Linux file permissions management

1. Modify the file owner and group

  • chown: set the owner of a file
  • chgrp: set the group of a file
  1. Modify the file owner: chown
Format: chown [OPTION]... [OWNER][:[GROUP]] FILE...   (only the root user may change a file's owner; in the command the ':' separator may also be written as '.')
Usage:
     OWNER         Example: chown duan filename          Change the owner of filename (root only)
     OWNER:GROUP   Example: chown duan:wang filename     Change the owner and group of filename (root only)
     :GROUP        Example: chown :wang filename         Change only the group of filename (the user must own the file and belong to the wang group; root can always do it)
     -R            Example: chown -R duan dirname        Recursively change the owner of everything in dirname (including the directory itself); the .. entry (parent directory) inside dirname is not touched
     chown [OPTION]... --reference=RFILE FILE...
                   Example: chown --reference=f1.file app1   Give app1 the same owner and group as f1.file (changing the owner requires root; to change only the group, the user must own both files and belong to f1.file's group)

     Note: chown -R duan dirname/.*   (never run this! The pattern dirname/.* also expands to dirname/.., the parent directory, so the owner of everything under the parent is changed as well; if that parent is /, the owner of every file on the system is changed, causing serious damage)

           chown -R duan /*           (never run this! It changes the owner of every file on the system)

  2. Modify the file group: chgrp

     Format: chgrp [OPTION]... GROUP FILE...
                   Example: chgrp duan filename           Change the group of filename (the user must own the file and belong to the duan group)
             chgrp [OPTION]... --reference=RFILE FILE...   Give FILE the same group as RFILE (the user must own FILE and belong to RFILE's group)
             -R                                            Recursively change the group of everything in the directory (including the directory itself); the .. entry (parent directory) inside it is not touched

     Note: chgrp -R duan dirname/.*   (never run this! The pattern dirname/.* also expands to dirname/.., the parent directory, so the group of everything under the parent is changed as well; if that parent is /, the group of every file on the system is changed, causing serious damage)

           chgrp -R duan /*           (never run this! It changes the group of every file on the system)
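The hazard behind the two "never run this" notes is that the shell, not chown or chgrp, decides what the argument list is: in dash and older bash the pattern dirname/.* expands to dirname/. and dirname/.. as well as the hidden entries, and /* expands to every top-level directory. The following guard is an added example, not part of the original notes: it inspects the expanded argument list before anything is changed and refuses on ".", "..", "/" or a direct child of "/", and it shows a find-based alternative that can only ever name the hidden entries inside dirname. The directory it examines is constructed in a temporary location, duan is the user name from the notes, and chown is echoed rather than executed.

```shell
#!/bin/sh
# Guard to run before a recursive chown/chgrp/chmod. It refuses when the expanded
# argument list contains the current directory (.), a parent directory (..), the root
# (/) or a direct child of / (which is what "/*" expands to).
# Constructed demo data only; chown is echoed, never executed.

# check_recursive_targets PATH...: print "ok", or "unsafe: <path>" and return 1
check_recursive_targets() {
    for target in "$@"; do
        case "$target" in
            /|.|..|*/.|*/..) echo "unsafe: $target"; return 1 ;;   # the dirname/.* hazard
            /*/*) ;;                                               # a path below a top-level directory
            /*) echo "unsafe: $target"; return 1 ;;                # a top-level directory, i.e. what /* yields
        esac
    done
    echo ok
}

# hidden_entries DIR: the hidden entries inside DIR, enumerated by find so that
# . and .. can never appear; this is what "dirname/.*" is usually meant to say
hidden_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*'
}

# safe_recursive_chown OWNER DIR: chown -R over hidden_entries only (echoed here)
safe_recursive_chown() {
    hidden_entries "$2" | while IFS= read -r entry; do
        echo chown -R "$1" "$entry"
    done
}

demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/dirname"
    touch "$tmp/dirname/.hidden" "$tmp/dirname/visible"

    echo "dirname/.* expands in this shell to:"
    for p in "$tmp/dirname"/.*; do echo "  $p"; done
    check_recursive_targets "$tmp/dirname"/.* || echo "refused: not running chown"

    echo "find-based alternative:"
    safe_recursive_chown duan "$tmp/dirname"
    rm -rf "$tmp"
}
demo
```

Newer bash versions skip . and .. in glob results by default, so the demo may print "ok" there; the guard still catches an argument list that arrived from a script, a cron job or a different shell.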

2. File permissions

  1. Ordinary permissions

     Files:
     • r: read permission (the content can be obtained with file-viewing tools)
     • w: write permission (the content can be modified)
     • x: execute permission (the file can be handed to the kernel and started as a process)
     Directories:
     • r: read permission (the list of file names in the directory can be viewed with ls)
     • w: write permission (files and subdirectories can be created and deleted in the directory)
     • x: execute permission (the detailed listing can be viewed with ls -l and the directory can be entered with cd; this is the basic permission of a directory)
          Note: Without execute permission on a directory you cannot cd into it, cannot view the detailed attributes of the files in it (only their names) and cannot view file contents; you cannot create, delete or rename files, but you can overwrite an existing file (given write permission on that file).
     X permission: does not add execute permission to files that lack it; used mainly with -R (when recursively adding execute permission to a directory tree, always use 'X', otherwise every file becomes executable)
          Example: chmod -R +X dirname   # add execute permission to dirname, its subdirectories and the files that are already executable; non-executable files are left alone
          Note: the r and w permissions do not restrict the root user, nor does the x permission of a directory; for a binary executable program, root can execute it as long as any one of the three permission classes has the x bit, whatever the other x settings are; for non-binary executable program files (none of the three permission classes of the file has the x permission
 
            
  2. Modifying file permissions: the chmod command
Format:
     Method 1 (octal, numeric notation): chmod [OPTION]... OCTAL-MODE FILE...
          r: 4 (100); w: 2 (010); x: 1 (001)   The value in parentheses is binary: 1 means the permission is granted, 0 means it is not
          Example: chmod 666 filename   gives the permissions rw-rw-rw-
     Method 2 (symbolic mode): chmod [OPTION]... MODE[,MODE]... FILE...
          MODE:
             Reset all permissions of one class of users: u: file owner; g: the file's group; o: other users; a: all users
                 u= g= o= ug= a= u=,g=        assign permissions
             Add or remove individual permission bits for one class of users: u: file owner; g: the file's group; o: other users; a or nothing: all users
                 u+ u- g+ g- o+ o- a+ a- + -  add or remove permissions
             -R: recursively modify permissions
          chmod [OPTION]... --reference=RFILE FILE...   Make the permissions of FILE the same as those of RFILE
     Notes:
       1. Only the root user and the file's owner can modify a file's permissions
       2. When a user operates on a file, first check whether the user is the owner: yes -> the owner permissions apply; no -> check whether the user belongs to the file's group: yes -> the group permissions apply; no -> the other permissions apply
          Permission precedence (which class is checked first, not which grants more): owner > group > other
       3. The file's metadata (permissions, owner, group, etc.) is maintained by the Linux filesystem (ext4 and xfs support it)
       4. chmod -R MODE /*   (never run this! It destroys the permissions of every file on the system)
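The two notations and the special-case X can be checked directly by applying them to throw-away files and reading the result back with ls -l. The script below is an added example, not code from the original notes: it starts each constructed temporary file at 000, applies the chmod forms listed above, and returns the nine permission characters. It assumes GNU coreutils (needed for --reference), as on CentOS.

```shell
#!/bin/sh
# Apply chmod expressions from the notes to constructed temporary files and read
# back the nine permission characters ls -l shows. Assumes GNU coreutils
# (for --reference), as on CentOS.

# perm_string PATH: the rwxrwxrwx part of "ls -ld PATH"
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# mode_after MODE...: start a fresh file at 000, apply each MODE in turn, report the result
mode_after() {
    f=$(mktemp)
    chmod 000 "$f"
    for m in "$@"; do chmod "$m" "$f"; done
    perm_string "$f"
    rm -f "$f"
}

# reference_mode: --reference copies one file's permission bits onto another
reference_mode() {
    a=$(mktemp); b=$(mktemp)
    chmod 640 "$a"
    chmod 777 "$b"
    chmod --reference="$a" "$b"
    perm_string "$b"
    rm -f "$a" "$b"
}

# capital_x_demo: "-R a+X" adds x to directories and to files that already have an x bit,
# but leaves non-executable files alone (a+ is used so the umask plays no part)
capital_x_demo() {
    d=$(mktemp -d)
    mkdir "$d/sub"
    touch "$d/script" "$d/data"
    chmod 744 "$d/sub"              # directory whose group/other lack x
    chmod 744 "$d/script"           # file that is already executable by its owner
    chmod 644 "$d/data"             # file with no x bit at all
    chmod -R a+X "$d"
    echo "$(perm_string "$d/sub") $(perm_string "$d/script") $(perm_string "$d/data")"
    rm -rf "$d"
}

echo "chmod 666                   -> $(mode_after 666)"
echo "chmod u=rwx,g=rx,o=         -> $(mode_after u=rwx,g=rx,o=)"
echo "chmod 644, g+w, o-r         -> $(mode_after 644 g+w o-r)"
echo "chmod --reference (640)     -> $(reference_mode)"
echo "chmod -R a+X (dir/exe/data) -> $(capital_x_demo)"
```

The last line shows the point of X: the directory and the already-executable file end up rwxr-xr-x while the data file stays rw-r--r--.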
        
  3. Default permissions (umask) for new files and directories
     umask essentially removes the corresponding permission bits
     Default permissions of a new directory:
          umask + default permission = 777
     Default permissions of a new file:
          umask + default permission = 666; if a digit of the computed default is odd, add 1 to it, even digits stay unchanged (so that a newly created file never gets execute permission by default, which would be unsafe)
     The umask of unprivileged users is 002; the umask of root is 022
     umask              view the current umask value
     Setting the umask: Example: umask 002   temporarily set the umask to 002
     umask -S           display the umask in symbolic form, e.g. u=rwx,g=rx,o=x
     umask -p           display it as a reusable command, e.g. umask 0026; this output can be appended to the .bashrc configuration file
     Global setting: /etc/bashrc   Per-user setting: ~/.bashrc
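The arithmetic above is easiest to trust when it is checked against what the kernel actually does. This added example (not from the original notes) computes the default mode for a file (base 666) and a directory (base 777) by masking out the umask bits, then creates a file and a directory under that umask in a subshell and reads the real mode back. It assumes a POSIX shell whose arithmetic accepts octal constants and GNU stat for the read-back, as on CentOS.

```shell
#!/bin/sh
# Compute the default mode a umask yields for new files (base 666) and directories
# (base 777) by clearing the umask bits, then create a file and a directory under that
# umask and compare. Assumes POSIX sh with octal arithmetic and GNU stat.

# expected_mode BASE UMASK: BASE with the umask bits removed, as three octal digits
expected_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}
expected_file_mode() { expected_mode 666 "$1"; }
expected_dir_mode()  { expected_mode 777 "$1"; }

# actual_file_mode UMASK: create a file under UMASK and report its real mode
actual_file_mode() {
    d=$(mktemp -d)
    ( umask "$1"; touch "$d/f" )        # umask is changed only inside the subshell
    stat -c '%a' "$d/f"
    rm -rf "$d"
}

# actual_dir_mode UMASK: same for a directory
actual_dir_mode() {
    d=$(mktemp -d)
    ( umask "$1"; mkdir "$d/sub" )
    stat -c '%a' "$d/sub"
    rm -rf "$d"
}

for u in 002 022 027 077; do
    printf 'umask %s: file %s (observed %s), directory %s (observed %s)\n' "$u" \
        "$(expected_file_mode "$u")" "$(actual_file_mode "$u")" \
        "$(expected_dir_mode "$u")" "$(actual_dir_mode "$u")"
done
```

umask 027 is the case where plain decimal subtraction goes wrong (666 minus 027 is not 640); the bitwise form and the kernel agree on 640 for the file and 750 for the directory.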
        
  4. Special permissions on Linux filesystems
     1. Permissions of a binary executable program when it accesses resource files
        Premise: processes have an owner and a group; files have an owner and a group
          (1) Whether an executable program file can be started as a process depends on whether the initiator has execute permission on the program file
          (2) Once started, the process's owner is the initiator and the process's group is the initiator's group
          (3) The permissions a process has on a file depend on the process's initiator:
                (a) the initiator is the file's owner: the file's owner permissions apply
                (b) the initiator belongs to the file's group: the file's group permissions apply
                (c) otherwise the file's "other" permissions apply
     2. SUID permission
          How a binary executable with SUID set accesses resource files:
          (1) Whether an executable program file can be started as a process depends on whether the initiator has execute permission on the program file
          (2) Once started, the process's owner is the owner of the program file
          (3) The permissions a process has on a file depend on the process's owner:
                (a) the process owner is the file's owner: the file's owner permissions apply
                (b) the process owner belongs to the file's group: the file's group permissions apply
                (c) otherwise the file's "other" permissions apply
          Setting the permission:
             chmod u+s FILE... | chmod 4MODE FILE...     add SUID to a binary executable (MODE is the file's ordinary permission)
             chmod u-s FILE... | chmod MODE FILE...      remove SUID from a binary executable
          Notes:
           1. SUID only takes effect on binary executable programs
           2. SUID set on a directory has no meaning
           3. Essence: the process inherits the access rights that the binary executable's owner has on file resources
     3. SGID permission
        i. How a binary executable with SGID set accesses resource files:
                  (1) Whether an executable program file can be started as a process depends on whether the initiator has execute permission on the program file
                  (2) Once started, the process's group is the group of the program file
           Setting the permission:
              chmod g+s FILE... | chmod 2MODE FILE...    add SGID to a binary executable (MODE is the file's ordinary permission)
              chmod g-s FILE... | chmod MODE FILE...     remove SGID from a binary executable
        ii. Setting SGID on a directory
                By default, a file created by a user gets the user's primary group as its group
                Once a directory has SGID set, files created in it by users with write permission on the directory get the directory's group
           Setting the permission:
              chmod g+s DIR... | chmod 2MODE DIR         add SGID to a directory (MODE is the directory's ordinary permission)
              chmod g-s DIR... | chmod MODE DIR          remove SGID from a directory
     4. Sticky bit
          In a directory they have write permission on, users can normally delete any file in it regardless of the file's permissions or ownership
          With the sticky bit set on the directory, only the file's owner or root can delete the file
             sticky set on a file has no meaning
          Setting the permission:
             chmod o+t DIR... | chmod 1MODE DIR         set the sticky bit on a directory (MODE is the directory's ordinary permission)
             chmod o-t DIR... | chmod MODE DIR          remove the sticky bit from a directory
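Because SUID, SGID and the sticky bit change who a process runs as or who may delete a file, an administrator wants to know exactly where they are set. The script below is an added example and not part of the original notes: it builds a constructed tree containing one SUID file (an empty stand-in for a binary), one SGID directory, one sticky directory and one ordinary file, sets the bits with the numeric chmod forms from sections 2 to 4, and then inventories them with find -perm. It assumes only POSIX sh, chmod, find and ls.

```shell
#!/bin/sh
# Constructed tree with one SUID file, one SGID directory, one sticky directory and one
# ordinary file; the bits are set with the numeric chmod forms from the notes and then
# inventoried with find, which is how an administrator checks where these bits exist.
# POSIX sh, chmod, find and ls only; the file standing in for a binary is empty.

# list_special DIR: ls -ld every entry under DIR that has SUID, SGID or the sticky bit set
list_special() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) -exec ls -ld {} +
}

# count_special DIR: how many such entries exist
count_special() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -1000 \) | wc -l | tr -d ' '
}

# make_demo_tree: create the constructed tree and print its path
make_demo_tree() {
    d=$(mktemp -d)
    touch "$d/suid_prog" "$d/plain"
    mkdir "$d/shared_dir" "$d/tmp_like"
    chmod 4755 "$d/suid_prog"     # same as chmod u+s on a 755 file
    chmod 0644 "$d/plain"         # no special bits
    chmod 2775 "$d/shared_dir"    # same as chmod g+s on a 775 directory
    chmod 1777 "$d/tmp_like"      # same as chmod o+t on a 777 directory
    echo "$d"
}

# demo_count: number of special-bit entries in a fresh constructed tree (3)
demo_count() {
    d=$(make_demo_tree)
    count_special "$d"
    rm -rf "$d"
}

d=$(make_demo_tree)
list_special "$d"
echo "entries with SUID/SGID/sticky: $(count_special "$d")"
rm -rf "$d"
```

Run list_special against / (with -xdev added to find if you want to stay on one filesystem) and compare the output with a known-good baseline; a new SUID file outside the usual system paths is worth explaining.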
     5. Permission bit mapping
          SUID: user, occupies the owner's execute bit
                     s: the owner has the x permission
                     S: the owner does not have the x permission
          SGID: group, occupies the group's execute bit
                     s: the group has the x permission
                     S: the group does not have the x permission
          Sticky: other, occupies the execute bit of other
                     t: other has the x permission
                     T: other does not have the x permission
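The mapping above is what ls -l prints, so a reader can confirm it by converting an octal mode by hand and comparing with the real listing. The following is an added example, not code from the original notes: a POSIX sh converter from a 3- or 4-digit octal mode to the nine permission characters, applying the s/S/t/T rule exactly as stated, plus a check that sets the same mode on a constructed temporary file or directory and reads the characters back with ls -ld.

```shell
#!/bin/sh
# Convert a 3- or 4-digit octal mode into the nine permission characters that
# ls -l prints, applying the s/S/t/T mapping, then check the result against
# chmod + ls on constructed temporary files. POSIX sh only.

# rwx BITS: a 3-bit value -> "rwx", "r--", ...
rwx() {
    b=$1; s=
    [ $(( b & 4 )) -ne 0 ] && s="${s}r" || s="${s}-"
    [ $(( b & 2 )) -ne 0 ] && s="${s}w" || s="${s}-"
    [ $(( b & 1 )) -ne 0 ] && s="${s}x" || s="${s}-"
    echo "$s"
}

# overlay TRIPLET LETTER: put LETTER in the execute position, lower-case when x
# is set underneath, upper-case when it is not (s/S for SUID and SGID, t/T for sticky)
overlay() {
    case "$1" in
        *x) echo "${1%x}$2" ;;
        *)  echo "${1%-}$(echo "$2" | tr a-z A-Z)" ;;
    esac
}

# octal_to_symbolic MODE: 4755 -> rwsr-xr-x, 1776 -> rwxrwxrwT, 644 -> rw-r--r--
octal_to_symbolic() {
    m=$(( 0$1 ))                     # leading 0 makes the shell read MODE as octal
    u=$(rwx $(( (m >> 6) & 7 )))
    g=$(rwx $(( (m >> 3) & 7 )))
    o=$(rwx $(( m & 7 )))
    [ $(( m & 04000 )) -ne 0 ] && u=$(overlay "$u" s)   # SUID occupies the owner x bit
    [ $(( m & 02000 )) -ne 0 ] && g=$(overlay "$g" s)   # SGID occupies the group x bit
    [ $(( m & 01000 )) -ne 0 ] && o=$(overlay "$o" t)   # sticky occupies the other x bit
    echo "$u$g$o"
}

# observed_symbolic MODE KIND: chmod MODE on a fresh temp file (KIND=f) or directory
# (KIND=d) and read the permission characters back with ls -ld
observed_symbolic() {
    if [ "$2" = d ]; then p=$(mktemp -d); else p=$(mktemp); fi
    chmod "$1" "$p"
    ls -ld "$p" | cut -c2-10
    rm -rf "$p"
}

for mode in 4755 4655 2755 2654 1777 1776 644; do
    printf '%s -> %s\n' "$mode" "$(octal_to_symbolic "$mode")"
done
echo "observed 4755 on a file:      $(observed_symbolic 4755 f)"
echo "observed 2755 on a directory: $(observed_symbolic 2755 d)"
echo "observed 1777 on a directory: $(observed_symbolic 1777 d)"
```

The upper-case cases (4655, 1776) are the ones to remember when reading listings: a capital S or T means the special bit is set on a class that cannot execute at all, which is almost always a configuration mistake.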
        
  5. Setting special file attributes (effective even against the root user)
     chattr +i filename       the file cannot be deleted, renamed or modified       remove: chattr -i filename
     chattr +a filename       content can only be appended                         remove: chattr -a filename
     chattr +A filename       locks the atime so it is not updated
     lsattr filename          display the special attributes

 

  6. Access control lists (ACL)
     Beyond the file's owner, group and others, an ACL can grant permissions to additional users
          The xfs and ext4 filesystems created by default on CentOS 7 support ACLs
          Before CentOS 7, a manually created ext4 filesystem has no ACL support by default; it has to be enabled by hand:
                      tune2fs -o acl /dev/sdb1
                      mount -o acl /dev/sdb1 /mnt/test
     1. ACL evaluation order: owner, named users, named groups (when a user belongs to several groups the permissions accumulate), file group permission (mask), others
     2. Granting rwx access to files and directories for several users or groups (once an ACL is set, the permission field in the detailed file listing is followed by '+')
             • mount -o acl /directory
             • getfacl file|directory                            show the ACL of a file or directory
             • setfacl -m u:wang:rwx file|directory              add a named-user entry
             • setfacl -Rm g:sales:rwX directory                 recursively add a named-group entry to a directory   Note: use 'X' when adding execute permission recursively
             • setfacl -M file.acl file|directory                add entries in bulk, read from a file
             • setfacl -m g:salesgroup:rw file|directory         add a named-group entry
             • setfacl -m d:u:wang:rx directory                  add a default entry to a directory (files created in it get this ACL entry by default)
             • setfacl -x u:wang file|directory                  remove a named-user entry
             • setfacl -X file.acl directory                     remove entries in bulk, read from a file
               setfacl -k dir                                    delete the default ACL
               setfacl -b file1                                  remove all ACL entries
               getfacl file1 | setfacl --set-file=- file2        copy the ACL of file1 to file2
     3. mask (file group permission)
          The mask is the upper bound of the named-user and named-group permissions (the largest permission apart from owner and other; it is equivalent to the file's group permission)
             Setting the mask:
               setfacl -m mask::MODE filename       set the mask of filename; this also changes the file's group permission, and any ACL entry that exceeds the mask (owner and other excepted) becomes ineffective and is capped at the mask (MODE is the permission value being set)
             Note: if a newly added named-user or named-group entry is higher than the current mask, the mask is raised to that higher value, which correspondingly affects entries that were previously ineffective
     4. Backing up and restoring ACLs
          The main file operation commands cp and mv support ACLs, although cp needs the -p option. Common backup tools such as tar do not preserve the ACL information of directories and files
             getfacl -R /tmp/dir1 > acl.txt                     redirect the ACLs of every file in the directory into acl.txt
             setfacl -R -b /tmp/dir1                            clear the ACLs of every file in the directory
             setfacl -R --set-file=acl.txt /tmp/dir1            restore the ACLs of the specified files
             setfacl --restore acl.txt                          restore the ACLs of every file saved in acl.txt
             getfacl -R /tmp/dir1                               show the ACLs of every file under the directory (including the directory itself)
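The mask rule in section 3 is the part of ACLs that surprises people: an entry can read rwx in getfacl and still grant only r--. This added example (not from the original notes) makes that visible. It constructs a temporary file, adds a named-user entry for uid 12345 (a placeholder id, not a real account) with rwx, then sets mask::r-- and reads the ACL back with getfacl, which should annotate the entry with #effective:r--, while ls -l should now show the '+' marker. It needs setfacl and getfacl and a filesystem with ACL support; where either is missing it reports "skipped" rather than failing, which is the same situation the notes describe for older ext4 filesystems mounted without the acl option.

```shell
#!/bin/sh
# Show how the ACL mask caps a named-user entry. Constructed temp file; uid 12345 is a
# placeholder, not a real account. Prints "ok", "skipped" (no ACL tooling or no
# filesystem support) or a diagnostic line.

acl_mask_demo() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 \
        || { echo skipped; return 0; }
    f=$(mktemp)
    if ! setfacl -m u:12345:rwx "$f" 2>/dev/null; then
        rm -f "$f"; echo skipped; return 0          # e.g. filesystem mounted without acl
    fi
    setfacl -m mask::r-- "$f"                       # cap every named entry at r--
    acl=$(getfacl -cn "$f" 2>/dev/null)             # -c: no header lines; -n: numeric ids
    marker=$(ls -l "$f" | cut -c11)                 # 11th character is '+' when an ACL is present
    rm -f "$f"
    case "$acl" in
        *"user:12345:rwx"*"#effective:r--"*)
            [ "$marker" = "+" ] && echo ok || echo "no + marker in ls -l" ;;
        *)  echo "unexpected ACL: $acl" ;;
    esac
}

acl_mask_demo
```

To see the other direction described in the note, run setfacl -m u:12345:rwx again after the mask was lowered: setfacl recalculates the mask upward and the #effective annotation disappears.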

 

Origin http://43.154.161.224:23101/article/api/json?id=324445814&siteId=291194637