File and Directory Rights Management
Introduction to levels and permissions
Levels (ownership classes) of files and directories
- User Owner (u)
- Group Owner (g)
- Other (o)
Permissions for files and directories
- Read (r)
- Write (w)
- Execute (x)
When a file or directory is created, its permissions are based on two factors:
- Basic permissions
- umask
The basic permissions automatically assigned to a file or directory are not its final default permissions. When a file or directory is created, the basic permissions are modified by the umask; the combination of basic permissions and umask produces the default permissions of files and directories.
Basic permissions
Permission | Symbol | Numeric value |
---|---|---|
No permission | --- | 0 |
Execute | --x | 1 |
Write | -w- | 2 |
Write and execute | -wx | 3 |
Read | r-- | 4 |
Read and execute | r-x | 5 |
Read and write | rw- | 6 |
Read, write, execute | rwx | 7 |
- The basic permission of a directory is 777 (drwxrwxrwx): read, write, and execute are granted to everyone. This means that the owner, the group, and other users can list the contents of the directory and create, delete, and edit entries in it. The permissions of the files inside the directory can of course also be changed so that other users may edit them.
- The basic permission of a file is 666 (-rw-rw-rw-): read and write are granted to everyone. This means that the file owner, the group, and other users can read and edit the file.
-rwxr-xr-x. 1 root root 10271880 Oct 19 23:23 vmlinuz-4.18.0-348.el8.x86_64
- The leading character - indicates a regular file.
- rwx indicates that the file owner has read, write, and execute permissions.
- r-x indicates that the group has read and execute permissions, but no write permission on the file.
- r-x indicates that other users have read and execute permissions, but no write permission on the file.
- The trailing . indicates that the file has an SELinux security context set.
drwxr-xr-x. 3 root root 21 Dec 18 21:55 loader
- The leading character d indicates a directory.
- rwx indicates that the directory owner can read (list) the contents, write to (create and delete entries in) the directory, and access (enter) it.
- r-x indicates that the group can read (list) the contents and access (enter) the directory, but cannot write to it.
- r-x indicates that other users can read (list) the contents and access (enter) the directory, but cannot write to it.
- The trailing . indicates that the directory has an SELinux security context set.
umask
The umask automatically removes permissions from the basic permission values to improve the overall security of the Linux system. It is the variable that primarily controls how permissions are set for newly created files and directories. The umask symbols and numbers correspond as follows:
Remaining permission | Symbol | umask value |
---|---|---|
Read, write, execute | rwx | 0 |
Read and write | rw- | 1 |
Read and execute | r-x | 2 |
Read | r-- | 3 |
Write and execute | -wx | 4 |
Write | -w- | 5 |
Execute | --x | 6 |
No permission | --- | 7 |
[sunyinpeng@foundation ~]$ umask
0002
[sunyinpeng@foundation ~]$ umask -S
u=rwx,g=rwx,o=rx
[root@foundation ~]# umask
0022
[root@foundation ~]# umask -S
u=rwx,g=rx,o=rx
The default umask for standard users is 0002; the default umask for the root user is 0022.
The first digit of the umask applies to special permissions. The remaining three digits represent the permissions removed for the user owner (u), group owner (g), and other (o), respectively.
The following examples show the basic permissions and the default permissions that result once the umask has been applied.
When standard users create directories
The umask is 002 (rwxrwxr-x) and the basic permissions for a directory are 777 (rwxrwxrwx), so the default permission of a newly created directory is 775 (drwxrwxr-x). It can be understood as the basic permission value minus the umask value.
[sunyinpeng@foundation ~]$ mkdir umask_directory
[sunyinpeng@foundation ~]$ ls -l
total 0
drwxrwxr-x. 2 sunyinpeng sunyinpeng 6 Dec 20 21:27 umask_directory
drwxrwxr-x permissions: the directory owner and group can list the contents of the directory and create, delete, and edit items in it (and in its subdirectories). Other users can only list the contents of the directory and enter it.
When standard users create files
The umask is 002 (rwxrwxr-x), the basic permissions for a file are 666 (-rw-rw-rw-), and the final default permission is 664 (-rw-rw-r--).
[sunyinpeng@foundation ~]$ touch umask_file
[sunyinpeng@foundation ~]$ ls -l umask_file
-rw-rw-r--. 1 sunyinpeng sunyinpeng 0 Dec 20 21:35 umask_file
-rw-rw-r-- permissions: the file owner and group can read and edit the file, while other users can only read it.
When the root user creates a directory
The umask is 022 (rwxr-xr-x) and the basic permissions for a directory are 777 (rwxrwxrwx). The final default permission is 755 (rwxr-xr-x).
[root@foundation ~]# mkdir umask_directory
[root@foundation ~]# ls -l
total 0
drwxr-xr-x. 2 root root 6 Dec 20 21:40 umask_directory
drwxr-xr-x permissions: the directory owner can list the contents of the directory and create, delete, and edit items in it (and in its subdirectories). The group and other users can only list the contents of the directory and enter it.
When the root user creates a file
The umask is 022 (rwxr-xr-x), the basic permissions for a file are 666 (-rw-rw-rw-), and the final default permission is 644 (-rw-r--r--).
[root@foundation ~]# touch umask_file
[root@foundation ~]# ls -l umask_file
-rw-r--r--. 1 root root 0 Dec 20 21:54 umask_file
-rw-r--r-- permissions: the file owner can read and edit the file, while the group and other users can only read it.
A natural question is how to manage the umask value in order to control the default permissions of new files. This is analyzed next.
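An added example (not from the original article): a small POSIX sh script that computes the default mode as the basic permission with the umask bits cleared, which is what the kernel does, and checks the result against a file and a directory actually created under umask 027 in a scratch directory. The "minus" shortcut above happens to be right for 002 and 022, but for a umask such as 027 only the bitwise form gives the correct 640.

```shell
# default_mode BASE UMASK -> default mode as three octal digits (666 002 -> 664).
# Each class is handled on its own: the umask digit names the bits to clear.
default_mode() {
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        b=$(printf '%s' "$1" | cut -c"$i")
        m=$(printf '%s' "$2" | cut -c"$i")
        out="$out$(( b & ~m & 7 ))"
        i=$((i + 1))
    done
    echo "$out"
}

# mode_symbolic 664 -> rw-rw-r--  (the digit table from the text, per class)
mode_symbolic() {
    out=""
    i=1
    while [ "$i" -le 3 ]; do
        case "$(printf '%s' "$1" | cut -c"$i")" in
            0) out="${out}---" ;; 1) out="${out}--x" ;; 2) out="${out}-w-" ;; 3) out="${out}-wx" ;;
            4) out="${out}r--" ;; 5) out="${out}r-x" ;; 6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
        esac
        i=$((i + 1))
    done
    echo "$out"
}

# observed_mode UMASK file|dir -> the mode ls reports for an object created under
# that umask in a scratch directory (checks the arithmetic against the kernel).
observed_mode() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1"; if [ "$2" = dir ]; then mkdir "$tmp/probe"; else touch "$tmp/probe"; fi )
    ls -ld "$tmp/probe" | cut -c2-10
    rm -rf "$tmp"
}

# The four cases from the text plus umask 027, where "base minus umask" breaks:
# 666 & ~027 = 640 (rw-r-----), which is what the filesystem produces.
for pair in "777 002" "666 002" "777 022" "666 022" "666 027"; do
    set -- $pair
    printf 'base %s umask %s -> %s (%s)\n' "$1" "$2" \
        "$(default_mode "$1" "$2")" "$(mode_symbolic "$(default_mode "$1" "$2")")"
done
printf 'umask 027 on disk: file %s, dir %s\n' "$(observed_mode 027 file)" "$(observed_mode 027 dir)"
```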
Manage umask
Display the current numeric and symbolic values of the umask
[sunyinpeng@foundation ~]$ umask
0002
[sunyinpeng@foundation ~]$ umask -S
u=rwx,g=rwx,o=rx
[root@foundation ~]# umask
0022
[root@foundation ~]# umask -S
u=rwx,g=rx,o=rx
umask of bash
bash generally has two states: login and non-login.
You can use echo $0 to check which one you are in: bash indicates a non-login shell and -bash indicates a login shell.
[root@foundation ~]# echo $0
bash
The default umask for non-login shells is set in the /etc/bashrc file, and the default umask for login shells is set in /etc/profile.
[root@foundation ~]# grep umask /etc/bashrc
# By default, we want umask to get set. This sets it for non-login shell.
umask 002
umask 022
[root@foundation ~]# grep umask /etc/profile
# By default, we want umask to get set. This sets it for login shell
umask 002
umask 022
umask for a specific user
The umask for a particular user is configured in the .bashrc file in that user's home directory.
[root@foundation ~]# find / -name .bashrc
/etc/skel/.bashrc
/root/.bashrc
/home/sunyinpeng/.bashrc
umask for new home directory creation
The umask applied when a new user's home directory is created is taken from the /etc/login.defs file.
[root@foundation ~]# grep UMASK /etc/login.defs
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
UMASK 022
# If HOME_MODE is not set, the value of UMASK is used to create the mode.
Access Control List
On Linux, each directory or file has exactly one user owner and one group owner at a time, for example:
[root@foundation ~]# ll
total 0
drwxr-xr-x. 2 root root 6 Dec 20 21:40 umask_directory
-rw-r--r--. 1 sunyinpeng sunyinpeng 0 Dec 20 21:54 umask_file
In this situation, to grant specific users access to particular files or directories that belong to a different user or group, while keeping the other files and directories private, you can use ACLs (access control lists).
For example, on the following file the user jerry and the group lisa are granted the same permissions as the file's owner and group, respectively.
[root@foundation ~]# getfacl umask_file
# file: umask_file
# owner: sunyinpeng
# group: sunyinpeng
user::rw-
group::r--
other::r--
[root@foundation ~]# setfacl -m u:jerry:rw- umask_file
[root@foundation ~]# setfacl -m g:lisa:r-- umask_file
[root@foundation ~]# getfacl umask_file
# file: umask_file
# owner: sunyinpeng
# group: sunyinpeng
user::rw-
user:jerry:rw-
group::r--
group:lisa:r--
mask::rw-
other::r--
Example
There are two groups, stday_groups and student_groups, and ten users, student0 to student9. The users are distributed across the groups as follows:
Group | Users |
---|---|
stday_groups | student0, student1, student2, student3, student4, student5 |
student_groups | student6, student7, student8, student9 |
The /opt/material directory needs to be created in the environment and managed by the privileged user root; two files, confidential and topsecret, need to be created in it.
The confidential file belongs to the group stday_groups, and the user student0 within that group has full management of it. Other users within the group can do nothing except read the file. Users outside the group have no rights to the file at all.
The topsecret file belongs to the group student_groups, and the user student6 within that group has full management of it; no other user within the group can do anything except execute it. In addition, student0 and student1 from the stday_groups group have read and write permissions on the file, but no other users have any permissions on it.
[root@foundation ~]# mkdir /opt/meterial
[root@foundation ~]# ls -ld /opt/meterial/
drwxr-xr-x. 2 root root 6 Dec 26 23:20 /opt/meterial/
[root@foundation ~]# touch /opt/meterial/confidential
[root@foundation ~]# touch /opt/meterial/topsecret
[root@foundation ~]# ls -l /opt/meterial/
total 0
-rw-r--r--. 1 root root 0 Dec 26 23:24 confidential
-rw-r--r--. 1 root root 0 Dec 26 23:24 topsecret
[root@foundation ~]# chown student0:stday_groups /opt/meterial/confidential
[root@foundation ~]# chmod u=rwx,g=r,o=- /opt/meterial/confidential
[root@foundation ~]# ls -ld /opt/meterial/confidential
-rwxr-----. 1 student0 stday_groups 0 Dec 26 23:24 /opt/meterial/confidential
[root@foundation ~]# chown student6:student_groups /opt/meterial/topsecret
[root@foundation ~]# chmod u=rwx,g=x,o=- /opt/meterial/topsecret
-rwx--x----. 1 student6 student_groups 0 Dec 26 23:24 /opt/meterial/topsecret
[root@foundation ~]# setfacl -m u:student0:rw /opt/meterial/topsecret
[root@foundation ~]# setfacl -m u:student1:rw /opt/meterial/topsecret
[root@foundation ~]# getfacl /opt/meterial/topsecret
getfacl: Removing leading '/' from absolute path names
# file: opt/meterial/topsecret
# owner: student6
# group: student_groups
user::rwx
user:student0:rw-
user:student1:rw-
group::--x
mask::rwx
other::---
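An added example (not the article's own session): a POSIX sh script that reads getfacl-style output and computes each entry's effective permission the way the kernel does, by ANDing the named-user, named-group and owning-group entries with the mask entry. The sample ACL is constructed from the topsecret output above; the "chmod g=r" variant is a constructed follow-on showing that chmod rewrites the mask, not the named entries, so the rights granted to student0 and student1 are silently capped.

```shell
perm_bits() {                          # "rw-" -> 6
    b=0
    case "$1" in r??) b=$((b | 4)) ;; esac
    case "$1" in ?w?) b=$((b | 2)) ;; esac
    case "$1" in ??x) b=$((b | 1)) ;; esac
    echo "$b"
}
bits_perm() {                          # 6 -> "rw-"
    case "$1" in 0) printf '%s\n' ---;; 1) printf '%s\n' --x;; 2) printf '%s\n' -w-;; 3) printf '%s\n' -wx;;
                 4) printf '%s\n' r--;; 5) printf '%s\n' r-x;; 6) printf '%s\n' rw-;; 7) printf '%s\n' rwx;; esac
}

# acl_effective: read getfacl-style text on stdin and print "<entry> effective:<perm>"
# for every entry the mask caps: named users, named groups and the owning group.
acl_effective() {
    text=$(cat)
    mask=$(printf '%s\n' "$text" | sed -n 's/^mask::\(...\)$/\1/p')
    [ -n "$mask" ] || mask=rwx            # no mask entry: nothing is capped
    m=$(perm_bits "$mask")
    printf '%s\n' "$text" | while IFS= read -r line; do
        case "$line" in
            user::*|other::*|mask::*|'#'*|'') continue ;;   # owner and other are never capped
            user:*:*|group:*:*)
                eff=$(bits_perm $(( $(perm_bits "${line##*:}") & m )))
                printf '%s effective:%s\n' "$line" "$eff" ;;
        esac
    done
}

# effective_of ACLTEXT ENTRYTAG -> effective perm of one entry; tag looks like "user:student0:"
effective_of() {
    printf '%s\n' "$1" | acl_effective | sed -n "s/^$2... effective:\(...\)$/\1/p"
}

# Constructed sample: the topsecret ACL from the session above, then the same ACL
# after a later "chmod g=r" on the file. chmod rewrites the mask entry, not the
# named entries, so student0 and student1 silently drop to read-only.
SAMPLE_ACL='# file: opt/meterial/topsecret
# owner: student6
# group: student_groups
user::rwx
user:student0:rw-
user:student1:rw-
group::--x
mask::rwx
other::---'
AFTER_CHMOD=$(printf '%s\n' "$SAMPLE_ACL" | sed 's/^mask::rwx$/mask::r--/')
printf '%s\n' "$SAMPLE_ACL" | acl_effective
printf '%s\n' "$AFTER_CHMOD" | acl_effective    # student0/1 effective:r--, group effective:---
```

getfacl prints the same information as "#effective:" annotations when the mask is restrictive, so this is also the check to run after any chmod on an ACL-protected file.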