Thoroughly understand the permissions in Linux [detailed]

Users

In Linux, different users have different permissions. By default there are two types of users: the root user and ordinary users.

  • root (superuser): can do almost anything on a Linux system, with essentially no restrictions
  • Ordinary users: can only do what their permissions allow, which is why we often see "permission denied"; because the permissions are insufficient, we need sudo to elevate privileges briefly

An ordinary user can switch to the root user by running the su command, or temporarily elevate privileges by running the sudo command, which executes the command that follows sudo as root.

The command prompt in Linux:

Permission management

A file itself carries natural permission attributes: read permission, write permission and execute permission.

Those who access a file fall into three categories:

  1. Owner: the user who owns the file
  2. Group: the group the file belongs to
  3. Others: all other users

The owner, group and others here are roles, whereas the root user and ordinary users are concrete people, just as "programmer" is a role and we are the concrete people filling it.

Owner and others are easy to understand. The group is typically used for collaboration within a team, with different groups not interfering with each other. Take Tencent's Tianmei and Photon as an example: these two groups compete with each other. If both work and develop on the same server, they must not interfere with each other and can only operate on files belonging to their own group.

Access permissions

Take the class file as an example; here the king user has a group of its own.

The first character identifies the file type in Linux:

  • d: directory (folder)
  • -: ordinary file
  • l: soft (symbolic) link, similar to a Windows shortcut
  • b: block device file (such as a hard disk or optical drive)
  • p: pipe (FIFO) file
  • c: character device file (such as serial devices and the terminal screen)
  • s: socket file

Positions 2 to 10 are the permissions, in three groups of rwx (owner, group, others):

  • r: read. For a file, permission to read its contents; for a directory, permission to list the directory's entries
  • w: write. For a file, permission to modify its contents; for a directory, permission to create, move or delete files in it
  • x: execute. For a file, permission to run it; for a directory, permission to enter it

The characters represent:

Octal representation:

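
As an added example that is not part of the original post, the following POSIX shell functions convert between the symbolic form shown by ls -l (for example -rw-rw-r--) and the octal form (0664). They also handle the sticky bit (t or T in the last position), which is discussed further down, and deliberately do not handle setuid/setgid, which this post does not cover.

```shell
#!/bin/sh
# mode_to_octal MODE: turn the first field of `ls -l` (e.g. "-rw-rw-r--") into the
# four-digit octal mode (e.g. 0664). The first digit is 1 when the sticky bit is set.
mode_to_octal() {
    s=$1; rest=${s#?}; perm=0; sticky=0; pos=1      # drop the file-type character
    [ "${#s}" -eq 10 ] || { echo "expected 10 characters, got '$s'" >&2; return 1; }
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}      # peel off the next character
        perm=$(( perm * 2 ))                        # shift in one bit per position
        case $c in
            r|w|x) perm=$(( perm + 1 )) ;;
            t|T) [ "$pos" -eq 9 ] || { echo "sticky bit only valid in the last position" >&2; return 1; }
                 sticky=1
                 [ "$c" = T ] || perm=$(( perm + 1 )) ;;   # t also means others have execute
            -) ;;
            *) echo "unexpected character '$c' in '$s'" >&2; return 1 ;;
        esac
        pos=$(( pos + 1 ))
    done
    printf '%d%03o\n' "$sticky" "$perm"
}

# octal_to_mode OCTAL: the reverse direction; 0664 -> rw-rw-r--, 1777 -> rwxrwxrwt
octal_to_mode() {
    m=$(( 0$1 )); out=''; chars=rwxrwxrwx; i=0      # leading 0 forces octal parsing
    while [ "$i" -lt 9 ]; do
        c=${chars%"${chars#?}"}; chars=${chars#?}
        if [ $(( (m >> (8 - i)) & 1 )) -eq 1 ]; then out="$out$c"; else out="$out-"; fi
        i=$(( i + 1 ))
    done
    if [ $(( m & 01000 )) -ne 0 ]; then             # sticky bit: t if others have x, else T
        case $out in
            *x) out="${out%?}t" ;;
            *)  out="${out%?}T" ;;
        esac
    fi
    printf '%s\n' "$out"
}
```

For a real directory, feed it the first field of ls -ld, e.g. `mode_to_octal "$(ls -ld /tmp | cut -c1-10)"`.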

File Permission Settings

chmod command
  • Function: set the access permissions of a file
  • Usage: chmod [options] [mode] [file]

Only the owner of the file and the root user can change the permissions of the file

  • u: owner
  • g: group
  • o: other users
  • a: all users

chmod u-rwx filename      # remove all permissions of the file owner
chmod g-rwx filename      # remove all permissions of the file's group
chmod o-rwx filename      # remove all permissions of other users
chmod a+r filename        # add read permission for all users
chmod a+rwx filename      # add read, write and execute permission for all users
chmod u-x,g+x filename    # remove the owner's execute permission, add execute permission for the group

Add execute permission for the owner (u) of the class file, and remove write permission for its group (g):

You can also use octal to change the corresponding permissions; here all the class files are changed to readable and writable but not executable:

We can also change the owner and group of a file. There is no need to change "others": others are simply whoever is neither the owner nor in the group, so changing the owner and group also changes who counts as others.

chown command
  • Function: change the owner of a file
  • Usage: chown [username] [file]

chgrp command
  • Function: change the group a file belongs to
  • Usage: chgrp [groupname] [file]

sudo is also required here:

The owner and the group can be modified together, with a colon between them:

Default permissions

We can see that the two ordinary files have the same access permissions, and the two directories also have the same access permissions:

In Linux, the starting permissions of a newly created file are:

  • Ordinary file: 0666 (starting permission)
  • Directory: 0777 (starting permission)

But the file permissions we saw above are not these values: the ordinary files have 0664 and the directories have 0775. This is because the umask is also applied when a file or directory is created.

umask command
  • Function: view or modify the file mode creation mask

[king@VM-12-11-centos class]$ umask   # the permission mask of an ordinary user is 0002
0002

Every permission bit that is 1 in the mask is cleared (becomes 0) in the starting permission; the final permission is the starting permission with the mask's bits removed, which is why 0666 with a mask of 0002 gives 0664 and 0777 gives 0775.

umask can also be used to change the mask:

[king@VM-12-11-centos ~]$ umask 0003
[king@VM-12-11-centos ~]$ umask       # after setting it, the new value only lasts for this login session
0003
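
As an added example (not from the original post), this POSIX shell snippet computes the permission a new file or directory actually gets from its starting permission and the umask, and also the inverse: the umask you need for a wanted file permission. The function names are this example's own.

```shell
#!/bin/sh
# effective_mode START MASK: the permission a newly created file or directory gets.
# Every bit that is 1 in the umask is cleared from the starting permission:
#   result = START & ~MASK      (0666 & ~0002 = 0664, 0777 & ~0002 = 0775)
effective_mode() {
    printf '%04o\n' $(( 0$1 & ~(0$2) & 0777 ))     # leading 0 forces octal parsing
}

new_file_mode() { effective_mode 0666 "$1"; }     # ordinary files start at 0666
new_dir_mode()  { effective_mode 0777 "$1"; }     # directories start at 0777

# umask_for_file WANTED: the umask that makes new ordinary files come out as WANTED.
# Because the starting permission is 0666, no umask can give a new file execute
# permission; any x bit in WANTED is simply ignored (0750 and 0640 give the same mask).
umask_for_file() {
    printf '%04o\n' $(( 0666 & ~(0$1) ))
}
```

To compare with the real system, run something like `(umask 0003; touch f; mkdir d; ls -ld f d)` in a scratch directory.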

Directory permissions

  • Read permission: if a directory lacks read permission, you cannot use commands such as ls to view the files in it
  • Write permission: if a directory lacks write permission, files cannot be created in it and files cannot be deleted from it
  • Execute permission: if a directory lacks execute permission, you cannot cd into it

The execute permission on a directory is a common exam point: what you need in order to enter a directory is its execute permission.

Sticky bit

Then a problem arises. If the owner of a directory wants other users to be able to create and modify files in it, the directory must give others write permission. But once other users have write permission on the directory, they can delete any file in it at will, regardless of whether they have write permission on the file itself.

For problems like this, Linux introduces the sticky bit:

chmod o+t [directory]

Others are allowed to create files in the directory, so the directory must have w permission for others; but others must not be allowed to delete other users' files, so a restriction is added to the directory by setting the sticky bit.

When the sticky bit is set on a directory, a file in that directory can only be deleted by:

  • the root user
  • the owner of the file
  • the owner of the directory

For example, on a Linux system the /tmp directory under / has the sticky bit set; it stores temporary files of many users, and each user can change their own temporary files but not other users' temporary files.
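
As an added example that is not the original post's code, the following POSIX shell functions model the deletion rule just described (w and x on the directory are required, and with the sticky bit only root, the file owner or the directory owner may delete) and check whether a real directory has the sticky bit set. The user names and the can_unlink signature are this example's own, and group membership is deliberately not modelled: a user is treated as "owner" when it owns the directory and as "other" otherwise.

```shell
#!/bin/sh
# can_unlink USER DIR_OWNER DIR_MODE FILE_OWNER
# Prints yes/no (and returns 0/1) for "may USER delete a file owned by FILE_OWNER
# inside a directory owned by DIR_OWNER with octal mode DIR_MODE (e.g. 1777)?".
# Simplification of this example: the group class is ignored; USER is the owner
# class if it owns the directory, otherwise the other class.
can_unlink() {
    user=$1; dir_owner=$2; mode=$(( 0$3 )); file_owner=$4
    if [ "$user" = root ]; then echo yes; return 0; fi
    if [ "$user" = "$dir_owner" ]; then
        bits=$(( (mode >> 6) & 7 ))            # owner class rwx of the directory
    else
        bits=$(( mode & 7 ))                   # other class rwx of the directory
    fi
    if [ $(( bits & 3 )) -ne 3 ]; then         # deleting needs both w (2) and x (1)
        echo no; return 1
    fi
    if [ $(( mode & 01000 )) -ne 0 ] && [ "$user" != "$file_owner" ] && [ "$user" != "$dir_owner" ]; then
        echo no; return 1                      # sticky bit: neither file owner nor directory owner
    fi
    echo yes; return 0
}

# sticky_set DIR: true when ls -ld shows the sticky bit (t or T) in the last position
sticky_set() {
    case $(ls -ld "$1" | cut -c10) in
        t|T) return 0 ;;
        *)   return 1 ;;
    esac
}
```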


Summary of permissions

1. The execute (x) permission on a directory determines whether you can run commands against it. Without x on the directory you cannot run any command on it, not even cd into it, even if the directory still has read (r) permission.

If the directory has x but not r, the user can run commands and cd into the directory; but because there is no read permission, even though ls can be executed in the directory, there is still no permission to read the entries in it.

2. For a directory: read permission lets you view its contents; write permission lets you create and delete files in it; execute permission lets you enter it.

3. Permissions are bound to roles: they decide whether a specific person is allowed to do a specific thing.

4. In a directory with the sticky bit set, other users can create files but cannot delete other people's files.

Origin blog.csdn.net/qq_43842093/article/details/131345646