Some Linux file permission management methods you may not know


Why do we need permission management?

1. Computer resources are limited, and we need to allocate computer resources reasonably.

2. Linux is a multi-user system. For every user, the protection of personal privacy is very important.

rwx permissions for the directory

Current user: vagrant:vagrant

Create a testdir directory, enter it, create a file named test, then return to the parent directory.

$ mkdir testdir
$ cd testdir
$ touch test
$ cd ..

Change the testdir permission to 000 and try to execute ls testdir:

$ chmod 000 testdir
$ ls testdir/
ls: cannot open directory testdir/: Permission denied

Change the testdir permission to 400 and try to execute ls -l testdir:

$ chmod 400 testdir
$ ls -l testdir/
ls: cannot access testdir/test: Permission denied
total 0
-????????? ? ? ? ? ? test

Result: the names of the files in the directory can be read, but the details of each file (permissions, size, owner and group, time, etc.) cannot be seen, even though the current user owns testdir/test and has permissions on the file itself.

The r permission on a directory allows you to read the list of files in the directory.

Go ahead and try to change into the testdir directory.

$ cd testdir/
-bash: cd: testdir/: Permission denied

It seems that the r permission does not allow us to enter the directory.

Let's try adding the x permission.

~$ chmod 500 testdir/
~$ cd testdir/
~/testdir$ ls -l
total 0
-rw-rw-r-- 1 vagrant vagrant 0 Nov 19 08:16 test

Entered successfully.

Having x permissions on a directory allows us to enter the directory. In this working directory, we can view the file list and file attribute information.

Try to delete the test file or create a new file test1.

~/testdir$ rm test
rm: cannot remove 'test': Permission denied
~/testdir$ touch test1
touch: cannot touch 'test1': Permission denied

Having rx permissions on a directory does not allow us to change the contents of the directory. The list of files in a directory can be considered the contents of the directory.

A user with the w permission for a directory can add or delete the contents of the directory.

~/testdir$ chmod 700 .
~/testdir$ rm test
~/testdir$ touch test1
~/testdir$ ls -l
total 0
-rw-rw-r-- 1 vagrant vagrant 0 Nov 19 08:30 test1

umask

In the above example, the permissions of the new file we created are 664 (-rw-rw-r--). Why is the default permission 664? What if I want to change the default permissions of the new file?

Run umask in the console:

$ umask
0002

umask is the complement of the permissions: it is a mask of the permission bits that are withheld from newly created files. The default permissions for files are 666 - umask.

If we do not want other users to have r permissions for the files we create, we can change the umask to 0006.

~/testdir$ umask 0006
~/testdir$ touch test2
~/testdir$ ls -l | grep test2
-rw-rw---- 1 vagrant vagrant 0 Nov 19 08:38 test2

Why aren't the default file permissions 777 - umask? Because newly created files are not executable by default. With only the rw bits considered, the starting value is naturally 666.

Directories, by default, do have the x permission. When the umask is 0002, the default permissions of a newly created directory should be 777 - 0002 = 775:

~/testdir$ umask 0002
~/testdir$ mkdir dir1
~/testdir$ ls -l | grep dir1
drwxrwxr-x 2 vagrant vagrant 4096 Nov 19 08:39 dir1
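
The subtraction above works for 0002 and 0006, but the kernel actually clears the umask bits from the requested mode (mode AND NOT umask), and the two differ once the umask contains a bit the base mode lacks. The following is an added example, not part of the original article; the function names and the extra umask 0033 are assumptions chosen for illustration, and it goes beyond the two values shown in the text.

```shell
#!/bin/sh
# Added example: a new object's mode is (requested mode) AND NOT umask.

# mode_of PATH -> octal permission bits such as 664 (GNU stat, BSD fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# created_mode MASK file|dir -> mode the kernel really assigns under MASK.
# The body is a subshell, so the caller's umask is left untouched.
created_mode() (
    d=$(mktemp -d) || exit 1
    umask "$1"
    if [ "$2" = dir ]; then mkdir "$d/new"; else : > "$d/new"; fi
    mode_of "$d/new"
    rm -rf "$d"
)

# predicted_mode MASK file|dir -> base & ~MASK (base is 666 or 777)
predicted_mode() {
    if [ "$2" = dir ]; then base=0777; else base=0666; fi
    printf '%o\n' $(( $base & ~0$1 ))
}

# subtracted_mode MASK file|dir -> the "base - umask" shortcut as plain arithmetic
subtracted_mode() {
    if [ "$2" = dir ]; then base=777; else base=666; fi
    expr "$base" - "$1"
}

# 0002 and 0006 are the article's values; 0033 is a constructed extra case.
for mask in 0002 0006 0033; do
    printf 'umask %s  file: actual=%s masked=%s subtracted=%s  dir: actual=%s\n' \
        "$mask" "$(created_mode "$mask" file)" "$(predicted_mode "$mask" file)" \
        "$(subtracted_mode "$mask" file)" "$(created_mode "$mask" dir)"
done
```

With umask 0033 the subtraction shortcut suggests 633, which would grant group and others write access, while the file is really created as 644.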

Special permissions

SUID

Generally speaking, file permissions are rwx. Let's check the permissions of passwd (change password command):

~/testdir$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 47032 May 16 2017 /usr/bin/passwd

If you look carefully, you will find that the x bit of its user permission is actually s. This permission is called SUID and is only valid for binary programs.

When a user who has execute permission on such a file runs it, the running program temporarily gets the permissions of the file's owner.

For example: all users' passwords are stored in the file /etc/shadow, and the default permission of the file is -r-------- root root. Only the root user can force a write to it. Then why can ordinary users still modify their passwords? Because the passwd command has the SUID permission, a user who executes it gets the permissions of the file owner, root, and can therefore modify his or her own password.

SGID

When the x position of group becomes s, it means that the file has SGID permission.

SGID permissions are valid for binary programs. Similar to SUID, when a user who has the x permission on the file executes it, the running program gets the permissions of the group the file belongs to.

In addition to binary programs, SGIDs can also be set on directories.

If SGID is set on a directory:

  • The user's effective group inside this directory becomes the group of the directory.
  • If the user has the w permission on the directory, files the user creates in it get the same group as the directory.

This permission is important for project development.

SBIT

This permission is currently only valid for directories:

When a user has w and x permissions on the directory and creates a file or directory in it, only that user and root have permission to delete it.

If the x permission bit of others is t, the directory has the SBIT permission.

For example, the /tmp directory:

$ ls -l / | grep tmp
drwxrwxrwt 4 root root 4096 Nov 19 09:09 tmp
$ cd /tmp
$ sudo -s
# touch test
root@vagrant-ubuntu-trusty-64:/tmp# exit
exit
vagrant@vagrant-ubuntu-trusty-64:/tmp$ rm test
rm: remove write-protected regular empty file 'test'? y
rm: cannot remove 'test': Operation not permitted

How to set the above three permissions

If you put one more digit in front of the three digits of a normal permission setting, that leading digit sets these permissions:

  • 4 is SUID
  • 2 is SGID
  • 1 is SBIT

For example:

# chmod 777 /tmp
# ls -l / | grep tmp
drwxrwxrwx 4 root root 4096 Nov 19 09:17 tmp
# chmod 1777 /tmp
# ls -l / | grep tmp
drwxrwxrwt 4 root root 4096 Nov 19 09:17 tmp
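
The same octal digits can be used to search for the three special bits when reviewing a system. The following is an added example, not part of the original article: it audits a directory tree for SUID files, SGID files, and world-writable directories that lack SBIT. The function names, output tags, and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a tree for the three special permission bits.

# audit_special DIR -> one "TAG path" line per finding under DIR
audit_special() {
    # -perm -4000 matches when the SUID bit is set; -2000 is SGID.
    find "$1" -xdev -type f -perm -4000 | sed 's/^/SUID /'
    find "$1" -xdev -type f -perm -2000 | sed 's/^/SGID /'
    # World-writable directory (o+w) that lacks SBIT (1000): anyone who can
    # write there can delete or rename files owned by other users.
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 | sed 's/^/NOSTICKY /'
}

# build_sample -> path of a constructed tree (all names are made up)
build_sample() {
    t=$(mktemp -d) || return 1
    mkdir "$t/bin" "$t/shared" "$t/drop"
    : > "$t/bin/helper";    chmod 4755 "$t/bin/helper"     # SUID
    : > "$t/bin/grouptool"; chmod 2755 "$t/bin/grouptool"  # SGID
    : > "$t/bin/plain";     chmod 0755 "$t/bin/plain"      # no special bit
    chmod 1777 "$t/shared"   # like /tmp: world-writable with SBIT
    chmod 0777 "$t/drop"     # world-writable without SBIT
    printf '%s\n' "$t"
}

sample=$(build_sample) && audit_special "$sample"
rm -rf "$sample"
```

On a real host, compare the SUID and SGID lines against a known-good list for the distribution; -xdev keeps the scan on a single filesystem.
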
End.

Summary

The above is the full content of this article. I hope that the content of this article will have certain reference learning value for your study or work. If you have any questions, you can leave a message to communicate. Thank you for your support for 123WORDPRESS.COM.
