1. Viewing and reading permissions
**1. View permissions**
ls -l filename #view the permissions of a file
ls -ld westosdir/ #view the permissions of the directory itself (not of its contents)
#A ? in the output means that attribute could not be determined
**2. Reading permissions**
"The attributes of a file are called the file's metadata (meta data)."
"One kind of metadata uses 1 byte to record its content."
#File permission information#
#Meaning of each field of the ls -l output, from left to right#
[1] #file type
- ordinary file
d directory
l soft link (symbolic link)
b block device
c character device
s socket
p pipe
[2] #user permissions
# rw-|r--|r--, three characters per group, in the order u, g, o
##Note: if SELinux is enabled on the system, a dot follows this field (between fields 2 and 3)
[3] ##For a file: the number of times the file content is recorded by the system (number of hard links)
##For a directory: the number of subdirectories in the directory
[4] ##File owner
[5] ##File owning group
[6] ##For a file: the size of the file content; for a directory: the size of the metadata of the files in the directory
[7] ##The time the file content was last modified
[8] ##File name
2. Types and functions of ordinary permissions
#1. The identity of a user relative to a file#
u: #user The owner of the file, the fourth column shown by ls -l
g: #group The owning group of the file, the fifth column shown by ls -l
o: #other Everyone who is neither the owner nor a member of the owning group
#2. Permission bits#
rwx|r--|r-- #each group of three is, in order, u, g, o
#3. User identity matching order#
user > group > other #a user is matched against the owner first, then the group, then other
#4. Permission types#
- #the permission is not set
r #readable; for a file: the content can be read; for a directory: the files in it can be listed with ls
w #writable; for a file: the content can be changed; for a directory: files can be created or deleted in it
x #executable; for a file: the file name can be used to run the program recorded in the file; for a directory: the directory can be entered
3. Methods of setting ordinary permissions
#chmod: copy permissions#
chmod --reference=/tmp /mnt/westosdir #copy the permissions of the /tmp directory to /mnt/westosdir
chmod -R --reference=/tmp /mnt/westosdir #copy the permissions of /tmp to /mnt/westosdir and to the files under it; -R means recursive
#chmod: set permissions in character (symbolic) mode#
chmod <a|u|g|o><+|-|=><r|w|x> file #set file permissions symbolically
Examples:
chmod u-rw /mnt/westos1
chmod u=rwx,g=rx,o=--- /mnt/westosfile4
chmod -R u=rwx,g=rx,o=--- /mnt/westosdir/
chmod u-rw,g+x,o+wx /mnt/westosfile2
#chmod: set permissions in numeric mode#
Each permission bit is a binary (Boolean) value
rwx = 111
--- = 000
Three binary digits cover 8 values (0 to 7, one octal digit), so rwx = 111 = 7
rw- = 110 = 6
r-x = 101 = 5
r-- = 100 = 4 = r
-wx = 011 = 3
-w- = 010 = 2 = w
--x = 001 = 1 = x
--- = 000 = 0
chmod 600 /mnt/westosfile1 #rw-------
watch -n 1 ls -Rl /mnt/ #monitor attribute changes of the files under /mnt/
watch -n 1 ls -ld /cw #monitor attribute changes of the /cw directory
4. System default permission settings
The purpose of a system is to share resources. From a security standpoint, the fewer resources the system shares and the fewer permissions it opens, the more secure it is; yet the system must also be able to create value. So the permissions that should be open are open by default, and the insecure ones are withheld by default.
#How permissions are withheld# umask is the set of permissions the system withholds from newly created files and directories
The reserved permission of the directory in the Linux system is 022, and the file is 133
umask #view the system's current default reserved permissions
umask 077 #change the default reserved permissions to 077 for this shell only; closing the shell restores the original value (temporary setting)
vim /etc/profile #(system environment configuration file) in vim type /umask and press Enter to find the setting, then change the value (line 60 for ordinary users, line 62 for the superuser) to make it permanent
vim /etc/bashrc #shell configuration file (line 75 for ordinary users, line 77 for the superuser)
source /etc/profile
source /etc/bashrc #make the change take effect: once sourced, the changed content is recognized by the system immediately
- Default file permissions = 777 - umask - 111
- Default directory permissions = 777 - umask. The larger the umask value, the more secure the system.
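An added example, not part of these notes, that computes the default modes the way the kernel does, as a bitwise clear (mode & ~umask), and checks the arithmetic against real files. The subtraction rule in the notes gives the same answer for 022, but not for umasks such as 077 where a umask digit exceeds the permission digit it is subtracted from. The verification step assumes GNU coreutils stat.

```sh
# Default mode of a new file or directory for a given umask. Creation asks for
# 666 (files never get x) or 777 (directories); the kernel then clears every
# bit that is set in the umask: mode & ~umask. The leading 0 makes the shell
# read the three umask digits as octal, so pass them as `umask` prints them.
default_file_mode() { printf '%03o\n' $(( 0666 & ~0$1 )); }
default_dir_mode()  { printf '%03o\n' $(( 0777 & ~0$1 )); }

# Table for the two values the notes use (022, 077) plus 027, a common stricter
# default that keeps group read but hides everything from other.
umask_table() {
    printf '%-6s %-5s %s\n' umask file dir
    for u in 022 027 077; do
        printf '%-6s %-5s %s\n' "$u" "$(default_file_mode "$u")" "$(default_dir_mode "$u")"
    done
}

# Check the arithmetic against the kernel: create a file and a directory under
# the given umask in a throw-away directory and read their modes back.
# Assumes GNU coreutils stat (-c %a); the subshell keeps the umask change local.
verify_umask() {
    u=$1
    tmp=$(mktemp -d) || return 1
    ( umask "$u"; touch "$tmp/f"; mkdir "$tmp/d" )
    printf 'umask %s -> file %s, dir %s\n' "$u" "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
}

umask_table
verify_umask 077   # expected: file 600, dir 700
```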
5. File owner and owning group management
chown user filename #change the owner of the file
chgrp westos westosfile2 #change the owning group of the file (to westos)
chown lee.westos westosfile3 #change the owner and the owning group of the file together
chown westos file #change the owner of the file itself
chown westos westosdir #change the owner of the directory itself
chown -R root westosdir/ #change the owner of the directory itself and of all files under it
watch -n 1 ls -Rl /mnt/ #monitor attribute changes of the files under /mnt/
watch -n 1 ls -ld /cw #monitor attribute changes of the /cw directory
6. Special permissions
- stickyid #sticky bit; if the sticky bit is set on a directory, a file in that directory can only be deleted by its owner
chmod 1<original permissions> dir
chmod o+t dir
- sgid #force bit; for a directory: new files created in the directory automatically belong to the directory's group
chmod 2<original permissions> dir
chmod g+s dir
- suid #"adventure" bit (set-user-ID); only for binary executables (C programs): when the binary runs, it runs as the file's owner, regardless of which user executes it
chmod 4<original permissions> file
chmod u+s file
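An added example, not from these notes, that turns the mode field ls -l prints (section 1) into the octal number chmod takes (section 3) and back, including the setuid, setgid and sticky bits from this section. A lower-case s or t means the x bit underneath is also set; a capital S or T means it is not, which is the combination to look for when auditing modes.

```sh
# ls -l mode field (type + u/g/o triplets, e.g. -rwsr-xr-x) -> octal (4755).
# Special bits live in the x slots: s/S in the user slot = setuid (4), s/S in
# the group slot = setgid (2), t/T in the other slot = sticky (1); a capital
# letter means that slot's own x bit is NOT set. A trailing + (ACL) or . (SELinux) marker is ignored.
mode_to_octal() {
    m=$(printf '%s' "$1" | cut -c1-10)
    [ ${#m} -eq 10 ] || { echo "bad mode string: $1" >&2; return 1; }
    special=0; perms=""; pos=2
    for who in u g o; do
        r=$(printf '%s' "$m" | cut -c"$pos")
        w=$(printf '%s' "$m" | cut -c$((pos + 1)))
        x=$(printf '%s' "$m" | cut -c$((pos + 2)))
        v=0
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case $x in x|s|t) v=$((v + 1)) ;; esac
        case "$who$x" in
            us|uS) special=$((special + 4)) ;;
            gs|gS) special=$((special + 2)) ;;
            ot|oT) special=$((special + 1)) ;;
        esac
        perms="$perms$v"; pos=$((pos + 3))
    done
    printf '%d%s\n' "$special" "$perms"
}

# Reverse direction: 4755 (or a plain 755) -> rwsr-xr-x
octal_to_mode() {
    o=$1; [ ${#o} -eq 3 ] && o="0$o"
    sp=$(printf '%s' "$o" | cut -c1); out=""; pos=2
    for who in u g o; do
        d=$(printf '%s' "$o" | cut -c"$pos")
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        case $who in
            u) flag=$((sp & 4)); letter=s ;;
            g) flag=$((sp & 2)); letter=s ;;
            o) flag=$((sp & 1)); letter=t ;;
        esac
        if [ "$flag" -ne 0 ]; then            # capital letter: special bit without x
            [ "$x" = x ] && x=$letter || x=$(printf '%s' "$letter" | tr a-z A-Z)
        fi
        out="$out$r$w$x"; pos=$((pos + 1))
    done
    printf '%s\n' "$out"
}
```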
7. ACL permission lists
Access Control Lists
- Access control list
function: #specific users can be given specific permissions on specific files through the list
#ACL list indicator
-rw-rw---- 1 root caiwu 0 Apr 18 09:03 westosfile #no "+" after the permission field means no ACL is set; a "+" there means an ACL is set
- Reading ACL permissions
getfacl westosfile
display content analysis:
# file: westosfile #file name
# owner: root #file owner
# group: root #file owning group
user::rw- #file owner permissions
user:lee:rw- #permissions of the specially designated user
group::r-- #file owning group permissions
group:westos:--- #permissions of the specially designated group
mask::rw- #the maximum permission that can be given to designated users and designated groups
other::r-- #permissions of everyone else
"Note:"
"When a file has an ACL, do not use ls -l to read its permissions"
- Controlling the ACL list
setfacl -b /mnt/westos/ #remove the ACL entries (the + sign disappears)
setfacl -m m::rwx /mnt/westos #set the mask to rwx
setfacl -m u::rwx /mnt/westos #set the owner's permissions to rwx
setfacl -m g:westos:rwx /mnt/westos #give group westos the permissions rwx
setfacl -x u:lee file #delete lee from the list
- ACL permission priority
Owner > designated users > group with more permissions > group with fewer permissions > other
#The file owner has higher priority than a designated user; the owning group and a designated group are ranked by their matching permissions, and the one with more matching permissions takes priority
- ACL mask control
mask #the upper limit on the permissions that can be granted; anything above it has no effect
setfacl -m m::rwx /mnt/westos #restore the mask to rwx
- Default permissions of the ACL list
setfacl -m u:westos:rwx /mnt/westos/ #westos can read and write the directory, but the files in the directory are still not writable
setfacl -Rm u:westos:rwx /mnt/westos/ #the files already in the directory become writable, but a file created after this command still is not
setfacl -m d:u:westos:rwx /mnt/westos/ #default entry: files created in the westos directory from now on are writable (the existing files are unchanged and still not writable)
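An added example, not part of these notes, that applies the priority and mask rules above to a constructed getfacl listing: which entry applies to a given user, and what the mask leaves of it. The file, user and group names in SAMPLE_ACL are made up. It goes one step beyond the notes in two places: the kernel also caps the owning group's own entry (group::) by the mask, and when several group entries match a user, access is granted if any of them allows it.

```sh
# Constructed getfacl output (not from the notes): a file owned by root:westos
# with one named user, one named group and a mask of r-x.
SAMPLE_ACL='# file: westosfile
# owner: root
# group: westos
user::rw-
user:lee:rwx
group::r--
group:caiwu:rwx
mask::r-x
other::---'

# Permission field of one entry, e.g. acl_field "$SAMPLE_ACL" "user:lee:" -> rwx
acl_field() { printf '%s\n' "$1" | sed -n "s/^$2\(.*\)\$/\1/p"; }

rwx_to_n() {                     # "r-x" -> 5
    n=0; case $1 in r??) n=4;; esac; case $1 in ?w?) n=$((n|2));; esac
    case $1 in ??x) n=$((n|1));; esac; echo $n
}
n_to_rwx() {                     # 5 -> "r-x"
    s=""; [ $(($1 & 4)) -ne 0 ] && s=r || s=-
    [ $(($1 & 2)) -ne 0 ] && s=${s}w || s=$s-
    [ $(($1 & 1)) -ne 0 ] && s=${s}x || s=$s-; printf '%s\n' "$s"
}

# acl_effective ACLTEXT USER GROUP... : the rwx string USER ends up with when
# USER is a member of GROUP... (primary plus supplementary groups).
acl_effective() {
    acl=$1; who=$2; shift 2
    m=$(acl_field "$acl" "mask::"); mask=7
    [ -n "$m" ] && mask=$(rwx_to_n "$m")       # no mask entry means no cap
    # 1. the owner gets user:: and the mask does not touch it
    if [ "$who" = "$(acl_field "$acl" "# owner: ")" ]; then
        n_to_rwx "$(rwx_to_n "$(acl_field "$acl" "user::")")"; return
    fi
    # 2. a named user entry beats every group entry, but the mask caps it
    p=$(acl_field "$acl" "user:$who:")
    if [ -n "$p" ]; then n_to_rwx $(( $(rwx_to_n "$p") & mask )); return; fi
    # 3. group entries (owning group and named groups): access is granted if
    #    any matching entry grants it, so take their union, then apply the mask
    acc=0; matched=0; ogroup=$(acl_field "$acl" "# group: ")
    for g in "$@"; do
        if [ "$g" = "$ogroup" ]; then p=$(acl_field "$acl" "group::")
        else p=$(acl_field "$acl" "group:$g:"); fi
        [ -n "$p" ] && { acc=$(( acc | $(rwx_to_n "$p") )); matched=1; }
    done
    [ "$matched" -eq 1 ] && { n_to_rwx $((acc & mask)); return; }
    n_to_rwx "$(rwx_to_n "$(acl_field "$acl" "other::")")"   # 4. everyone else
}
```

With the sample list, lee's rwx entry is cut down to r-x by the mask, and a member of westos only gets r-- from group:: even though caiwu members get r-x.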
8. attr permissions
- attr permissions restrict all users
chattr +i|+a|-i|-a dir|file #set the attr value: i means no change of any kind is allowed; a means content can be appended but not deleted
lsattr dir|file #view the attr value