Permission understanding
- 1. The concept of Linux permissions
- 2. su [user name]: switching users
- 3. Linux permission management
  - (1) Classification of file visitors (people)
  - (2) File type and access permissions (thing attributes)
    - About file suffixes
    - Conditions for executable programs
  - (3) Representation method of file permission value
  - (4) Related setting methods for file access permissions
    - (1) chmod [parameter] permission file name: set file access permissions
    - (2) Format of the chmod command permission value
    - (3) chown [parameter] user name file name: modify the owner of the file
    - (4) chgrp [parameter] user group name file name: modify the group to which the file or directory belongs
    - (5) file [option] file or directory: identify file type
- 4. Use sudo to assign permissions
- Directory permissions
- 5. Summary on permissions
- 6. /tmp directory: file sharing
- 7. Sticky bit (chmod o+t)
- 8. umask
  - (1) umask permission value
  - (2) umask process and principle
1. The concept of Linux permissions
There are two types of users under Linux: the super user (root) and ordinary users.
- Super user: can do anything on a Linux system, unrestricted.
- Ordinary user: can only do limited things on a Linux system.
- The super user's command prompt is "#"; the command prompt for ordinary users is "$".
2. su [user name]: switching users
Command: su [user name]
Function: switch to another user
To switch from root to the ordinary user user, use su user.
To switch from the ordinary user user to root, use su root (root can be omitted). The system then prompts for the root user's password.
3. Linux permission management
(1) Classification of file visitors (people)
- Owner of a file or directory: u (user)
- Users in the group the owner belongs to: g (group)
- Other users: o (others)
(2) File type and access permissions (thing attributes)
(1) First position: file type
- -: ordinary file [including text, source code, pictures, videos, (dynamic and static) libraries, executable programs, etc.; covers most file types]
- l: soft link (symbolic link), similar to a shortcut under Windows
- b: block device file (for example hardware such as disks and optical drives)
- p: pipe file, essentially used to pass data between processes (like the | pipeline on the command line)
- c: character device file (for example the screen, the keyboard and other serial devices)
- s: socket file
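The table above reads the file type from the first character of the ls -l mode string. The following added example (not code from the original post; the function names file_type_of and demo_file_types are this example's own) builds one of each type that an unprivileged user can create in a temporary directory and classifies them the same way, using /dev/null as the character-device sample.

```shell
#!/bin/sh
# Added example (not from the original post): classify a path by the first
# character of its `ls -ld` mode string, exactly as the table above reads it.
# Names here (file_type_of, demo_file_types) are this example's own.

# Print a short description of the first character of the mode string.
file_type_of() {
    # `ls -ld` prints the mode string first, e.g. "drwxr-xr-x"; take char 1.
    # -d keeps directories and symlinks themselves from being dereferenced.
    first=$(ls -ld "$1" | cut -c1)
    case "$first" in
        -) echo "ordinary file" ;;
        d) echo "directory" ;;
        l) echo "soft link" ;;
        b) echo "block device" ;;
        c) echo "character device" ;;
        p) echo "pipe file" ;;
        s) echo "socket file" ;;
        *) echo "unknown ($first)" ;;
    esac
}

# Build a constructed sample tree with one of each type we can create without
# privileges and print "name: type" for each entry.
demo_file_types() {
    d=$(mktemp -d) || return 1
    : > "$d/plain.txt"            # ordinary file; the suffix is irrelevant
    mkdir "$d/sub"                # directory
    ln -s plain.txt "$d/link"     # symbolic (soft) link
    mkfifo "$d/fifo"              # named pipe
    for f in plain.txt sub link fifo; do
        printf '%s: %s\n' "$f" "$(file_type_of "$d/$f")"
    done
    # /dev/null is a character device on every Linux system
    printf '%s: %s\n' /dev/null "$(file_type_of /dev/null)"
    rm -rf "$d"
}

demo_file_types
```

Block and character device files cannot be created by an ordinary user (that needs mknod as root), which is why the example only inspects an existing one.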
About file suffixes
- Windows relies on the file suffix to determine the file type.
- In Linux, the file type shown by ls -l is determined by the first character of the mode string and has nothing to do with the file suffix. For example, an executable program renamed with mv to a .txt name is still an executable program, as cat (or file) confirms.
- However, tools such as gcc/g++ do expect the corresponding suffix.
Conditions for executable programs
Conditions for execution:
- First, the file itself must be an executable file (first position of the mode string: file type).
- Second, the file must carry the executable permission (x).
However, compiler instructions and tools on the system still need to consider the corresponding file suffixes.
=> Linux does not distinguish file types by suffix (which does not mean Linux never uses suffixes).
- Attitude towards file suffixes: although Linux does not use them to identify file types, their use is still recommended:
  - Tools require the corresponding file suffix.
  - People need them (a person can tell the file type at a glance).
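To show the two execution conditions and the irrelevance of the suffix together, here is an added example (not code from the original post; try_run and demo_exec_conditions are this example's own names). It writes a small constructed shell script, tries to run it without and with the x bit, then renames it to .txt and runs it again.

```shell
#!/bin/sh
# Added example (not from the original post): a file runs only when it is an
# executable file AND carries the x permission; renaming it to .txt changes
# neither. Names (try_run, demo_exec_conditions) are this example's own.

# Run a path by its absolute name and report "ran" or "denied" instead of
# aborting the script when the kernel refuses to execute it.
try_run() {
    if "$1" >/dev/null 2>&1; then echo ran; else echo denied; fi
}

demo_exec_conditions() {
    d=$(mktemp -d) || return 1
    # A constructed shell script: condition 1 (the content is executable) holds
    printf '#!/bin/sh\necho hello\n' > "$d/hello"

    chmod 644 "$d/hello"          # no x bit anywhere: condition 2 fails
    r1=$(try_run "$d/hello")      # denied (even root needs some x bit set)

    chmod 755 "$d/hello"          # x bit set: both conditions hold
    r2=$(try_run "$d/hello")      # ran

    mv "$d/hello" "$d/hello.txt"  # the suffix means nothing to the kernel
    r3=$(try_run "$d/hello.txt")  # still ran

    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

demo_exec_conditions            # prints: denied ran ran
```

The mode bits belong to the inode, so mv keeps them; only the name changed.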
(2) Positions 2-10: basic permissions
- Read (r/4): for files, read the file content; for directories, browse the directory listing.
- Write (w/2): for files, modify the file content; for directories, create, delete or move files within the directory.
- Execute (x/1): for files, execute the file; for directories, enter the directory.
- "-": indicates that the permission is not granted.
(3) Representation method of file permission value
- Character representation method
- Octal numerical representation method
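The two representations are the same nine bits, grouped into three triples of r=4, w=2, x=1. The following added example (not from the original post; perm_to_octal and octal_to_perm are this example's own names) converts in both directions so the reader can check any mode string against its octal value.

```shell
#!/bin/sh
# Added example (not from the original post): convert between the character
# form ("rw-r--r--") and the octal form (644) of a permission value using the
# weights r=4, w=2, x=1. Names (perm_to_octal, octal_to_perm) are this
# example's own.

# nine-character rwx string -> three octal digits
perm_to_octal() {
    s=$1; out=""
    for i in 1 4 7; do                       # start of each u/g/o triple
        trip=$(printf '%s' "$s" | cut -c"$i"-"$((i+2))")
        n=0
        case "$trip" in r??) n=$((n+4)) ;; esac
        case "$trip" in ?w?) n=$((n+2)) ;; esac
        case "$trip" in ??x) n=$((n+1)) ;; esac
        out="$out$n"
    done
    echo "$out"
}

# three octal digits -> nine-character rwx string
octal_to_perm() {
    o=$1; out=""
    for i in 1 2 3; do
        dgt=$(printf '%s' "$o" | cut -c"$i")
        if [ $((dgt & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $((dgt & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $((dgt & 1)) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    echo "$out"
}

perm_to_octal rwxr-xr--      # 754
octal_to_perm 640            # rw-r-----
```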
(4) Related setting methods for file access permissions
(1) chmod [parameter] permission file name: set file access permissions
Function: set file access permissions
Format: chmod [parameter] permission file name
Common options:
- -R: recursively modify the permissions of a directory and the files under it
[Note: only the file's owner and root can change the permissions of a file]
(2) Format of the chmod command permission value
① User identifier +/-= permission character
- +: add the permission represented by the permission character to the selected scope
- -: remove the permission represented by the permission character from the selected scope
- =: set the selected scope to exactly the permission represented by the permission character
User identifiers:
- u: owner
- g: the owner's group
- o: other users
- a: all users
// Example
# chmod u+w /home/abc.txt
# chmod o-x /home/abc.txt
# chmod a=x /home/abc.txt
② Three octal digits
// Example
# chmod 664 /home/abc.txt
# chmod 640 /home/abc.txt
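The following added example (not from the original post; mode_of and demo_chmod are this example's own names) applies the same symbolic and octal forms to a constructed file and reads each result back from ls -l, which makes the difference between + / - (change one bit) and = (replace the whole scope) visible.

```shell
#!/bin/sh
# Added example (not from the original post): apply the chmod forms shown above
# to a constructed file and read the resulting mode back from `ls -ld`.
# Names (mode_of, demo_chmod) are this example's own.

# Characters 2-10 of the `ls -ld` mode string, e.g. "rw-r--r--".
mode_of() { ls -ld "$1" | cut -c2-10; }

demo_chmod() {
    d=$(mktemp -d) || return 1
    f="$d/abc.txt"; : > "$f"
    chmod 455 "$f"                         # known starting point: r--r-xr-x
    chmod u+w "$f";     m1=$(mode_of "$f") # rw-r-xr-x : one bit added
    chmod o-x "$f";     m2=$(mode_of "$f") # rw-r-xr-- : one bit removed
    chmod a=x "$f";     m3=$(mode_of "$f") # --x--x--x : '=' replaces all bits
    chmod 664 "$f";     m4=$(mode_of "$f") # rw-rw-r--
    chmod 640 "$f";     m5=$(mode_of "$f") # rw-r-----
    chmod g-w,o+r "$f"; m6=$(mode_of "$f") # rw-r--r-- : several clauses at once
    rm -rf "$d"
    echo "$m1 $m2 $m3 $m4 $m5 $m6"
}

demo_chmod
```

Because the file is created and chmod'ed by the same user, the note above still holds: a different non-root user running chmod on it would get "Operation not permitted".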
(3) chown [parameter] user name file name: modify the owner of a file
Function: modify the owner of a file
Format: chown [parameter] user name file name
// Example
# chown user1 f1
# chown -R user1 filegroup1
(4) chgrp [parameter] user group name file name: modify the group of a file or directory
Function: modify the group to which a file or directory belongs
Format: chgrp [parameter] user group name file name
Common options:
- -R: recursively modify the group of a directory and the files under it
// Example
# chgrp users /abc/f2
(5) file [option] file or directory: identify file type
Function: identify the file type.
Syntax: file [option] file or directory
Common options:
- -c: display the instruction execution process in detail, to help with debugging or analysing how the program runs.
- -z: try to read the contents of compressed files.
4. Use sudo to assign permissions
(1) Modify the /etc/sudoers file. Rule format: user who receives the permission, host the user logs in from = (user the command runs as) command
# chmod 740 /etc/sudoers
# vi /etc/sudoers
[Note: the visudo command checks the syntax of /etc/sudoers before saving, which a plain editor does not; a syntax error in this file can lock everyone out of sudo.]
(2) Use sudo to invoke the authorized command: $ sudo -u username command
// Example
$ sudo -u root /usr/sbin/useradd u2
Directory permissions
Directories are also files: the user is matched first (owner, group or others), and then the corresponding permission bits in positions 2-10 apply.
- x (executable permission): if the directory lacks x, you cannot cd into it. A newly created directory normally grants x to the owner, the owner's group and others, and with x you can enter the directory.
- r (readable permission): if the directory lacks r, you cannot use commands such as ls to view the contents of the directory. ls -l views the attributes of the files inside, so r decides whether you can see the file attributes. With x you can enter the directory, but without r the file attributes cannot be viewed with ls.
- w (writable permission): if the directory lacks w, files cannot be created in the directory and files cannot be deleted from it.
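The following added example (not from the original post; probe_dir and demo_dir_perms are this example's own names) removes x, r and w from a constructed directory one at a time and reports which of cd, ls and file creation are refused. Because root bypasses these checks (a point the post makes later), the function reports that case explicitly instead of pretending to see denials.

```shell
#!/bin/sh
# Added example (not from the original post): remove x, r and w from a
# constructed directory in turn and observe which operations fail. Root
# bypasses these checks, so that case is reported separately.
# Names (probe_dir, demo_dir_perms) are this example's own.

# Report whether the current user can enter, list, and create inside $1.
probe_dir() {
    d=$1; out=""
    if (cd "$d") 2>/dev/null;        then out="${out}cd:ok ";    else out="${out}cd:denied ";    fi
    if ls "$d" >/dev/null 2>&1;       then out="${out}ls:ok ";    else out="${out}ls:denied ";    fi
    if touch "$d/new" 2>/dev/null;    then out="${out}create:ok"; rm -f "$d/new"; else out="${out}create:denied"; fi
    echo "$out"
}

demo_dir_perms() {
    if [ "$(id -u)" -eq 0 ]; then echo "root: checks bypassed"; return 0; fi
    base=$(mktemp -d) || return 1
    d="$base/dir"; mkdir "$d"; touch "$d/f"
    chmod 700 "$d"; r_all=$(probe_dir "$d")   # cd:ok ls:ok create:ok
    chmod 600 "$d"; r_nox=$(probe_dir "$d")   # no x: cd denied, create denied
    chmod 300 "$d"; r_nor=$(probe_dir "$d")   # no r: cd ok, ls denied, create ok
    chmod 500 "$d"; r_now=$(probe_dir "$d")   # no w: cd ok, ls ok, create denied
    chmod 700 "$d"; rm -rf "$base"
    printf '%s\n%s\n%s\n%s\n' "$r_all" "$r_nox" "$r_nor" "$r_now"
}

demo_dir_perms
```

Note the "no r" line: with only w and x the user can still enter and create files, but cannot list what is there, which is exactly the case the summary below warns about.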
★ 5. Summary on permissions
- The executable permission of a directory decides whether commands can be executed on the directory.
- x decides whether the directory can be entered. If the directory lacks x, you cannot execute any command on it, not even cd into it, even if it still has r [this is an easy mistake: assuming that read permission alone lets you enter the directory and read the files in it].
- r decides whether file attribute information can be viewed. If the directory has x but not r, the user can cd into it, but since there is no read permission on the directory, even an ls executed inside it cannot read the directory's entries. In other words, x is the prerequisite for the subsequent operations.
- w decides whether files can be created and deleted in the directory.
A note on deletion: root can make modifications even without permission; root can do anything.
So, here comes the question.
- Question 1
  In other words, as long as the user has write permission on the directory, the user can delete files in the directory, regardless of whether the user has write permission on the file itself. This does not seem very scientific: why can you, Li Si, delete a file created by me, Zhang San? The following process confirms it.
  The directory belongs to the ordinary user, but the owner of the file is root, and the file has no permissions at all, so the ordinary user cannot modify it.
  Since nothing can be done with it and there is no point keeping it, I, the ordinary user, delete the file created by your root account.
  Question: why can an ordinary user delete a file set up by the root account? Even though the file belongs to root and I have none of x, r or w on it, why can I delete it?
  Answer: as said earlier, as long as the user has write permission on the directory, the user can delete files in the directory, regardless of whether the user has write permission on the file.
  The owner of the file is root, and the file's owner has the right to set the file's permissions.
  But the directory the file is in belongs to me, even though the file itself is not mine.
  For this directory I am the owner (u) and I have the corresponding write permission, so I can modify the contents of this directory.
  Whether a file can be deleted does not depend on the file itself!!! It depends on the directory where the file is located and whether you have w permission on that directory!!
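The following added example (not from the original post; can_delete and demo_delete are this example's own names) reproduces the point with a single user: a file with mode 000 inside a writable directory is removable, while a mode 666 file inside a directory without w is not. A root-owned file cannot be constructed without privileges, and root bypasses the check anyway, so that case is reported separately.

```shell
#!/bin/sh
# Added example (not from the original post): deleting a file is governed by
# the w (and x) bits of the *directory*, not by the file's own bits. Root
# bypasses both checks, so that case is reported separately.
# Names (can_delete, demo_delete) are this example's own.

# "yes" if rm -f succeeds on $1 (no prompt, no abort), else "no".
can_delete() {
    if rm -f "$1" 2>/dev/null && [ ! -e "$1" ]; then echo yes; else echo no; fi
}

demo_delete() {
    if [ "$(id -u)" -eq 0 ]; then echo "root: checks bypassed"; return 0; fi
    base=$(mktemp -d) || return 1

    # Case 1: my directory (rwx for me), file with no permission bits at all.
    mkdir "$base/mine"; touch "$base/mine/locked"; chmod 000 "$base/mine/locked"
    chmod 700 "$base/mine"
    r1=$(can_delete "$base/mine/locked")          # yes: the directory has w

    # Case 2: world-writable file, but the directory lacks w.
    mkdir "$base/ro"; touch "$base/ro/open"; chmod 666 "$base/ro/open"
    chmod 500 "$base/ro"
    r2=$(can_delete "$base/ro/open")              # no: the directory lacks w

    chmod 700 "$base/ro"; rm -rf "$base"
    echo "$r1 $r2"
}

demo_delete                                       # prints: yes no
```

rm -f is used so that the "write-protected" prompt rm would otherwise print for a mode 000 file does not block the script; the prompt is a courtesy of rm, not a permission check by the kernel.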
- Question 2
  But should we delete files created by root without root's permission? Is this reasonable?
  It is reasonable. Your root account can enter other people's directories without their permission. If others do not agree to let you write files there, then they also have the right to delete the files you create.
  The question now is not whether the deletion is reasonable, but why you want to casually create files in other people's directories.
  In reality there is no such problem: a home directory grants permissions only to its owner and to no one else, so ordinary users cannot interfere with each other. This only happens with the root user (super user), and even then you have the right to delete the file.
6. /tmp directory: file sharing
The home directory grants permissions only to you; no other user can access it.
So files can only, and must, be shared in a non-home directory of the system, for example the /tmp directory (its permissions are open to u, g and o). Because it has w for everyone, everyone can delete files in /tmp.
Deleting a file has nothing to do with the file itself! If you want others to read or write your file, you can grant that, but we cannot prevent others from deleting it!
- Question 3: can't we just remove other users' w permission?
  In the /tmp directory, without w, others could not delete (this would solve the above problem, since /tmp is fully open to u, g and o, and it would reduce the chance that files you created are deleted by others).
  But the prerequisite for you being able to create files in root's /tmp is also that w is present. Once w is gone, new files cannot be created there either. How could it be shared then?
- To solve this unscientific problem, Linux introduced the concept of the sticky bit.
7. Sticky bit (chmod o+t)
[root@localhost ~]# chmod +t /home/ # add the sticky bit
[root@localhost ~]# ls -ld /home/
drwxrwxrwt. 3 root root 4096 9月 19 16:00 /home/
[root@localhost ~]# su - litao
[litao@localhost ~]$ rm /home/abc.c # litao cannot delete someone else's file
rm:是否删除有写保护的普通空文件 "/home/abc.c"?y
rm: 无法删除"/home/abc.c": 不允许的操作
Give others a new permission: t.
Sticky bit: a permission bit t set for others on directories used for sharing. It carries the meaning of x and further restricts the directory:
the files in this directory may only be deleted by the super user root, the owner of the file, or the owner of the directory. No one else has the right to delete them!!
Sticky bit (set with chmod o+t)
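The following added example (not from the original post; sticky_char and demo_sticky are this example's own names) sets and clears the sticky bit on a constructed shared directory with the symbolic form (o+t) and the four-digit octal form (1777), and reads it back from the tenth character of ls -ld, the "t" seen in drwxrwxrwt above. Without a second user the cross-user deletion itself is not exercised here.

```shell
#!/bin/sh
# Added example (not from the original post): set the sticky bit on a
# constructed shared directory with `chmod o+t` / `chmod 1777` and read it
# back from the tenth character of `ls -ld`.
# Names (sticky_char, demo_sticky) are this example's own.

# Tenth character of the mode string: 't' (sticky + o-x), 'T' (sticky, no o-x),
# 'x' or '-' when the sticky bit is clear.
sticky_char() { ls -ld "$1" | cut -c10; }

demo_sticky() {
    d=$(mktemp -d) || return 1
    mkdir "$d/share"
    chmod 777 "$d/share";  c1=$(sticky_char "$d/share")   # x : open, no sticky
    chmod o+t "$d/share";  c2=$(sticky_char "$d/share")   # t : sticky set
    chmod o-t "$d/share";  c3=$(sticky_char "$d/share")   # x : cleared again
    chmod 1777 "$d/share"; c4=$(sticky_char "$d/share")   # t : leading 1 = sticky
    chmod 1776 "$d/share"; c5=$(sticky_char "$d/share")   # T : sticky but no o-x
    rm -rf "$d"
    echo "$c1$c2$c3$c4$c5"
}

demo_sticky                                                # prints: xtxtT
```

The capital T is worth recognising in an audit: the sticky bit is set but others cannot enter the directory, so the bit has no practical effect there.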
8. umask
Preface: why umask is introduced
- On a Linux system, executable programs make up only a part of all files. Only files that must be executable are given x; the user can add it when needed, or the software that generates the file can add it.
- Directories and executable programs naturally need x, and the system adds it for you automatically.
So:
- The starting permission of a new directory is 777 (with x); in fact it is created as 775.
- The starting permission of a new ordinary file is 666 (without x); in fact it is created as 664.
Why is this? Because when a file or directory is created, it is also affected by the umask file mask.
(1) umask permission value: view or modify the file mask [permission mask: customise the default permissions when a file or directory is created]
Function: view or modify the file mask, customising the default permissions when a file or directory is created.
// Example
# umask 755
# umask ★ view
# umask 044 ★ set
(2) umask process and principle
- Default permission of a new ordinary file = 0666
- Default permission of a new directory = 0777
[Only the last three digits matter]
[It is not a subtraction: a subtraction with borrowing would give 663 instead of 664]
(1) What is the permission mask?
- umask [value]: [value] is an octal number, the permission mask.
- The permission mask is the set of bits that must not appear in the final permission: any permission present in the umask does not appear in the final permissions.
(2) How the permission mask is applied
First invert the mask bitwise (~), then AND it with the default permission (&); any bit ANDed with 0 becomes 0.
If the default permission is mask, the permission of the file actually created is: mask & (~umask).
Format: umask permission value
Description: removing the permission mask from the existing access permission yields the default permissions when a file is created.
The default mask value for the super user root is 0022; for ordinary users it is 0002.
So the final permission is determined by the starting permission and the umask permission mask.
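The following added example (not from the original post; apply_umask, created_mode and demo_umask are this example's own names) computes mask & ~umask in shell arithmetic, shows why the 663 vs 664 case above is not a subtraction, and then confirms the result against files and directories the shell actually creates under each umask.

```shell
#!/bin/sh
# Added example (not from the original post): compute the default permission
# as  base & ~umask  (not base - umask) and confirm it against files the shell
# actually creates under that umask. Names (apply_umask, created_mode,
# demo_umask) are this example's own.

# Print the three-digit octal result of base & ~mask.
apply_umask() {
    base=$((0$1)); mask=$((0$2))      # a leading 0 makes the shell parse octal
    printf '%03o\n' $(( base & ~mask & 0777 ))
}

# Create a file or directory under a given umask and report its rwx string.
created_mode() {   # $1 = umask, $2 = "file" or "dir"
    d=$(mktemp -d) || return 1
    (
        umask "$1"                    # affects only this subshell
        if [ "$2" = dir ]; then mkdir "$d/x"; else touch "$d/x"; fi
    )
    ls -ld "$d/x" | cut -c2-10
    rm -rf "$d"
}

demo_umask() {
    echo "666 & ~022 = $(apply_umask 666 022)"        # 644
    echo "777 & ~022 = $(apply_umask 777 022)"        # 755
    echo "666 & ~003 = $(apply_umask 666 003)"        # 664 (subtraction would say 663)
    echo "file under 022: $(created_mode 022 file)"   # rw-r--r--
    echo "dir  under 022: $(created_mode 022 dir)"    # rwxr-xr-x
    echo "file under 003: $(created_mode 003 file)"   # rw-rw-r--
}

demo_umask
```

The 003 case is the one that separates the two mental models: the x bit named by the mask is already absent from 666, so the AND leaves 664 untouched, whereas arithmetic subtraction would borrow and produce 663.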