
How to manage file permissions well in Linux

2025-01-18 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article is about how to manage file permissions in Linux. The editor finds it quite practical and shares it here for reference. Let's take a look.

Linux is a typical multi-user, multi-tasking operating system, so it is very common for the resources of one computer to be shared by several people. That raises some questions. When several people use a computer at the same time, will they affect and interfere with each other? If one of them carelessly does something destructive, will the others suffer as well? If everyone stores private documents on this computer, can those documents be viewed or accessed by others? As a secure operating system, how does Linux solve these problems? And the root user has super privileges: what privileges are they?

How to understand user rights

You can think of a computer as a hotel. Who is the root user of this hotel? No doubt, it is the owner. The employees who work for the owner can be regarded as administrators, and the guests as ordinary users. When you register and pay at the front desk and book a room, the front desk gives you the key or room card for that room, which is the equivalent of your account password. With the key or room card you can open the door and use all the goods and services provided in the room. What you can use is limited to that room, of course: your room card and key cannot open the door of another room unless you are the owner.

This is a vivid metaphor, and also a microcosm. All the resources around us are limited and nobody can use them without limit, so wherever we live and work there are rules that restrict our scope of action and freedom, and we pay a certain price to obtain the use of resources. Computer resources are the same, and account management and design must follow this most basic rule of sharing among many people.

Permission, taken literally, has two sides: the right specifies what you can do, and the limit specifies what you cannot do, so that you exercise your rights within a certain scope. Linux accounts can be divided into the super user (root), administrators and ordinary users according to their permissions. Different users get different permissions based on their need for system resources. Who gives them those permissions? The super user (root) is in charge and is the distributor for these accounts. All of them, administrators included, are allocated by root. Administrator accounts and ordinary accounts are not fundamentally different, but an administrator account will generally have more permissions.

Linux account permissions come in many kinds. The most basic is access to the file system, that is, file and folder permissions. Sudo privileges give specific accounts the ability to execute certain commands as the root account. The ssh privilege controls whether a user can log in remotely via ssh.

About file permissions

Because devices and documents alike exist in the form of files in Linux, the most basic security control in Linux is access control on files. Linux file and folder permissions are a set of mechanisms that control user access to files, folders and executable programs.

Linux defines three basic permissions, whose meaning depends on whether the user is operating on a file or a directory:

Read, identified by r. For a file, it means you can view the contents of the file; for a folder, it means you can view the files under the folder. It is represented by the value 4;

Write, identified by w. For a file, it means you can write or insert content into the file; for a folder, it means you can delete, add or rename files under the folder. It is represented by the value 2;

Execute, identified by x. For a file, it means the file can be executed as a program; for a folder, it means you can access its subdirectories and files and cd into the directory in the shell. It is represented by the value 1.

A user stands in one of the following relationships to a file:

File owner: the user who owns the file, by default the user who created it (see the whoami command).

Group: the group to which the file belongs, by default the group of the user who created it (viewable with the id command).

Other: users who are neither the file owner nor a member of the group to which the file belongs.

The permissions of a file or folder state whether users in each of these three relationships may read, write and execute it. Usually, the permissions of a file or folder can be viewed with the ls -l command:

mode: the operation permissions of the owner, the group and other users on the file;

owner: the owner of the file;

group: the user group to which the file belongs.

Mode is shown as a string of length 10, for example "-rw-rw-r--". The first character is the type: "-" for a file, "d" for a directory and "l" for a link. The remaining nine characters are read in groups of three:

Within each group, the first character shows read permission ('r' means read is allowed, '-' means it is prohibited), the second shows write permission ('w' means write is allowed, '-' means it is prohibited), and the third shows execute permission ('x' means execute is allowed, '-' means it is prohibited). From left to right, the first group gives the owner's permissions, the second group the group's permissions, and the third group the permissions of other users.

For example, how should the permission "-rwxr-xr-x" of the file public_excutable, as shown in the above figure, be understood? The owner's permission is "rwx", which means the owner can read, write and execute the file. The group's permission is "r-x", which means members of the group can only read and execute it. The permission of other users is also "r-x", which means they too can only read and execute it.

File permissions can also be written as a four-digit octal number, in which the highest digit represents special permissions, followed by the owner, group and other permissions. The value of each octal digit is the sum of the values of the permissions granted. Taking the file public_excutable as an example again:

0755 = rwxr-xr-x = 0(4 + 2 + 1)(4 + 1)(4 + 1)

If you want to see the numeric permissions of a file, you can do so with the stat command:

root@d076cf119be7:/ $ stat test_file
File: test_file
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: 29h/41d Inode: 13429 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2018-07-26 02:26:26.723187697 +0000
Modify: 2018-07-26 02:26:26.723187697 +0000
Change: 2018-07-26 02:26:26.723187697 +0000
Birth: -

How do I create and modify file permissions?

umask

When we log on to the system and create a new file or directory, it is assigned default permissions. How are these initial permissions determined? On Linux systems, administrators typically define the default permissions for newly created directories and files by setting the umask value.

What is umask? The system administrator must set a reasonable umask value for you to ensure that the files you create have the desired default permissions and to prevent other users from having write permission on your files. In general, the umask command is set in the /etc/profile file, which is read for every user at login, so if you want to change the umask of all users, you can add the corresponding entry to that file. If you want to set your own umask value permanently, put it in the .profile, .bash_profile or .bashrc file in your $HOME directory.

The umask value is similar to a file's permission value: it is a three-digit octal number such as 002, in the range 000 to 777. It works as a mask that defines which permissions are to be prohibited for which users. The first digit gives the permissions prohibited for the owner, the second digit those prohibited for group users, and the third digit those prohibited for other users.

How to calculate default file or directory permissions from umask values?

Take a umask value of 002 as an example. Translated into a permission string it is "--- --- -w-", which means that write permission is prohibited for other users. For files, the default maximum permission is 666, i.e. "rw- rw- rw-". Applying the mask removes the write permission of other users, so the default permission for files is "rw- rw- r--", with the value 664. For folders, the default maximum permission is 777, i.e. "rwx rwx rwx". Applying the mask removes the write permission of other users, so the default permission for folders is "rwx rwx r-x", with the value 775.
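The calculation above, as an added example that is not part of the original article: the function names default_modes and predict_modes are assumptions, and stat -c is the GNU coreutils form. It creates a file and a directory under a given umask and compares the observed modes with 0666 and 0777 masked bit by bit, including the 033 case where plain subtraction would give a wrong answer.

```shell
#!/bin/sh
# Added example: observe and predict default modes for a given umask.

# default_modes UMASK: create a file and a directory under that umask in a
# scratch directory and print their octal modes as "<file> <dir>".
default_modes() {
    tmp=$(mktemp -d) || return 1
    (
        umask "$1"                 # only affects this subshell
        : > "$tmp/f"               # new files are requested with mode 0666
        mkdir "$tmp/d"             # new directories with mode 0777
        printf '%s %s\n' "$(stat -c '%a' "$tmp/f")" "$(stat -c '%a' "$tmp/d")"
    )
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# predict_modes UMASK: the same result computed by clearing the masked bits
# (bitwise AND with the complement), which is not the same as subtraction.
predict_modes() {
    mask=$(( 0$1 ))                # leading 0 makes the value octal
    printf '%o %o\n' $(( 0666 & ~mask )) $(( 0777 & ~mask ))
}

# Constructed sample values: 002 from the text, 022 and 033 from the umask
# command listings in the article.
for u in 002 022 033; do
    printf 'umask %s  observed: %s  predicted: %s\n' \
        "$u" "$(default_modes "$u")" "$(predict_modes "$u")"
done
```

With umask 033 a new file gets 644, not 633: the execute bit the mask names was never requested, so there is nothing to remove.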

Using the umask command:

Query the system umask value

root $ umask
0022

Set umask

root $ umask 0033
root $ umask
0033

Modify file or folder permissions

The above describes how the default permissions of a file or folder are defined through umask. How do you change the permissions after the file has been created? Linux provides the chmod command to modify file permissions. chmod can add or remove permissions on a file or directory for specified users, for example adding execute permission for the owner and the group:

chmod ug+x test_file

In the above example, u and g are the user types, standing for user and group:

u - user

g - group

o - other

a - all

'+' means adding permissions and is the action performed:

+ Add permissions

- Remove permissions

'x' is the file permission being added:

r Read

w write

x Executable

Some common examples:

Add write permissions to all users:

chmod a+w test_file

Add execution permissions to other users:

chmod o+x test_file

Disable group and other user execution permissions:

chmod go-x test_file

Disable all user execution permissions:

chmod a-x test_file

You can also set the file permissions directly with a numeric value:

chmod 644 test_file

Change the ownership of a file or folder

The ownership of a file determines which user and user group the file belongs to. When creating a file, by default, the owner of the file is the user who created the file, and the group is the initial group of the user.

root:/home/user5 $ su user5
user5:~ $ groups
user5
user5:~ $ touch test
user5:~ $ ls -la
-rw-r--r-- 1 user5 user5 0 Aug 2 01:11 test

Normally, root and the owner of a file can modify its permissions at will, but for the owner this depends on whether the user has access to the chmod command.

File ownership can be modified by the root account: the chown command changes the file's owner, and chgrp changes the group the file belongs to.

root:/home/user5 $ chown user4 test
root:/home/user5 $ ls -la
-rw------- 1 user4 user5 0 Aug 2 01:11 test
root:/home/user5 $ chgrp user2 test
root:/home/user5 $ ls -la
-rw------- 1 user4 user2 0 Aug 2 01:11 test

Control of file and folder permissions

When a user wants to access a file or folder, Linux first checks the ownership relationship between the user and the file, then checks which kind of operation the user is attempting (read, write or execute), and finally checks whether the user's role has permission for that operation on the file. For example, the permissions of the test file in the above example are as follows:

root:/home $ ls -la
-rw------- 1 user4 user2 0 Aug 2 01:11 test

If user2 wants to view the file, will Linux allow it? Try the experiment:

root:/home $ su user2
user2:/home $ cat test
cat: test: Permission denied

Why was it rejected? From the permission analysis above: the user2 account belongs to the user2 group and the file also belongs to the user2 group, but the file grants read and write permission only to the owner and grants nothing to the group, so user2 has no read permission.

Folder permissions are special: x means you can enter the directory and its subdirectories with the cd command in the shell, r means you can list the files and subdirectories under the directory, and w means you can add and delete files under the folder.

drwx------ 3 testuser1 test2 4096 Aug 15 01:18 testuser1dir
drwx------ 2 testuser2 testuser2 4096 Jun 28 01:44 testuser2dir

For example, the folder testuser1dir above grants read, write and access permission only to its owner, testuser1. When we switch to testuser2, can we access testuser1dir?

testuser2@d1db4cc29365:/home $ cd testuser1dir
bash: cd: testuser1dir: Permission denied

The experiment shows that we cannot, because testuser1dir grants no permissions to group users or other users, and testuser2 counts as an other user. If we need other users to be able to access the directory, what should we do?

root@:/home $ chmod o+rx testuser1dir
root@:/home $ ls -la
drwx---r-x 3 testuser1 test2 4096 Aug 15 01:18 testuser1dir
testuser2@:/home $ cd testuser1dir/
testuser2@:/home/testuser1dir $ ls
testdir

First switch to the root account and add read and access permission on testuser1dir for other users, then switch to the testuser2 account and try to cd into the directory again. This time it works.
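The check order described in this section, as an added example that is not part of the original article: may_access is a hypothetical helper that models only the basic owner/group/other bits and ignores root and any other access mechanism. It replays the test file and testuser1dir cases and adds one constructed case showing that the first matching class decides, so an owner without the read bit is denied even when group and other users may read.

```shell
#!/bin/sh
# Added example: model of the owner/group/other check (not kernel code).
# may_access MODE OWNER GROUP USER "USER_GROUPS" OP
#   MODE is octal (e.g. 600), OP is r, w or x.
#   Prints "<class> allow" or "<class> deny".
may_access() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5 op=$6
    case $op in
        r) want=4 ;;
        w) want=2 ;;
        x) want=1 ;;
        *) echo "unknown operation: $op" >&2; return 2 ;;
    esac
    m=$(( 0$mode ))                # leading 0 makes the value octal
    # Step 1: pick exactly one class. Owner wins over group, group over other.
    if [ "$user" = "$owner" ]; then
        class=owner; bits=$(( (m >> 6) & 7 ))
    else
        class=other; bits=$(( m & 7 ))
        for g in $ugroups; do
            if [ "$g" = "$group" ]; then
                class=group; bits=$(( (m >> 3) & 7 ))
                break
            fi
        done
    fi
    # Step 2: only that class's bits are consulted.
    if [ $(( bits & want )) -ne 0 ]; then
        echo "$class allow"
    else
        echo "$class deny"
    fi
}

# Cases from the article; group memberships are assumed from its listings.
may_access 600 user4 user2 user2 "user2" r              # cat test as user2
may_access 700 testuser1 test2 testuser2 "testuser2" x  # cd before chmod o+rx
may_access 705 testuser1 test2 testuser2 "testuser2" x  # cd after chmod o+rx
# Constructed case: the owner lacks the read bit that group and other have.
may_access 044 user4 user2 user4 "user4" r
```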
