mode FILE ...

Revoke permissions from a user: setfacl -x u:username FILE ...

Revoke permissions from a group: setfacl -x g:groupname FILE ...

3. Example

(1) Set permissions for a user

~]$ setfacl -m u:username:rw- test.txt    (for a regular file)

~]$ setfacl -m d:u:username:rw- test/     (default entry for a directory, inherited by new files created in it)

(2) Set permissions for a group

~]$ setfacl -m g:group:r-- test.txt

~]$ setfacl -m d:g:group:r-- test/

(3) View permissions

~]$ getfacl filename    (or a directory name; prints the full ACL)
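An added example (not from the original post) that wraps the setfacl and getfacl commands of this section in small functions and checks the one behaviour the text only hints at: a default (d:) entry on a directory is inherited by a file created inside it. It assumes the acl package is installed and the filesystem supports ACLs; the user name "nobody" is a stand-in for any existing account.

```shell
# Added example, not from the original post. Wraps the setfacl/getfacl
# commands of this section in small functions and checks that a default
# (d:) entry on a directory is inherited by a file created inside it.
# Assumes the acl package is installed and the filesystem supports ACLs;
# "nobody" stands in for any existing account name.

# Named-user entry for USER on PATH, e.g. "user:nobody:rw-", or empty when
# there is none. getfacl appends "#effective:..." when the mask narrows an
# entry; that comment is cut off so only the entry itself is returned.
acl_entry_for_user() {
    getfacl --omit-header "$2" 2>/dev/null | grep "^user:$1:" | cut -d'#' -f1 | tr -d '[:space:]'
}

# setfacl -m u:username:mode FILE  -- grant rw- to one user
grant_user_rw() { setfacl -m "u:$1:rw-" "$2"; }

# setfacl -m d:u:username:mode DIR  -- default entry, copied to new files in DIR
grant_default_user_rw() { setfacl -m "d:u:$1:rw-" "$2"; }

# setfacl -x u:username FILE  -- revoke the named-user entry
revoke_user() { setfacl -x "u:$1" "$2"; }

# True when ls marks the path with a trailing '+', i.e. an ACL beyond the
# classic u/g/o bits is present. Handy when auditing a directory tree.
has_acl() { ls -ld "$1" | cut -d' ' -f1 | grep -q '+$'; }

# Walk-through in a throwaway directory (skipped if the tools are missing).
if command -v setfacl >/dev/null 2>&1 && id nobody >/dev/null 2>&1; then
    work=$(mktemp -d)
    : > "$work/test.txt"
    grant_user_rw nobody "$work/test.txt"
    echo "file entry:      $(acl_entry_for_user nobody "$work/test.txt")"
    mkdir "$work/test"
    grant_default_user_rw nobody "$work/test"
    : > "$work/test/new.txt"
    echo "inherited entry: $(acl_entry_for_user nobody "$work/test/new.txt")"
    revoke_user nobody "$work/test.txt"
    echo "after revoke:    '$(acl_entry_for_user nobody "$work/test.txt")'"
    rm -rf "$work"
fi
```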

umask

1. Actual scenario: when we log in to the system and create a file, it always gets a default permission. Where does that permission come from? That is what umask does. umask sets the default permissions for files a user creates; when a new file is created, its initial permissions are determined by this file-creation mask.

2. Reason umask exists:

To avoid user-created files getting permission 777, which would let any user freely manage and use other people's files; such permissions would be meaningless.

3. Role of umask: modify the default permissions for files newly created by a user.

4. Two points to note:

(1) New files have no execute permission by default: the system will not give a newly created text file execute permission at creation time; it must be added afterwards with the chmod command.

(2) If the result of the subtraction would have execute permission, 1 is added by default.

Default file permissions 666; actual permissions: 666 - umask

Default directory permissions 777; actual permissions: 777 - umask

e.g. for umask=023:

file: 666-023=643, which has execute permission, so 1 is added by default, giving 644.

directory: 777-023=754; execute permission is irrelevant for directories, so it stays 754.
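An added example, not from the original post, that carries the umask calculation above through in code two ways: the digit-by-digit shortcut the text uses (subtract, then add 1 if a file would be left with an execute bit) and the bitwise rule the kernel actually applies (mode & ~umask), then creates a file and a directory under that umask and reads the real mode back. It assumes a three-digit umask, GNU or busybox stat, and no default ACL on the temporary directory.

```shell
# Added example, not from the original post. Computes the default mode two
# ways: the digit-by-digit shortcut the text uses (subtract, then add 1 if
# an execute bit would remain on a file) and the bitwise rule the kernel
# applies (mode & ~umask), then creates a file and a directory under that
# umask and reads the real mode back. For umask 023 all three agree on 644
# and 754. The shortcut cannot subtract a 7 from a 6, so that digit is
# clamped at 0, which is also what the kernel yields.

# default_mode file|dir UMASK: kernel rule, three-digit octal string.
default_mode() {
    if [ "$1" = dir ]; then base=0777; else base=0666; fi
    printf '%03o\n' $(( base & ~0$2 ))
}

# page_rule file|dir UMASK: the shortcut from the text, one octal digit at a time.
page_rule() {
    if [ "$1" = dir ]; then base=777; else base=666; fi
    out=""; i=1
    while [ "$i" -le 3 ]; do
        b=$(printf '%s' "$base" | cut -c"$i")
        m=$(printf '%s' "$2" | cut -c"$i")
        d=$(( b - m ))
        if [ "$d" -lt 0 ]; then d=0; fi
        # a new file never gets x: an odd digit means x, so the text adds 1
        if [ "$1" = file ] && [ $(( d % 2 )) -eq 1 ]; then d=$(( d + 1 )); fi
        out="$out$d"; i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# observed_mode file|dir UMASK: create one under that umask in a temp dir and
# read the octal mode back (GNU/busybox stat; assumes no default ACL on TMPDIR).
observed_mode() {
    work=$(mktemp -d)
    if [ "$1" = dir ]; then ( umask "$2" && mkdir "$work/x" )
    else ( umask "$2" && : > "$work/x" ); fi
    stat -c %a "$work/x"
    rm -rf "$work"
}

for u in 022 023 077; do
    printf 'umask %s: file %s/%s/%s  dir %s/%s/%s  (shortcut/kernel/observed)\n' "$u" \
        "$(page_rule file "$u")" "$(default_mode file "$u")" "$(observed_mode file "$u")" \
        "$(page_rule dir "$u")"  "$(default_mode dir "$u")"  "$(observed_mode dir "$u")"
done
```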
