chmod [options] permission file name
-R recursively modify the permissions of a directory and its subdirectories and files
-v display each change made (verbose)
Permission classes:
u the owner of the file
g the group to which the file belongs
o other users
a all, everyone
Operators:
+ add permission
- revoke permission
Example: the current file permissions are rw-r--r-- (644)
and need to be changed to rwxr-xr-x (755)
Relative method:
chmod u+x,g+x,o+x file name
chmod a+x file name
Absolute method:
chmod u=rwx,g=rx,o=rx file name
Numerical method:
chmod 755 file name
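To show that the three methods above really are three spellings of the same change, here is an added example (not from the original notes) that re-implements the symbolic clause grammar that chmod parses: a class part (u, g, o, a or none, which means all), an operator (+, - or =) and a list of permissions (r, w, x, plus s and t for the special bits covered later in these notes). The function name apply_symbolic and its argument order are my own; it follows chmod's behaviour for regular files, where = replaces the class's rwx bits together with that class's special bit.

```shell
#!/bin/sh
# apply_symbolic MODE SPEC
#   MODE: current mode in octal (e.g. 644, 0644, 4755)
#   SPEC: chmod-style clauses separated by commas, e.g. u+x,g+x,o+x / a+x / u=rwx,g=rx,o=rx / u+s / o+t
# Prints the resulting mode in octal. Semantics follow chmod on regular files:
# '=' replaces the class's rwx bits and its special bit (s for u and g, t for o).
apply_symbolic() {
  mode=$(( 0$1 ))                    # leading 0 makes the shell read it as octal
  spec=$2
  while [ -n "$spec" ]; do
    clause=${spec%%,*}               # first remaining clause
    case $spec in *,*) spec=${spec#*,} ;; *) spec= ;; esac
    who=${clause%%[+=-]*}            # class letters before the operator
    rest=${clause#"$who"}
    op=$(printf '%.1s' "$rest")
    perms=${rest#?}
    case $who in *[!ugoa]*) echo "bad class in '$clause'" >&2; return 1 ;; esac
    case $op in [+=-]) ;; *) echo "missing operator in '$clause'" >&2; return 1 ;; esac
    case $perms in *[!rwxst]*) echo "bad permission in '$clause'" >&2; return 1 ;; esac
    case $who in ''|*a*) who=ugo ;; esac   # no class, or 'a', means everyone
    while [ -n "$who" ]; do
      c=$(printf '%.1s' "$who"); who=${who#?}
      case $c in
        u) pos=6; sbit=2048 ;;       # rwx bits shifted by 6; special bit setuid 04000
        g) pos=3; sbit=1024 ;;       # shifted by 3; special bit setgid 02000
        o) pos=0; sbit=512  ;;       # no shift;     special bit sticky 01000
      esac
      bits=0
      case $perms in *r*) bits=$(( bits | 4 )) ;; esac
      case $perms in *w*) bits=$(( bits | 2 )) ;; esac
      case $perms in *x*) bits=$(( bits | 1 )) ;; esac
      special=0
      case "$c$perms" in u*s*|g*s*|o*t*) special=$sbit ;; esac
      new=$(( (bits << pos) | special ))
      case $op in
        +) mode=$(( mode | new )) ;;
        -) mode=$(( mode & ~new )) ;;
        =) mode=$(( (mode & ~((7 << pos) | sbit)) | new )) ;;
      esac
    done
  done
  printf '%o\n' "$mode"
}

# The three methods from the notes, all starting from 644:
apply_symbolic 644 u+x,g+x,o+x        # 755
apply_symbolic 644 a+x                # 755
apply_symbolic 644 u=rwx,g=rx,o=rx    # 755
```

Because the function only does arithmetic, it is safe to use for checking what a chmod line will do before running it against real files; compare its output with `stat -c '%a' file` afterwards.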
Exercise:
Create an empty file ugo under /tmp, permission rxw—x
chown modifies the owner of a file and the group to which it belongs
chown [options] user name[:group name] file name
-R apply the change recursively to a directory and its subdirectories and files
-v display each change made (verbose)
Example:
Create a directory test in the /tmp directory,
then first change the owner of the directory to adm
[root@ops14 20200714]# ll /tmp | grep test
drwxr-xr-x. 2 root root 6 Jul 14 16:27 test
[root@ops14 20200714]# chown adm /tmp/test
[root@ops14 20200714]# ll /tmp | grep test
drwxr-xr-x. 2 adm root 6 Jul 14 16:27 test
Then change the group of the directory to lp
[root@ops14 20200714]# chown :lp /tmp/test
[root@ops14 20200714]# ll /tmp | grep test
drwxr-xr-x. 2 adm lp 6 Jul 14 16:27 test
Finally, change the owner to root and the group to adm
[root@ops14 20200714]# chown root:adm /tmp/test
[root@ops14 20200714]# ll /tmp | grep test
drwxr-xr-x. 2 root adm 6 Jul 14 16:27 test
Exercise:
1. Create a directory /tmp/0903 under /tmp
mkdir /tmp/0903
2. Create an empty file ugo.txt under /tmp/0903
touch /tmp/0903/ugo.txt
3. Check the ugo permissions of ugo.txt
ll -d ugo.txt
4. Change the permissions of ugo.txt to r-x--xr--
chmod 514 ugo.txt
rw-r--r-- = 644
r-x--xr-- = 514
1. Check the detailed information of /tmp/0903 first
ll -d /tmp/0903
2. Modify the owner of /tmp/0903 to lp
chown lp /tmp/0903
3. Modify the group to which /tmp/0903 belongs to adm
chgrp adm /tmp/0903
4. Change the owner to root and the group to lp
chown root:lp /tmp/0903
chgrp modifies the group to which a file belongs
chgrp [options] group name file name
-R apply the change recursively to a directory and its subdirectories and files
-v display each change made (verbose)
umask (permission mask)
controls the initial permissions of newly created files and directories
View umask
[root@ops14 20200714]# umask
0022
1. The default umask is 0022 for the root user and 0002 for ordinary users.
2. The umask value is set in /etc/bashrc or /etc/profile
Permission setting algorithm
default permissions of a new file = full permissions - umask
full permissions are 777 for a directory and 666 for an ordinary file
Example:
umask=022
permissions for new directories=777-022=755
permissions for new files=666-022=644
umask=002
permissions for new directories=777-002=775
permissions for new files=666-002=664
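The subtraction shorthand above gives the right answer for 022 and 002, but the kernel does not subtract: it clears every permission bit that is set in the umask (full & ~umask). The following added example (not part of the original notes) computes the default mode both ways so the difference is visible, and optionally creates a file under a given umask and reads back the mode the kernel assigned. The function names default_mode, subtract_mode and observed_mode are my own; observed_mode assumes GNU stat with -c.

```shell
#!/bin/sh
# default_mode FULL UMASK
#   FULL is 777 for a directory or 666 for a regular file, UMASK the mask (e.g. 022).
#   The kernel clears every bit that is set in the umask: FULL & ~UMASK.
default_mode() {
  printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# subtract_mode FULL UMASK
#   The "full permissions minus umask" shorthand from the notes, done as plain decimal
#   subtraction. Kept only to show where it stops agreeing with the kernel (try 666 and 027).
subtract_mode() {
  expr "$1" - "$2"
}

# observed_mode file|dir UMASK
#   Creates a file or directory under that umask in a scratch directory and reports the
#   mode the kernel actually assigned (assumes GNU stat -c; cleans up afterwards).
observed_mode() {
  scratch=$(mktemp -d) || return 1
  ( umask "$2" && if [ "$1" = dir ]; then mkdir "$scratch/new"; else : > "$scratch/new"; fi )
  stat -c '%a' "$scratch/new"
  rm -rf "$scratch"
}

# Stand-alone run: the two umasks from the notes plus one where the shorthand breaks.
for m in 022 002 027; do
  printf 'umask %s: directory %s, file %s (subtraction shorthand says %s for files)\n' \
    "$m" "$(default_mode 777 "$m")" "$(default_mode 666 "$m")" "$(subtract_mode 666 "$m")"
done
```

With umask 027 a new file gets 640, not the impossible 639 that subtraction produces, because the file had no x bit for the mask to remove. When hardening a host it is the bit-clearing view that matters: a umask of 077 makes every new file private (600) and every new directory private (700) regardless of who creates it.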
ACL permissions
ACL: Access Control List
A supplement to the traditional ugo permissions that can precisely control an individual user's access to a file
Note: starting from Linux kernel 2.6, ACL support is enabled by default
ACL permission management commands
getfacl: view ACL permissions
[zhoukai@ops14 20200714]$ getfacl aaa
# file: aaa
# owner: zhoukai
# group: zhoukai
user::rw-
group::rw-
other::r--
setfacl: set ACL permissions
Syntax:
setfacl [options] [{-m|-x} acl entry] file or directory
-m modify (add or change) an ACL rule
-x delete a rule
-b delete all ACL rules
-d set the default ACL rules of a directory (only applies to files newly created in the directory)
-R set recursively
Example:
Add an ACL rule so that user zhoukai can neither read, write nor execute the file aaa
setfacl -m u:zhoukai:--- aaa
Add an ACL rule so that group zhoukai can read and write the file aaa
setfacl -m g:zhoukai:rw aaa
Delete the ACL entry of group zhoukai
setfacl -x g:zhoukai aaa
Delete the ACL entry of user zhoukai
setfacl -x u:zhoukai aaa
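Once named user or group entries exist, getfacl also shows a mask:: entry, and the rights a named user really has are the entry ANDed with that mask (the mask caps named users, named groups and the owning group, but not the owner or other). The following added example (not from the original notes, and not output from the author's machine) parses a constructed getfacl listing and prints each entry with the permission it effectively grants, the way getfacl annotates with #effective. The function name effective_acl and the sample entries for bob and dev are my own.

```shell
#!/bin/sh
# Constructed getfacl output (sample data, not captured from a real system).
SAMPLE_ACL='# file: aaa
# owner: zhoukai
# group: zhoukai
user::rw-
user:bob:rwx
group::rw-
group:dev:r-x
mask::r--
other::r--'

# effective_acl
#   Reads getfacl output on stdin and prints every entry; entries that the mask
#   restricts get a "#effective:" suffix with the permissions actually granted.
#   The mask applies to named users (user:NAME), named groups (group:NAME) and the
#   owning group (group::), never to the owner (user::) or to other::.
effective_acl() {
  awk -F: '
    /^#/ || /^$/ { next }                  # skip the header comments and blank lines
    { entries[NR] = $0 }
    $1 == "mask" { mask = $3 }
    END {
      for (i = 1; i <= NR; i++) {
        if (!(i in entries)) continue
        split(entries[i], f, ":")
        tag = f[1]; name = f[2]; perm = f[3]
        eff = perm
        if (mask != "" && ((tag == "user" && name != "") || tag == "group")) {
          eff = ""
          for (j = 1; j <= 3; j++) {        # keep a bit only if both entry and mask have it
            c = substr(perm, j, 1); m = substr(mask, j, 1)
            eff = eff ((c != "-" && m != "-") ? c : "-")
          }
        }
        printf "%s:%s:%s", tag, name, perm
        if (eff != perm) printf "\t#effective:%s", eff
        printf "\n"
      }
    }'
}

# Stand-alone run over the constructed sample: bob looks like rwx but only gets r--.
printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

This is why a quick look at `ls -l` (which only marks ACL-bearing files with a trailing +) is not enough when auditing who can write to a file: `getfacl` the file and read the effective column, and remember that a later `chmod` on the group bits rewrites the mask and changes the effective rights of every named entry.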
s permission
Special permissions of the system, divided into three types: suid, sgid and sticky.
Their numeric codes are 4, 2 and 1 respectively.
SUID permission: used on command files (suid=4).
Function: lets a user execute a command with the identity of the file's owner.
After SUID is added to a command file, every user who runs the command executes it as the file's owner, and the owner's x bit is displayed as s.
Example: user zhoukai has no permission to view /etc/shadow; after suid is added to cat, the file can be viewed
Find the path of the cat command:
#which cat
#chmod -v u+s /usr/bin/cat
#su - zhoukai
$cat /etc/shadow
$exit
#chmod -v u-s /usr/bin/cat
Summary:
chmod u+s command file    add suid permission
chmod u-s command file    revoke suid permission
SGID permission: files created in a directory inherit the directory's group (the group's mandatory bit), sgid=2
When a directory has the sgid permission set,
files created in this directory by any user inherit the group of the directory
(mainly used for file sharing). With SGID set, the group's x bit is displayed as s.
Add sgid permission
chmod g+s directory name
Revoke sgid permission
chmod g-s directory name
Example:
As root, create a test directory in the current directory,
set the group of the test directory to adm,
set the other permission of the directory to rwx,
add sgid permission to the directory,
switch to user zhoukai, create the files a and bc in the test directory
and view the file permissions
sticky (t) permission, sticky=1
Function:
after a directory is given the t permission, each user can only delete their own files in it and cannot modify or delete other people's files.
After the t permission is set on a directory, the x bit of the other permission is displayed as t.
The /tmp directory has the t permission by default:
ls -ld /tmp
Add t permission: chmod o+t directory name
Revoke t permission: chmod o-t directory name
Example:
As root, empty the /tmp directory
rm -rf /tmp/*
Check the permissions of the /tmp directory
ls -ld /tmp    #the /tmp directory has the t permission
Create users s1 and s2
[root@ops14 tmp]# useradd s1
[root@ops14 tmp]# useradd s2
Switch to s1 and create a and b under /tmp
#su s1
$touch a b
Exit s1
$exit
Switch to s2 and try to delete a and b
#su s2
$rm -fv a b
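The suid, sgid and sticky examples above all change bits that find can search for, which is how an administrator checks that no command has been left setuid by accident (the cat example above, if not reverted, is exactly the kind of thing this finds). The following added example (not from the original notes) builds a scratch tree of constructed empty files with those bits set, then lists them with find -perm. The function names audit_special_bits and make_fixture and the fixture file names are my own; -perm -MODE is the POSIX form meaning "all of these bits are set".

```shell
#!/bin/sh
# audit_special_bits DIR
#   Lists every regular file under DIR carrying setuid (04000) or setgid (02000), and every
#   directory carrying the sticky bit (01000). "find -perm -MODE" matches entries that have
#   all of MODE's bits set, whatever the other mode bits are.
#   -xdev keeps the walk on one filesystem so /proc and network mounts are not scanned.
audit_special_bits() {
  find "$1" -xdev -type f -perm -4000 -print | sed 's|^|SUID   |'
  find "$1" -xdev -type f -perm -2000 -print | sed 's|^|SGID   |'
  find "$1" -xdev -type d -perm -1000 -print | sed 's|^|STICKY |'
}

# make_fixture
#   Builds a scratch tree of constructed examples (empty files, not real programs) and
#   prints its path, so the audit can be tried without touching system binaries.
make_fixture() {
  d=$(mktemp -d) || return 1
  : > "$d/suid_bin";     chmod 4755 "$d/suid_bin"
  : > "$d/sgid_bin";     chmod 2755 "$d/sgid_bin"
  mkdir "$d/sticky_dir"; chmod 1777 "$d/sticky_dir"
  : > "$d/plain";        chmod 644  "$d/plain"       # must not be reported
  printf '%s\n' "$d"
}

# Stand-alone run: build the fixture, audit it, clean up.
fixture=$(make_fixture)
audit_special_bits "$fixture"
rm -rf "$fixture"
```

On a real host run `audit_special_bits /` as root, save the output as a baseline right after installation, and diff new runs against it: a setuid bit appearing on a file the package manager did not install that way is something to investigate, and `chmod u-s` (as in the cat example) removes it.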
Hidden permissions (file attributes)
Prevent root from deleting or modifying files and directories by mistake.
Hidden permissions are not shown by ls. View hidden permissions with
lsattr
Example:
lsattr /etc/hosts    #this file has no hidden permissions
There are two common hidden permissions:
i permission (immutable):
the file can only be viewed; it cannot be deleted or modified.
a permission (append only):
the file can be viewed and appended to, but no other operation is allowed
(usually used for system log files)
Modify hidden permissions
chattr +i file name    add the i permission
chattr -i file name    cancel the i permission
chattr +a file name    add the a permission
chattr -a file name    cancel the a permission
Example:
[root@ops14 20200714]# cp -v /etc/hosts ./
'/etc/hosts' -> './hosts'
[root@ops14 20200714]# chattr +i hosts
[root@ops14 20200714]# lsattr hosts
----i----------- hosts
[root@ops14 20200714]# echo hello >> hosts    ##not enough permissions
-bash: hosts: Permission denied
[root@ops14 20200714]# rm -fv hosts           ##operation not allowed
rm: cannot remove 'hosts': Operation not permitted
[root@ops14 20200714]# chattr -i hosts        ##remove the i permission
[root@ops14 20200714]# chattr +a hosts        ##add the a permission
[root@ops14 20200714]# lsattr hosts
-----a---------- hosts
[root@ops14 20200714]# echo hello >> hosts    ##appending is allowed
[root@ops14 20200714]# rm -fv hosts           ##operation not allowed
rm: cannot remove 'hosts': Operation not permitted
[root@ops14 20200714]# echo hello.txt > hosts ##overwriting is not allowed
-bash: hosts: Operation not permitted
[root@ops14 20200714]# chattr -a hosts        ##cancel the a permission
[root@ops14 20200714]# rm -fv hosts           ##deleted successfully
removed 'hosts'
Summary:
The purpose of hidden permissions is to prevent important files from being deleted through mistakes by the root user.
Hidden permissions apply to all users, including root.