Preface
Linux permissions are a mechanism the operating system uses to restrict access to resources. Permissions are generally divided into read, write and execute. Every file in the system has specific permissions, an owner and a group, and through this mechanism the system decides which users or user groups may perform which operations on a given file.
1. Viewing and reading permissions
1. Viewing permissions
ls -l file      view file permissions
ls -ld dir      view directory permissions
2. Reading permissions
The attributes of a file are called its metadata (meta data); each kind of metadata is recorded in one byte.
3. Permission information
- File permission information
  - | rw-r--r-- | . | 1 | root | root | 0 | Apr 12 10:57 | westosfile
  [1] | [2] | [3] | [4] | [5] | [6] | [7] | [8] | [9]
- Directory permission information
  - | rw-r--r-- | . | 1 | root | root | 0 | Apr 12 10:57 | westosdir
  [1] | [2] | [3] | [4] | [5] | [6] | [7] | [8] | [9]
- Meaning of each field
[1] File type
    -  ordinary file
    d  directory
    l  soft link (symbolic link)
    b  block device
    c  character device
    s  socket
    p  pipe
[2] Permissions
    rw-|r--|r--
     u   g   o
[3] "." means SELinux is enabled on the system
[4] For files: the number of times the file content is recorded by the system (number of hard links)
    For directories: the number of subdirectories in the directory
[5] File owner
[6] File owning group
[7] For files: the size of the file content
    For directories: the size of the metadata of the sub-files in the directory
[8] The time the file content was last modified
[9] File name
2. Linux permission authorization
The three roles of authorization
- u (user): the owner of the file, the fifth column shown by ls -l
- g (group): the owning group of the file, the sixth column shown by ls -l
- o (other): a collective term for all other users, who are neither the owner nor members of the owning group
Three groups of three
The permission string authorizes the three roles u, g and o at the same time:
rwx|r--|r--
 u   g   o
- User identity matching order
user > group > other (a user is matched against the owner first, then against the group, and only falls through to other if neither matches)
Permission types
- -  the permission is not granted
- r  readable
  For files: the file contents can be read
  For directories: the files in the directory can be listed with ls
- w  writable
  For files: the file contents can be changed
  For directories: files can be created or deleted in the directory
  Note: for directories, executable is a prerequisite for writable. Only when you can enter the directory can you create or delete files in it!
- x  executable
  For files: the program recorded in the file can be invoked by the file name
  For directories: the directory can be entered
3. Setting ordinary permissions
chmod command: set file permissions
- chmod, character (symbolic) form
  chmod <role><operator><permission> file/dir
  chmod a|u|g|o +|-|= r|w|x file/dir
- chmod, numeric (octal) form
  Each group of three permission bits is a three-digit binary number, so one group fits in exactly one octal digit:
  rwx = 111 = 7
  rw- = 110 = 6
  r-x = 101 = 5
  r-- = 100 = 4 = r
  -wx = 011 = 3
  -w- = 010 = 2 = w
  --x = 001 = 1 = x
  --- = 000 = 0
- chmod copy permissions
  chmod --reference=file1 file2    copy the permissions of file1 to file2
  Example:
  chmod --reference=/tmp /mnt/westosdir
  copies the permissions of the /tmp directory to /mnt/westosdir
  chmod -R --reference=dir1 dir2   copy the permissions of dir1 to dir2 and the files under it (-R means recursive)
  Example:
  chmod -R --reference=/tmp /mnt/westosdir
  copies the permissions of the /tmp directory to /mnt/westosdir and the sub-files in that directory
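The following is an added example, not code from the original article: it converts between the symbolic rwx form and the octal form using the table above, then applies permissions with chmod in both forms on scratch files in a temporary directory. The function names (symbolic_to_octal, octal_to_symbolic, mode_of, chmod_demo) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article): convert between the
# symbolic rwx form and the octal form of a permission string, then apply
# permissions both ways with chmod on scratch files in a temporary directory.

# symbolic_to_octal "rw-r--r--" -> 644
symbolic_to_octal() {
    out=""
    for i in 1 4 7; do
        trio=$(printf '%s' "$1" | cut -c"$i"-$((i + 2)))
        n=0
        case $trio in r??) n=$((n + 4));; esac   # r = 100 = 4
        case $trio in ?w?) n=$((n + 2));; esac   # w = 010 = 2
        case $trio in ??x) n=$((n + 1));; esac   # x = 001 = 1
        out="$out$n"
    done
    printf '%s' "$out"
}

# octal_to_symbolic 755 -> rwxr-xr-x
octal_to_symbolic() {
    out=""
    for i in 1 2 3; do
        d=$(printf '%s' "$1" | cut -c"$i")
        if [ $((d & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((d & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((d & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s' "$out"
}

# mode_of PATH -> the 9-character permission field as ls -l shows it
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# chmod_demo -> "<f1 mode> <f2 mode before copy> <f2 mode after copy>"
chmod_demo() {
    tmp=$(mktemp -d)
    : > "$tmp/f1"
    : > "$tmp/f2"
    chmod u=rwx,g=rx,o= "$tmp/f1"                     # symbolic form: rwxr-x---
    chmod "$(symbolic_to_octal rw-r--r--)" "$tmp/f2"  # numeric form: 644
    chmod g-r "$tmp/f2"                               # take read from the group: rw----r--
    before="$(mode_of "$tmp/f2")"
    # copy f1's permissions onto f2 by turning the ls output back into a mode;
    # on GNU systems `chmod --reference="$tmp/f1" "$tmp/f2"` does the same
    chmod "$(symbolic_to_octal "$(mode_of "$tmp/f1")")" "$tmp/f2"
    r="$(mode_of "$tmp/f1") $before $(mode_of "$tmp/f2")"
    rm -rf "$tmp"
    printf '%s' "$r"
}
```

Running `chmod_demo` yields `rwxr-x--- rw----r-- rwxr-x---`: the first and last fields show the copy succeeded, the middle one shows the state of f2 before it. The portable copy via `mode_of` is used so the example also runs on systems whose chmod lacks `--reference`.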
4. System default permissions
- The system exists to share resources
- From a security perspective, the fewer resources the system shares, the less power is open and the more secure the system is
- The system must be both secure and useful, so the power that should be open is opened by default and the unsafe power is reserved (withheld) by default
1. Check the reserved permissions of the system
umask   view the reserved permissions of the system
- Default file permissions = 777 - umask - 111
- Default directory permissions = 777 - umask
2. Change the reserved permission value
- Temporary change
umask <value>   temporarily sets the reserved permissions of the system (the larger the umask value, the more the system withholds and the higher its security!)
- Permanent change
The steps are as follows:
vim /etc/bashrc    modify the shell configuration file
vim /etc/profile   modify the system environment configuration file
source /etc/bashrc
source /etc/profile
Supplement: the source command makes our changes take effect in the current shell immediately
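An added example (not from the original article) of what umask does to newly created files and directories. `default_mode` computes the result with the rule the kernel actually applies (files start from 666, directories from 777, and the bits set in umask are cleared), which gives the same numbers as the article's 777-umask-111 and 777-umask formulas for the usual umask values such as 022 and 077; `umask_demo` creates real objects under the given umask in a scratch directory and reads back what ls -l reports. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article): show how umask shapes
# the permissions of newly created files and directories.

# default_mode UMASK file|dir -> octal mode a new file or directory gets
# (files start from 666, directories from 777; umask bits are cleared)
default_mode() {
    if [ "$2" = dir ]; then
        printf '%03o' $((0777 & ~0$1))
    else
        printf '%03o' $((0666 & ~0$1))
    fi
}

# mode_of PATH -> the 9-character permission field from ls -l
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# umask_demo UMASK -> "<file mode> <dir mode>" as created under that umask
umask_demo() {
    tmp=$(mktemp -d)
    # the umask change runs in a subshell so the caller's umask is untouched
    ( umask "$1"; : > "$tmp/f"; mkdir "$tmp/d" )
    r="$(mode_of "$tmp/f") $(mode_of "$tmp/d")"
    rm -rf "$tmp"
    printf '%s' "$r"
}
```

`umask_demo 022` returns `rw-r--r-- rwxr-xr-x` and `umask_demo 077` returns `rw------- rwx------`, which is why a larger umask is described above as withholding more from the system.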
5. File owner and group management
1. Change the owner and owning group of a file
chown username file              change the file owner
chgrp groupname file             change the file owning group
chown username:groupname file    change the owner and owning group at the same time
2. Change the owner and owning group of a directory and of the files in it
chown -R username dir    change the owner of the directory itself and of its contents
chgrp -R groupname dir   change the owning group of the directory itself and of its contents
Note: without -R only the owner and group of the directory itself are changed; the files inside it are left unchanged.
6. Special permissions
Sticky bit (stickyid)
- How to set the sticky bit
  chmod o+t dir
  Only for directories: when the sticky bit is set on a directory, a file in that directory can only be deleted by the file's owner!!
sgid (set-group-ID) bit
- How to set the sgid bit
  chmod g+s file/dir
  1. For directories: files newly created in the directory automatically belong to the directory's group
  2. For files: only meaningful for binary executables (e.g. compiled C programs); when the executable runs, it runs with the file's owning group, regardless of which user executes it
suid (set-user-ID) bit
- How to set the suid bit
  chmod u+s file
  Only for binary executables (e.g. compiled C programs); when the executable runs, it runs as the file owner, regardless of which user executes it
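An added example, not code from the original article: it sets the three special bits on scratch objects in a temporary directory with the chmod forms shown above and reads back the permission string ls -l displays, so the reader can see where each bit appears (t in the other-execute position, s in the group-execute or owner-execute position). The scratch file named prog is not a real program; function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article): set the sticky, sgid and
# suid bits on scratch objects and read back what ls -l shows for each.

# mode_of PATH -> the 9-character permission field from ls -l (e.g. rwxr-xr-t)
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# special_bits_demo -> "<sticky dir> <sgid dir> <suid file>" permission fields
special_bits_demo() {
    tmp=$(mktemp -d)

    # sticky bit on a world-writable shared directory: only a file's owner may
    # delete it; shown as 't' in the other-execute position
    mkdir "$tmp/shared"
    chmod 777 "$tmp/shared"
    chmod o+t "$tmp/shared"

    # sgid bit on a project directory: new files inherit the directory's group;
    # shown as 's' in the group-execute position
    mkdir "$tmp/proj"
    chmod 775 "$tmp/proj"
    chmod g+s "$tmp/proj"

    # suid bit on an executable: it would run as the file owner; shown as 's'
    # in the owner-execute position (this scratch file is not a real program)
    : > "$tmp/prog"
    chmod 755 "$tmp/prog"
    chmod u+s "$tmp/prog"

    r="$(mode_of "$tmp/shared") $(mode_of "$tmp/proj") $(mode_of "$tmp/prog")"
    rm -rf "$tmp"
    printf '%s' "$r"
}
```

`special_bits_demo` returns `rwxrwxrwt rwxrwsr-x rwsr-xr-x`. A capital `T` or `S` in those positions would mean the special bit is set while the underlying execute bit is not, which is a common sign of a mistyped chmod.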
7. ACL permission lists
Access Control Lists
Function: in the list, specific users can be given specific permissions on specific files.
ACL-enabled flag "+"
-rw-rw----+ 1 root caiwu 0 Apr 18 09:03 westosfile
The "+" after the permission string means the ACL list is enabled (no "+" means it is not enabled)
Reading the ACL list
getfacl file    read the file's permissions
Note: once a file's ACL list is enabled, do not rely on ls -l to read its permissions
Analysis of the displayed content:
# file: westosfile       # file name
# owner: root            # file owner
# group: root            # file owning group
user::rw-                # file owner permissions
user:lee:rw-             # specially designated user permissions
group::r--               # file owning group permissions
group:westos:---         # specially designated user group permissions
mask::rw-                # the maximum permission threshold that can be given to special users and groups
other::r--               # other users' permissions
Controlling the ACL list
- Set the permissions of specially designated users and groups on a file
  setfacl -m u:username:permission file    set the permissions of a specific user on the file
  setfacl -m g:groupname:permission file   set the permissions of a specific group on the file
- Set the permissions of the file's owner and owning group
  setfacl -m u::permission file    set the file owner's permissions
  setfacl -m g::permission file    set the file owning group's permissions
- Remove a designated user or group from the file's list
  setfacl -x u:username file    remove the specially designated user from the file
  setfacl -x g:groupname file   remove the specially designated group from the file
- Close the ACL list
  setfacl -b file    remove all ACL entries
ACL permission priority
Owner > specially designated users > group with more permissions > group with fewer permissions > other
ACL mask control
The mask is the maximum threshold of permissions that can be given to designated users and groups
Problem
Once a file's ACL list is set, the mask changes along with the owning-group permissions whenever chmod is run on the file.
setfacl -m m:permission file    reset the mask value
Default permissions of the ACL list
setfacl -m u:lee:rwx /mnt/westosdir
takes effect only for the /mnt/westosdir directory itself
setfacl -Rm u:lee:rwx /mnt/westosdir
takes effect for the /mnt/westosdir directory and the contents already in it
Note: the commands above affect existing files only; files created later are not covered
setfacl -m d:u:lee:rwx /mnt/westosdir/
takes effect for files created later in the /mnt/westosdir directory
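An added example, not from the original article, illustrating the mask behaviour described above: it parses an ACL in the text format getfacl prints and computes the effective permission of an entry, capping named users, the owning group and named groups by the mask while leaving the owner and other entries untouched. The ACL text is constructed for this example (the file name, user lee and group westos are made up, and the mask is deliberately r-- so the cap is visible); it needs no setfacl on the machine and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article): compute the effective
# permission of an ACL entry the way getfacl reports it, i.e. with the mask
# applied. ACL_SAMPLE is constructed text in getfacl's output format.

ACL_SAMPLE='# file: westosfile
# owner: root
# group: root
user::rw-
user:lee:rw-
group::r--
group:westos:---
mask::r--
other::r--'

# perm_bits "rw-" -> 6 ; bits_perm 6 -> "rw-"
perm_bits() {
    n=0
    case $1 in r??) n=$((n + 4));; esac
    case $1 in ?w?) n=$((n + 2));; esac
    case $1 in ??x) n=$((n + 1));; esac
    printf '%s' "$n"
}
bits_perm() {
    s=""
    if [ $(($1 & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
    if [ $(($1 & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
    if [ $(($1 & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    printf '%s' "$s"
}

# effective_perm ACL_TEXT TAG -> effective rwx for one entry.
# TAG is the entry without its permission field: "user:" (owner), "user:lee",
# "group:" (owning group), "group:westos" or "other:".
# The mask caps named users, the owning group and named groups; the owner
# and other entries are never masked.
effective_perm() {
    acl=$1; want=$2; mask=""; perm=""
    while IFS= read -r line; do
        case $line in ''|'#'*) continue;; esac
        tag=${line%:???}            # strip the trailing ":rwx" field
        p=${line##*:}               # keep only the permission field
        if [ "$tag" = "mask:" ]; then mask=$p; fi
        if [ "$tag" = "$want" ]; then perm=$p; fi
    done <<EOF
$acl
EOF
    if [ -z "$perm" ]; then
        printf 'no entry'
        return 1
    fi
    case $want in
        user:|other:) printf '%s' "$perm" ;;
        *) if [ -n "$mask" ]; then
               bits_perm $(( $(perm_bits "$perm") & $(perm_bits "$mask") ))
           else
               printf '%s' "$perm"
           fi ;;
    esac
}
```

With the sample above, `effective_perm "$ACL_SAMPLE" user:lee` returns `r--` even though lee's own entry says rw-, because the mask is r--; raising the mask to rw- (as with `setfacl -m m:rw- file`) makes the same call return `rw-`. This is exactly the effect getfacl marks with an `#effective:` comment, and it is why a chmod that shrinks the group permissions of an ACL-enabled file silently shrinks every named user's access too.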
8. attr permissions
attr attributes restrict all users
- i    no changes of any kind are allowed
- a    content can be appended but not deleted
lsattr dir/file                  view the attr attributes of a file or directory
chattr +i/+a/-i/-a dir/file      set or clear an attr attribute