View and read permissions
Viewing permissions
ls -l file     #View file permissions
ls -ld dir     #View the directory's own permissions (without -d, ls -l lists the directory's contents instead)
Reading permissions
The attributes of a file are called metadata; ls -l prints them one field at a time
The first character of the first field records the file type, the next nine characters are the permission bits
- |rw-r--r--| . | 1 |root| root | 0 | Jul 22 10:44 | file
d |rwxr-xr-x| . | 2 |root| root | 6 | Jul 22 10:44 | dir
[1]    [2]    [3] [4] [5]  [6]  [7]      [8]        [9]
[1] # file type
- ordinary file
d directory
l symbolic (soft) link
b block device
c character device
s socket
p named pipe (FIFO)
[2] # permission bits
rw-|r--|r--  user|group|other (three bits each for the owner, the owning group and everyone else)
[3] # "." means the file carries an SELinux security context (SELinux is enabled on this system); a "+" in this position means the file has an acl list (see below)
[4] # link count
- File: the number of hard links, i.e. how many directory entries (names) refer to this file's content
- Directory: the number of subdirectories plus 2 (the directory's own "." entry and its entry in the parent), which is why an empty directory shows 2
[5] # file owner
[6] # file owning group
[7] # size
- File: size of the file content in bytes
- Directory: size of the directory's own entry table (the metadata of the entries it holds), not the total size of what is inside it
[8] # last modification time of the file content (mtime)
[9] # file name
Types and functions of common permissions
User identity relative to a file
u: #user, the file owner; column [5] of the ls -l output above
g: #group, the file's owning group; column [6] of the ls -l output above
o: #other, every user who is neither the owner nor a member of the owning group
Permission bits and their meaning
rw-r--r--
- # permission not granted
r # readable
- File: the contents of the file can be read
- Directory: the names in the directory can be listed with ls (without x on the directory, nothing more than the names)
w # writable
- File: the contents of the file can be changed
- Directory: entries can be created, deleted or renamed in the directory (deleting a file needs w on its directory, not on the file itself)
x # executable
- File: the program or script recorded in the file can be run by name
- Directory: the directory can be entered (cd) and its entries accessed by name
Setting ordinary permissions
chmod is used to set file permissions
chmod copying permissions:
chmod --reference=/tmp /mnt/songdir       #Copy the permissions of /tmp to /mnt/songdir
chmod -R --reference=/tmp /mnt/songdir    #Copy the permissions of /tmp to /mnt/songdir and everything below it (-R means recursive)
chmod setting permissions:
##Character (symbolic) mode: chmod <a|u|g|o><+|-|=><r|w|x> file    #a means all three classes; + adds, - removes, = sets exactly the listed bits
chmod u-rw /mnt/file1
chmod u-rw,g+x,o+wx /mnt/file2
chmod a-rw /mnt/file3
chmod -R u=rwx,g=rx,o=--- /mnt/songdir/
Binary representation of permissions
rwx = 111
--- = 000
Each triad is read as a three-bit number and written as one octal digit:
rwx = 111 = 7
rw- = 110 = 6
r-x = 101 = 5
r-- = 100 = 4 = r
-wx = 011 = 3
-w- = 010 = 2 = w
--x = 001 = 1 = x
--- = 000 = 0
##Numeric (octal) mode: chmod 644 /mnt/songdir1    #rw-r--r--, one digit each for u, g and o
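The table above maps each triad to one octal digit. As an added example (not part of the original notes), here are shell functions that do the conversion in both directions for a whole mode string, including the special bits s/S and t/T that ls shows in the execute slots and that are covered further down. They need only POSIX sh, cut and tr; the sample strings in the loop at the end are constructed.

```shell
#!/bin/sh
# Added example: convert between ls -l style permission strings and chmod
# octal modes. Handles the rwx bits and the special bits (s/S = setuid or
# setgid, t/T = sticky; upper case means the bit is set without execute).

# sym_to_octal -rw-r--r--  -> 0644   (a leading file-type character is ignored)
sym_to_octal() {
    s=$1; special=0; out=""
    [ ${#s} -eq 10 ] && s=${s#?}        # drop the type column of ls -l output
    [ ${#s} -eq 9 ] || { echo "bad mode string: $1" >&2; return 1; }
    for i in 0 3 6; do
        triad=$(printf '%s' "$s" | cut -c$((i + 1))-$((i + 3)))
        v=0
        case $triad in r??) v=$((v + 4));; esac
        case $triad in ?w?) v=$((v + 2));; esac
        case $triad in ??[xst]) v=$((v + 1));; esac   # lower-case s/t imply x
        case "$i$triad" in
            0??[sS]) special=$((special + 4));;     # setuid lives in the user triad
            3??[sS]) special=$((special + 2));;     # setgid in the group triad
            6??[tT]) special=$((special + 1));;     # sticky in the other triad
        esac
        out="$out$v"
    done
    echo "$special$out"
}

# digit_to_rwx 5 -> r-x
digit_to_rwx() {
    case $1 in
        0) echo '---';; 1) echo '--x';; 2) echo '-w-';; 3) echo '-wx';;
        4) echo 'r--';; 5) echo 'r-x';; 6) echo 'rw-';; 7) echo 'rwx';;
        *) echo "bad digit: $1" >&2; return 1;;
    esac
}

# mark_special r-x s -> r-s ; mark_special r-- s -> r-S (bit set, no execute)
mark_special() {
    case $1 in
        *x) printf '%s%s\n' "${1%?}" "$2";;
        *)  printf '%s%s\n' "${1%?}" "$(printf '%s' "$2" | tr st ST)";;
    esac
}

# octal_to_sym 4755 -> rwsr-xr-x   (3- or 4-digit modes accepted)
octal_to_sym() {
    n=$1; sp=0
    [ ${#n} -eq 4 ] && { sp=${n%???}; n=${n#?}; }
    u=$(digit_to_rwx "${n%??}") || return 1
    g=$(digit_to_rwx "$(printf '%s' "$n" | cut -c2)") || return 1
    o=$(digit_to_rwx "${n#??}") || return 1
    [ $((sp & 4)) -ne 0 ] && u=$(mark_special "$u" s)
    [ $((sp & 2)) -ne 0 ] && g=$(mark_special "$g" s)
    [ $((sp & 1)) -ne 0 ] && o=$(mark_special "$o" t)
    echo "$u$g$o"
}

# Constructed sample inputs
for m in -rw-r--r-- drwxrwxrwt -rwsr-xr-x; do
    printf '%s -> %s\n' "$m" "$(sym_to_octal "$m")"
done
for n in 644 4755 2751; do
    printf '%s -> %s\n' "$n" "$(octal_to_sym "$n")"
done
```

The four-digit result is exactly what chmod accepts, so the output of sym_to_octal on one file can be fed straight into chmod on another.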
System default permissions
A system exists to share resources
From a security standpoint, the fewer resources a system shares (the fewer permissions it opens), the more secure it is
A system must be both secure and useful, so by default it opens the permissions that should be open and withholds the ones that are unsafe to grant
Withheld permissions
umask is the system's record of the permissions it withholds from newly created files and directories
umask    #Show the current umask value
File default permissions      = 666 & ~umask  (usually written 777 - umask - 111: new files never get execute bits)
Directory default permissions = 777 & ~umask  (usually written 777 - umask)
The mask is applied bit by bit, so the subtraction form is only a shortcut: it is exact for the usual values (022, 027, 077) but gives the wrong answer when a umask bit is not set in the base, e.g. umask 011 leaves a new file at 666, not 655
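An added example, not from the original notes, that computes the default mode with the bitwise rule the kernel uses and with the subtraction shortcut, then creates a file and a directory under a temporary umask to compare against the real system. The stat -c call assumes GNU coreutils on Linux; the scratch paths come from mktemp.

```shell
#!/bin/sh
# Added example: default mode for a given umask, bitwise versus subtraction,
# checked against what the running system actually creates.

# default_mode <umask> file|dir  -> 4-digit octal mode of a newly created object
default_mode() {
    case $2 in
        file) base=0666;;   # creat(2) is called with 0666: files never get x by default
        dir)  base=0777;;   # mkdir(2) is called with 0777
        *) echo "usage: default_mode <umask> file|dir" >&2; return 1;;
    esac
    printf '%04o\n' $(( base & ~0$1 ))      # the leading 0 makes the shell read it as octal
}

# default_mode_by_subtraction <umask> file|dir  -> the shortcut "777 - umask (- 111)"
default_mode_by_subtraction() {
    case $2 in
        file) printf '%04o\n' $(( 0777 - 0$1 - 0111 ));;
        dir)  printf '%04o\n' $(( 0777 - 0$1 ));;
        *) return 1;;
    esac
}

# observed_modes <umask> -> "<file mode> <dir mode>" as really created in a
# scratch directory (mktemp itself always uses 0700/0600, so touch and mkdir
# are used for the objects being measured)
observed_modes() {
    d=$(mktemp -d) || return 1
    (   umask "$1"              # subshell: the umask change does not leak out
        : > "$d/f" && mkdir "$d/sub"
    ) || { rm -rf "$d"; return 1; }
    printf '%s %s\n' "$(stat -c '%a' "$d/f")" "$(stat -c '%a' "$d/sub")"
    rm -rf "$d"
}

# Typical values agree; 011 shows where the shortcut breaks: x was never
# granted to a file, so masking it away changes nothing, while subtraction
# borrows from the r/w bits and reports 0655.
for m in 022 027 077 011; do
    printf 'umask %s: file %s dir %s (shortcut says file %s)\n' "$m" \
        "$(default_mode "$m" file)" "$(default_mode "$m" dir)" \
        "$(default_mode_by_subtraction "$m" file)"
done
printf 'observed with umask 027: %s\n' "$(observed_modes 027)"
```

observed_modes assumes the scratch directory has no default acl entries, which is the normal state of /tmp; a default acl on the parent would override the umask for the group bits.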
umask temporary change
umask 077    #Withheld permissions changed to 077 for the current shell only
umask permanent change
A permanent change requires editing the system files /etc/bashrc and /etc/profile
vim /etc/bashrc
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002    #umask for ordinary users: UID above 199 whose primary group has the same name as the user (a private group)
else
    umask 022    #umask for root, system accounts (UID 199 and below) and users whose primary group is a shared group
fi
vim /etc/profile
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002    #same rule as in /etc/bashrc
else
    umask 022
fi
After the change, the running shell must re-read the configuration files (new login shells pick them up automatically):
source /etc/bashrc    #source runs the file in the current shell so the change takes effect immediately
source /etc/profile
User and group management of files
chown username file              #Change the file owner
chgrp groupname file             #Change the group the file belongs to (chown :groupname file does the same)
chown username:groupname file    #Change owner and group at once (the : can be replaced by .)
chown -R username:groupname dir  #Change the owner and group of the directory itself and everything inside it
chgrp -R groupname dir           #Same for the group only
Special permission bits
sticky bit
The sticky bit works on directories. When it is set, a file in the directory can be deleted or renamed only by the file's owner (the directory's owner and root can still do it); this is what keeps users from removing each other's files in a world-writable directory such as /tmp
##Set the sticky bit
chmod 1<original permissions> dir    #e.g. chmod 1777 dir
chmod o+t dir
sgid (set-group-ID bit)
On a directory, sgid makes every file or subdirectory created inside it belong to the directory's group instead of the creator's primary group, which is how a shared project directory stays with one group
##Set sgid
chmod 2<original permissions> dir    #e.g. chmod 2770 dir
chmod g+s dir
Note: once sgid is set, the directory's group takes precedence over the creator's primary group for new files; files that already exist keep the group they had
suid (set-user-ID bit)
suid works on binary executables. When it is set, the program runs with the file owner's identity no matter who executes it (the kernel ignores the bit on scripts). A suid binary owned by root is the classic privilege-escalation target, so keep the set small and audit it
##Set suid
chmod 4<original permissions> file    #e.g. chmod 4755 file
chmod u+s file
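As an added example (not part of the original notes), a script that sets the sticky and setgid bits on a scratch directory made with mktemp, reads them back with stat and find, and counts setuid files under a tree, which is the audit step the suid note above calls for. It assumes Linux with GNU coreutils and findutils; the file name tool is an arbitrary placeholder.

```shell
#!/bin/sh
# Added example: set and verify the special bits, then audit for setuid files.

# make_shared_dir <dir>: mode 3770 = sticky + setgid + rwxrwx---.
# New files inherit the directory's group, and a file can be deleted only by
# its owner (the directory owner and root excepted).
make_shared_dir() {
    chmod 3770 "$1"
}

# octal_mode <path> -> e.g. 3770 (special bits first, as chmod takes them)
octal_mode() {
    stat -c '%a' "$1"
}

# Predicates built on find's -perm -MODE ("all of these bits are set").
has_setuid() { [ -n "$(find "$1" -maxdepth 0 -perm -4000 -print)" ]; }
has_setgid() { [ -n "$(find "$1" -maxdepth 0 -perm -2000 -print)" ]; }
has_sticky() { [ -n "$(find "$1" -maxdepth 0 -perm -1000 -print)" ]; }

# count_setuid <dir>: number of regular files under <dir> carrying setuid.
# Run against / on a real system this is the audit list: a setuid-root
# binary runs as root for whoever can execute it, so each one should be
# known and justified (-xdev keeps the walk on one filesystem).
count_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

demo() {
    d=$(mktemp -d) || return 1
    make_shared_dir "$d"
    echo "shared dir mode: $(octal_mode "$d")"          # 3770
    : > "$d/tool" && chmod 4711 "$d/tool"                # a setuid file owned by us, not root
    echo "setuid files under $d: $(count_setuid "$d")"   # 1
    rm -rf "$d"
}

demo
```

The setgid bit is silently dropped by chmod if you are not a member of the directory's group and not root, so a missing s after chmod g+s usually means a group mismatch rather than a typo.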
acl (Access Control List)
acl function: give specific users or groups their own permissions on a specific file, beyond the single owner/group/other triple
acl list indicator
-rw-rw----  1 root root 0 Jul 18 09:03 file1
          ^ no "+": the file has no acl list
-rw-rw----+ 1 root root 0 Jul 18 09:03 file1
          ^ "+": the file has an acl list
Reading an acl list
Once a file has an acl list, ls -l no longer shows its real permissions (the group column displays the mask rather than the owning group's rights), so use getfacl
getfacl file1
# file: file1      #File name
# owner: root      #File owner
# group: root      #File owning group
user::rw-          #Owner permissions
user:westos:rw-    #Permissions of a specifically named user
group::r--         #Owning group permissions
group:song:---     #Permissions of a specifically named group
mask::rw-          #Upper bound on the permissions named users, named groups and the owning group effectively get
other::r--         #Permissions of others
Controlling the acl list
setfacl -m u:lee:rw file1       #Add or change the entry for user lee
setfacl -m g:westos:rw file1    #Add or change the entry for group westos
setfacl -m u::rwx file1         #Change the owner's permissions
setfacl -m g::0 file1           #Change the owning group's permissions (0 means ---)
setfacl -x u:lee file1          #Delete the entry for user lee from the list
setfacl -b file1                #Remove the whole acl list
acl permission priority
Owner > specifically named user > groups (owning or named) that grant the permission > groups that do not > other
The first class that matches the caller decides, except that among groups it is enough for any one matching group to grant the permission
mask control in acl
The mask is the maximum permission a specifically named user, a named group or the owning group can effectively have: their entries are ANDed with it, while the owner and other are not affected
setfacl -m recomputes the mask automatically when entries are added; after an acl list is set, using chmod to narrow the group permissions changes the mask, not the owning group's entry
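The mask rule above is easy to get wrong, so here is an added example (not from the original notes) that applies it: a small awk parser over getfacl-style text that prints the effective permission of a principal after the mask. The acl text is constructed for the example, not captured from a system, and the names westos and song are placeholders; pass real getfacl output as the second argument to use it on a live file.

```shell
#!/bin/sh
# Added example: effective permissions after the acl mask, computed from
# getfacl-style text. SAMPLE_ACL is constructed, not real system output.

SAMPLE_ACL='# file: file1
# owner: root
# group: root
user::rw-
user:westos:rwx
group::r--
group:song:rw-
mask::r--
other::r--'

# effective_perms <who> [acl-text]
#   <who> is "user:" for the owner, "user:NAME" for a named user, "group:"
#   for the owning group, "group:NAME" for a named group, "other:" for others.
#   Named users, named groups and the owning group are ANDed with the mask;
#   the owner and other are never masked. Defaults to SAMPLE_ACL.
effective_perms() {
    printf '%s\n' "${2:-$SAMPLE_ACL}" | awk -v who="$1" -F: '
        /^#/ || NF < 3 { next }                  # skip the header comments
        $1 == "mask"   { mask = $3 }
        ($1 ":" $2) == who { type = $1; name = $2; perm = $3 }
        END {
            if (perm == "") { print "no entry for " who > "/dev/stderr"; exit 1 }
            masked = (type == "group") || (type == "user" && name != "")
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(perm, i, 1)
                if (masked && mask != "" && substr(mask, i, 1) == "-") c = "-"
                out = out c
            }
            print out
        }'
}

# westos was granted rwx and song rw-, but with mask r-- both end up with
# read only; getfacl shows the same thing as a trailing "#effective:r--"
for who in user: user:westos group: group:song other:; do
    printf '%-12s %s\n' "$who" "$(effective_perms "$who")"
done
```

This is also why chmod g-w on a file with an acl list appears to take write away from every named user at once: it lowered the mask, and every masked entry shrank with it.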
Default acl entries
setfacl -m u:aha:rwx /mnt/songdir       #Takes effect on the /mnt/songdir directory itself only
setfacl -Rm u:aha:rwx /mnt/songdir      #Takes effect on /mnt/songdir and on the content that already exists inside it
The two commands above only affect existing files; files created later do not get the entry
setfacl -m d:u:lee:rwx /mnt/songdir/    #Default entry: files and subdirectories created inside /mnt/songdir/ from now on inherit it (existing content is untouched)
attr permissions
attr permissions (file attributes set with chattr) restrict every user, root included, until the attribute is removed; setting or clearing them requires root
lsattr dir|file          #View attr permissions
chattr +i|-i dir|file    #i: immutable, the file cannot be modified, deleted, renamed or linked to
chattr +a|-a dir|file    #a: append-only, data can only be added to the file (e.g. log files); truncating or deleting is refused