Linux learning basics chapter: Linux basic permissions

Permission meaning

We all know that ls -l shows information about files and directories, including their permissions, for example the "lrwxrwxrwx." shown for /bin below. These eleven characters are usually called the permission bits; the last one, ".", was added in RedHat 6. So what do these eleven characters mean?

#View the permissions of the entries in the root directory
[root@localhost /]# ls -l
 Total consumption 58
lrwxrwxrwx.   1 root root     7 6 May 22, 2021 bin -> usr/bin
dr-xr-xr-x.   6 root root  1024 10 15:00:51 boot
drwxr-xr-x.  19 root root  3080 1 May 19:18 dev
drwxr-xr-x.  81 root root  4096 1 May 21:59 etc
drwxr-xr-x.   3 root root  4096 10 January 25:11 home
lrwxrwxrwx.   1 root root     7 6 May 22, 2021 lib -> usr/lib
lrwxrwxrwx.   1 root root     9 6 May 22, 2021 lib64 -> usr/lib64
drwx------.   2 root root 16384 10 15:00:12 lost+found
drwxr-xr-x.   2 root root  4096 6 May 22, 2021 media
drwxr-xr-x.   3 root root  4096 10 15:00:17 mnt
drwxr-xr-x.   2 root root  4096 6 May 22, 2021 opt
dr-xr-xr-x. 168 root root     0 1 May 19:18 proc
dr-xr-x---.   2 root root  4096 1 May 19:20 root
drwxr-xr-x.  25 root root   680 1 May 19:18 run
lrwxrwxrwx.   1 root root     8 6 May 22, 2021 sbin -> usr/sbin
drwxr-xr-x.   2 root root  4096 6 May 22, 2021 srv
dr-xr-xr-x.  13 root root     0 1 May 19:18 sys
drwxrwxrwt.   8 root root  4096 1 May 21:59 tmp
drwxr-xr-x.  12 root root  4096 10 15:00:17 usr
drwxr-xr-x.  20 root root  4096 10 15:00:51 var

Permission bits

First bit: file type

The first character of the permission bits indicates the file type. Unlike Windows, which uses the file extension to indicate the file type, Linux uses the first character of the permission bits. Some common file types in Linux are listed below.

First character    File type
-                  Ordinary file.
b                  Block device file, a special file. All storage devices are files of this type, for example the partition file /dev/sda1.
c                  Character device file, also a special device file. Input devices such as the mouse and keyboard are generally files of this type.
l                  Soft link (symbolic link) file.
p                  Pipe (FIFO) file, very rare.
s                  Socket file, also a special device file; it is created when a service supports socket access.

Second to tenth bits

  • Bits 2-4 represent the permissions of the file owner: r stands for read (read permission), w for write (write permission) and x for execute (execute permission). A letter in a position means that permission is granted; "-" means it is not. The file owner is denoted by u.
  • Bits 5-7 represent the permissions of the file's group, again as rwx. The group is denoted by g.
  • Bits 8-10 represent the permissions of others (everyone else), again as rwx. Others are denoted by o.

Eleventh bit

The eleventh character, ".", indicates whether the file is protected by SELinux (that is, whether it carries an SELinux security context).
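As an added example (not from these notes), the following shell script decodes a mode string from ls -l the way this section describes: file type from bit 1, the three rwx triplets from bits 2-10, the octal value, and the SELinux "." at bit 11. The function names and the sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the original notes): decode the eleven-character
# mode field printed by ls -l, e.g. "drwxr-xr-x.", into the file type (bit 1),
# the owner/group/others triplets (bits 2-10), the octal value, and whether the
# trailing "." marks an SELinux context (bit 11). Sample lines are constructed.

# Map one rwx triplet ("rwx", "r-x", "---") to its digit: r=4, w=2, x=1.
triplet_to_digit() {
    d=0
    case $1 in r??) d=$((d + 4)) ;; esac
    case $1 in ?w?) d=$((d + 2)) ;; esac
    case $1 in ??x) d=$((d + 1)) ;; esac
    echo "$d"
}

# Print "<type> <owner> <group> <others> <octal> <selinux>" for one mode field.
decode_mode() {
    mode=$1
    u=$(printf '%s' "$mode" | cut -c2-4)
    g=$(printf '%s' "$mode" | cut -c5-7)
    o=$(printf '%s' "$mode" | cut -c8-10)
    case $(printf '%s' "$mode" | cut -c1) in
        -) t=regular ;;      d) t=directory ;;    l) t=symlink ;;
        b) t=block-device ;; c) t=char-device ;;  p) t=fifo ;;
        s) t=socket ;;       *) t=unknown ;;
    esac
    # Bit 11 is "." only when the file carries an SELinux security context.
    case $(printf '%s' "$mode" | cut -c11) in .) sel=yes ;; *) sel=no ;; esac
    echo "$t $u $g $o $(triplet_to_digit "$u")$(triplet_to_digit "$g")$(triplet_to_digit "$o") $sel"
}

# Just the octal value, e.g. mode_to_octal 'dr-xr-x---.' prints 550.
mode_to_octal() {
    decode_mode "$1" | cut -d' ' -f5
}

# Constructed sample lines laid out like the ls -l output above; the first
# field of each line is the mode string.
printf '%s\n' 'lrwxrwxrwx.   1 root root     7 bin -> usr/bin' \
              'dr-xr-x---.   2 root root  4096 root' \
              '-rw-r--r--.   1 root root     4 abc' |
while read -r line; do
    mode=${line%% *}
    echo "$mode -> $(decode_mode "$mode")"
done
```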

File owner and file group

Take /bin as an example:

lrwxrwxrwx.   1 root root     7 6 May 22, 2021 bin -> usr/bin

The first root indicates that the file's owner is the root user.
The second root indicates that the file's group is the root group.

Basic permission command

chmod (Change File Mode Bits)

Who can run it: all users; an ordinary user can only change the permissions of files they own.
Command format:

[root@localhost ~]# chmod permission-mode filename

Common option: -R, set permissions recursively, that is, on the directory and every file under it.

Permission mode

The permission mode of the chmod command has the format "[user identity][granting method][permission]".
User identity:

  • u: the owner (user).
  • g: the group.
  • o: others.
  • a: all identities.

Granting method:

  • +: add permissions.
  • -: subtract permissions.
  • =: set permissions.

Permission:

  • r: Read permissions.
  • w: Write permission.
  • x: Execute permissions.

Example:

[root@localhost ~]# ls -l
 Total consumption 8
-rwxrw-r--. 1 root root    4 1 May 22:28 abc
-rw-------. 1 root root 1134 10 15:00:20 anaconda-ks.cfg
[root@localhost ~]# chmod o+w abc   #Give write permission to other users
[root@localhost ~]# ls -l
 Total consumption 8
-rwxrw-rw-. 1 root root    4 1 May 22:28 abc
-rw-------. 1 root root 1134 10 15:00:20 anaconda-ks.cfg
[root@localhost ~]# chmod u-x abc   #Subtract execution permission for owner
[root@localhost ~]# ls -l
 Total consumption 8
-rw-rw-rw-. 1 root root    4 1 May 22:28 abc
-rw-------. 1 root root 1134 10 15:00:20 anaconda-ks.cfg
[root@localhost ~]# chmod o=r-- abc   #Set other users to read only: read permission granted, write and execute removed
[root@localhost ~]# ls -l
 Total consumption 8
-rw-rw-r--. 1 root root    4 1 May 22:28 abc
-rw-------. 1 root root 1134 10 15:00:20 anaconda-ks.cfg

Numeric permissions

  • 4: Represents "r" permission.
  • 2: Represents "w" permission.
  • 1: Represents "x" permission.

Common numeric permissions

  • 644: the basic permission for a file. The owner has read and write permission; the group and other users have read permission only.
  • 755: the basic permission for a directory. The owner has read, write and execute permission; the group and other users have read and execute permission.
  • 777: the maximum permission. In a real production environment this permission must be avoided, because it carries great security risk.

Example:

[root@localhost ~]# chmod 644 abc   #Give 644 permissions to abc file
[root@localhost ~]# ls -l
 Total consumption 8
-rw-r--r--. 1 root root    4 1 May 22:28 abc
-rw-------. 1 root root 1134 10 15:00:20 anaconda-ks.cfg

chown (Change File Owner)

Function: change the owner and group of a file.
Who can run it: the root user.
Command format:

[root@localhost ~]# chown [options] owner:group file-or-directory    #Owner and group can be separated by ":" or "."

Common option: -R, change ownership recursively, that is, on the directory and every file under it.
Example:

[root@localhost ~]# ls -l
 Total consumption 8
-rw-r--r--. 1 root root    4 1 May 22:28 abc
-rw-------. 1 root root 1134 10 15:00:20 anaconda-ks.cfg
[root@localhost ~]# chown u1:u1 abc    #Modify the owner and group of file abc
[root@localhost ~]# ls -l
 Total consumption 8
-rw-r--r--. 1 u1   u1      4 1 May 22:28 abc
-rw-------. 1 root root 1134 10 15:00:20 anaconda-ks.cfg

chgrp (Change Group Ownership)

Function: change the group of a file or directory.
Who can run it: the root user.

[root@localhost ~]# chgrp u1 abc   #Change the group of file abc
[root@localhost ~]# ls -l
 Total consumption 8
-rw-r--r--. 1 root u1      4 1 May 22:28 abc
-rw-------. 1 root root 1134 10 15:00:20 anaconda-ks.cfg

chown is generally used because it can modify both the owner and the group of a file or directory, while chgrp can only modify the group.

Basic functions of permissions

Read, write and execute have different effects on files and directories. (The root user always has full privileges.)

Effect of permissions on files

  • Read: read permission on a file means you can read its contents, for example with cat, more, less, head, tail and similar commands.
  • Write: write permission on a file means you can modify the data in it, for example with vim, echo and similar commands. Note that write permission on a file does not mean the file can be deleted: to delete a file you need write permission on its parent directory.
  • Execute: execute permission on a file means the file can be run. Any file with execute permission is an executable file, but to run correctly it also needs valid program code inside. Execute permission is the most powerful permission a file can have, so grant it carefully.

Effects of permissions on directories

  • Read: read permission on a directory means you can view its contents, that is, list the files and subdirectories under it, for example with the ls command.
  • Write: write permission on a directory means you can modify the data under it, that is, create, modify, copy and move files or subdirectories in it, for example with touch, rm, cp, mv and similar commands. For a directory, write is the most powerful permission.
  • Execute: a directory cannot be run; execute permission on a directory means you can enter it, for example with the cd command.

Permissions used for directories

Only three permission values are used for a directory:

  • 0: no permission is given.
  • 5: Basic directory browsing and access rights.
  • 7: Full permissions.

umask default permissions

View the system's umask:

[root@localhost ~]# umask
0022
#Shows the umask as an octal value
[root@localhost ~]# umask -S
u=rwx,g=rx,o=rx
#Shows the initial permissions of files and directories in letter form

How umask permissions are calculated

First we need to know the maximum permissions of new files and directories:

  • For a file, the maximum permission of a newly created file is 666; it has no execute permission. This is because execute permission is dangerous for a file: the system does not grant it by default when a file is created, and only the user can grant it manually.
  • For a directory, the maximum default permission of a newly created directory is 777, because for a directory execute permission only means entering the directory, which is not dangerous.

According to the official standard algorithm, the default permissions are derived from umask with a bitwise NOT and AND in binary, which yields the correct permissions for new files and directories. That is simple for a machine and troublesome for a person.

Super Brother's simple algorithm:

  • The maximum default permission of a file can only be 666, and the umask value is 022:
    "-rw-rw-rw-" minus "----w--w-" equals "-rw-r--r--"
  • The maximum default permission of a directory can only be 777, and the umask value is 022:
    "drwxrwxrwx" minus "----w--w-" equals "drwxr-xr-x"
  • The maximum default permission of a file is 666. If the umask value is changed to 033, the file has no execute permission to begin with, so the x bits cannot be subtracted:
    "-rw-rw-rw-" minus "----wx-wx" equals "-rw-r--r--"
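As an added example that is not part of the original notes, this script applies the official bitwise rule to the three cases above (666 and 777 with umask 022, 666 with umask 033), shows why plain decimal subtraction gives the wrong answer for 033, and then checks the rule against the live umask in a throwaway directory. The function names and the temporary directory are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original notes): work out the permissions a new
# file or directory receives under a given umask. The official rule is bitwise,
# new_perm = base & ~umask, with base 666 for files and 777 for directories.
# The letter-by-letter subtraction above matches it because it removes bits;
# plain decimal subtraction does not, as the umask 033 case shows.

# Bitwise rule. Arguments are octal strings, e.g. default_perm 666 022 -> 644.
default_perm() {
    # The leading 0 makes the shell parse both constants as octal.
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# The common mistake: treating umask as a number to subtract. 666 - 033 gives
# 633, but 033 tries to remove x bits that 666 never had, so the answer is 644.
naive_subtract() {
    expr "$1" - "$2"
}

# Confirm against the live system: create a file and a directory under the
# given umask in a throwaway directory and print their ls -l mode strings
# (cut to ten characters so a trailing SELinux "." does not matter).
check_real_umask() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" && umask "$1" && touch f && mkdir d
        printf '%s %s\n' "$(ls -ld f | cut -c1-10)" "$(ls -ld d | cut -c1-10)"
    )
    rm -rf "$tmp"
}

for mask in 022 033 002; do
    echo "umask $mask: new file $(default_perm 666 "$mask"), new directory $(default_perm 777 "$mask")"
done
echo "decimal 666 - 033  = $(naive_subtract 666 033) (wrong)"
echo "bitwise 666 & ~033 = $(default_perm 666 033) (right)"
echo "live check, umask 022: $(check_real_umask 022)"
```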

Modifying the umask

Generally there is no need to change the umask. There are two ways to change it.

Use the umask command directly (temporarily)

[root@localhost ~]# umask 011
[root@localhost ~]# umask
0011
[root@localhost ~]# umask 022
[root@localhost ~]# umask
0022

Modify the configuration file (permanent)

The default umask is configured in /etc/profile, which is one of the environment-variable configuration files.

# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
    umask 002
else
    umask 022
fi

The UID of the root user in Linux is 0; the UIDs of ordinary users created afterwards start from 500. According to the logic in the configuration file, when the user's UID is greater than 199 (and the user's primary group name equals the user name, which is the second condition in the if test), the default umask is 002; otherwise, including every UID less than or equal to 199, the default umask is 022. Editing this configuration file changes the umask permanently, but this is generally not recommended.

ps: study notes from the Shang Silicon Valley Linux video course


Added by zeberdeee on Sat, 08 Jan 2022 06:52:07 +0200