
Example Analysis of Linux File system permissions

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

The editor shares a sample analysis of Linux file system permissions. I hope you will gain something after reading this article; let's discuss it together.

Understanding the output of the ls command

Before we discuss how to modify permissions, we need to know how to view them. The long-listing argument (-l) of the ls command gives us a lot of information about a file.

$ ls -lAh
total 20K
-rwxr-xr--+ 1 root root    0 Mar  4 19:39 file1
-rw-rw-rw-. 1 root root    0 Mar  4 19:39 file10
-rwxrwxr--+ 1 root root    0 Mar  4 19:39 file2
-rw-rw-rw-. 1 root root    0 Mar  4 19:39 file8
-rw-rw-rw-. 1 root root    0 Mar  4 19:39 file9
drwxrwxrwx. 2 root root 4.0K Mar  4 20:04 testdir

To understand what this means, let's break down the output about permissions into sections. It is easier to understand each part individually.

Let's look at each component of the last line in the output above:

drwxrwxrwx. 2 root root 4.0K Mar  4 20:04 testdir

Section 1 | Section 2 | Section 3 | Section 4 | Section 5 | Section 6 | Section 7
d         | rwx       | rwx       | rwx       | .         | root      | root

Section 1 (left) shows the type of file.

Symbol | Type
d      | directory
-      | regular file
l      | soft link

The info page of ls fully lists the different file types.

There are three categories of access to each file:

Owner

Group

All others

Sections 2, 3, and 4 deal with user (owner), group, and other user permissions, respectively. Each section can contain a combination of r (read), w (write), and x (execute) permissions.

Each permission is also assigned a numeric value, which is important when discussing permissions in octal representation.

Permission | Octal value
r          | 4
w          | 2
x          | 1

Section 5 describes other alternative access methods, such as SELinux or file access control lists (FACL).

Character | Access method
-         | no other access methods
.         | SELinux
+         | FACL
+         | any combination of methods

Sections 6 and 7 are the names of owners and groups, respectively.

Using chown and chmod

The chown command

The chown (change ownership) command is used to change the ownership of users and groups of files.

To change the ownership of the users and groups of the file foo to root, we can use the following command:

$ chown root:root foo
$ chown root: foo

Running the command with the user name followed by a colon (:) and no group name sets both user and group ownership.

To set only the user ownership of the file foo to the root user, enter:

$ chown root foo

To change only the group ownership of the file foo, precede the group with a colon:

$ chown :root foo

The chmod command

The chmod (change mode) command controls file permissions for the owner, the group, and all other users who are neither the owner nor members of the group associated with the file.

The chmod command can set permissions in octal form (for example, 755, 644, and so on) or in symbolic form (for example, u+rwx, g-rwx, o=rw).

The octal representation assigns four "points" to read, two "points" to write, and one point to execution. If you want to assign read permission to the user (owner), assign 4 to the first slot, but if you want to add write permission, you must add 2. If you want to add execute, add 1. We do this for each permission type: owner, group, and other.

For example, if we want to assign "read", "write" and "execute" to the owner of the file, but only "read" and "execute" to group members and all other users, we should use 755 (octal format). The owner gets all three values (4, 2, 1), while the group and others get only 4 and 1.

Broken down: 4 + 2 + 1 = 7, 4 + 1 = 5, and 4 + 1 = 5.

If we want to assign "read" and "write" to the owner of the file, but only "read" to the members of the group and all other users, we can use chmod as follows:

$ chmod 644 foo_file

In the following example, we use symbolic notation in different groups. Note that the letters u, g, and o stand for "user" (owner), "group" and "other", respectively. We use u, g, and o with +, -, or = to add, remove, or set permission bits.

To add the execute bit to the ownership permission set:

$ chmod u+x foo_file

To remove read, write, and execute from a group member:

$ chmod g-rwx foo_file

To set the ownership of all other users to read and write:

$ chmod o=rw foo_file

Special bits: set UID, set GID, and the sticky bit

In addition to standard permissions, there are special permission bits that have some other uses.

Set user ID (suid)

When suid is set on a file, it runs as the owner of the file rather than as the user who executed it. A good example is the passwd command: it needs the suid bit so that changing a password can be done with root permission.

$ ls -l /bin/passwd
-rwsr-xr-x. 1 root root 27832 Jun 10  2014 /bin/passwd

Example of setting the suid bit:

$ chmod u+s /bin/foo_file_name

Set group ID (sgid)

The sgid bit is similar to the suid bit, in that operations are done under the group ownership of the directory instead of the group of the user who runs the command.

An example of using sgid is if multiple users are working in the same directory and each file created in the directory needs to have the same group permissions. The following example creates a directory called collab_dir, sets the sgid bit, and changes group ownership to webdev.

$ mkdir collab_dir
$ chmod g+s collab_dir
$ chown :webdev collab_dir

Any file created in this directory will now have the group ownership of webdev, not the group of the user who created the file.

$ cd collab_dir
$ touch file-sgid
$ ls -lah file-sgid
-rw-r--r--. 1 root webdev 0 Jun 12 06:04 file-sgid

The "sticky" bit

The sticky bit indicates that only the owner of a file can delete it, even if the group permissions would otherwise allow the deletion. This setting typically makes the most sense in a shared or collaborative directory such as /tmp. In the following example, the t in the execute column of the "all others" permission set indicates that the sticky bit has been applied.

$ ls -ld /tmp
drwxrwxrwt. 8 root root 4096 Jun 12 06:07 /tmp/

Remember, this doesn't stop someone from editing the file; it just prevents them from deleting the contents of the directory (LCTT translator's note: that is, deleting the files in the directory).

To set the sticky bit:

$ chmod o+t foo_dir

You can try setting the sticky bit on a directory and giving it full group permissions, so that multiple users belonging to the same group can read, write, and execute in the directory.

Next, create files as each user, and then try to delete them as another user.

If everything is configured correctly, one user should not be able to delete another user's files.

Note that each of these bits can also be set in octal format: SUID = 4, SGID = 2, and sticky = 1. (LCTT translator's note: here there are four octal digits.)

$ chmod 4744
$ chmod 2644
$ chmod 1755

Uppercase or lowercase?

If you see an uppercase S or T instead of the lowercase character when you set a special bit (as we have seen before), it is because the underlying execute bit is absent. To illustrate this, the following example creates a file with the sticky bit set. We then add and remove the execute bit to demonstrate the case change.

$ touch file cap-ST-demo
$ chmod 1755 cap-ST-demo
$ ls -l cap-ST-demo
-rwxr-xr-t. 1 root root 0 Jun 12 06:16 cap-ST-demo

$ chmod o-x cap-ST-demo
$ ls -l cap-ST-demo
-rwxr-xr-T. 1 root root 0 Jun 12 06:16 cap-ST-demo
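The octal arithmetic from the chmod section and the uppercase S/T rule shown above can be folded into one routine. This is an added example, not code from the original article: it reads the 10-character mode string that ls -l prints and returns the four-digit octal mode that chmod accepts; mode_to_octal and path_to_octal are names chosen here.

```shell
# Added example, not from the original article: turn the 10-character mode
# string shown by `ls -l` into the four-digit octal mode that chmod accepts.
# Lowercase s/t count as execute (x) plus a special bit; uppercase S/T mean
# the special bit is set but the underlying execute bit is absent.
mode_to_octal() {
    m=$1
    [ "${#m}" -ge 10 ] || { echo "mode_to_octal: need at least 10 chars: $m" >&2; return 1; }
    special=0   # first octal digit: suid=4, sgid=2, sticky=1
    digits=""   # the three rwx digits for owner, group, others
    i=2         # character 1 is the file type (d, -, l, ...)
    weight=4    # special-bit weight for the current triplet: u=4, g=2, o=1
    while [ "$i" -le 8 ]; do
        r=$(printf '%s' "$m" | cut -c"$i")
        w=$(printf '%s' "$m" | cut -c"$((i + 1))")
        x=$(printf '%s' "$m" | cut -c"$((i + 2))")
        v=0
        [ "$r" = r ] && v=$((v + 4))
        [ "$w" = w ] && v=$((v + 2))
        case $x in
            x|s|t) v=$((v + 1)) ;;                      # execute bit present
        esac
        case $x in
            s|S|t|T) special=$((special + weight)) ;;   # suid / sgid / sticky
        esac
        digits="$digits$v"
        i=$((i + 3))
        weight=$((weight / 2))
    done
    printf '%d%s\n' "$special" "$digits"
}

# Convenience wrapper: octal mode of an existing path, read from ls -ld.
# The 11th character (. for SELinux, + for an ACL) is dropped by cut.
path_to_octal() {
    mode_to_octal "$(ls -ld "$1" | cut -c1-10)"
}
```

For instance, mode_to_octal '-rwsr-xr-x' gives 4755 for the passwd binary above, and '-rwxr-xr-T' gives 1754 because the T carries the sticky bit without an execute bit.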

Conditionally setting the execute bit

So far we have set the execute bit with a lowercase x without any further condition. There is another option: an uppercase X instead of the lowercase letter, which sets the execute bit only if an execute bit is already present somewhere in the permission set. This may be a difficult concept to explain, but the following demonstration helps illustrate it. Note that after trying to add the execute bit to the group permissions, the bit is not set.

$ touch cap-X-file
$ ls -l cap-X-file
-rw-r--r--. 1 root root 0 Jun 12 06:31 cap-X-file
$ chmod g+X cap-X-file
$ ls -l cap-X-file
-rw-r--r--. 1 root root 0 Jun 12 06:31 cap-X-file

In this similar example, we first use a lowercase x to add the execute bit to the group permissions, and then use an uppercase X to add it for all other users. This time, the uppercase X sets the permission.

$ touch cap-X-file
$ ls -l cap-X-file
-rw-r--r--. 1 root root 0 Jun 12 06:31 cap-X-file
$ chmod g+x cap-X-file
$ ls -l cap-X-file
-rw-r-xr--. 1 root root 0 Jun 12 06:31 cap-X-file
$ chmod o+X cap-X-file
$ ls -l cap-X-file
-rw-r-xr-x. 1 root root 0 Jun 12 06:31 cap-X-file
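The two uppercase-X runs above can be replayed in a throw-away directory. This is an added example, not part of the original article; it also covers the directory case, which the text does not mention: according to the chmod manual, X sets the execute bit on a directory even when no execute bit is present yet. The names cap_x_demo, after_cap_x and perms_of are chosen here.

```shell
# Added example, not from the original article: chmod's uppercase X adds the
# execute bit only where some execute bit already exists, or when the target
# is a directory (the directory case comes from the chmod manual, not from the
# article). Everything happens in a temporary directory created with mktemp.
perms_of() { ls -ld "$1" | cut -c1-10; }   # the 10-character mode string from ls -l

cap_x_demo() {
    work=$(mktemp -d) || return 1
    : > "$work/plain";   chmod 644 "$work/plain"    # -rw-r--r--  no x anywhere
    : > "$work/script";  chmod 744 "$work/script"   # -rwxr--r--  owner already has x
    mkdir "$work/dir";   chmod 644 "$work/dir"      # drw-r--r--  no x, but a directory

    chmod a+X "$work/plain" "$work/script" "$work/dir"

    # One line per object: name and the mode string after a+X.
    for name in plain script dir; do
        printf '%s %s\n' "$name" "$(perms_of "$work/$name")"
    done
    rm -rf "$work"
}

# Mode of one object after the demo, for scripted checks:
# plain stays -rw-r--r--, script becomes -rwxr-xr-x, dir becomes drwxr-xr-x.
after_cap_x() {
    cap_x_demo | awk -v n="$1" '$1 == n { print $2 }'
}
```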

Understanding umask

Umask masks (or "blocks") bits in the default permission set to define the permissions of a new file or directory. For example, a 2 in the umask output means that the "write" bit is blocked by default for that part of the permission set.

Using the umask command with no arguments allows us to see the current umask settings. There are four columns: the first column is reserved for special suid, sgid, or sticky bits, and the other three columns represent the permissions of the owner, group, and others.

$ umask
0022

To understand what this means, we can run umask with the -S flag (shown below) to have it explain the result of the masked bits. For example, because the group and other columns each contain 2, the write bit is masked for group and others; only read and execute can be assigned to them.

$ umask -S
u=rwx,g=rx,o=rx

To see what the default permission set for files and directories is, let's set umask to all zero. This means that we don't mask any bits when we create the file.

$ umask 000
$ umask -S
u=rwx,g=rwx,o=rwx

$ touch file-umask-000
$ ls -l file-umask-000
-rw-rw-rw-. 1 root root 0 Jul 17 22:03 file-umask-000

Now, when we create a file, we see that the default permissions for every part are read (4) and write (2), which corresponds to octal 666.

We can do the same for a directory and see that its default permission is 777. Directories need the execute bit so that we can traverse them.

$ mkdir dir-umask-000
$ ls -ld dir-umask-000
drwxrwxrwx. 2 root root 4096 Jul 17 22:03 dir-umask-000/
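The umask derivation above (666 becomes 644 and 777 becomes 755 under 0022) can be written out as shell arithmetic. This is an added example, not code from the original article; apply_umask, umask_symbolic and matches_shell_umask are names chosen here, and the renderer is compared against the shell's own umask -S output.

```shell
# Added example, not from the original article: derive the permissions a new
# file (default 666) or directory (default 777) receives under a given umask,
# and render the mask in the u=rwx,g=rx,o=rx form that `umask -S` prints.
apply_umask() {   # apply_umask <default-octal> <umask-octal>, e.g. 666 022 -> 644
    printf '%03o\n' $(( 0$1 & ~0$2 ))   # the leading 0 makes sh read both as octal
}

umask_symbolic() {   # umask_symbolic <umask-octal>, e.g. 022 -> u=rwx,g=rx,o=rx
    allowed=$(( 0777 & ~0$1 ))   # umask -S shows what is allowed: 777 minus the mask
    out=""
    for who in u g o; do
        case $who in u) pos=6 ;; g) pos=3 ;; o) pos=0 ;; esac
        bits=$(( (allowed >> pos) & 7 ))
        s=""
        [ $(( bits & 4 )) -ne 0 ] && s="${s}r"
        [ $(( bits & 2 )) -ne 0 ] && s="${s}w"
        [ $(( bits & 1 )) -ne 0 ] && s="${s}x"
        out="${out:+$out,}$who=$s"
    done
    printf '%s\n' "$out"
}

# Cross-check the renderer against the shell's own umask -S. The umask is
# changed inside a command substitution (a subshell), so the caller's
# setting is left untouched.
matches_shell_umask() {
    [ "$(umask_symbolic "$1")" = "$(umask "$1"; umask -S)" ]
}
```

A restrictive mask such as 077 renders as u=rwx,g=,o= and turns the 666 file default into 600, which is the quickest way to see why a service account's umask matters for files it creates.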
