Clarifying file permissions when PHP is executed under Linux

First of all, I recommend a video on Linux permissions: "The basic permissions of Linux permissions management", which is very good. After watching it, I basically understood the topic.

1. File permissions and ownership

1. A file has three kinds of permission: read (r), write (w) and execute (x). For convenience each is represented by a number (r = 4, w = 2, x = 1), so that by adding them up a single number identifies the permissions of a file. For example, 7 = 4+2+1 means all three permissions (read, write and execute), 6 = 4+2 means read and write but no execute permission, and so on.

2. Think of the RBAC permission management in web applications: Linux has user management too. A user has a user name and belongs to user groups. Generally, when a user is created, a group with the same name as the user is created at the same time.

Log in with the root account and create a new directory and a file.

# Create a new directory
mkdir abc
# Create a new file
touch abc.txt
# Check
ls -all

Looking at the listing you will find:

# d marks a directory, - marks a regular file, l marks a soft link, and so on
drwxr-xr-x 2 root root 4096 Jun 6 10:23 abc
-rw-r--r-- 1 root root    0 Jun 6 10:23 abc.txt

Look first at the permission string in the first column. Its first character is the type identifier; strip it and split the remaining nine characters into three groups of three. Taking the abc folder as an example: d | rwx | r-x | r-x

So the abc folder says: the owner has rwx (7), the group has r-x (5), and others have r-x (5).

Similarly, the third and fourth columns of the listing are the name of the owner and the name of the group the file belongs to; that is, the owner of the abc folder is root and its group is root. At this point:

a. If the root user accesses the abc folder, it is treated as the owner and has permission 7 (rwx).

b. If a user named test whose group is root accesses the abc folder, it is treated as a group member and has permission 5 (r-x).

c. If a user named test whose group is test accesses the abc folder, it is treated as other and has permission 5 (r-x).

2. The role of file permissions

Originally I wanted to demonstrate this with tests as I went, but that was too cumbersome, so here are the results directly. You can create a new user yourself and then change permissions to test it.

1. Directory

  a. Entering the directory (the cd command) requires the execute permission (x).

  b. Listing the files in the directory (the ls command) requires the read permission (r).

  c. Creating and deleting folders/files in the directory (for example mkdir/touch) requires the write permission (w).

Note that a directory's permissions only govern its own immediate contents; they are not inherited by the next level down. For example, with a directory abc/sub/, if abc lacks w permission but sub has it, you can still create files in sub. Of course abc must have x permission, otherwise you cannot enter it, let alone create anything; but once you can enter (for example by switching to the root user), abc no longer restricts you and only sub's permissions matter.

Generally our directories are given 5 (r-x), that is, read and execute permission. Only directories that need to have things created in them, such as image upload or cache directories, are given 7 (rwx).

2. Files

  a. Opening a file, for example with the cat/vim commands, requires the read permission (r).

  b. Modifying a file, that is, opening and saving it with the cat/vim commands, requires the write permission (w).

  c. Executing a file, for example running ./abc.out directly, requires the execute permission (x).

What needs explaining here is that whether PHP runs on the command line (php abc.php) or on the web side, what is called "execution" actually means the file is read into the PHP interpreter and parsed, so the read permission (r) is enough. The same applies to a shell script abc.sh: running ./abc.sh directly needs the execute permission (x), but running sh abc.sh only needs the read permission (r).
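The difference just described can be checked directly. The script below is an added example, not code from the original post; it builds a constructed script in a temporary directory, sets it to 444 and compares running it directly against running it through sh.

```shell
#!/bin/sh
# Added example, not from the original post: "./abc.sh" needs the x bit, while
# "sh abc.sh" (and likewise "php abc.php") needs only the r bit, because the
# interpreter open()s and reads the file instead of asking the kernel to exec() it.

make_script() {                 # write a constructed one-line script to $1 with mode $2
  printf '#!/bin/sh\necho hello from %s\n' "$1" > "$1"
  chmod "$2" "$1"
}

run_direct() { "$1" >/dev/null 2>&1; }             # exec(): the kernel checks the x bit
run_via_interpreter() { sh "$1" >/dev/null 2>&1; } # open()+read(): only the r bit matters

# Returns 0 when both claims hold for a script with mode 444 (r--r--r--).
# Even root cannot exec a file with no x bit at all, so the result is the same as root.
check_read_only_script() {
  dir=$(mktemp -d); f=$dir/abc.sh
  make_script "$f" 444
  if run_direct "$f"; then direct=0; else direct=$?; fi           # expect non-zero (126)
  if run_via_interpreter "$f"; then interp=0; else interp=$?; fi  # expect 0
  rm -rf "$dir"
  echo "mode 444: ./abc.sh exit=$direct, sh abc.sh exit=$interp"
  [ "$direct" -ne 0 ] && [ "$interp" -eq 0 ]
}

# With chmod 555 the direct run would succeed too (unless the filesystem is mounted noexec).
check_read_only_script
```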

Generally our files are given 4 (r), that is, read permission only. Only logs, caches and similar files that need content written to them are given 6 (rw).

The reason the above speaks of single digits rather than 755, 777 or 644 is that the ownership of your website directory has no guaranteed relationship to the user PHP executes as: the executing user may be the owner, a member of the group, or other.

3. Permissions when PHP is executed

Just as we must log in with a user name when connecting to Linux through SSH, PHP also processes its files as a particular user. Where is that user created or defined? Usually when the PHP environment is installed: Apache, Nginx and similar environments create a user and user group by default, and that user is the one the files are read as when PHP runs. This can be confirmed in the configuration file:

# Apache, in the configuration file httpd.conf
User www
Group www
# Nginx, in the configuration file nginx.conf
user www www;

Or by looking at the processes with these commands:

# View Apache processes
ps -ef | grep httpd
# View Nginx processes
ps -ef | grep nginx
# View php-fpm processes
ps -ef | grep php-fpm

Taking Apache as an example, this shows:

root 1663    1 0 09:14 ? 00:00:00 /www/wdlinux/apache/bin/httpd   # main process
www  1697 1663 0 09:14 ? 00:00:05 /www/wdlinux/apache/bin/httpd   # child process
www  1698 1663 0 09:14 ? 00:00:05 /www/wdlinux/apache/bin/httpd

The first column shows which user is executing each process; the ones that matter are the non-root ones. The listing above says that the www user is running the Apache processes that handle PHP files. Generally, Apache/Nginx starts its main process as root and then forks child processes to handle the actual requests. When a child process is created, it uses setuid and setgid to set its effective user name and effective group according to the user and group in the configuration file. Note the word "effective". For example, suppose a user named test belongs to the group test, and the Apache configuration sets the user name to test but the group to abc. This can be confusing: does the group follow the user name, or the group set in the configuration file? The answer is the configured one, because it has been changed through setgid. For details, search for keywords such as "effective user", "real user" and "setuid function".

Note that if php-fpm is installed, you should also check the user name and group php-fpm executes as. (I did not have it installed, so I did not test this.)

The default may be nobody, apache or some other user and group; in the listing above it has been changed. Now use ls -all in the website directory to confirm which user the website files belong to. Let's go through several cases:

a. If the website's ownership looks like this:

drwxr-xr-x   2 www www 4096 Jun  6 10:23 system
drwxr-xr-x   2 www www 4096 Jun  6 10:23 tmp
-rw-r--r--   1 www www    0 Jun  6 10:23 index.php
...

The website owner is www and the PHP executor is also www, so PHP has owner permissions. The 55 in the system folder's 755 above does not matter at all; as long as it is 7xx, PHP runs with 7 (rwx) permissions.

b. If the website's ownership is:

drwxr-xr-x   2 test www 4096 Jun  6 10:23 system
drwxr-xr-x   2 test www 4096 Jun  6 10:23 tmp
-rw-r--r--   1 test www    0 Jun  6 10:23 index.php
...

The website owner is test and its group is www; the PHP executor is www and its group is www, so they share a group and PHP has group permissions. The 7 and the last 5 in the system folder's 755 above do not matter; as long as it is x5x, PHP runs with 5 (r-x) permissions.

c. If the website's ownership is:

drwxr-xr-x   2 test test 4096 Jun  6 10:23 system
drwxr-xr-x   2 test test 4096 Jun  6 10:23 tmp
-rw-r--r--   1 test test    0 Jun  6 10:23 index.php
...

The website owner is test and its group is test; the PHP executor is www and its group is www, so there is no relationship at all and PHP has other permissions. The 75 in the system folder's 755 above does not matter; as long as it is xx5, PHP runs with 5 (r-x) permissions.

Therefore it is not simply a matter of setting permissions to 755, 644 or the like. You also have to confirm who executes the program and who owns the website files before deciding on the permissions.

At present, to save trouble, many integrated environments (lanmpv3 and the like) set both the user PHP executes as and the owner of the website directory to www. Directories are then created as 755 and files as 644, which means that when PHP runs, the directory permission that applies is 7 (every directory allows creating and deleting) and the file permission that applies is 6 (every file is writable). Isn't that insecure? Normally directories should be 5 and files 4, with 7 set only where there is a special need. If you find yourself in the situation just described, the first fix is to change the Apache/Nginx user and group, and the second is to change the owner and group of the website files, so as to keep the website secure.
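The owner/group/other resolution used in cases a, b and c above (and in the root/test examples of section 1) can be scripted, and the same logic gives a quick audit of which paths under a web root the PHP worker could write to, which is the check the paragraph above calls for. The block below is an added example and not code from the original post; it parses constructed ls -l lines in the format shown on this page, and the user/group names www and test are the ones the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post: it resolves which permission
# triple applies when a process running as USER (a member of GROUPS) touches a
# file, in the order the kernel uses: owner match, then group match, else other.
# Caveat: root bypasses the r/w checks and needs only one x bit set to execute.

triple_to_digit() {             # "r-x" -> 5, "rw-" -> 6 (s/t also mean x is set)
  n=0
  case $1 in r??) n=$((n + 4)) ;; esac
  case $1 in ?w?) n=$((n + 2)) ;; esac
  case $1 in ??[xst]) n=$((n + 1)) ;; esac
  echo "$n"
}

# effective_perms "<ls -l line>" USER "GROUPS" -> "owner|group|other TRIPLE DIGIT"
effective_perms() {
  user=$2; groups=$3            # GROUPS is space separated, as printed by `id -Gn`
  set -- $1                     # split the ls -l line: mode links owner group ...
  mode=$1; owner=$3; group=$4
  if [ "$user" = "$owner" ]; then
    role=owner; triple=$(printf '%s' "$mode" | cut -c2-4)
  elif printf ' %s ' "$groups" | grep -qF " $group "; then
    role=group; triple=$(printf '%s' "$mode" | cut -c5-7)
  else
    role=other; triple=$(printf '%s' "$mode" | cut -c8-10)
  fi
  printf '%s %s %s\n' "$role" "$triple" "$(triple_to_digit "$triple")"
}

# audit_writable DIR USER "GROUPS": print every file or directory under DIR that
# USER could write to. For a web root run as www this should list only the
# upload, cache and log locations that genuinely need 7 or 6.
audit_writable() {
  dir=$1; u=$2; g=$3
  find "$dir" \( -type f -o -type d \) -exec ls -ld {} \; | while read -r line; do
    set -- $(effective_perms "$line" "$u" "$g")   # role triple digit
    case $2 in ?w?) echo "${line##* }" ;; esac    # path is the last ls field
  done
}

# The post's three ownership cases, checked for the www worker (group www);
# the ls -l lines are constructed to match the post's listings.
for l in 'drwxr-xr-x 2 www www 4096 Jun 6 10:23 system' \
         'drwxr-xr-x 2 test www 4096 Jun 6 10:23 system' \
         'drwxr-xr-x 2 test test 4096 Jun 6 10:23 system'; do
  printf '%-46s -> %s\n' "$l" "$(effective_perms "$l" www www)"
done
```

Run audit_writable against a real web root with the user and groups from `id -Gn www` to see which paths the worker can modify.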

The above is only a basic description of permissions.
