Some Linux file permission management details you may not know

  • 2020-12-19 21:25:26
  • OfStack

Why do you need permission management?

1. Computer resources are limited, so they need to be allocated sensibly.

2. Linux is a multi-user system, and protecting each user's private data from the other users is extremely important.

rwx permissions for the directory

Current user: vagrant:vagrant

Create the testdir directory, go into it, and create the file test.


$ mkdir testdir
$ cd testdir
$ touch test

Change the mode of testdir to 000 and try ls testdir:


$ chmod 000 testdir
$ ls testdir/
ls: cannot open directory testdir/: Permission denied

Change the mode of testdir to 400 and try ls -l testdir:


$ chmod 400 testdir
$ ls -l testdir/
ls: cannot access testdir/test: Permission denied
total 0
-????????? ? ? ? ? ? test

Result: the names in the directory can be listed, but each entry's metadata (permissions, size, owner, group, time, etc.) cannot be read, even though the current user owns testdir/test and can read and write it. Resolving a name inside the directory (the stat call behind ls -l) needs x on the directory, which mode 400 lacks.

The r permission on a directory allows reading its list of entries (the file names), nothing more.

Now try entering the testdir directory:


$ cd testdir/
-bash: cd: testdir/: Permission denied

So r alone does not let us enter the directory.

Let's add the x permission and try again:


~$ chmod 500 testdir/
~$ cd testdir/
~/testdir$ ls -l
total 0
-rw-rw-r-- 1 vagrant vagrant 0 Nov 19 08:16 test

Entering succeeded.

The x permission on a directory lets you traverse it: use it as a working directory and look up entries by name. With r and x together we can both list the entries and read each file's properties.

Now try deleting the test file or creating a new file test1:


~/testdir$ rm test
rm: cannot remove 'test': Permission denied
~/testdir$ touch test1
touch: cannot touch 'test1': Permission denied

With r and x but no w on the directory, you cannot change its contents. The contents of a directory are its list of entries, so creating, deleting or renaming a file there modifies the directory, not the file. That is why rm failed on test even though we own it and it is writable: the file's own mode never enters into the decision.

The w permission on a directory is what allows adding or removing entries:


~/testdir$ chmod 700 .
~/testdir$ rm test
~/testdir$ touch test1
~/testdir$ ls -l
total 0
-rw-rw-r-- 1 vagrant vagrant 0 Nov 19 08:30 test1
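To put the whole walkthrough above into one reproducible form, here is an added shell script (not part of the original article) that probes each mode from the experiment on a fresh temporary directory and reports what the owner can do; the directory and file names are constructed for the example. It must be run as an ordinary user, because root carries CAP_DAC_OVERRIDE and passes every one of these checks.

```shell
#!/bin/sh
# Added example, not from the original article: probe what a directory mode
# lets its owner do. Each probe uses a fresh temp directory holding one file
# named "test", mirroring the article's testdir walkthrough.
# Run as a normal user: root bypasses discretionary permission checks.
probe_dir() {
  mode=$1
  d=$(mktemp -d) || return 1
  : > "$d/test"
  chmod "$mode" "$d"
  r=""
  # r on the directory: readdir, i.e. the list of names
  ls "$d" >/dev/null 2>&1                && r="$r list"
  # x on the directory: name lookup, needed to stat an entry or to cd into it
  stat "$d/test" >/dev/null 2>&1         && r="$r stat"
  ( cd "$d" ) 2>/dev/null                && r="$r enter"
  # w (with x) on the directory: adding and removing entries; the file's own
  # mode is irrelevant, which is why rm failed on an owned rw file above
  { : > "$d/test1"; } 2>/dev/null        && r="$r create"
  rm "$d/test" 2>/dev/null               && r="$r delete"
  chmod 700 "$d"
  rm -rf "$d"
  r=${r# }
  printf '%s\n' "${r:-none}"
}

for m in 000 400 500 700; do
  printf '%s -> %s\n' "$m" "$(probe_dir "$m")"
done
```

As a normal user the loop prints 000 -> none, 400 -> list, 500 -> list stat enter and 700 -> list stat enter create delete, matching the four stages of the experiment.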

umask

In the example above, the file we created got permissions 664 (-rw-rw-r--). Why is the default 664, and what if we want new files to get a different default?

Type umask at the shell:


$ umask
0002

umask is a mask of the permission bits to strip from new files. A new file starts from 666, and every bit set in the umask is cleared, so 666 masked with 0002 gives 664. The common shorthand "666 minus umask" only works because the masked bits happen to be set in 666; it is a bitwise clear, not subtraction, which shows with a mask such as 0003, where the real result is 664 rather than 663.

If we do not want other users to be able to read the files we create, change the mask to 0006, which clears both r and w for others:


~/testdir$ umask 0006
~/testdir$ touch test2
~/testdir$ ls -l | grep test2
-rw-rw---- 1 vagrant vagrant 0 Nov 19 08:38 test2

Why is the base for files 666 rather than 777? Because new files are not executable by default; only the rw bits are considered, which gives 666.

Directories do get x by default, so with umask 0002 a new directory gets 777 masked with 0002, i.e. 775:


~/testdir$ mkdir dir1
~/testdir$ ls -l | grep dir1
drwxrwxr-x 2 vagrant vagrant 4096 Nov 19 08:39 dir1
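As an added example (not code from the original article), the script below computes the mode a new file or directory should get for any umask using the bitwise operation the kernel actually applies, then creates entries under that umask in a temporary directory and reads the real mode back with stat. The 0003 and 0077 masks are included to show where the "subtract the umask" shorthand breaks down; the temp paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: predicted vs. actual mode of
# new files and directories under a umask. The umask clears bits
# (base & ~umask); it is not subtracted, which matters for masks like 0003.
effective_mode() {   # effective_mode <base-octal> <umask-octal>, e.g. 666 0002 -> 664
  printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Create a file or directory in a temp dir under the given umask and read
# back the mode the kernel assigned.
actual_mode() {      # actual_mode <file|dir> <umask-octal>
  kind=$1 mask=$2
  t=$(mktemp -d) || return 1
  (
    umask "$mask"
    if [ "$kind" = dir ]; then mkdir "$t/x"; else : > "$t/x"; fi
  )
  stat -c '%a' "$t/x"
  rm -rf "$t"
}

for mask in 0002 0006 0003 0077; do
  printf 'umask %s: file %s (expect %s), dir %s (expect %s)\n' "$mask" \
    "$(actual_mode file "$mask")" "$(effective_mode 666 "$mask")" \
    "$(actual_mode dir  "$mask")" "$(effective_mode 777 "$mask")"
done
```

The umask is set inside a subshell so the caller's own mask is left untouched; 0077 is the mask to use when nothing created in a session should be visible to the group or anyone else.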

Special permission bits

SUID

Normal file permissions are just rwx. Now look at the permissions of the passwd command (the program that changes passwords) by running ls -l on its binary.

Look carefully: the x bit in the owner triad is shown as s. This bit is called SUID, and it is only meaningful on binary executables (Linux ignores it on interpreted scripts).

When a user who has x permission on such a file runs it, the resulting process runs with the privileges of the file's owner (its effective user ID is the owner's) for as long as the program runs.

For example, every user's password hash lives in /etc/shadow, which is owned by root and writable only by root. How, then, can an ordinary user change their own password? Because the passwd command carries the SUID bit: when a user runs it, the process runs as root, the file's owner, and can update the user's entry. The flip side is that any SUID-root program that can be tricked into doing something its author did not intend hands root to the caller, which is why hardening checklists enumerate the SUID binaries on a system.

SGID

When the x bit of the group triad becomes s, the file has the SGID bit.

On a binary program SGID works like SUID: a user with x permission who runs the file gets a process whose effective group is the file's group.

Besides binaries, SGID can also be set on a directory. In a directory with SGID set:

The effective group of a user working in that directory becomes the directory's group.

If the user has w permission on the directory, files the user creates there belong to the directory's group rather than the user's primary group, and new subdirectories inherit the SGID bit.

This is what makes a shared project directory work: every collaborator's files end up in the team's group.

SBIT

Today this bit is only meaningful on directories:

When users have w and x permission on such a directory, a file or subdirectory a user creates there can be deleted or renamed only by that file's owner, the directory's owner, or root, even though everyone can write to the directory.

If the x bit of the others triad shows as t, the directory has the sticky bit (SBIT) set.

For example, /tmp: it is world-writable so every user can create files there, and ls -ld /tmp shows drwxrwxrwt, so users cannot remove each other's files.

How to set the above three permissions

Add a fourth digit in front of the usual three-digit mode; that leading digit selects the special bits:

4 for SUID, 2 for SGID, 1 for SBIT

For example, mode 4755 is rwxr-xr-x plus SUID, 2755 is the same with SGID instead, and 1777 is a world-writable directory with the sticky bit. If the corresponding x bit is missing (say 4644), ls shows a capital S or T: the bit is set but has no effect.
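Putting the SUID, SGID and SBIT sections together, the following added shell script (not from the original article) sets each bit with the leading octal digit on temporary files, reads the symbolic mode back with stat, and includes the find invocation an auditor uses to enumerate SUID/SGID files on a system; the file names and the sample tree are constructed for the example, and no system binary such as passwd is touched.

```shell
#!/bin/sh
# Added example, not from the original article: set the special bits with the
# leading fourth octal digit, read the symbolic mode back, and enumerate
# SUID/SGID files the way an auditor looks for privilege-escalation candidates.
mode_string() {      # mode_string <octal-mode> <file|dir>, e.g. 4755 file -> -rwsr-xr-x
  mode=$1 kind=$2
  t=$(mktemp -d) || return 1
  if [ "$kind" = dir ]; then mkdir "$t/x"; else : > "$t/x"; fi
  chmod "$mode" "$t/x"
  stat -c '%A' "$t/x"
  rm -rf "$t"
}

# Files with SUID or SGID set below a directory, one path per line.
# "-perm -4000" means "all of these bits are set": -4000 is SUID, -2000 SGID.
find_suid_sgid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Count the flagged files in a constructed tree: two flagged, one plain.
count_flagged_in_sample_tree() {
  t=$(mktemp -d) || return 1
  : > "$t/suid";  chmod 4755 "$t/suid"
  : > "$t/sgid";  chmod 2755 "$t/sgid"
  : > "$t/plain"; chmod 755  "$t/plain"
  find_suid_sgid "$t" | wc -l | tr -d ' '
  rm -rf "$t"
}

for m in "4755 file" "2755 file" "1777 dir" "4644 file"; do
  set -- $m
  printf 'chmod %s on a %s -> %s\n' "$1" "$2" "$(mode_string "$1" "$2")"
done
```

The 4644 case prints -rwSr--r--: the capital S means the SUID bit is stored but the file is not executable, so it does nothing. To audit a real system, call find_suid_sgid / and compare the list against what the distribution ships; anything unexpected, especially in a user-writable location, deserves a close look.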

conclusion
