Linux permissions - concept and management | modification and transfer of file permissions [detailed explanation]


Table of contents

Linux permissions

The concept of Linux permissions

Basic operations of Linux permissions

(1) Switching user accounts

(2) Elevating privileges for a single command only

Linux permission management

1. Classification of file visitors (people)

2. File type and access rights (thing attributes)

3. Representation of file permission values

4. Changing the permissions, owner and group of a file/directory

Modify file permissions

Change the owner of the file

Modify the group to which the file belongs

View or modify the file permission mask

Linux permissions

The concept of Linux permissions

There are two types of users under Linux: the super user (root) and ordinary users.

  • Super user: can do anything on the Linux system without restriction
  • Ordinary user: can do only a limited set of things on Linux
  • The command prompt of the super user is "#", and the command prompt of an ordinary user is "$"

Add an ordinary user: adduser username

Delete an ordinary user (must be done as the root user): userdel -r username

Example:

ls /home    # view all users

Basic operations of Linux permissions

(1) Switching user accounts

Command: su [username]

Function: switch user.

For example, to switch from root to the ordinary user user, run su user. To switch from an ordinary user to root, run su root (root can be omitted); switching from an ordinary user to the super user requires entering the root password.

Example:

(2) Elevating privileges for a single command only

In some cases you only want to elevate the privileges of the current command, without switching to the super user.

Syntax: sudo command
Function: elevate the privileges of the current command.
For example, as an ordinary user I now want to change the account password of another ordinary user.


Linux permission management

1. Classification of file visitors (people)

In the Linux system, people are divided into three categories: the owner, the group, and other users

  • Owner of the file or directory: u (User)
  • Users in the group of the file or directory (group): g (Group)
  • Other users: o (Others), i.e. users who are neither the owner nor members of the file's group

Note:

  1. The file owner, the file's group and other users are roles; root and ordinary users are concrete accounts that may play the role of owner, group member or other user
  2. In Linux, every user must belong to some group, even if you are the only member of it (in that case the group name is the user name)

2. File type and access rights (thing attributes)

The Linux system does not distinguish file types by the file-name suffix; the type is given by the first character displayed by the ll command.

File type:

Ten characters indicate the file type and access rights. The first character indicates the file type. In Linux the file type and the suffix are unrelated, whereas in Windows they are related.

d: directory
-: regular file (text, source code, executable program, third-party static/dynamic library)
l: symbolic link (similar to a Windows shortcut)
b: block device file (for example a hard disk or optical drive)
p: pipe file
c: character device file (for example the screen and other serial devices)
s: socket file

example:

As shown, the first character indicates the file type

Basic permissions:

In the Linux system, the permission attributes of a file fall into three kinds: r (read), w (write), x (execute)

  1. Read (r): for a file, permission to read its content; for a directory, permission to browse the directory listing
  2. Write (w): for a file, permission to modify its content; for a directory, permission to delete or move files inside the directory
  3. Execute (x): for a file, permission to execute it; for a directory, permission to enter it
  4. "-" indicates that the permission is absent


The following nine characters, in three groups of three, represent the permissions of the file owner, the file's group, and other users respectively

r  read permission
w  write permission
x  execute permission
-  no permission

Example:

The myproc.c file is an ordinary file; the owner and the group have read and write permission, and other users have read permission

3. Representation of file permission values

a) Character representation method

r - -	read only
- w -	write only
- - x	execute only
r w -	read and write
r - x	read and execute
- w x	write and execute
r w x	read, write and execute
- - -	no permission

b) Octal value representation method

Each position in the character representation has only two possibilities, set or not set; set is written as 1 and not set as 0, so the three characters become three binary bits, which are then written as one octal digit, as follows:

Character form	Binary	Octal	Meaning
r - -		100	4	read only
- w -		010	2	write only
- - x		001	1	execute only
r w -		110	6	read and write
r - x		101	5	read and execute
- w x		011	3	write and execute
r w x		111	7	read, write and execute
- - -		000	0	no permission
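As an added example (not code from the original post), the following shell script converts between the two representations above in both directions: it parses a permission string as printed by ls -l into three octal digits, and renders an octal mode back into rwx characters. The function names and the sample strings are my own construction.

```shell
#!/bin/sh
# Added example (not from the original post): convert between the character
# form of a permission string, as printed by ls -l, and its three-digit
# octal form, using the weights r=4, w=2, x=1 from the table above.

# triplet_to_digit "rw-" -> 6
# An 's' or 't' in the execute position (setuid/setgid/sticky) still implies
# execute, so it counts as 1; an uppercase 'S' or 'T' means no execute bit.
triplet_to_digit() {
    n=0
    case $1 in r??) n=$((n + 4)) ;; esac
    case $1 in ?w?) n=$((n + 2)) ;; esac
    case $1 in ??[xst]) n=$((n + 1)) ;; esac
    echo "$n"
}

# perm_to_octal "rw-r--r--" -> 644
# The 10-character ls -l form ("-rw-r--r--") is accepted too; the leading
# file-type character is dropped before parsing.
perm_to_octal() {
    s=$1
    case $s in ??????????) s=${s#?} ;; esac
    case $s in
        [r-][w-][xsS-][r-][w-][xsS-][r-][w-][xtT-]) ;;
        *) echo "perm_to_octal: not a permission string: '$1'" >&2; return 1 ;;
    esac
    first=${s%??????}
    middle=${s#???}; middle=${middle%???}
    last=${s#??????}
    echo "$(triplet_to_digit "$first")$(triplet_to_digit "$middle")$(triplet_to_digit "$last")"
}

# digit_to_triplet 6 -> "rw-"
digit_to_triplet() {
    t=""
    if [ $(($1 & 4)) -ne 0 ]; then t="${t}r"; else t="${t}-"; fi
    if [ $(($1 & 2)) -ne 0 ]; then t="${t}w"; else t="${t}-"; fi
    if [ $(($1 & 1)) -ne 0 ]; then t="${t}x"; else t="${t}-"; fi
    echo "$t"
}

# octal_to_perm 644 -> "rw-r--r--"
# A four-digit value such as 0644 is accepted; the leading special-bits
# digit is ignored because only the nine rwx bits are rendered.
octal_to_perm() {
    o=$1
    case $o in ????) o=${o#?} ;; esac
    case $o in
        [0-7][0-7][0-7]) ;;
        *) echo "octal_to_perm: expected three octal digits, got '$1'" >&2; return 1 ;;
    esac
    mid=${o#?}; mid=${mid%?}
    echo "$(digit_to_triplet "${o%??}")$(digit_to_triplet "$mid")$(digit_to_triplet "${o#??}")"
}

# Demonstration on constructed sample strings (no real files are inspected).
for s in "-rw-r--r--" "drwxr-xr-x" "-rwxr-x---" "drwxrwxrwt"; do
    oct=$(perm_to_octal "$s")
    printf '%s  ->  %s  ->  %s\n' "$s" "$oct" "$(octal_to_perm "$oct")"
done
```

Note that a round trip through the three-digit form loses the special bits: drwxrwxrwt parses to 777, and 777 renders as rwxrwxrwx, because the sticky bit lives in a fourth digit that these nine characters do not carry.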

4. Changing the permissions, owner and group of a file/directory

Modify file permissions

chmod

  • Function: set the access permissions of a file
  • Format: chmod [options] permissions filename
  • Commonly used option: -R, recursively modify the permissions of the files in a directory

Only the owner of the file and root can change the permissions of a file

Method one:

user-symbol +/-/= permission-characters

  • +: add the permissions represented by the permission characters to the given user class
  • -: remove the permissions represented by the permission characters from the given user class
  • =: set the permissions of the given user class to exactly those represented by the permission characters
  • User symbols:
      u: owner
      g: users in the owner's group
      o: other users
      a: all users

Remove read permission from the group and from other users: chmod g-r,o-r file.txt

Add all permissions for the owner, the group and other users: chmod u+rwx,g+rwx,o+rwx file.txt

Note: root is not subject to any permission constraints (here "other users" means ordinary users other than root)

Method two: use three octal digits

This method uses the octal representation of permissions described above, as follows:

chmod 777 file.txt    # grant all permissions

chmod 000 file.txt    # remove all permissions
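To make the symbolic and octal forms of chmod concrete, here is an added shell example (not from the original post) that models how a comma-separated list of symbolic clauses such as g-r,o-r is applied to a starting octal mode, and then, where GNU stat is available, cross-checks the model against the real chmod on a temporary file. apply_op, apply_symbolic and cross_check are names I chose for this example, and the starting modes are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a small model of chmod's
# symbolic mode (who, operator, permission letters; clauses separated by
# commas) that computes the resulting three-digit octal mode, followed by
# an optional cross-check against the real chmod on a temporary file.

# apply_op CURRENT_DIGIT OPERATOR BITS -> new digit for one user class
apply_op() {
    case $2 in
        +) echo $(( $1 | $3 )) ;;          # add the bits
        -) echo $(( $1 & ~$3 & 7 )) ;;     # clear the bits
        =) echo "$3" ;;                    # set exactly these bits
        *) echo "apply_op: bad operator '$2'" >&2; return 1 ;;
    esac
}

# apply_symbolic CURRENT_OCTAL SPEC -> resulting octal mode
# e.g. apply_symbolic 664 "g-r,o-r" -> 620
# An empty who (as in "+x") is treated as "a". The real chmod additionally
# applies the umask in that case, which this model does not, so an explicit
# who is the predictable form.
apply_symbolic() {
    u=${1%??}
    g=${1#?}; g=${g%?}
    o=${1#??}
    for clause in $(printf '%s\n' "$2" | tr ',' ' '); do
        who=${clause%%[-+=]*}      # letters before the operator: u, g, o, a
        rest=${clause#"$who"}      # operator plus permission letters
        op=${rest%"${rest#?}"}     # first character of rest
        perms=${rest#?}
        if [ -z "$op" ]; then
            echo "apply_symbolic: no operator in clause '$clause'" >&2
            return 1
        fi
        [ -z "$who" ] && who=a
        case $who in *a*) who=ugo ;; esac
        bits=0
        case $perms in *r*) bits=$((bits | 4)) ;; esac
        case $perms in *w*) bits=$((bits | 2)) ;; esac
        case $perms in *x*) bits=$((bits | 1)) ;; esac
        for w in u g o; do
            case $who in *"$w"*) ;; *) continue ;; esac
            case $w in
                u) u=$(apply_op "$u" "$op" "$bits") || return 1 ;;
                g) g=$(apply_op "$g" "$op" "$bits") || return 1 ;;
                o) o=$(apply_op "$o" "$op" "$bits") || return 1 ;;
            esac
        done
    done
    echo "$u$g$o"
}

# Optional cross-check against the real chmod on a temporary file.
# Needs GNU stat (Linux coreutils); elsewhere it just says so and stops.
cross_check() {
    f=$(mktemp) || return 0
    for spec in "g-r,o-r" "u+rwx,g+rwx,o+rwx" "a=r" "go-w"; do
        chmod 664 "$f"
        computed=$(apply_symbolic 664 "$spec")
        chmod "$spec" "$f"
        if ! actual=$(stat -c '%a' "$f" 2>/dev/null); then
            echo "GNU stat not available, skipping the live cross-check"
            break
        fi
        printf 'chmod %-22s on 664 -> model %s, real chmod %s\n' "$spec" "$computed" "$actual"
    done
    rm -f "$f"
}

cross_check
```

The two commands quoted in the text, chmod g-r,o-r and chmod u+rwx,g+rwx,o+rwx, are among the clauses the cross-check runs, so on a Linux box the model and the live result should agree line for line.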

Change the owner of the file

chown

Function: change the owner of a file

Format: chown [options] username filename

  1. Changing the owner of a file/directory must be done as the root user; an ordinary user needs to elevate privileges first.
  2. The chown command can change the owner and the group of a file/directory at the same time: separate the owner name and the group name with a colon.

Using sudo to forcibly change the owner to root:

Here the file was handed over to the root user without anyone else's consent. The reason is that sudo elevated privileges, which is equivalent to running the program as root, so it has the privilege to force the change. This applies to ordinary users, who need sudo to change file ownership; as the root user you can make the change directly without sudo.

Using chown to change the owner and the group in one step:

Modify the group to which the file belongs

chgrp

  • Syntax: chgrp [options] groupname filename-or-directoryname
  • Function: modify the group to which a file/directory belongs.
  • Commonly used option: -R, recursively modify the group of the files in a directory.

Note: modifying the group to which a file/directory belongs also requires privilege escalation.

As the root user you can change it directly; as an ordinary user, changing the group requires sudo to elevate privileges;

Here the owner is root, so changing the group's read permission requires sudo to elevate privileges:

View or modify the file permission mask

umask

Function: view or modify the file mask

Default permission of a new file = 0666, default permission of a new directory = 0777

In practice, however, the permissions you see on the files and directories you create are often not the values above. The reason is that creating a file or directory is also affected by the umask. If the default permission is mask, the permission of the file actually created is: mask & ~umask

Format: umask permission-value

Explanation: removing the permission mask from the existing access permissions yields the default permission used when a file is created. The default mask value for the super user is 0022, and the default mask value for ordinary users is 0002

umask        # view the current mask
umask 044    # set the mask

The permission value of a newly created directory is 775, and that of a newly created ordinary file is 664 (different systems may differ)

This explains why the permissions of the directory we created earlier are 775 while those of the ordinary file are 664.

Calculation formula: final permission = default permission & (~umask)

The "-" here is not really a subtraction but a "masking"
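The following shell example, added here and not part of the original post, applies the formula final = default & (~umask) to the default modes 0666 and 0777 for the masks mentioned above, prints beside it what plain subtraction would give, and, on Linux with GNU stat, creates a file and a directory under umask 044 to compare with the computed values. effective_mode, subtraction_mode and live_check are my own names for this example.

```shell
#!/bin/sh
# Added example (not from the original post): apply the formula from the
# text, final = default & (~umask), to the default modes 0666 (file) and
# 0777 (directory), and put plain subtraction beside it to show why the
# "-" in the explanation is masking rather than arithmetic.

# effective_mode DEFAULT UMASK -> three-digit octal mode of a new object
# e.g. effective_mode 0666 0022 -> 644, effective_mode 0777 0002 -> 775
effective_mode() {
    case "$1$2" in *[!0-7]*) echo "effective_mode: octal digits only" >&2; return 1 ;; esac
    # A leading 0 makes the shell read the constant as octal; "0$1" works
    # whether or not the caller already wrote the leading zero.
    printf '%03o\n' $(( (0$1) & ~(0$2) & 0777 ))
}

# subtraction_mode DEFAULT UMASK -> what treating "-" as subtraction would give
subtraction_mode() {
    case "$1$2" in *[!0-7]*) echo "subtraction_mode: octal digits only" >&2; return 1 ;; esac
    printf '%03o\n' $(( (0$1) - (0$2) ))
}

# Constructed table: the masks mentioned in the text plus 0033, where the
# two interpretations diverge (666 - 033 = 633, but 666 & ~033 = 644).
printf '%-6s %-6s %-6s %s\n' umask file dir 'file by subtraction'
for um in 0022 0002 0044 0033; do
    printf '%-6s %-6s %-6s %s\n' "$um" \
        "$(effective_mode 0666 "$um")" "$(effective_mode 0777 "$um")" \
        "$(subtraction_mode 0666 "$um")"
done

# Live check: create a file and a directory under umask 044 (the value set
# in the text) and read their modes back. Needs GNU stat; skipped elsewhere.
live_check() {
    um=0044
    dir=$(mktemp -d) || return 0
    ( umask "$um"; : > "$dir/f"; mkdir "$dir/d" )
    if stat -c '%a' "$dir/f" >/dev/null 2>&1; then
        printf 'umask %s: file %s (model %s), dir %s (model %s)\n' "$um" \
            "$(stat -c '%a' "$dir/f")" "$(effective_mode 0666 "$um")" \
            "$(stat -c '%a' "$dir/d")" "$(effective_mode 0777 "$um")"
    else
        echo "GNU stat not available, skipping the live check"
    fi
    rm -rf "$dir"
}
live_check
```

The 0033 row is the one to look at: subtraction would leave a file at 633, but masking clears only the bits that are set in the umask, so the group's r bit (already clear in 666's middle 6) has nothing to remove and the result is 644.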

Directory permissions:

If a directory lacks both r and w but has x, you are allowed to enter it, but not to create files in it or to list the files it contains (note: listing is not the same as reading file content; whether a file's content can be read is decided by the permissions of the file itself)

  • Entering a directory is governed by the directory's execute attribute x

Sticky bit:

After the sticky bit t is set on a directory, users in the "other" category cannot delete other users' files in it at will. Root, of course, can still delete them.

chmod +t [directory]     # set the sticky bit


Origin blog.csdn.net/weixin_73961973/article/details/127070137