Shell commands and operating principles and Linux permissions

Contents

Shell commands and how they work

How the shell works

Permission issues in Linux

User switch command

Command to temporarily escalate privileges

Linux rights management

1. Classification of file visitors

2. File types and access rights

3. Representation of file permission values

4. Related settings of file access permissions

chmod command

chown command

chgrp command

Modify the mask of the file

Directory permissions

sticky bit

Summary on permissions:


Shell commands and how they work

Strictly speaking, "Linux" is the operating system kernel. Ordinary users cannot use the kernel directly; instead we communicate with it through a program that wraps the kernel, the so-called shell.

How should this be understood? Why can't the kernel be used directly?

From a technical point of view, the simplest definition of a shell is: command line interpreter.

Its main jobs are:

Translate the user's commands to the kernel for processing.

At the same time, translate the kernel's processing results back to the user.

Note: "shell" is the general term for all shell programs; bash is one specific shell. For example, the shell on CentOS 7 is bash.

Compare this with the Windows GUI: we do not operate the Windows kernel directly, but complete our operations by clicking in the graphical interface (for example, to enter the D drive we usually double-click its drive letter, or we double-click an application to run it).

The shell plays the same role for Linux: it parses our instructions and passes them to the Linux kernel; the kernel runs them, and the result is passed back to the user through the shell.

How the shell works

1. The shell interprets the command line, passes it to the operating system, and translates the result back to the user.
2. The shell protects the operating system: not every user command is passed on to the operating system, and commands that would harm the system are blocked.
3. How the shell runs a command: it creates a child process, that is, a sub-shell. The sub-shell inherits much of the parent shell's environment, such as variables, full command paths, file descriptors, the current working directory, traps, etc. The benefit is that any problem in the child process does not affect the parent shell.
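As an added example (not from the original post), the following script shows what a child shell inherits and what it cannot change in its parent: exported variables are passed down, unexported ones are not, and a sub-shell's cd, variable changes and even its exit leave the parent untouched. The variable and function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): what a child shell inherits
# from its parent, and what it cannot change in the parent.

GREETING="hello"          # plain shell variable: not exported
export LANG_CHOICE="zh"   # exported variable: part of the environment

# A child shell process sees only exported variables.
child_sees_exported() {
    sh -c 'echo "${LANG_CHOICE:-unset}"'
}
child_sees_unexported() {
    sh -c 'echo "${GREETING:-unset}"'
}

# Changes made inside a sub-shell (the parenthesised group) stay there:
# the parent's working directory and variables are untouched afterwards.
parent_dir_after_subshell() {
    local before=$PWD
    ( cd /tmp && GREETING="changed" && LANG_CHOICE="en" )
    [ "$PWD" = "$before" ] && echo "$GREETING/$LANG_CHOICE"
}

# Even an exit (or a fatal error) in the sub-shell only ends the sub-shell;
# the parent just sees its exit status.
parent_survives_child_exit() {
    local status=0
    ( exit 3 ) || status=$?
    echo "parent continues, child status $status"
}

echo "exported var in child:   $(child_sees_exported)"
echo "unexported var in child: $(child_sees_unexported)"
echo "parent after sub-shell:  $(parent_dir_after_subshell)"
echo "$(parent_survives_child_exit)"
```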

Permission issues in Linux

There are two kinds of users under Linux: the super user (root) and ordinary users.

Their characteristics:

1. The super user can do anything under Linux, without restriction.

2. Ordinary users are restricted.

3. The command prompt of the root user is "#", while the command prompt of an ordinary user is "$".

User switch command

Syntax: su [username]

Function: switch user

su is the abbreviation of "switch user".

Switch to root: with su - we switch to the root user (enter the root account's password at this point; the password is not echoed on the screen).

Switch back to an ordinary user: su - username also switches back to an ordinary user (no password is needed at this point, but we do not recommend switching back this way, because every su - command creates another bash process).

Recommended way to switch back: type exit or press Ctrl+d to return to the ordinary user.

Switch from an ordinary user to the root user: su -

Switch from the root user back to an ordinary user: su - username

But we generally do not exit this way. We recommend Ctrl+d or exit to return to the ordinary user, because the system creates one more bash process each time su is executed.

Command to temporarily escalate privileges

Syntax: sudo [options] command

Function: temporarily elevate privileges and execute the following command as root.

Linux rights management

1. Classification of file visitors

Owner of the file or directory: u (user)

Users in the group the file or directory belongs to: g (group)

Other users: o (others)

How do we identify the owner and the group?

The concepts of owner and other users are easy to understand. But what is the relationship between the group and the owner?

Take a simple example. In a company, two project teams are asked to complete the same coding task. They compete with each other, but the company gives them only one server, and the code they finish must be submitted to it. The code you wrote should be visible only to you and your team leader, not to the competing team. This is where the concept of the group a file belongs to comes from.

We can see that group A is the group the file belongs to, you are the owner, and group B and everyone else are "others".

We can view the permission information of some files:

2. File types and access rights

We can use the ll command (an alias of ls -l on many systems) to view the first 10 characters of each entry, which give the file type and access rights.

Note: "others" does not need to be listed separately: once the owner and the group are known, everyone else is "other".

a) File Type:

In Linux, the type of a file is not decided by its suffix but by its actual file type, which is shown by the first of the 10 characters above:

d: directory

-: regular file

l: soft link (similar to a Windows shortcut)

b: block device file (such as a hard disk or optical drive)

p: pipe file

c: character device file (such as a serial port or the screen)

s: socket file

b) Basic permissions

i. Read (r/4): for a file, the right to read its contents; for a directory, the right to browse the directory's entries

ii. Write (w/2): for a file, the right to modify its contents; for a directory, the right to delete or move files in the directory

iii. Execute (x/1): for a file, the right to execute it; for a directory, the right to enter it

iv. "-" means the permission is absent

For example:

3. Representation of file permission values

Each of the letters r, w and x stands for one permission, and - stands for its absence. These permission relationships can be written more conveniently as combinations of 0 and 1 in binary.

a) Method of character representation

Linux representation    Meaning
r--                     read only
-w-                     write only
--x                     execute only
rw-                     read and write
r-x                     read and execute
-wx                     write and execute
rwx                     read, write and execute
---                     no permission

b) Octal number representation method

Three bits give a total of 8 different permission combinations in binary. For convenience, we represent each group of three with one octal digit.

Character notation    Binary    Octal    Meaning
r--                   100       4        read only
-w-                   010       2        write only
--x                   001       1        execute only
rw-                   110       6        read and write
r-x                   101       5        read and execute
-wx                   011       3        write and execute
rwx                   111       7        read, write and execute
---                   000       0        no permission

4. Related settings of file access permissions

chmod command

Syntax: chmod [options] permissions filename

Function: set file access permissions

Common option: -R recursively modify the permissions of the files in a directory

Note: only the owner of the file and the root user can change a file's permissions

chmod permission value formats

Format 1: chmod [user symbol][+|-|=][permission characters] filename

①+: add the permissions listed after it to the selected users.
②-: remove the permissions listed after it from the selected users.
③=: set the selected users' permissions to exactly those listed.
User symbols:
①u: owner.
②g: group.
③o: others.
④a: all users.

Note: chmod can modify the permissions of the owner, group and others in one command, with the parts separated by commas.

Format 2: three-digit octal number

Each octal digit converts to three binary bits, which map to the corresponding permission characters.
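The following script is an added example, not code from the original post. It ties together the 10-character field described in section 2, the symbolic and octal tables in section 3, and chmod's Format 2: it decodes an ls -l mode field into file type and per-class permissions and converts between the rwx and octal forms (function names such as describe_mode are my own).

```shell
#!/bin/bash
# Added example (not from the original post): decode the 10-character mode
# field printed by ls -l (ll) into file type and per-class permissions, and
# convert between the symbolic (rwx) and three-digit octal forms chmod accepts.

# One rwx triple to its octal digit: r=4, w=2, x=1, "-" adds nothing.
triple_to_digit() {
    local t=$1 n=0
    [ "${t:0:1}" = r ] && n=$((n + 4))
    [ "${t:1:1}" = w ] && n=$((n + 2))
    [ "${t:2:1}" = x ] && n=$((n + 1))
    echo "$n"
}

# rwxr-xr-- -> 754 (owner, group, others)
sym_to_octal() {
    local s=$1
    echo "$(triple_to_digit "${s:0:3}")$(triple_to_digit "${s:3:3}")$(triple_to_digit "${s:6:3}")"
}

# 754 -> rwxr-xr--: each digit is read as its 4/2/1 bits
octal_to_sym() {
    local o=$1 out="" d i
    for i in 0 1 2; do
        d=${o:$i:1}
        [ $((d & 4)) -ne 0 ] && out+=r || out+=-
        [ $((d & 2)) -ne 0 ] && out+=w || out+=-
        [ $((d & 1)) -ne 0 ] && out+=x || out+=-
    done
    echo "$out"
}

# Describe a whole ls -l mode field such as "-rwxr-xr--" or "drwxr-x---".
describe_mode() {
    local m=$1 type
    case ${m:0:1} in
        -) type="regular file" ;;     d) type=directory ;;
        l) type="symbolic link" ;;    b) type="block device" ;;
        c) type="character device" ;; p) type="named pipe" ;;
        s) type=socket ;;             *) type=unknown ;;
    esac
    echo "$type owner=${m:1:3} group=${m:4:3} others=${m:7:3} octal=$(sym_to_octal "${m:1}")"
}

# Apply a symbolic mode to a scratch file and read it back from ls -l.
f=$(mktemp)
chmod "$(sym_to_octal rw-r-----)" "$f"      # same as chmod 640
describe_mode "$(ls -l "$f" | cut -c1-10)"  # regular file owner=rw- group=r-- others=--- octal=640
rm -f "$f"
```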

chown command

Syntax: chown [options] username filename

Function: change the owner of the file

Common option: -R recursively modify the owner of the files in a directory

Note: chown can change the owner and the group of a file at the same time; separate the user name and the group name with a colon.

chgrp command

Syntax: chgrp [options] groupname filename

Function: change the group of the file

Common option: -R recursively modify the group of the files in a directory

Modify the mask of the file

umask command

Syntax: umask [permission value]

Function: view or modify the file creation mask

The default permissions for new files are 0666.

The default permissions for new directories are 0777.

But the files and directories we create do not get these default starting permissions. Why is that?

In fact, the permissions you see on the files and directories you create are often not the values above. The reason is that creation is also affected by umask. If the default permission is mask, the permission of the file actually created is: mask & ~umask

Explanation: removing the bits in the mask from the default access permission gives the permission a newly created file gets. The default umask value for the super user is 0022, and the default umask value for ordinary users is 0002.

We can also change the permissions new files get by modifying the umask value.
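An added example (not from the original post) that evaluates mask & ~umask for the defaults above and checks it against the mode the kernel really assigns; it assumes Linux with GNU coreutils for stat -c, and the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): compute the permission a new
# file or directory actually receives, mask & ~umask, and compare it with
# what the kernel really assigns (stat -c is GNU coreutils, i.e. Linux).

# effective_mode DEFAULT UMASK -> octal mode, e.g. 0666 0022 -> 644.
# The leading 0 makes bash arithmetic read both operands as octal.
effective_mode() {
    printf '%o\n' $(( $1 & ~$2 ))
}

# Create a file and a directory under the given umask in a scratch
# directory and report the permission bits the kernel assigned.
observed_modes() {
    local mask=$1 dir
    dir=$(mktemp -d) || return 1
    (
        umask "$mask"          # only affects this sub-shell
        touch "$dir/f"
        mkdir "$dir/d"
    )
    echo "file=$(stat -c %a "$dir/f") dir=$(stat -c %a "$dir/d")"
    rm -rf "$dir"
}

# The two defaults the text mentions (022 for root, 002 for ordinary users)
# plus a stricter 077 that hides new files from group and others.
for m in 022 002 077; do
    echo "umask $m: expected file $(effective_mode 0666 "0$m") dir $(effective_mode 0777 "0$m"), observed $(observed_modes "$m")"
done
```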

Directory permissions

①Read permission: if the directory does not have read permission, you cannot use commands such as ls to view the contents of the directory.

②Write permission: if the directory does not have write permission, you cannot create files in the directory, nor delete files in it.

③Execute permission: if the directory does not have execute permission, you cannot cd into it.

So here comes the question:

In other words, as long as a user has write permission on the directory, that user can delete files in it, regardless of whether the user has write permission on the file.

This does not seem very reasonable. Why can you, Li Si, delete a file created by me, Zhang San?

Conclusion:

If the directory itself grants w permission to others, others can delete anything in that directory.

If the directory itself does not grant w permission to others, others cannot delete anything in it.

Our requirement:

Others can create and write files in a specific directory, but nobody should be able to delete other people's files.

To solve this unreasonable situation, Linux introduces the concept of the sticky bit.

sticky bit

Syntax: chmod +t directory
Function: add the sticky bit to a directory

It can only be set on a directory and is generally used to restrict others' permissions. In a directory with the sticky bit set, a file can be deleted only by its owner and by root; others cannot delete it.

Example:

When the sticky bit is added to a directory, the last character of its permission string is shown as t. Even if other users have write permission, they cannot delete the file, which protects the information well.
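The next script is an added example, not from the original post. Run as an ordinary user (root bypasses these checks), it shows that deleting a file depends on the directory's w bit rather than the file's, and how a sticky directory appears in ls -ld; the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): deleting a file depends on the
# directory's w bit, not the file's, and the sticky bit shows up as "t" in
# the mode string. Run as an ordinary user; root bypasses these checks.

# A read-only file (444) in a directory we can write to: can we unlink it?
# Prints "deleted" or "kept".
delete_readonly_file_in_writable_dir() {
    local dir
    dir=$(mktemp -d) || return 1
    touch "$dir/notes.txt"
    chmod 444 "$dir/notes.txt"                  # not even the owner may write the file
    rm -f "$dir/notes.txt" 2>/dev/null || true  # -f skips the "write-protected" prompt
    if [ -e "$dir/notes.txt" ]; then echo kept; else echo deleted; fi
    rm -rf "$dir"
}

# A writable file, but the directory itself is read-only (555).
delete_file_in_readonly_dir() {
    local dir result
    dir=$(mktemp -d) || return 1
    touch "$dir/notes.txt"
    chmod 555 "$dir"
    rm -f "$dir/notes.txt" 2>/dev/null || true
    if [ -e "$dir/notes.txt" ]; then result=kept; else result=deleted; fi
    chmod 755 "$dir"; rm -rf "$dir"
    echo "$result"
}

# Set the sticky bit on a world-writable directory and return its ls mode
# field: the final x of "others" is displayed as t (drwxrwxrwt, octal 1777).
sticky_dir_mode() {
    local dir mode
    dir=$(mktemp -d) || return 1
    chmod 777 "$dir"
    chmod +t "$dir"
    mode=$(ls -ld "$dir" | cut -c1-10)
    rm -rf "$dir"
    echo "$mode"
}

echo "read-only file, writable dir:  $(delete_readonly_file_in_writable_dir)"
echo "writable file, read-only dir:  $(delete_file_in_readonly_dir)"
echo "sticky directory mode:         $(sticky_dir_mode)"
```

The second case reports "kept" for an ordinary user and "deleted" for root, which is exactly why the sticky bit, not file permissions, is the tool for shared directories.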

Summary on permissions:

① The execute permission of a directory decides whether you can execute commands in the directory.

② If the directory does not have x permission, you cannot execute any command on it, not even cd into it, even if the directory still has r permission (this is an easy place to make a mistake, thinking that read permission is enough to enter the directory and read the files in it).

③ If the directory has x permission but not r permission, the user can execute commands and cd into the directory, but the directory itself cannot be read.

④ So inside that directory, even though you can run the ls command, you still do not have permission to read the files in the directory.


Origin blog.csdn.net/weixin_57675461/article/details/122962403