1. Basic permissions UGO
=====================================================
File permission setting: can be assigned to a user or group in which way to access a file
权限对象:
属主------->u
属组------->g
其他人------>o
基本权限类型:
读(read):r ---->4
写(write):w ---->2
执行: x(exec) ----->1
Case:
r w x rw- r-- alice hr file1.txt
属主权限 属组权限 其他人权限 属主 属组 文件
前提条件:jack属于hr组
一 alice对file1.txt文件有什么权限?
二 jack对file1.txt文件有什么权限?
a. jack是所有者吗?
b. jack属于hr组吗?
三 tom对file1.txt文件有什么权限?
a. tom是所有者吗?
b. tom属于hr组吗?
c. tom为其他人吗?
1.1. Set permissions
Change the owner (owner) and group (group) of the file
chown:
[root@linux-server ~]# chown alice.hr file1.txt //修改属主、属组
[root@linux-server ~]# chown tom file1.txt //修改属主
[root@linux-server ~]# chown .it file1.txt //只改属组
[root@linux-server ~]# chown -R alice.hr dir1 //递归修改---针对目录
1.2. Change permissions
系统默认目录755 文件644
a. Use symbols
[root@linux-server ~]# chmod u+x file1.txt //属主增加执行
[root@linux-server ~]# chmod a=rwx file1.txt //所有人等于读写执行
[root@linux-server ~]# chmod a=- file1.txt //所有人都没有权限
[root@linux-server ~]# chmod ug=rw,o=r file1.txt //属主属组等于读写,其他人只读
[root@linux-server ~]# ll
-rw-rw-r--. 1 tom it 0 Nov 1 15:30 file1.txt
b. Use numbers
[root@linux-server ~]# chmod 644 file1.txt
[root@linux-server ~]# ll file1.txt
-rw-r--r--. 1 tom it 0 Nov 1 15:30 file1.txt
2. Permission case UGO
======================================================
2.1. Setting permissions case
Set permissions for the access directory /home/hr of the hr department, the requirements are as follows:
- The root user and employees in the hr group can read, write, and execute
- No other users have any permissions
[root@linux-server ~]# groupadd hr //创建一个用户组
[root@linux-server ~]# useradd hr01 -G hr //创建hr01用户添加到hr组里
[root@linux-server ~]# useradd hr02 -G hr //创建hr02用户添加到hr组里
[root@linux-server ~]# mkdir /home/hr //在/home创建一个hr目录
[root@linux-server ~]# chown .hr /home/hr //将/home/hr目录的所属组设置为hr
[root@linux-server ~]# chmod 770 /home/hr //将/home/hr目录的权限设置为770
[root@linux-server ~]# ll -d /home/hr //查看/home/hr目录本身的权限
drwxrwx---. 2 root hr 6 Nov 1 17:11 /home/hr
The meaning of r, w, x permissions to files and directories
For files:
r----cat
w --- vi 、 vim
x ---- bash /dir/file
To the directory:
r --- ls
w -----touch、rm
x ---- cd
2.2.rwx's impact on files
Practical case 1: the impact of rwx on files
[root@linux-server ~]# vim /home/file1
date
[root@linux-server ~]# ll /home/file1
-rw-r--r--. 1 root root 5 Nov 3 15:19 /home/file1
[root@linux-server ~]# su - alice #切换普通用户
[alice@linux-server ~]$ cat /home/file1
date
[alice@linux-server ~]$ /home/file1 #执行文件
-bash: /home/file1: Permission denied
[alice@linux-server ~]$ exit
logout
[root@linux-server ~]# chmod o+x /home/file1
[alice@linux-server ~]$ /home/file1
Sun Nov 3 15:26:21 CST 2019
[root@linux-server ~]# chmod o+w /home/file1
[alice@linux-server ~]$ vim /home/file1
date
123
ls
2.3.rwx's impact on directories
Practical case 2: There is no w for directories and rwx for files
[root@linux-server ~]# mkdir /dir10
[root@linux-server ~]# touch /dir10/file1
[root@linux-server ~]# chmod 777 /dir10/file1
[root@linux-server ~]# ll -d /dir10/
drwxr-xr-x. 2 root root 19 Nov 3 15:37 /dir10/
[root@linux-server ~]# ll /dir10/file1
-rwxrwxrwx. 1 root root 0 Nov 3 15:37 /dir10/file1
[root@linux-server ~]# vim /dir10/file1
jack
[root@linux-server ~]# su - alice
Last login: Sun Nov 3 15:28:06 CST 2019 on pts/0
[alice@linux-server ~]$ cat /dir10/file1
jack
[alice@linux-server ~]$ rm -rf /dir10/file1 #权限不够
rm: cannot remove ‘/dir10/file1’: Permission denied
[alice@linux-server ~]$ touch /dir10/file2 #权限不够
touch: cannot touch ‘/dir10/file2’: Permission denied
Practical case 3: There is w for directories, but no permissions for files
[root@linux-server ~]# chmod 777 /dir10/
[root@linux-server ~]# chmod 000 /dir10/file1
[root@linux-server ~]# ll -d /dir10/
drwxrwxrwx. 2 root root 19 Nov 3 15:38 /dir10/
[root@linux-server ~]# ll /dir10/file1
----------. 1 root root 5 Nov 3 15:38 /dir10/file1
[root@linux-server ~]# su - alice #切换普通用户
Last login: Sun Nov 3 15:38:53 CST 2019 on pts/0
[alice@linux-server ~]$ cat /dir10/file1
cat: /dir10/file1: Permission denied #没有权限
[alice@linux-server ~]$ rm -rf /dir10/file1
[alice@linux-server ~]$ touch /dir10/file2
小结
对目录有w权限,可以在目录中创建新文件,可以删除目录中的文件(跟文件权限无关)
注意事项
文件: x 权限小心给予
目录: w 权限小心给予
3. Basic access ACL
====================================================
File permission management: ACL sets basic permissions (r, w, x).
UGO sets basic permissions: Only for one user, one group and other people.
Setting method:
[root@linux-server ~]# touch /home/test.txt
[root@linux-server ~]# ll /home/test.txt
-rw-r--r--. 1 root root 0 Nov 3 15:53 /home/test.txt
[root@linux-server ~]# getfacl /home/test.txt #查看文件的facl权限
getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@linux-server ~]# useradd jack
[root@linux-server ~]# setfacl -m u:alice:rw /home/test.txt //增加用户alice权限
[root@linux-server ~]# setfacl -m u:jack:- /home/test.txt //增加用户jack权限
[root@linux-server ~]# setfacl -m g:hr:r /home/test.txt //增加组的权限
[root@linux-server ~]# setfacl -m o::rw /home/test.txt
-m, --modify modify the current ACL(s) of file(s)
3.2. View/Delete:
[root@linux-server ~]# ll /home/test.txt
-rw-r-rw-+ 1 root root 4 Nov 3 15:58 /home/test.txt
[root@linux-server ~]# getfacl /home/test.txt
getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rw-
user:alice:rw-
user:jack:---
group::r--
group:hr:r--
mask::rw-
other::rw-
[root@linux-server ~]# setfacl -x u:alice /home/test.txt
[root@linux-server ~]# setfacl -x g:hr /home/test.txt
-x:--remove
[root@linux-server ~]# getfacl /home/test.txt
getfacl: Removing leading '/' from absolute path names
# file: home/test.txt
# owner: root
# group: root
user::rw-
user:jack:---
group::r--
mask::r--
other::rw-
[root@linux-server ~]# setfacl -b /home/test.txt #取消所有的facl权限
-b, --remove-all
ACL extension mask
用于临时降低用户或者组(除属主和其他人)的权限
#建议方便管理其他人权限设置为空
实验:
[root@localhost ~]# touch /home/file1
[root@localhost ~]# setfacl -m u:alice:r /home/file1
[root@localhost ~]# setfacl -m u:tom:rw /home/file1
[root@localhost ~]# setfacl -m g:hr:rwx /home/file1
[root@localhost ~]# getfacl /home/file1
getfacl: Removing leading '/' from absolute path names
# file: home/file1
# owner: root
# group: root
user::rw-
user:alice:r--
user:tom:rw-
group::r--
group:hr:rwx
mask::rwx
other::r--
Open a terminal
[root@localhost ~]# su - alice
[alice@localhost ~]$ cat /home/file1
回到原来终端
[root@localhost ~]# setfacl -m m::r /home/file1 #m表示mask
[root@localhost ~]# getfacl /home/file1
getfacl: Removing leading '/' from absolute path names
# file: home/file1
# owner: root
# group: root
user::rw-
user:alice:r--
user:tom:rw- #effective:r--
group::r--
group:hr:rwx #effective:r--
mask::r--
other::r--
测试
[root@localhost ~]# su - tom
[tom@localhost ~]$ vim /home/file1