bash shell commands (six)

Linux file permissions

User permissions are tracked by the user ID (commonly abbreviated to UID) assigned when the account is created. Users log in to the system with a login name.
A Linux system creates a number of user accounts for various functions that are not real user accounts. These are called system accounts: special accounts that the service processes running on the system use to access resources. Every service running in the background needs to log in to the Linux system under a system user account.

Adding new users

The main tool used to add new users to the Linux system is useradd.
To remove a user from the system, use the userdel command. By default, userdel only deletes the user's information from the /etc/passwd file and does not delete any files on the system that belong to the account. With the -r option, userdel also deletes the user's HOME directory and mail directory.
The octal value 664 represents a mode in which the owner and group members have read and write permissions, while other users have only read access.
The umask value is just a mask: it masks out the permissions you do not want to grant at each security level.
The umask value is subtracted from the full permission value of the object.
For a file, the full permission value is 666 (all users have read and write permissions);
for a directory, it is 777 (all users have read, write, and execute permissions).
A file starts with permissions of 666; after subtracting the umask value 022, the file's permissions become 644.
Because the default directory permissions are 777, the directory permissions produced by a umask differ from the file permissions it produces. Subtracting a umask value of 026 from 777 leaves 751 as the directory permissions.
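
The umask arithmetic above, checked against a live system (an added example, not part of the original post; mode_under_umask and predicted_mode are hypothetical helper names, and stat -c assumes GNU coreutils on Linux). It goes one step beyond the text: the kernel clears the umask bits from the full value rather than subtracting, so umask 027 on a file gives 640, not 637.

```shell
#!/bin/sh
# Added example: observe the mode a new file or directory receives under a umask.

mode_under_umask() {
    # $1 = umask in octal, $2 = "file" or "dir"
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        if [ "$2" = dir ]; then
            mkdir "$tmp/obj"        # requested with the full value 777
        else
            : > "$tmp/obj"          # requested with the full value 666
        fi
        mode=$(stat -c %a "$tmp/obj")
        rm -rf "$tmp"
        printf '%s\n' "$mode"
    )
}

predicted_mode() {
    # $1 = umask, $2 = full value (666 for files, 777 for directories)
    # The mask is applied bitwise: full AND NOT umask.
    printf '%o\n' $(( 0$2 & ~0$1 ))
}

# Constructed sample umask values: 022 and 026 come from the text, 027 is added.
for m in 022 026 027; do
    printf 'umask %s: file %s (predicted %s), dir %s (predicted %s)\n' "$m" \
        "$(mode_under_umask "$m" file)" "$(predicted_mode "$m" 666)" \
        "$(mode_under_umask "$m" dir)"  "$(predicted_mode "$m" 777)"
done
```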

The chmod command changes the security settings for files and directories.
Symbolic mode permissions
The first set of characters defines who the new permissions apply to:
u for the user
g for the group
o for others
a for all of the above
Next comes a symbol that indicates whether you want to add the permission to the existing permissions (+), remove the permission from the existing permissions (-), or set the permissions to the value that follows (=).
The third symbol represents the permission to set.
 X: grant execute permission only if the object is a directory or already has execute permission.
 s: set the UID or GID on execution.
 t: keep the file or directory.
 u: set the permissions to match the owner's.
 g: set the permissions to match the group's.
 o: set the permissions to match those of other users.

The chown command changes the owner of a file.
The chown command also supports changing a file's owner and group at the same time.
The chgrp command changes the default group of a file or directory.

/usr/sbin/groupadd shared: creates a new group named shared on the system
/usr/sbin/usermod -G shared rich: adds the user rich to the shared group
/usr/sbin/groupmod -n sharing shared: renames the shared group to sharing
groupmod can modify the GID (with the -g option) or the group name (with the -n option) of an existing group.

The way to share files on a Linux system is to create a group.
Linux also stores three additional bits of information for each file and directory.
 set user ID (SUID): when the file is executed by a user, the program runs with the permissions of the file's owner.
 set group ID (SGID): for a file, the program runs with the permissions of the file's group; for a directory, new files created in the directory use the directory's group as their default group.
 sticky bit: the file stays (sticks) in memory after the process ends.
The SGID bit is very important for file sharing. With the SGID bit enabled, you can force new files created in a shared directory to belong to the directory's group, which is the group every sharing user is a member of.
The SGID bit can be set with the chmod command. It is added in front of the standard three-digit octal value (making a four-digit octal value), or set in symbolic mode with the symbol s.
First, create the directory to share with the mkdir command.
Next, use the chgrp command to change the directory's default group to the group that contains all the users who need to share files (you must be a member of that group). Finally, set the SGID bit on the directory so that new files created in it use the directory's group as their default group.
For this environment to work properly, all group members need to set their umask so that files are writable by group members. In the previous example, the umask was changed to 002 so that files are group-writable.
Once this is done, group members can create new files in the shared directory. As expected, the new files inherit the directory's group rather than the user's default group. Now all users in the group can access the shared files.
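
The shared-directory procedure above as a script that also verifies the result (an added example, not part of the original post; setup_shared_dir and shared_dir_report are hypothetical helper names, and stat -c assumes GNU coreutils on Linux). The demo at the end uses the caller's own primary GID as a constructed stand-in for the shared group, since creating a group with groupadd needs root.

```shell
#!/bin/sh
# Added example: build an SGID shared directory and check what new files get.

setup_shared_dir() {
    # $1 = directory, $2 = group name or GID that the caller is a member of
    mkdir -p "$1" &&
    chgrp "$2" "$1" &&
    chmod 2775 "$1"     # leading 2 is the SGID bit; chmod g+s sets the same bit
}

shared_dir_report() {
    # Create a file the way a group member would (umask 002) and print:
    #   <directory mode> <new file mode> <inherited|not-inherited>
    (
        umask 002
        f="$1/.sgid-check.$$"
        : > "$f" || exit 1
        dmode=$(stat -c %a "$1")
        fmode=$(stat -c %a "$f")
        if [ "$(stat -c %g "$f")" = "$(stat -c %g "$1")" ]; then
            grp=inherited
        else
            grp=not-inherited
        fi
        rm -f "$f"
        printf '%s %s %s\n' "$dmode" "$fmode" "$grp"
    )
}

# Demo in a throwaway directory (constructed input, see the note above).
demo=$(mktemp -d) &&
    setup_shared_dir "$demo/share" "$(id -g)" &&
    shared_dir_report "$demo/share"
rm -rf "$demo"
```

A report other than "2775 664 inherited" points at a missing SGID bit on the directory or a umask that strips group write.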

Summary

This chapter discusses some of the command-line commands for managing security on a Linux system. Linux restricts access to files, directories, and devices through user IDs and group IDs.
The useradd command creates a new user account, and the groupadd command creates a new group account. To modify an existing user account, use the usermod command. Similarly, the groupmod command changes group account information.
Each file has three security levels: the file's owner, the default group that can access the file, and the other users on the system.
The access rights at each security level are defined by three bits: read, write, and execute, corresponding to the symbols rwx. If a permission is denied, its symbol is replaced with a dash (for example, r-- represents read-only permission).
The chmod command changes the security settings for files and directories. Only the owner of a file or directory can change its permissions.
The root user, however, can change the security settings of any file or directory on the system. The chown and chgrp commands can be used to change the default owner and group of a file.
The set group ID (SGID) bit is used to create a shared directory. The SGID bit forces new files and directories created under a directory to inherit the parent directory's group rather than the group of the user who creates them. This provides an easy way to share files between users of the system.

Origin blog.csdn.net/qq_44710568/article/details/105013302