
Default and special permissions for Linux system files

2025-01-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Default permissions: umask

[root@CentOS7 data]# touch file1; ll file1
-rw-r--r--. 1 root root 0 Oct 9 13:55 file1
[root@CentOS7 data]# mkdir dir1; ll -d dir1
drwxr-xr-x. 2 root root 6 Oct 9 13:55 dir1

What is umask?

As the example above shows, new files and new directories get default permissions of 644 and 755 respectively. Why? This is where umask comes in. The default umask in a Linux system is 022, and it directly determines the default permissions of the files and directories a user creates. Its effect is the opposite of chmod: umask masks the corresponding permission bits, that is, it "takes away" those permissions from the file, while chmod grants permissions to the file.

How to calculate the umask value

In a Linux system, the maximum permissions for directories and files are 777 and 666 respectively. For security reasons, a newly created file is never given execute permission, so in terms of permission bits a new file has one permission less (execute, x) than a directory.

Let's set different umask values and create a file:

[root@CentOS7 data]# umask 222
[root@CentOS7 data]# touch file1; ll file1
-r--r--r-- 1 root root 0 Sep 30 16:41 file1

Here 666 minus 222 does give 444, but is it really calculated by subtraction? Look at the following example:

[root@CentOS7 data]# umask 123
[root@CentOS7 data]# touch file2; ll file2
-rw-r--r-- 1 root root 0 Sep 30 16:48 file2
[root@CentOS7 data]# mkdir dir1; ll -d dir1
drw-r-xr-- 2 root root 6 Sep 30 16:49 dir1

The results show that the new file's permissions are not 666-123=543 but 644, whereas the directory's permissions are exactly what the subtraction gives, 777-123=654. Why? Let's expand the file maximum 666 and the umask value 123 into binary, bit by bit:

110 110 110 -> 666 (maximum permission value for a file)
001 010 011 -> 123 (umask value)
110 100 100 -> 644 (permissions of the new file)

This verifies that "umask masks the corresponding permission bits of the file": a 1 in the umask masks (clears) that bit, a 0 leaves it alone.

To facilitate memory, you can use the following method of calculation:

Directory: the default permission is the result of 777 minus umask value

File: the default permission is 666 minus the umask value, and wherever a digit of the result is odd, add 1 to that digit. For example: 666-123 gives 543, and the result is 644.

How to use umask

Temporary (current shell only): umask 022

Permanent: ~/.bashrc (per-user setting, recommended) or /etc/bashrc (global setting)

Sometimes a newly created file needs very strict permissions, such as 000. The following methods work:

[root@CentOS7 data]# umask 666; touch file3
[root@CentOS7 data]# ll file3
---------- 1 root root 0 Sep 30 22:26 file3
[root@CentOS7 data]# umask
0666

or

[root@CentOS7 data]# touch file4; chmod 000 file4
[root@CentOS7 data]# ll file4
---------- 1 root root 0 Sep 30 22:33 file4

Both methods above create a new file with 000 permissions, but both are tedious, especially the first one (it leaves the shell's umask at 666). If you only need the umask value temporarily, use a subshell:

[root@CentOS7 data]# (umask 666; touch file5)
[root@CentOS7 data]# ll file5
---------- 1 root root 0 Sep 30 22:42 file5
[root@CentOS7 data]# umask
0022

This way the umask is changed only inside the subshell; the current shell's umask is left untouched.
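The calculation above (mask, not subtract) and the subshell trick can both be checked from the shell. The following script is an added example, not part of the original article; the function names are hypothetical, and actual_file_mode assumes GNU coreutils (stat -c) on Linux. It computes the mode a umask yields with the same bitwise operation the kernel uses, shows the naive decimal subtraction beside it, and confirms against a file really created under that umask inside a subshell:

```shell
#!/bin/sh
# Added example: what a umask does to the default mode of new files/dirs.
# Function names are hypothetical; stat -c needs GNU coreutils.

# mode_after_umask BASE UMASK -> prints (BASE & ~UMASK) as 3-digit octal.
# This is the kernel's rule: every 1 bit in the umask clears the same bit
# in the requested mode. It is a bitwise mask, not decimal subtraction.
mode_after_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# file_mode_for_umask UMASK -> default mode of a new regular file (base 666)
file_mode_for_umask() { mode_after_umask 666 "$1"; }

# dir_mode_for_umask UMASK -> default mode of a new directory (base 777)
dir_mode_for_umask() { mode_after_umask 777 "$1"; }

# naive_subtraction BASE UMASK -> the plain decimal subtraction the article
# warns against, for comparison (666-123 = 543, while the real mode is 644).
naive_subtraction() { expr "$1" - "$2"; }

# actual_file_mode UMASK -> create a file under that umask inside a subshell
# and report the mode the kernel actually assigned. The umask change lives
# and dies in the subshell, like "(umask 666; touch file5)" in the article.
actual_file_mode() {
    dir=$(mktemp -d) || return 1
    ( umask "$1"; : > "$dir/probe" )
    stat -c '%a' "$dir/probe"
    rm -rf "$dir"
}

# umask_unchanged_after_subshell -> proves the calling shell's umask is not
# touched by a subshell that changes it.
umask_unchanged_after_subshell() {
    before=$(umask)
    ( umask 666; : )
    after=$(umask)
    [ "$before" = "$after" ] && echo "unchanged ($before)"
}

# Demo output when run as: sh umask_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for m in 022 222 123 666; do
        printf 'umask %s: file %s dir %s (naive 666-%s=%s)\n' "$m" \
            "$(file_mode_for_umask "$m")" "$(dir_mode_for_umask "$m")" \
            "$m" "$(naive_subtraction 666 "$m")"
    done
    printf 'file created under umask 123 really has mode %s\n' \
        "$(actual_file_mode 123)"
    umask_unchanged_after_subshell
fi
```

With umask 123 the naive subtraction says 543 while both the computed and the real mode are 644, which is exactly the "odd digit plus one" shortcut falling out of the bitwise rule.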

Special permissions: suid, sgid, sticky

suid function: applies to an executable binary program; when a user runs the program, the process runs with the permissions of the program's owner.

In general, whether a file can be accessed depends on the identity of the user, not on the file itself. Files with the suid permission are the exception, and the clearest case is the /etc/shadow file. This file stores users' password hashes, and by default ordinary users have no permissions on it at all. Yet when a user runs the passwd binary, they can change their password and the encrypted password is written to this file. That is the special permission of the passwd binary at work.

[hechunping@CentOS7 ~]$ ll /etc/shadow
---------- 1 root root 1271 Sep 30 23:18 /etc/shadow
[hechunping@CentOS7 ~]$ passwd
Changing password for user hechunping.
Changing password for hechunping.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[hechunping@CentOS7 ~]$ ll /etc/shadow
---------- 1 root root 1271 Sep 30 23:23 /etc/shadow

The output above shows that the permissions of /etc/shadow are 000, yet the ordinary user hechunping can still run passwd and change his password, which means the file's contents were changed, something the file's permission bits alone would never allow. This is the effect of suid, which we can analyze by looking at the permissions of the executable /usr/bin/passwd:

[root@CentOS7 data]# ll `which passwd`
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd

The owner section of the executable shows an "s", which is the suid special permission: when a user runs the program, it runs with the owner's permissions, so the ordinary user hechunping can change his own password.

sgid function: applies to an executable binary program; when a user runs the program, the process runs with the permissions of the program's group. Applied to a directory, new files and directories created in it automatically inherit the group of the parent directory.

Test 1: when the group of the directory is the primary group of the current user, the group of files newly created in it is also the current user's primary group.

[root@CentOS7 data]# ll -d /data/
drwxr-xr-x 2 root root 19 Oct 1 13:18 /data/
[root@CentOS7 data]# touch test1; ll test1
-rw-r--r-- 1 root root 0 Oct 1 13:19 test1

Test 2: change the group of the directory to another group; the group of files newly created in it is still the current user's primary group.

[root@CentOS7 data]# chgrp hechunping /data/; ll -d /data/
drwxr-xr-x 2 root hechunping 32 Oct 1 13:19 /data/
[root@CentOS7 data]# touch test2; ll test2
-rw-r--r-- 1 root root 0 Oct 1 13:20 test2

Test 3: when the directory has the sgid permission, new files and directories under it automatically inherit the parent directory's group.

[root@CentOS7 data]# chmod g+s /data/; ll -d /data/
drwxr-sr-x 2 root hechunping 45 Oct 1 13:20 /data/
[root@CentOS7 data]# touch test3; ll test3
-rw-r--r-- 1 root hechunping 0 Oct 1 13:21 test3
[root@CentOS7 data]# mkdir dir1; ll -d dir1
drwxr-sr-x 2 root hechunping 6 Oct 1 13:23 dir1

sticky function: applies to a directory; files in it can only be deleted by the file's owner or by root.

Test 1: give the /data directory 777 permissions; a file created by root in that directory can be deleted by the ordinary user hechunping.

[root@CentOS7 data]# chmod 777 /data/; ll -d /data/
drwxrwxrwx 2 root root 6 Oct 1 13:56 /data/
[root@CentOS7 data]# touch file1
[root@CentOS7 data]# su - hechunping
Last login: Tue Oct 1 13:52:22 CST 2019 on pts/0
[hechunping@CentOS7 ~]$ rm -rf /data/file1
[hechunping@CentOS7 ~]$ ls /data/
[hechunping@CentOS7 ~]$ exit
logout

Test 2: after the sticky permission is set on /data, the ordinary user hechunping can no longer delete root's files in that directory, but can still delete his own.

[root@CentOS7 data]# chmod o+t /data/; ll -d /data/
drwxrwxrwt 2 root root 6 Oct 1 13:57 /data/
[root@CentOS7 data]# touch file2
[root@CentOS7 data]# su - hechunping
Last login: Tue Oct 1 13:56:57 CST 2019 on pts/0
[hechunping@CentOS7 ~]$ rm -rf /data/file2
rm: cannot remove '/data/file2': Operation not permitted
[hechunping@CentOS7 ~]$ ll /data/
total 0
-rw-r--r-- 1 root root 0 Oct 1 13:58 file2

PS: in Linux, the /tmp directory has the sticky permission set by default.
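The three special bits above show up in ll output as the "s" and "t" characters, and the two conditions the tests demonstrate (a setuid program, a world-writable directory with or without the sticky bit) are exactly what an administrator audits for. The script below is an added example and not from the original article; its function names are hypothetical. It decodes the special bits from a symbolic mode string, including the uppercase S/T form that ls prints when the bit is set without execute, and lists setuid/setgid files and world-writable directories that lack the sticky bit under a given root:

```shell
#!/bin/sh
# Added example: reading s/S/t/T in an ls -l mode string and auditing the
# conditions from the article. Function names are hypothetical.

# special_bits MODE -> names each special bit in a mode string such as
# "-rwsr-xr-x": setuid (char 4), setgid (char 7), sticky (char 10).
# Lowercase s/t = bit set together with execute; uppercase S/T = bit set
# but execute missing, which is usually a configuration mistake.
special_bits() {
    mode=$1
    out=""
    case "$(printf '%s' "$mode" | cut -c4)"  in s|S) out="$out setuid" ;; esac
    case "$(printf '%s' "$mode" | cut -c7)"  in s|S) out="$out setgid" ;; esac
    case "$(printf '%s' "$mode" | cut -c10)" in t|T) out="$out sticky" ;; esac
    printf '%s\n' "${out# }"
}

# special_bits_without_exec MODE -> "yes" when a special bit sits on a
# position that has no execute permission (S or T), otherwise "no".
special_bits_without_exec() {
    case "$1" in *S*|*T*) echo yes ;; *) echo no ;; esac
}

# find_setid_files ROOT -> regular files under ROOT carrying setuid or
# setgid, on the same filesystem only. Compare the list against a known
# baseline (e.g. /usr/bin/passwd is expected) to spot additions.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# find_world_writable_dirs_without_sticky ROOT -> directories any user can
# write to where the sticky bit does not protect other users' files, i.e.
# the state of /data after "chmod 777" but before "chmod o+t" above.
find_world_writable_dirs_without_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Demo when run as: sh special_bits_audit.sh --demo [ROOT]
if [ "${1:-}" = "--demo" ]; then
    root=${2:-/usr/bin}
    printf '/tmp mode: %s -> %s\n' "$(stat -c '%A' /tmp)" \
        "$(special_bits "$(stat -c '%A' /tmp)")"
    echo "setuid/setgid files under $root:"
    find_setid_files "$root"
    echo "world-writable dirs without sticky under $root:"
    find_world_writable_dirs_without_sticky "$root"
fi
```

Running the audit over /usr/bin should list passwd among a small, stable set of setuid programs; running it over a data tree should normally return nothing for the second check.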

Setting special file attributes

Permission bits restrict ordinary users, but once certain attributes are set on a file, even root cannot delete or modify it. This is done with the chattr command.

chattr changes file attributes on a Linux file system.

[Example 1] Use chattr to set an attribute so the file cannot be deleted, changed, or renamed:

[root@CentOS7 data]# touch file1; chattr +i file1
[root@CentOS7 data]# rm -rf file1
rm: cannot remove 'file1': Operation not permitted
[root@CentOS7 data]# mv file1 file1.bak
mv: cannot move 'file1' to 'file1.bak': Operation not permitted
[root@CentOS7 data]# echo "hello" > file1
-bash: file1: Permission denied

[Example 2] Use chattr to set an attribute so the file can only be appended to:

[root@CentOS7 data]# touch file1; chattr +a file1
[root@CentOS7 data]# echo "hello" >> file1
[root@CentOS7 data]# > file1
-bash: file1: Operation not permitted
[root@CentOS7 data]# rm -rf file1
rm: cannot remove 'file1': Operation not permitted
[root@CentOS7 data]# mv file1 file1.bak
mv: cannot move 'file1' to 'file1.bak': Operation not permitted
[root@CentOS7 data]# echo "world" >> file1

[Example 3] List the attributes of a file:

[root@CentOS7 data]# lsattr file1
-----a---------- file1

PS: to remove an attribute set with chattr, replace "+" with "-".
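Because an immutable or append-only file refuses writes even from root, it is worth being able to read lsattr output and explain a surprising "Operation not permitted". The following script is an added example, not from the original article; its function names are hypothetical and the lsattr lines it contains are constructed samples in the ext4 output shape (the e flag means extents and is normal). It extracts the flag letters from lsattr lines and reports which files are protected and which chattr option releases them:

```shell
#!/bin/sh
# Added example: parsing lsattr output to find immutable (i) and
# append-only (a) files. Function names are hypothetical.

# lsattr_flags LINE -> the attribute letters of one lsattr line, e.g.
# "----i---------e- /etc/passwd" -> "ie". Dashes mark attributes not set.
lsattr_flags() {
    printf '%s' "$1" | cut -d' ' -f1 | tr -d '-'
}

# has_attr LINE LETTER -> "yes" if the line carries that attribute letter.
has_attr() {
    case "$(lsattr_flags "$1")" in *"$2"*) echo yes ;; *) echo no ;; esac
}

# report_protected_files -> reads lsattr lines on stdin and prints one line
# per file that is immutable or append-only, naming the chattr option that
# clears it. A file with both i and a is reported as immutable, since that
# is the flag that blocks every write.
report_protected_files() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        flags=$(lsattr_flags "$line")
        name=${line#* }
        case "$flags" in
            *i*) printf '%s: immutable (release with chattr -i)\n' "$name" ;;
            *a*) printf '%s: append-only (release with chattr -a)\n' "$name" ;;
        esac
    done
}

# Constructed sample in the shape of "lsattr" output on ext4:
SAMPLE_LSATTR='----i---------e- /etc/passwd
-----a--------e- /var/log/secure
--------------e- /etc/hostname'

# Demo when run as: sh lsattr_report.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LSATTR" | report_protected_files
    # Live variant (needs lsattr from e2fsprogs): lsattr /etc/* | report_protected_files
fi
```

The append-only case is the one to remember for log files: a log directory protected with +a still accepts new entries, while truncation and deletion fail exactly as in Example 2.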
