The concept and management of Linux permissions

1. The concept of Linux permissions

There are two kinds of users on Linux: the superuser (root) and ordinary users.

  • Superuser: can do anything on the system; the kernel's permission checks do not apply to it (root holds the capabilities, such as CAP_DAC_OVERRIDE, that bypass them).
  • Ordinary users: can only do what the permissions on files and directories allow.

The command prompt of the super user is "#", and the command prompt of the ordinary user is "$".
Command : su [username]
Function : switch users.

For example, to switch from root to the ordinary user "user", run su user (root is not asked for a password). To switch from "user" back to root, run su root (root can be omitted); the system then prompts for root's password. su - user additionally starts a login shell with that user's environment.

2. Linux permission management

2.1 Classification of file visitors (people)

  • Owner of the file or directory: u—User (the account that owns it)
  • Group of the file or directory: g—Group (every user that belongs to the file's group)
  • Other users: o—Others (everyone else)

2.2 File types and access rights (thing attributes)


2.2.1 File types

d: directory
-: regular file
l: symbolic (soft) link, similar to a Windows shortcut
b: block device file (hard disk, optical drive, etc.)
p: named pipe (FIFO)
c: character device file (terminals, serial ports, etc.)
s: socket file

2.2.2 Basic permissions

i. Read (r): for a file, permission to read its contents; for a directory, permission to list its entries.
ii. Write (w): for a file, permission to modify its contents; for a directory, permission to create, delete or rename entries in it (deleting a file is a write to the directory, not to the file).
iii. Execute (x): for a file, permission to run it; for a directory, permission to enter it (cd) and to access entries inside it by name.
iv. "-" in a position means that permission is not granted.

2.3 Representation method of file permission value

Permissions are written as nine characters in three groups of three, for the owner, the group and others, each group in the order r, w, x, with "-" for a permission that is not granted; ls -l puts the file-type character in front, e.g. -rw-r--r--. The same value can be written in octal by giving each group one digit that is the sum of r = 4, w = 2, x = 1: -rw-r--r-- is 644 and -rwxr-xr-x is 755. A fourth, leading digit carries special bits such as the sticky bit (value 1, see 2.6), so a directory shown as drwxrwxrwt has octal mode 1777.

2.4 Related setting methods for file access permissions

1. chmod (emphasis)

Function: set the access permissions of a file.
Format: chmod [options] mode file...
Common options:
-R -> apply the change recursively to a directory and everything under it
Note: only the file's owner and root can change a file's permissions.

The mode argument takes two forms:
① Symbolic: [who][operator][permissions], e.g. u+x, go-w, a=r

Operators:
+: add the listed permissions for the selected users
-: remove the listed permissions from the selected users
=: set the selected users' permissions to exactly the listed ones (anything not listed is cleared)
Who:
u: owner
g: group (users in the file's group)
o: other users
a: all of the above (the default when no who is given)

② Octal: three digits, one each for owner, group and others, each digit the sum of r = 4, w = 2, x = 1 (see the 755 example below).

Example: chmod u+rwx file.txt
Read, write and execute permissions will be added to the file owner.

Example: chmod go-w file.txt
The write permissions of the group to which the file belongs and other users will be removed.

Example: chmod 755 file.txt
Set the permissions of the file file.txt to:

  • File owner: read, write, execute (4 + 2 + 1 = 7)
  • Group: read, execute (4 + 1 = 5)
  • Other users: read, execute (4 + 1 = 5)
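The following is an added example (not from the original post) that applies the symbolic and octal chmod forms above to scratch files and reads the bits back with stat. It also shows one caveat the post does not: chmod -R 755 on a tree makes every data file executable, whereas the X flag (capital X) gives execute only to directories and to files that are already executable for someone. It assumes Linux with GNU coreutils (stat -c, mktemp -d); the file and directory names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: symbolic vs octal chmod, and chmod -R 755 vs chmod -R go+rX.
# Assumes GNU coreutils (stat -c '%a' prints the mode in octal, e.g. 755).
set -eu

# Octal permission bits of one path, e.g. 755.
mode_of() {
    stat -c '%a' "$1"
}

# Build a small tree with known modes: a private directory holding a
# data file (600) and a script (700). Names are constructed for the demo.
make_tree() {
    d="$1"
    mkdir -p "$d"
    : > "$d/data"
    : > "$d/run.sh"
    chmod 700 "$d"
    chmod 600 "$d/data"
    chmod 700 "$d/run.sh"
}

# Modes of the tree as "dir data script".
tree_modes() {
    printf '%s %s %s\n' "$(mode_of "$1")" "$(mode_of "$1/data")" "$(mode_of "$1/run.sh")"
}

# The symbolic forms from the text, applied one after another to a single
# file that starts with no permissions at all. Returns the four results.
symbolic_demo() {
    w=$(mktemp -d)
    f="$w/file.txt"
    : > "$f"
    chmod 000 "$f"
    chmod u+rwx "$f"; a=$(mode_of "$f")     # owner gets rwx        -> 700
    chmod go=rx "$f"; b=$(mode_of "$f")     # group/others exactly r-x -> 755
    chmod go-w "$f";  c=$(mode_of "$f")     # nothing to remove     -> 755
    chmod 640 "$f";   d=$(mode_of "$f")     # octal form            -> 640
    rm -rf "$w"
    printf '%s %s %s %s\n' "$a" "$b" "$c" "$d"
}

# Recursive change on two copies of the same tree. "755" marks the data
# file executable; "go+rX" leaves it at 644 because X only sets execute
# on directories and on files that already have an execute bit.
recursive_demo() {
    w=$(mktemp -d)
    make_tree "$w/blunt";   chmod -R 755 "$w/blunt";     blunt=$(tree_modes "$w/blunt")
    make_tree "$w/careful"; chmod -R go+rX "$w/careful"; careful=$(tree_modes "$w/careful")
    rm -rf "$w"
    printf '%s|%s\n' "$blunt" "$careful"
}

echo "symbolic:  $(symbolic_demo)"
echo "recursive: $(recursive_demo)"
```

The recursive case is the one worth remembering: when you need to open up a tree for reading, chmod -R go+rX (or a+rX) is the form that does not turn every document into an executable.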

2. chown

Function: change the owner of a file (the group can be changed in the same step with user:group).
Format: chown [options] user[:group] file...
Common options: -R changes ownership recursively.
Note: on Linux only root can change a file's owner; an ordinary user cannot give their files away to someone else.

chown user1 f1                # make user1 the owner of f1
chown -R user1 filegroup1     # recursively, for the directory filegroup1 and everything under it

3. chgrp

Function: change the group of a file or directory.
Format: chgrp [options] group file...
Common options: -R recursively changes the group of a directory and everything under it.
Note: an ordinary user may only change a file they own to a group they are a member of; root may use any group.

i. Change the file's group ownership to a specific group:

chgrp staff file.txt

ii. Recursively change the group ownership of all files and directories in a directory and its subdirectories to a specific group:

chgrp -R staff directory/

4. umask

Function: view or set the file-creation mask.
Requested mode for a new regular file = 0666.
Requested mode for a new directory = 0777.
In practice the files and directories you create usually do not get those values, because the umask is applied at creation time: every bit set in the umask is cleared from the requested mode. Writing the requested mode as mask, the mode actually created is mask & ~umask (a bitwise operation, not subtraction: clearing a bit that was already clear changes nothing).
Format: umask [mode]
Description: the umask is the set of permission bits that will be withheld from newly created files and directories. A typical default is 0022 for root and 0002 for ordinary users (set by the distribution's login scripts, not by the kernel), which yields 644/755 and 664/775 respectively. The umask is per process and is inherited, so a service started with a permissive umask creates permissive files.

Show the current mask (octal form): umask
Show the current mask (symbolic form, listing the permissions that will be kept): umask -S
Show it as a command that can be reused to restore it (bash): umask -p
Set a new mask of 0022: umask 0022
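The following is an added example (not from the original post) that computes mask & ~umask for the 0666 and 0777 bases in shell arithmetic, then creates a real file and directory under several umask values and reads back what the kernel produced, so the prediction can be checked against reality. It also includes a small hardening check on a umask value. It assumes Linux with GNU coreutils (stat -c, mktemp -d) and a POSIX shell that accepts leading-0 octal constants in $(( )) (dash and bash both do).

```shell
#!/bin/sh
# Added example: how umask is applied. open()/creat() request 0666 for a
# regular file and mkdir() requests 0777; the kernel clears the umask bits,
# so the result is  requested & ~umask.  Assumes GNU coreutils stat.
set -eu

# Predict the mode of a new file (base 0666) or directory (base 0777)
# under a given umask, by arithmetic alone.
predict_mode() {                       # predict_mode file|dir UMASK  -> e.g. 644
    case "$1" in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *) echo "usage: predict_mode file|dir UMASK" >&2; return 1 ;;
    esac
    printf '%03o\n' "$(( base & ~$2 ))"
}

# Create a file and a directory under the given umask, inside a subshell
# so the caller's umask is untouched, and report what stat sees.
observe_mode() {                       # observe_mode UMASK  -> "FILE DIR"
    w=$(mktemp -d)
    (
        umask "$1"
        : > "$w/f"                     # shell redirection creates with 0666
        mkdir "$w/d"                   # mkdir(1) creates with 0777
    )
    printf '%s %s\n' "$(stat -c '%a' "$w/f")" "$(stat -c '%a' "$w/d")"
    rm -rf "$w"
}

# Hardening check: a umask is acceptable here only if it withholds write
# from both group and others, i.e. both w bits of 022 are set in it.
umask_withholds_gw() {                 # umask_withholds_gw UMASK  -> exit status
    [ "$(( $1 & 022 ))" -eq "$(( 022 ))" ]
}

for u in 022 002 077 027; do
    if umask_withholds_gw "$u"; then verdict=ok; else verdict="allows group or world write"; fi
    printf 'umask %s: predicted file=%s dir=%s, observed %s (%s)\n' \
        "$u" "$(predict_mode file "$u")" "$(predict_mode dir "$u")" \
        "$(observe_mode "$u")" "$verdict"
done
```

Run it once as root and once as an ordinary user: the observed values match the prediction in both cases, because umask is not a permission check that root bypasses but a mask applied to every creation request.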

2.5 Directory permissions

  • Execute permission (x): without it you cannot cd into the directory or reach anything inside it by name.
  • Read permission (r): without it you cannot list the directory's entries with ls and similar commands.
  • Write permission (w): without it you cannot create, delete or rename files in the directory. (w only takes effect together with x, because the kernel must first look up the entry in the directory.)

That raises a question.
In other words, as long as a user has write (and execute) permission on the directory, the user can delete files in it, regardless of whether the user has write permission on the file itself.
That does not seem right at first: why can a file created by me, Zhang San, be deleted by you, Li Si? The following session verifies it: test.c (mode --w-rw----, owned by hsl) gives the user mzh no write permission at all, rm warns about exactly that, and the deletion still succeeds because unlinking modifies the directory dir, which mzh can write, not the file.

[mzh@VM-8-6-centos dir]$ ll
total 4
drwxrwxr-x 2 hsl hsl 4096 Sep 10 19:40 abc
--w-rw---- 1 hsl hsl    0 Sep 10 19:40 test.c
-rw-rw-r-- 1 hsl hsl    0 Sep 10 19:40 test.cpp
-rw-rw-r-- 1 hsl hsl    0 Sep 10 19:40 test.txt
[mzh@VM-8-6-centos dir]$ rm test.c
rm: remove write-protected regular empty file ‘test.c’? y
[mzh@VM-8-6-centos dir]$ ll
total 4
drwxrwxr-x 2 hsl hsl 4096 Sep 10 19:40 abc
-rw-rw-r-- 1 hsl hsl    0 Sep 10 19:40 test.cpp
-rw-rw-r-- 1 hsl hsl    0 Sep 10 19:40 test.txt
[mzh@VM-8-6-centos dir]$ 

2.6 Sticky bit

[root@localhost ~]# chmod +t /home/ # set the sticky bit
[root@localhost ~]# ls -ld /home/
drwxrwxrwt. 3 root root 4096 Sep 19 16:00 /home/
[root@localhost ~]# su - litao
[litao@localhost ~]$ rm /home/abc.c # litao cannot delete another user's file
rm: remove write-protected regular empty file "/home/abc.c"? y
rm: cannot remove "/home/abc.c": Operation not permitted

When a directory has the sticky bit set (chmod +t; it shows as t in the others' execute position, and as a leading 1 in the octal mode, e.g. 1777), a file in that directory can be deleted or renamed only by:
1. the superuser;
2. the owner of the directory;
3. the owner of the file.
Write permission on the directory is still required; the sticky bit only adds this ownership check on top of it. This is why shared world-writable directories such as /tmp are created with mode 1777: everyone can create files there, but nobody can remove files that are not theirs.
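The following is an added example (not from the original post) that sets the sticky bit on a scratch directory as the session above does, reads it back with stat, and audits a tree for the configuration the sticky bit exists to fix: directories that are writable by others but lack the bit, where any user can delete any other user's files. It assumes Linux with GNU coreutils and GNU find; the directory names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: sticky bit set/verify, plus an audit for world-writable
# directories without it. Assumes GNU stat (-c) and GNU find (-perm).
set -eu

# Mode of a path as octal including the special bits (e.g. 1777) and as
# the ls-style string (e.g. drwxrwxrwt).
mode_octal()    { stat -c '%a' "$1"; }
mode_symbolic() { stat -c '%A' "$1"; }

# Print, one per line and relative to $1, every directory under $1 that
# is writable by others but has no sticky bit. "-perm -0002" matches
# when the o+w bit is set, "-perm -1000" when the sticky bit is set, and
# the "!" negates the latter. Returns nothing when the tree is clean.
find_unsticky_world_writable() {
    ( cd "$1" && find . -type d -perm -0002 ! -perm -1000 | sort )
}

# Build three constructed directories, audit, apply chmod +t to the bad
# one exactly as in the text, and audit again.
demo() {
    w=$(mktemp -d)
    mkdir "$w/shared" "$w/dropbox" "$w/private"
    chmod 777 "$w/shared"            # world-writable, no sticky bit: flagged
    chmod 1777 "$w/dropbox"          # world-writable with sticky bit, like /tmp
    chmod 755 "$w/private"           # not world-writable, nothing to flag

    echo "before fix:"; find_unsticky_world_writable "$w"
    chmod +t "$w/shared"             # the fix from the text
    echo "after fix:";  find_unsticky_world_writable "$w"
    echo "shared is now $(mode_octal "$w/shared") $(mode_symbolic "$w/shared")"
    rm -rf "$w"
}

demo
```

To run the same audit over a live system, point the function at / (or run find / -xdev -type d -perm -0002 ! -perm -1000 directly): on a sane installation the list is empty, because every world-writable directory that ships with a distribution, /tmp and /var/tmp included, already carries the sticky bit.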

2.7 Summary about permissions

  • The execute permission of a directory is really a search permission: it decides whether you can enter the directory and look up entries inside it by name.

  • Without x you cannot cd into the directory and cannot open anything inside it by path, even if the directory still has r. (This is an easy mistake: assuming that read permission alone lets you enter the directory and read its files.) r without x only lets ls print the entry names, nothing more.

  • With x but without r, you can cd into the directory and open files in it if you already know their names, but ls cannot list what is there, because listing the directory requires read permission on it.


Origin blog.csdn.net/originalHSL/article/details/132793968