[Linux] Understanding Permissions [Detailed Explanation of File Permissions and Directory Permissions, and of the umask Permission Mask]

Permission understanding

1. The concept of Linux permissions

There are two types of users under Linux: the super user (root) and ordinary users.

  • Super user: can do anything on the Linux system, without restriction.
  • Ordinary users: can do only a limited set of things on Linux.
  • The super user's command prompt is "#"; the command prompt for ordinary users is "$".

2. su [user name]: switching users

Command: su [user name]
Function: switch to another user

To switch from root to the ordinary user user, use su user.
To switch from the ordinary user user to root, use su root (root can be omitted). The system will then prompt you for the root user's password.

3. Linux permission management

Files

(1) Classification of file visitors (the people)

  • Owner of the file or directory: u (user)
  • Users in the group to which the owner belongs: g (group)
  • Other users: o (others)


(2) File type and access permissions (attributes of the thing)

In the output of ls -l, the first column is a 10-character field: the first character is the file type and characters 2-10 are the permissions.

(1) First position: file type

  • -: ordinary file [text, source code, pictures, videos, (dynamic and static) libraries, executable programs, etc.; this covers most file types]

  • l: soft link (symbolic link), similar to a shortcut under Windows

  • b: block device file (for example hard disks and optical drives)

  • p: pipe file, used to pass data between related processes; the "|" in a command pipeline is an anonymous pipe

  • c: character device file (for example the screen, serial ports and other character devices)

  • s: socket file



About file suffixes

  • Windows relies on the file suffix to decide the file type.

  • On Linux, the file type shown by ll / ls -l is determined by the first character of the mode field and has nothing to do with the file suffix.

For example, cat shows that a compiled program is indeed an executable; after mv renames it to a .txt file it is still an executable and still runs.
However, when using tools such as gcc/g++, you do need the suffix the tool expects.



Conditions for executable programs

A file is executable when:

  1. The file itself is an executable file (for example a compiled program)

  2. The file has the x (execute) permission in its mode field

However, the compiler and other tools on the system do need to consider the corresponding file suffixes.

=> Linux does not distinguish file types by suffix (which does not mean that Linux does not use suffixes).

  • Attitude towards file suffixes: although Linux does not use them to identify file types, we still recommend using them:
    1. Tools require the corresponding suffix
    2. People need them (a person can tell the file type at a glance)


(2) Positions 2-10: basic permissions

  • r (4) [read]

    For a file, read its contents; for a directory, list the directory's contents.

  • w (2) [write]

    For a file, modify its contents; for a directory, create, delete or move files in the directory.

  • x (1) [execute]

    For a file, execute it; for a directory, enter it (cd).

  • "-": the corresponding permission is not granted.



(3) How a file's permission value is represented

  1. Character representation: nine characters in three groups of rwx (owner, group, others), with "-" in place of a permission that is absent, for example rw-r--r--

  2. Octal numerical representation: each group is the sum of r=4, w=2, x=1, giving one octal digit per group, for example 644
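As an added example (not from the original post), the following shell functions convert between the two representations. They also go beyond the plain rwx case and handle the special bits (s for setuid/setgid, t for the sticky bit discussed later on this page):

```shell
#!/bin/sh
# Added example, not from the original post: convert between the character form
# (as printed by ls -l) and the octal form of a permission value.

# mode_to_octal MODE -> 4-digit octal, e.g. "rwxr-xr-x" -> 0755, "drwxrwxrwt" -> 1777
mode_to_octal() {
    s=$1
    if [ ${#s} -eq 10 ]; then s=${s#?}; fi   # drop the leading file-type character
    if [ ${#s} -ne 9 ]; then echo "bad mode string: $1" >&2; return 1; fi
    special=0; digits=""; pos=0
    while [ -n "$s" ]; do
        triad=${s%"${s#???}"}; s=${s#???}     # next rwx group: owner, group, others
        val=0
        case $triad in r??) val=$((val + 4));; esac
        case $triad in ?w?) val=$((val + 2));; esac
        case $triad in ??[xst]) val=$((val + 1));; esac   # lowercase s/t imply x
        # s/S in the owner or group triad is setuid/setgid; t/T in others is the sticky bit
        case $pos$triad in
            0??[sS]) special=$((special + 4));;
            1??[sS]) special=$((special + 2));;
            2??[tT]) special=$((special + 1));;
        esac
        digits="$digits$val"; pos=$((pos + 1))
    done
    printf '%s%s\n' "$special" "$digits"
}

# octal_to_mode OCTAL -> 9-character form, e.g. 644 -> rw-r--r--, 1777 -> rwxrwxrwt
octal_to_mode() {
    n=$1
    if [ ${#n} -eq 3 ]; then n=0$n; fi
    if [ ${#n} -ne 4 ]; then echo "bad octal mode: $1" >&2; return 1; fi
    special=${n%???}; rest=${n#?}; out=""; pos=0
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}; rest=${rest#?}
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        # special 4 = setuid (owner), 2 = setgid (group), 1 = sticky (others);
        # lowercase letter means x is also set, uppercase means it is not
        case $pos in
            0) [ $((special & 4)) -ne 0 ] && { [ "$x" = x ] && x=s || x=S; } ;;
            1) [ $((special & 2)) -ne 0 ] && { [ "$x" = x ] && x=s || x=S; } ;;
            2) [ $((special & 1)) -ne 0 ] && { [ "$x" = x ] && x=t || x=T; } ;;
        esac
        out="$out$r$w$x"; pos=$((pos + 1))
    done
    printf '%s\n' "$out"
}
```

Feed the first column of ls -l straight in, e.g. mode_to_octal "$(ls -ld /tmp | cut -d' ' -f1)".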



(4) Commands for setting file access permissions

(1) chmod [options] permission file name: set file access permissions

Function: set file access permissions
Format: chmod [options] permission file name

Common options:

  • -R: recursively modify the permissions of a directory and the files in it
    [Note: only the file's owner and root can change a file's permissions]

(2) Format of the chmod permission value

① User identifier +/-/= permission character

  • +: add the permission represented by the permission character to the permission scope
  • -: remove the permission represented by the permission character from the permission scope
  • =: set the permission scope to exactly the permission represented by the permission character

User identifiers:

  • u: owner
  • g: the owner's group
  • o: other users
  • a: all users

// Examples
# chmod u+w /home/abc.txt
# chmod o-x /home/abc.txt
# chmod a=x /home/abc.txt



② Three octal digits

// Examples
# chmod 664 /home/abc.txt
# chmod 640 /home/abc.txt



(3) chown [options] user name file name: change the owner of a file

Function: change the owner of a file
Format: chown [options] user name file name

// Examples
# chown user1 f1
# chown -R user1 filegroup1


(4) chgrp [options] group name file name: change the group of a file or directory

Function: change the group to which a file or directory belongs
Format: chgrp [options] group name file name

Common options:

  • -R: recursively change the group of a directory and the files in it

// Example
# chgrp users /abc/f2



(5) file [options] file or directory: identify the file type

Function: identify the file type.
Syntax: file [options] file or directory

Common options:

  • -c: print the checking process in detail, to help debug or analyze how the file type was determined

  • -z: try to look inside compressed files



sudo: delegating permissions

4. Using sudo to delegate permissions:

(1) Edit the /etc/sudoers file. Format of an entry: user host=(user to run the command as) command

# chmod 740 /etc/sudoers
# vi /etc/sudoers

(2) Run the authorized command through sudo: $ sudo -u username command

// Example
$ sudo -u root /usr/sbin/useradd u2


Directory permissions

Directories are also files.

  1. The system first matches the user's identity (owner, group, others), then applies the corresponding permission bits from positions 2-10.

  • x (execute) permission: if the directory does not have x, you cannot cd into it.

    A newly created directory is almost always given x for the owner, the group and others, and with x you can always enter it.

  • r (read) permission: if the directory does not have r, you cannot use commands such as ls to view the contents of the directory.

    ll and ls -l both view the attributes of the files in the directory; whether you may view them depends on r.

    With x you can enter the directory, but without r the file attributes cannot be viewed with ls.

  • w (write) permission: if the directory does not have w, files cannot be created in the directory and files cannot be deleted from it.

    Without w you cannot create files or perform similar operations in the directory.



★ 5. Summary on permissions

  • The execute permission of a directory determines whether you can run commands against the directory.
  1. x determines whether the directory can be entered

    If the directory lacks x, you cannot run any command on the directory, not even cd into it, even if the directory still has r. [This is an easy place to go wrong: read permission alone does not let you enter the directory and read the files in it.]

  2. r determines whether file attribute information can be viewed

    If the directory has x but not r, the user can cd into the directory, but since there is no read permission on the directory, even though ls can be run inside it, the user still has no permission to read the directory's entries.

    In other words, x is the prerequisite for the other operations.

  3. w determines whether files can be created and deleted in the directory

A note on deletion: root can make modifications even without permission; root can do anything.



So here comes the question.

  • Question 1
    In other words, as long as the user has write permission for the directory, the user can delete files in the directory, regardless of whether the user has write permission for the file itself.

    • This does not seem very reasonable. Why can you, Li Si, delete a file created by me, Zhang San? Let's confirm it with the following process.

Although the directory is indeed yours, the owner of the file is root, and the file has no permissions at all, so an ordinary user cannot modify it in any way.

Since nothing can be done with it and there is no point keeping it, I, an ordinary user, delete the file created by your root account.

Question: why can an ordinary user delete a file set up by the root account? Even though the file belongs to root and I have no permission on it at all (no x, r or w), I can delete it whenever I want. Why?

Answer: the answer is what we said earlier. As long as the user has write permission for the directory, the user can delete files in the directory, regardless of whether the user has write permission for the file.

Although the directory is yours, the owner of the file is root, and the file's owner has the right to set the file's permissions.

But the directory the file lives in belongs to me, even though the file does not.
For this directory I am the owner (u) and I have write permission, so I can modify the contents of this directory.

Whether a file can be deleted does not depend on the file itself!!! It depends on the directory where the file is located and whether the user has w permission on that directory!!

  • Question 2
    But should we be able to delete files set up by root without root's permission? Is this reasonable?

    • It is reasonable. Your root account can enter other people's directories without their permission. If the others did not agree to let you write files there, then they also have the right to delete the files you created.

    • The question now is not whether the deletion is reasonable, but why you want to create files in other people's directories casually.

But in practice this problem does not arise.

A home directory gives permissions only to its owner and to nobody else, so ordinary users cannot interfere with each other.
This only happens with root (the super user), and then you still have the right to delete what root created.



6. /tmp directory: file sharing

Your home directory gives permissions only to you; no other user has permission to access it.

So files can only be shared, and need to be shared, in non-home directories of the system, for example the /tmp directory, whose permissions are open to u, g and o. Because everyone has w on it, everyone can delete files in /tmp.

Deleting a file has nothing to do with the file itself! If you want others to read or write it, you can allow that, but you cannot prevent others from deleting it!

  • Question 3: can't we just remove w from others?

    • In the /tmp directory, removing w from others would indeed stop them from deleting (it solves the problem above, since /tmp is fully open to u, g and o, and would reduce the chance that files you created are deleted by others),

    • but the prerequisite for you being able to create files in root's /tmp is also that w.

      Once w is gone, new files cannot be created there either. How could anything be shared?

To solve this unreasonable situation, Linux introduced the concept of the sticky bit.



7. Sticky bit: chmod o+t

[root@localhost ~]# chmod +t /home/ # add the sticky bit
[root@localhost ~]# ls -ld /home/
drwxrwxrwt. 3 root root 4096 919 16:00 /home/
[root@localhost ~]# su - litao
[litao@localhost ~]$ rm /home/abc.c # litao cannot delete another user's file
rm:是否删除有写保护的普通空文件 "/home/abc.c"?y
rm: 无法删除"/home/abc.c": 不允许的操作

This gives others a new permission bit: t.

Sticky bit: a permission bit t set on the others position of a shared directory. It carries the meaning of x and additionally restricts the directory: files in that directory may be deleted only by the super user root, the owner of the directory, or the owner of the file. Nobody else has the right to delete them!

Sticky bit (set with chmod o+t)



8. umask

Why umask is needed

  • On Linux, executable programs make up only a fraction of all files. Only files that must be executed get x; the user can add it when needed, or other tools add it for the programs they generate.

Directories and executable programs naturally need x, and the system adds it for you automatically.

So:

  • The starting permission of a new directory is 777 (with x); in practice it becomes 775
  • The starting permission of a new ordinary file is 666 (without x); in practice it becomes 664

Why is this? Because when a file or directory is created, the permissions are also affected by the umask file mask.



(1) umask permission value: view or modify the file mask [permission mask: customizes the default permissions when a file is created]

Function:
View or modify the file mask, which customizes the default permissions when a file or directory is created.

// Examples
# umask 755
# umask         ★ view the current mask
# umask 044     ★ set the mask

(2) How umask works

  • Default permission of a new file = 0666

  • Default permission of a new directory = 0777

    [Only the last three digits matter here]

[This is not subtraction: the mask is applied bit by bit, so a mask digit of 3 on a starting digit of 6 gives 4 (664), not 6-3=3 (663)]


(1) What is the permission mask?

  • umask [value]: [value] is an octal number, the permission mask

  • The permission mask is the set of bits that must not appear in the final permissions: any permission present in the umask is removed from the final permissions.

(2) How the permission mask is applied

First take the bitwise NOT (~) of the umask (any bit ANDed with 0 becomes 0), then bitwise AND (&) it with the starting permission.

If the starting (default) permission is called mask, then the permissions of the file actually created are: mask & (~umask)

Format: umask permission value
Description: removing the bits of the permission mask from the existing access permissions gives the default permissions when a file is created.

The default mask value for the super user root is 0022; for general users the default is 0002.

It can be seen that the final permission is determined by the starting permission together with the umask permission mask.
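As an added example (not from the original post), these shell functions compute the permissions a new file or directory gets under a given umask the way described above (starting permission & ~umask), and contrast that with the wrong digit-wise subtraction:

```shell
#!/bin/sh
# Added example, not from the original post: predict the permissions of a newly
# created file or directory from its starting permission and the umask.

# apply_umask BASE UMASK -> three octal digits, computed bit by bit: base & ~umask
# (both arguments as three or four octal digits, e.g. 666 or 0022)
apply_umask() {
    base=$1; mask=$2; out=""
    if [ ${#base} -eq 4 ]; then base=${base#?}; fi   # accept 0666 as well as 666
    if [ ${#mask} -eq 4 ]; then mask=${mask#?}; fi   # accept 0022 as well as 022
    while [ -n "$base" ]; do
        b=${base%"${base#?}"}; base=${base#?}   # next digit of the starting permission
        m=${mask%"${mask#?}"}; mask=${mask#?}   # matching digit of the umask
        out="$out$(( b & ~m & 7 ))"             # keep only the bits NOT set in the mask
    done
    printf '%s\n' "$out"
}

# new_mode_for KIND UMASK -> predicted mode for a new file (base 666) or directory (base 777)
new_mode_for() {
    case $1 in
        file) apply_umask 666 "$2" ;;
        dir)  apply_umask 777 "$2" ;;
        *)    echo "kind must be file or dir" >&2; return 1 ;;
    esac
}

# naive_subtract BASE UMASK -> what digit-wise subtraction gives; this is the WRONG
# mental model and is included only to show where it diverges from apply_umask
naive_subtract() {
    base=$1; mask=$2; out=""
    if [ ${#base} -eq 4 ]; then base=${base#?}; fi
    if [ ${#mask} -eq 4 ]; then mask=${mask#?}; fi
    while [ -n "$base" ]; do
        b=${base%"${base#?}"}; base=${base#?}
        m=${mask%"${mask#?}"}; mask=${mask#?}
        d=$(( b - m )); if [ "$d" -lt 0 ]; then d=0; fi
        out="$out$d"
    done
    printf '%s\n' "$out"
}

# Demo when run directly: the page's 666/777 cases and the 663-vs-664 pitfall
echo "file, umask 022: $(new_mode_for file 022)"    # 644
echo "dir,  umask 002: $(new_mode_for dir 002)"     # 775
echo "file, umask 003: bitwise $(apply_umask 666 003), naive $(naive_subtract 666 003)"
```

To compare with the live system, run (umask 003; touch probe; ls -l probe) in a scratch directory: the mode column shows rw-rw-r--, i.e. 664.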


Source: blog.csdn.net/NiNi_suanfa/article/details/134496272