1. Modify the file owner and group
- chown: set the owner of the file
- chgrp: set the group of the file
- Modify file owner: chown
Format: chown [OPTION]... [OWNER][:[GROUP]] FILE...
(Only the root user may change the owner of a file. In the command, the ":" separator may also be written as ".".)
Usage:
- OWNER. Example: chown duan filename. Changes the owner of filename (root only).
- OWNER:GROUP. Example: chown duan:wang filename. Changes both the owner and the group of filename (root only).
- :GROUP. Example: chown :wang filename. Changes only the group of filename (a normal user must own the file and be a member of the wang group; root can always do it).
- -R: recursive. Example: chown -R duan dirname. Recursively changes the owner of everything under dirname (including the directory itself), but does not touch the .. entry (the parent directory).
Format: chown [OPTION]... --reference=RFILE FILE...
Example: chown --reference=f1.file app1. Sets the owner and group of app1 to those of f1.file (changing the owner requires root; to change the group, the user must own both files and belong to the group of f1.file).
Note: chown -R duan dirname/.* (never do this!). The .* glob also expands to dirname/.. (the parent directory), so the owner of every file under the parent is changed as well. If the parent of the target directory is /, the owner of every file on the system is changed, causing serious damage.
chown -R duan /* (never do this!). Changes the owner of every file on the system.
2. Modify the group of the file: chgrp
Format: chgrp [OPTION]... GROUP FILE...
- Example: chgrp duan filename. Changes the group of filename (a normal user must own the file and be a member of the duan group).
Format: chgrp [OPTION]... --reference=RFILE FILE...
- Sets the group of FILE to the group of RFILE (a normal user must own FILE and be a member of RFILE's group).
- -R: recursively changes the group of everything under the directory (including the directory itself), but does not touch the .. entry (the parent directory).
Note: chgrp -R duan dirname/.* (never do this!). The .* glob also expands to dirname/.. (the parent directory), so the group of every file under the parent is changed as well. If the parent of the target directory is /, the group of every file on the system is changed, causing serious damage.
chgrp -R duan /* (never do this!). Changes the group of every file on the system.
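The two warnings above (for chown and for chgrp) rest on what the shell expands dirname/.* to. As an added example that is not from the original notes, the script below shows that expansion inside a scratch directory and the safe form that recurses from the directory itself; the owner duan from the notes is hypothetical, so the change is applied with the current user's uid to run unprivileged. Caveat: bash 5.2 and later skip . and .. in globs by default (globskipdots), while dash and older bash include them, so the dangerous expansion depends on which shell runs the command.

```shell
# Added example, not part of the original notes. Everything happens inside a
# scratch directory created by mktemp; nothing outside it is touched.

# expand_dotstar_glob DIR: print each word the shell would hand to chown for DIR/.*
expand_dotstar_glob() {
    for w in "$1"/.*; do printf '%s\n' "$w"; done
}

# count_dot_entries DIR: how many of those words are DIR/. or DIR/.. (the parent!)
# 2 on shells that match . and .. (dash, bash < 5.2), 0 on bash >= 5.2 (globskipdots)
count_dot_entries() {
    expand_dotstar_glob "$1" | grep -c -E '/\.\.?$' || true
}

# safe_recursive_change DIR UID: recurse from the directory itself; -R already
# descends into hidden entries and never climbs to the parent directory.
# Prints the number of entries whose owner matches UID afterwards.
safe_recursive_change() {
    chown -R "$2" "$1"
    find "$1" -user "$2" | wc -l | tr -d ' '
}

demo() {
    d=$(mktemp -d)
    mkdir "$d/sub"; touch "$d/.hidden" "$d/sub/.cfg" "$d/visible"
    echo "words produced by $d/.* :"; expand_dotstar_glob "$d"
    echo "parent-directory entries among them: $(count_dot_entries "$d")"
    # "duan" is the hypothetical target owner from the notes; an unprivileged run
    # can only keep the current owner, so the current uid is used instead.
    echo "entries owned after safe change: $(safe_recursive_change "$d" "$(id -u)")"
    rm -rf "$d"
}
demo
```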
2. File permissions
- General permission categories
File:
- r: read permission (the content can be read with file-viewing tools)
- w: write permission (the content can be modified)
- x: execute permission (the file can be handed to the kernel and started as a process)
Directory:
- r: read permission (ls can list the names of the files in the directory)
- w: write permission (files and subdirectories can be created and deleted in the directory)
- x: execute permission (you can cd into the directory and view the file list with ls -l; this is the basic permission of a directory)
Format:
Method 1 (octal / numeric notation): chmod [OPTION]... OCTAL-MODE FILE...
- r = 4 (100), w = 2 (010), x = 1 (001); the parentheses show the binary form, where 1 means the permission is granted and 0 means it is not.
- Example: chmod 666 filename sets the permissions to rw-rw-rw-.
Method 2 (symbolic notation): chmod [OPTION]... MODE[,MODE]... FILE...
- MODE, resetting all permissions of one class of users: u = file owner; g = users in the file's group; o = other users; a = all users. Forms: u= g= o= ug= a= u=,g=
- MODE, adding or removing individual permission bits of one class of users: u = file owner; g = users in the file's group; o = other users; a or nothing = all users. Forms: u+ u- g+ g- o+ o- a+ a-; + adds and - removes the listed permissions.
- -R: recursively modify permissions.
Format: chmod [OPTION]... --reference=RFILE FILE... Sets the permissions of FILE to be the same as those of RFILE.
umask essentially removes the corresponding permission bits from the default.
- New directory default permissions: umask + default = 777 (i.e. default = 777 - umask).
- New file default permissions: umask + default = 666 (i.e. default = 666 - umask). If a digit of the subtraction result is odd, add 1 to it; even digits stay unchanged (this prevents newly created files from being executable by default, which would be unsafe). Strictly, the kernel computes default AND NOT umask bit by bit; the odd-digit rule is a shortcut for that.
- Unprivileged users have umask 002; root has umask 022.
- umask: show the current umask value.
- Setting the umask. Example: umask 002 temporarily sets the umask to 002.
- umask -S: display the mask in symbolic form, e.g. u=rwx,g=rx,o=x
- umask -p: display output that can be re-run as a command, e.g. umask 0026; this output can be appended to the .bashrc configuration file to make it persistent.
- Global setting: /etc/bashrc. Per-user setting: ~/.bashrc
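To make the umask arithmetic concrete, here is an added example (not from the original notes) that computes the default mode the way the kernel does, bitwise, and checks it against a real file and directory created in a scratch directory under each umask. The umask values are the ones from the notes plus 023 and 027, which show why plain subtraction needs the odd-digit correction.

```shell
# Added example, not part of the original notes.

# default_mode BASE UMASK: the mode the kernel assigns, BASE AND NOT UMASK (octal)
# e.g. default_mode 666 022 -> 644, default_mode 777 022 -> 755
default_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# actual_modes UMASK: "<file mode> <dir mode>" as stat reports them after creating
# a file and a directory under that umask (the umask change stays in a subshell)
actual_modes() {
    d=$(mktemp -d)
    ( umask "$1" && touch "$d/f" && mkdir "$d/dir" )
    printf '%s %s\n' "$(stat -c %a "$d/f")" "$(stat -c %a "$d/dir")"
    rm -rf "$d"
}

# Why the notes' "odd digit + 1" rule exists: umask 023 on a new file
#   666 - 023 = 643   (subtraction tries to remove a bit 6 never had)
#   666 & ~023 = 644  (bitwise: 6=110, ~3=100 -> 100 = 4)
for m in 022 002 023 027; do
    echo "umask $m: computed file $(default_mode 666 "$m") dir $(default_mode 777 "$m")" \
         "| actual: $(actual_modes "$m")"
done
```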
1. How the process of a binary executable accesses resource files
Premise: processes have an owner and a group; files have an owner and a group.
(1) Whether an executable program file can be started as a process depends on whether the initiator has execute permission on the program file.
(2) Once started, the process's owner is the initiator and the process's group is the initiator's group.
(3) The permission a process has when accessing a file depends on the initiator of the process:
  (a) if the initiator is the file's owner, the file's owner permissions apply;
  (b) if the initiator belongs to the file's group, the file's group permissions apply;
  (c) otherwise the file's "other" permissions apply.
2. SUID permission
How the process of a SUID binary executable accesses resource files:
(1) Whether the program file can be started as a process still depends on whether the initiator has execute permission on it.
(2) Once started, the process's owner is the owner of the original program file.
(3) The permission the process has when accessing a file depends on the process's owner:
  (a) if the process's owner is the file's owner, the file's owner permissions apply;
  (b) if the process's owner belongs to the file's group, the file's group permissions apply;
  (c) otherwise the file's "other" permissions apply.
Setting: chmod u+s FILE... | chmod 4MODE FILE... adds SUID to a binary executable (MODE is the file's ordinary permission); chmod u-s FILE... | chmod MODE FILE... removes SUID from a binary executable.
Notes:
1. SUID only takes effect on binary executables.
2. SUID set on a directory has no meaning.
3. Essence: the process inherits the access rights that the executable's owner has on file resources.
3. SGID permission
i. How the process of a SGID binary executable accesses resource files:
(1) Whether the program file can be started as a process depends on whether the initiator has execute permission on it.
(2) Once started, the process's group is the group of the original program file.
Setting: chmod g+s FILE... | chmod 2MODE FILE... adds SGID to a binary executable (MODE is the file's ordinary permission); chmod g-s FILE... | chmod MODE FILE... removes SGID from a binary executable.
ii. SGID on a directory
By default, a file a user creates gets the user's primary group as its group. Once SGID is set on a directory, files created in it by users who have write permission on the directory get the directory's group.
Setting: chmod g+s DIR... | chmod 2MODE DIR adds SGID to a directory (MODE is the directory's ordinary permission); chmod g-s DIR... | chmod MODE DIR removes SGID from a directory.
4. Sticky bit
In a directory on which a user has write permission, the user can normally delete any file in it, regardless of that file's permissions or ownership. With the sticky bit set on the directory, only the file's owner or root can delete the file. The sticky bit set on a file has no meaning.
Setting: chmod o+t DIR... | chmod 1MODE DIR sets the sticky bit on a directory (MODE is the directory's ordinary permission); chmod o-t DIR... | chmod MODE DIR removes the sticky bit from a directory.
5. Permission bit mapping
- SUID: user; occupies the owner's execute bit. s: the owner has x; S: the owner does not have x.
- SGID: group; occupies the group's execute bit. s: the group has x; S: the group does not have x.
- Sticky: other; occupies the execute bit of other. t: other has x; T: other does not have x.
chattr +i filename: the file cannot be deleted, renamed or modified. Remove with: chattr -i filename
chattr +a filename: content can only be appended. Remove with: chattr -a filename
chattr +A filename: lock the atime so it is not updated
lsattr filename: show the special attributes of the file
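The bit mapping in item 5 above is easiest to see by setting the bits and reading the mode string back. This added example (not from the original notes) does that on scratch files and directories created with mktemp, decodes the s/S and t/T letters, and ends with the audit a defender runs to list SUID/SGID binaries in a directory; the /usr/bin path is just a sample location.

```shell
# Added example, not part of the original notes. Scratch files and directories
# are created with mktemp, given special bits, and their mode strings read back.

# file_mode_string OCTAL: ls-style mode of a scratch regular file after chmod OCTAL
file_mode_string() {
    f=$(mktemp); chmod "$1" "$f"; stat -c %A "$f"; rm -f "$f"
}

# dir_mode_string OCTAL: the same for a scratch directory (sticky matters on directories)
dir_mode_string() {
    d=$(mktemp -d); chmod "$1" "$d"; stat -c %A "$d"; rmdir "$d"
}

# describe_special MODESTRING: decode the three execute slots (characters 4, 7, 10):
#   owner slot s/S = SUID with/without owner x, group slot s/S = SGID, other slot t/T = sticky
describe_special() {
    out=""
    case $(printf '%s' "$1" | cut -c4)  in s) out="SUID+x";;           S) out="SUID-x";;           esac
    case $(printf '%s' "$1" | cut -c7)  in s) out="$out SGID+x";;      S) out="$out SGID-x";;      esac
    case $(printf '%s' "$1" | cut -c10) in t) out="$out sticky+x";;    T) out="$out sticky-x";;    esac
    printf '%s\n' "${out# }"
}

# list_special_bits DIR: defensive audit of regular files carrying SUID or SGID
list_special_bits() {
    find "$1" -xdev -type f -perm /6000 -exec stat -c '%A %U:%G %n' {} + 2>/dev/null
}

for m in 4755 4655 2755 2745 6755; do
    s=$(file_mode_string "$m"); echo "chmod $m (file) -> $s  [$(describe_special "$s")]"
done
for m in 1777 1666; do
    s=$(dir_mode_string "$m"); echo "chmod $m (dir)  -> $s  [$(describe_special "$s")]"
done
echo "SUID/SGID files under /usr/bin (first five):"
list_special_bits /usr/bin | head -n 5
```

One caveat a practitioner should know: GNU chmod preserves a directory's SUID and SGID bits when given a three-digit numeric mode, so clear them on directories with g-s or u-s rather than relying on chmod MODE DIR.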
Beyond the file's owner, group and others, an ACL can set permissions for additional users and groups.
- The xfs and ext4 file systems created by default on CentOS 7 have ACL support.
- On versions before CentOS 7, a manually created ext4 file system has no ACL support by default; it must be enabled by hand: tune2fs -o acl /dev/sdb1 and mount -o acl /dev/sdb1 /mnt/test
1. ACL evaluation order: owner, named users, named groups (when the user belongs to several groups, the permissions accumulate), file group permission (the mask), others.
2. Granting rwx access on files and directories to multiple users or groups (once an ACL is set, a "+" appears after the permission field in the file's detailed listing):
• mount -o acl /directory
• getfacl file|directory: show the ACL of a file or directory
• setfacl -m u:wang:rwx file|directory: add a named-user entry
• setfacl -Rm g:sales:rwX directory: recursively add a named-group entry to a directory. Note: when adding recursively, use a capital X for the execute permission
• setfacl -M file.acl file|directory: read entries from a file and add them in batch
• setfacl -m g:salesgroup:rw file|directory: add a named-group entry
• setfacl -m d:u:wang:rx directory: add a default entry to a directory (files created in this directory get this ACL entry by default)
• setfacl -x u:wang file|directory: remove a named-user entry
• setfacl -X file.acl directory: read entries from a file and remove them in batch
• setfacl -k dir: delete the default ACL entries
• setfacl -b file1: clear all ACL entries
• getfacl file1 | setfacl --set-file=- file2: copy the ACL of file1 to file2
3. mask (the file's group permission)
The mask is the upper limit on named-user and named-group permissions (the maximum permission anyone other than the owner and others can have; it is equivalent to the file's group permission).
Setting the mask: setfacl -m mask::MODE filename sets the mask of filename and changes its group permission bits at the same time; ACL entries that exceed the mask become ineffective (the file owner and others excepted) and are capped at the mask permission (MODE is the permission value to set).
Note: if a newly added named-user or named-group entry has a higher permission than the current mask, the mask is recalculated to that higher value, which in turn re-enables entries that were previously capped.
4. Backing up and restoring ACLs
The main file commands cp and mv both support ACLs, but cp needs the -p option. Common backup tools such as tar do not preserve the ACL information of directories and files.
• getfacl -R /tmp/dir1 > acl.txt: redirect the ACLs of all files in the directory into acl.txt
• setfacl -R -b /tmp/dir1: clear the ACLs of all files in the directory
• setfacl -R --set-file=acl.txt /tmp/dir1: restore the ACLs of the specified files
• setfacl --restore acl.txt: restore the ACLs of all files saved in acl.txt
• getfacl -R /tmp/dir1: show the ACLs of all files under the directory (including the directory itself)
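The mask behaviour described in item 3 (entries above the mask become ineffective, and a newly added higher entry raises the mask again) is shown by this added example, which is not from the original notes. It works on a scratch file with a named-user entry for the constructed uid 12345 (no such account needs to exist), so it runs unprivileged; it needs setfacl/getfacl on an ACL-enabled file system and prints SKIP otherwise.

```shell
# Added example, not part of the original notes.

# parse_effective GETFACL_LINE: the permission an entry actually grants, i.e. the
# "#effective:" value when getfacl prints one, otherwise the entry's own permission
parse_effective() {
    case $1 in
        *'#effective:'*) printf '%s\n' "${1##*#effective:}";;
        *)               printf '%s\n' "${1##*:}";;
    esac
}

# effective_perms FILE ENTRY: effective permission of one ACL entry (e.g. user:12345)
effective_perms() {
    parse_effective "$(getfacl -c "$1" | grep "^$2:")"
}

# demo_mask: prints "<eff1> <mode1> <eff2> <mode2> <eff3>"; expected "rwx 670 r-- 640 rw-"
demo_mask() {
    command -v setfacl >/dev/null 2>&1 || { echo SKIP; return 0; }
    d=$(mktemp -d); f=$d/data; : > "$f"; chmod 640 "$f"
    if ! setfacl -m u:12345:rwx "$f" 2>/dev/null; then rm -rf "$d"; echo SKIP; return 0; fi
    e1=$(effective_perms "$f" user:12345)   # mask recalculated to rwx: entry fully effective
    m1=$(stat -c %a "$f")                   # group digit of the mode now shows the mask: 670
    setfacl -m mask::r-- "$f"               # cap the mask below the entry
    e2=$(effective_perms "$f" user:12345)   # entry still says rwx, getfacl adds #effective:r--
    m2=$(stat -c %a "$f")                   # 640: the group digit mirrors the mask again
    setfacl -m u:12345:rw- "$f"             # entry above the mask: mask recalculated to rw-
    e3=$(effective_perms "$f" user:12345)
    rm -rf "$d"
    printf '%s %s %s %s %s\n' "$e1" "$m1" "$e2" "$m2" "$e3"
}
demo_mask
```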