Linux file permissions and FACL file access control list

Linux is a multi-user system that protects itself by assigning different permissions to different users.
It also defines what each user may do to the same file (directories are files too), and that is what the permission rules below express.

1. File permissions

(1) Basic permissions of the file

The basic permissions of a file consist of read (r), write (w) and execute (x) permissions for three classes of users: the owner, the group and others.
The owner is the user who owns the file; the group is the group the file belongs to; others are users who are neither the owner nor members of the group.
The basic permissions of a file can be viewed with the ls -l command:

[root@hollowman ~]# mkdir hollowman
[root@hollowman ~]# ls -ld hollowman
drwxr-xr-x. 2 root root 6 Dec 20 22:27 hollowman

Breaking down the string displayed by ls -l:
Character 1: the file type, where d means a directory.

d : directory;
-  : regular file;
l  : symbolic link (link file);
b : block device such as a hard disk (partition) or optical drive;
c  : character device such as a keyboard or mouse.

Characters 2-10: three groups of three characters, giving the read, write and execute permissions of the owner, the group and others in turn.
Here rwxr-xr-x means the owner has read, write and execute (rwx), the group has only read and execute (r-x), and others also have only read and execute (r-x).

Character 11: shows whether an ACL (facl) is set on the file. A plus sign (+) means one is set; otherwise a dot (.) is shown (on SELinux systems the dot means the file carries a security context but no ACL). FACL is covered in section 2.
The remaining fields: the first root is the owner, the second root is the group, 6 is the size in bytes, Dec 20 22:27 is the last modification time, and hollowman is the file (directory) name.

Changing the basic permissions of a file:
1. chown: change the file's owner and group (the group the file belongs to).
Basic syntax: chown [options] [owner][:group] filename

[root@hollowman ~]# chown -R hollowman hollowman   # -R applies the change recursively to the directory's contents
[root@hollowman ~]# ls -ld hollowman
drwxr-xr-x. 2 hollowman root 6 Dec 20 22:27 hollowman

2. chmod: change the permission bits (characters 2-10 of the ls -l output).
There are two ways to express basic permissions: letters and numbers.

  • Read: the letter is r, the number is 4;
  • Write: the letter is w, the number is 2;
  • Execute: the letter is x, the number is 1;
  • No permission: the letter is -, the number is 0.
    In numeric form, a set of permissions is the sum of the individual values, for example rwx = 4+2+1 = 7 and r-x = 4+0+1 = 5.

Several common usages:

chmod [-R] [u=abc][,g=abc][,o=abc] filename     # a, b, c are each r or -, w or -, x or -
chmod [-R] [u{+|-}[a][b][c]][,g{+|-}[a][b][c]][,o{+|-}[a][b][c]] filename
chmod [-R] xyz filename     # x, y, z are the numeric permissions of u, g and o respectively

A few examples:

[root@hollowman ~]# chmod -R u=rwx,g=rwx,o=rwx hollowman/    # full permissions
[root@hollowman ~]# ls -ld hollowman/
drwxrwxrwx. 2 hollowman hollowman 6 Dec 20 22:52 hollowman/  
[root@hollowman ~]# chmod -R u-x,g-w,o-r hollowman/    # remove x from u, w from g, r from o
[root@hollowman ~]# ls -ld
drw-r-x-wx. 16 root root 4096 Dec 20 22:27 .
[root@hollowman ~]# chmod -R 765 hollowman/   # u gets rwx, g gets rw-, o gets r-x
[root@hollowman ~]# ls -ld hollowman/
drwxrw-r-x. 2 hollowman hollowman 6 Dec 20 22:52 hollowman/
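As an added example (not from the original post), the following POSIX shell script converts between the letter and number notations described above and then applies chmod to a throwaway file, reading the result back from characters 2-10 of ls -ld exactly as the post does. The file lives in a temporary directory created with mktemp and is removed afterwards; nothing else on the system is touched.

```shell
#!/bin/sh
# Added example (not from the original post): letter <-> number permission
# conversion, plus a chmod applied to a temporary file and verified via ls -ld.

# Map one three-character group ("r-x") to its digit: r=4, w=2, x=1.
triplet_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??x) n=$((n + 1)) ;; esac
    echo "$n"
}

# "rwxr-xr-x" -> "755": owner, group and others, one digit each.
perm_to_octal() {
    u=$(triplet_to_digit "$(printf '%s\n' "$1" | cut -c1-3)")
    g=$(triplet_to_digit "$(printf '%s\n' "$1" | cut -c4-6)")
    o=$(triplet_to_digit "$(printf '%s\n' "$1" | cut -c7-9)")
    echo "$u$g$o"
}

# "765" -> "rwxrw-r-x": the reverse mapping, one digit at a time.
octal_to_perm() {
    out=""
    for d in $(printf '%s\n' "$1" | sed 's/./& /g'); do
        if [ $(( $d & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( $d & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( $d & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    echo "$out"
}

# Put a temporary file into the numeric mode $2, then apply the chmod argument
# $1 (letter or number form) and return the resulting mode as three digits,
# read from characters 2-10 of ls -ld the way the post reads them.
mode_after_chmod() {
    tmpd=$(mktemp -d)
    : > "$tmpd/f"
    chmod "$2" "$tmpd/f"
    chmod "$1" "$tmpd/f"
    m=$(ls -ld "$tmpd/f" | cut -c2-10)
    rm -rf "$tmpd"
    perm_to_octal "$m"
}

# Walk through the post's three chmod examples on a file instead of a directory.
printf 'u=rwx,g=rwx,o=rwx from 644 -> %s\n' "$(mode_after_chmod 'u=rwx,g=rwx,o=rwx' 644)"
printf 'u-x,g-w,o-r from 777       -> %s\n' "$(mode_after_chmod 'u-x,g-w,o-r' 777)"
printf '765 written with letters   -> %s\n' "$(octal_to_perm 765)"
```

The second call reproduces the post's drw-r-x-wx result (653) on a file, which is a quick way to check what a compound symbolic chmod will do before running it with -R on a real tree.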

(2) Special permissions for files.

In addition to the read, write and execute permissions of the user, group and others on the file itself, Linux provides three special permissions: SUID, SGID and SBIT.

1.SUID

1) SUID is only meaningful on binary executables (such as the system's commands); setting it on other files, including scripts, has no practical effect.
2) Once SUID is set, any user who executes the file runs the program as the file's owner. The owner must therefore have execute (x) permission first; otherwise other users cannot execute it and the SUID bit is pointless.
3) The purpose of SUID is to let a user complete operations on other files as the owner (files the user has no permission to touch directly). The SUID program acts as a bridge, and the elevated identity applies only while that program runs.
4) SUID appears in the execute position of the owner permissions (the 4th character of ls -l). When SUID is set, the x in that position becomes a lowercase s. If the owner has no execute permission (the 4th character is -), it becomes an uppercase S, and the SUID setting is meaningless.

The most common and classic example: the /etc/shadow file stores users' password information. ls shows that no user has read, write or execute permission on it. Of course, the superuser root is not restricted by these permissions.

[root@hollowman ~]# ls -l /etc/shadow
----------. 1 root root 1311 Dec 20 17:54 /etc/shadow

Other users still need to change their password, which means writing it to this file. The change-and-save procedure is carried out through the two executables /bin/passwd and /usr/bin/passwd.

[root@hollowman ~]# ls -l /bin/passwd
-rwsr-xr-x. 1 root root 34512 Aug 13  2018 /bin/passwd
[root@hollowman ~]# ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 34512 Aug 13  2018 /usr/bin/passwd

As shown above, both /bin/passwd and /usr/bin/passwd have a lowercase s in the 4th position, that is, SUID is set. This is what allows other users to run the program and change their password.

How is SUID set?
Like the basic permissions, SUID has two representations, letters and numbers.
Letter form: the character s, for example chmod u+s executable_name
Number form: the digit 4, for example chmod 4777 executable_name
Note: four digits are used here; the first is the special permission, the last three are the basic permissions.

2. SGID

The SGID special permission applies in two situations:

  1. When SGID is set on a binary program, the user running it temporarily gains the permissions of the file's group (similar to SUID, but granting group membership instead).
  2. When SGID is set on a directory, new files created in that directory automatically inherit the directory's group.
  3. SGID appears in the execute position of the group permissions (the 7th character of ls -l). When SGID is set, the x in that position becomes a lowercase s; if the group has no execute permission (the 7th character is -), it becomes an uppercase S.

SGID also has two representations.
Letter form: the character s, for example chmod g+s file_or_directory
Number form: the digit 2, for example chmod 2777 file_or_directory
Note: in numeric form, setting both SUID and SGID (only meaningful for binary programs) is 4+2=6, for example chmod 6777 filename

Demo:
Create a test directory in root's home directory; its group is root.

[root@hollowman ~]# mkdir test
[root@hollowman ~]# ls -ld test
drwxr-xr-x. 2 root root 6 Dec 22 23:11 test

Create a file named file in the test directory; its group is also root.

[root@hollowman ~]# touch test/file
[root@hollowman ~]# ls -l test
total 0
-rw-r--r--. 1 root root      0 Dec 22 23:12 file

Set the group of the test directory to hollowman and set the SGID permission.

[root@hollowman ~]# chown :hollowman test
[root@hollowman ~]# chmod g+s test
[root@hollowman ~]# ls -ld test
drwxr-sr-x. 2 root hollowman 6 Dec 22 23:13 test

Create newfile in the test directory and note that its group has inherited hollowman from the test directory.

[root@hollowman ~]# touch test/newfile
[root@hollowman ~]# ls -l test/
total 0
-rw-r--r--. 1 root root      0 Dec 22 23:12 file
-rw-r--r--. 1 root hollowman 0 Dec 22 23:14 newfile

3. SBIT (the sticky bit, or file protection permission)
  1. SBIT is only effective on directories.
  2. Purpose: when a directory is writable by the group (or by everyone), every member of the group (or every user) can create files in it and also delete every file in it, which is dangerous. With SBIT set, each user can still create files but can only delete their own, not other users' files.
  3. SBIT appears in the execute position of the others permissions of the directory (the 10th character of ls -l). When SBIT is set, the x in that position becomes a lowercase t; if others have no execute permission on the directory (the 10th character is -), it becomes an uppercase T.
  4. SBIT is set on the /tmp directory of a Linux system, so only your own files may be deleted there.

SBIT likewise has two representations.
Letter form: the character t, for example chmod o+t directory_name
Number form: the digit 1, for example chmod 1777 directory_name
Summary of the numeric form: SUID is 4, SGID is 2, SBIT is 1. To set several of them at once, add their values (just as with the rwx digits); chmod 7777 directory_name turns on all the special permissions (though turning all of them on is usually meaningless).
Setting with letters: chmod [u+s],[g+s],[o+t] filename
Removing with letters: chmod [u-s],[g-s],[o-t] filename

(3) Hidden permissions of files

Besides the basic and special permissions, files in Linux also have hidden permissions, which users cannot see by default.
Hidden permissions are not shown by the ordinary ls command; they are set with the dedicated chattr command and viewed with the dedicated lsattr command.

[root@hollowman ~]# lsattr
------------------ ./hollowman
[root@hollowman ~]# chattr +i hollowman    
[root@hollowman ~]# lsattr
----i------------- ./hollowman

The example above sets the hidden permission i on the hollowman directory (meaning that the contents of existing files inside it may still be modified, but files cannot be created or deleted).
Related options:

i	the file cannot be modified; on a directory, only the contents of existing files inside it can be changed, and files cannot be created or deleted
a	append only: content may be added but not overwritten or deleted (Append Only)
S	changes to the file's contents are written to disk immediately (sync)
s	when deleted, the file is wiped from disk and cannot be recovered (its disk region is filled with zeros)
A	the last access time (atime) of the file or directory is no longer updated
b	the access time of the file or directory is no longer updated
D	check for errors in compressed files
d	skip this file/directory when backing up with the dump command
c	compress the file or directory by default
u	keep the data on disk after the file is deleted, so that it can be recovered later
t	let the filesystem use tail-merging
x	allow direct access to the contents of compressed files

Examples:

[root@hollowman ~]# touch ./hollowman/newfile
touch: setting times of './hollowman/newfile': No such file or directory
[root@hollowman ~]# chattr -i hollowman
[root@hollowman ~]# touch ./hollowman/newfile

In the example above, creating newfile in the hollowman directory, on which the hidden permission i was set, fails with an error, exactly as the option's description says. After removing the i permission, the file is created successfully.

2. File Access Control List FACL (File Access Control List)

Sometimes particular users or groups need extra access rights that cannot be expressed through the file's ordinary permissions; this is where FACL comes in.
In other words, ordinary file permissions cover the common cases (user, group, other), while FACL covers the individual cases (a particular user within the group, or a particular user or group among the others).

1.getfacl

Reads the ACL permissions of a file.

[root@hollowman ~]# getfacl hollowman/       
# file: hollowman/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

The above example demonstrates reading the facl of the /root/hollowman directory

2.setfacl

Sets the ACL permissions of a file. Syntax: setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...

-m,       --modify=acl          modify the file's ACL entries
-M,       --modify-file=file    read the ACL entries to modify from file
-x,       --remove=acl          remove entries from the file's ACL
-X,       --remove-file=file    read the ACL entries to remove from file
-b,       --remove-all          remove all extended ACL entries
-k,       --remove-default      remove the default ACL
          --set=acl             set the file's ACL, replacing the current one
          --set-file=file       read the ACL entries to set from file
          --mask                recalculate the effective rights mask
-n,       --no-mask             do not recalculate the effective rights mask
-d,       --default             operate on the default ACL
-R,       --recursive           recurse into subdirectories
-L,       --logical             logical walk: follow symbolic links
-P,       --physical            physical walk: do not follow symbolic links
          --restore=file        restore ACLs (the inverse of "getfacl -R")
          --test                test mode: the ACLs are not actually modified
-v,       --version             print the version and exit
-h,       --help                show this help text

Examples:

[root@hollowman ~]# setfacl -Rm u:hollowman:rwx hollowman/  # use -R on a directory to apply the ACL recursively
[root@hollowman ~]# getfacl hollowman/    
# file: hollowman/
# owner: root
# group: root
user::rwx
user:hollowman:rwx       # the ACL entry for user hollowman that was just added
group::r-x
mask::rwx    # strange, isn't it? a mask entry has also appeared
other::r-x

The mask entry is the upper bound on the permissions that ACL entries for users and groups can actually grant: an entry cannot exceed the mask, and any excess is ineffective.
By default, setfacl recalculates the mask after each change, setting it to the union (the highest) of the permissions in those entries: if the only entry is rwx, the mask becomes rwx; if the highest is rw, the mask becomes rw. The -n option skips this recalculation, and the mask can also be set explicitly.

[root@hollowman ~]# setfacl -Rm g:hollowman:rwx hollowman/
[root@hollowman ~]# getfacl hollowman/
# file: hollowman/
# owner: root
# group: root
user::rwx
user:hollowman:rwx
group::r-x
group:hollowman:rwx  # the ACL entry for group hollowman that was just added
mask::rwx
other::r-x
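As an added example (not from the original post), the following shell function applies the mask rule just described to constructed getfacl-style text: the mask caps the named user, named group and owning group entries, while the owner entry (user::) and the other entry are not subject to it. The ACL text, the names hollowman and hy and the mask value r-x are constructed for this example; the optional live run only executes when setfacl and getfacl are installed and a directory path is passed to it.

```shell
#!/bin/sh
# Added example (not from the original post): compute the effective permission
# of an ACL entry under the mask, from getfacl-style output.

# Constructed sample in getfacl's output format. The mask is r-x, so the rwx
# granted to user hollowman and the rw- granted to group hy are both capped.
SAMPLE_ACL='# file: hollowman/
# owner: root
# group: root
user::rwx
user:hollowman:rwx
group::r-x
group:hy:rw-
mask::r-x
other::r-x'

# Return the rwx field of the first entry whose tag matches $2. Tags are
# "user:NAME" / "group:NAME" for named entries, "user:" for the owner,
# "group:" for the owning group, "other:" and "mask". Trailing comments
# such as "#effective:r--" are stripped.
acl_field() {
    printf '%s\n' "$1" | grep "^$2:" | head -n 1 | cut -d: -f3 | sed 's/[[:space:]].*//'
}

# Effective permission of entry $2 in ACL text $1: the entry ANDed with the
# mask, except for the owner and other entries, which the mask does not limit.
effective_perm() {
    entry=$(acl_field "$1" "$2")
    [ -z "$entry" ] && { echo none; return 0; }
    case $2 in user:|other:) echo "$entry"; return 0 ;; esac
    mask=$(acl_field "$1" mask)
    [ -z "$mask" ] && { echo "$entry"; return 0; }
    out=""; i=1
    while [ "$i" -le 3 ]; do
        e=$(printf '%s\n' "$entry" | cut -c"$i")
        k=$(printf '%s\n' "$mask" | cut -c"$i")
        if [ "$e" != - ] && [ "$k" != - ]; then out="$out$e"; else out="$out-"; fi
        i=$((i + 1))
    done
    echo "$out"
}

# Optional live check on a real directory ($1): grant the current user rwx
# through an ACL entry, pin the mask to r-x, and let getfacl show the
# "#effective:" annotation. Runs only if the ACL tools are installed.
live_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed"; return 0; }
    [ -d "$1" ] || { echo "usage: live_demo DIRECTORY"; return 0; }
    setfacl -m "u:$(id -un):rwx,m::r-x" "$1" && getfacl "$1"
}

printf 'user:hollowman -> %s\n' "$(effective_perm "$SAMPLE_ACL" user:hollowman)"
printf 'group:hy       -> %s\n' "$(effective_perm "$SAMPLE_ACL" group:hy)"
printf 'owner (user::) -> %s\n' "$(effective_perm "$SAMPLE_ACL" user:)"
```

This is the check to run when an ACL entry "does not work": a user:hollowman:rwx entry under a mask of r-x gives hollowman only r-x, and getfacl itself prints that as an #effective: comment beside the entry.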

Also, how can we tell whether a file has ACL permissions without running getfacl?
In the ls -l output, a plus sign (+) in the 11th position means the file has an ACL; a file without one shows a dot (.) there.

[root@hollowman ~]# ls -ld hollowman
drwxrwxr-x+ 2 root root 6 Dec 20 20:20 hollowman

3. FACL authority backup

FACL settings take effect immediately and persist; no configuration file needs to be edited. But what if you set something wrong by accident? Back up the FACL permissions first, and then restore them with the --restore option.
1) Back up the facl permissions of the hollowman directory

[root@hollowman ~]# groupadd hy   # create a group hy for the next steps
[root@hollowman ~]# getfacl -R hollowman >back.acl

2) Add a facl permission to the hy user group.

[root@hollowman ~]# setfacl -Rm g:hy:rwx hollowman/  # add an ACL entry for group hy
[root@hollowman ~]# getfacl hollowman/
# file: hollowman/
# owner: root
# group: root
user::rwx
user:hollowman:rwx
group::r-x
group:hollowman:rwx 
group:hy:rwx
mask::rwx
other::r-x

3) After restoring the backup, read the ACL permissions of the hollowman directory again: the entry for group hy that was just added is gone.

[root@hollowman ~]# setfacl --restore back.acl    
[root@hollowman ~]# getfacl hollowman/    
# file: hollowman/
# owner: root
# group: root
user::rwx
user:hollowman:rwx
group::r-x
group:hollowman:rwx
mask::rwx
other::r-x

Origin blog.csdn.net/ymz641/article/details/111569712