Default and Special Permissions for Linux System Files

  • 2021-07-01 08:33:30
  • OfStack

Default permissions umask


[root@CentOS7 data]# touch file1 ; ll file1
-rw-r--r--. 1 root root 0 Oct 9 13:55 file1
[root@CentOS7 data]# mkdir dir1 ; ll dir1 -d
drwxr-xr-x. 2 root root 6 Oct 9 13:55 dir1

What is umask

From the example above you can see that new files get 644 and new directories 755 by default. Why? This is where umask comes in. The default umask in a Linux system is 022, and it directly determines the default permissions of the files and directories a user creates. It works in the opposite direction to chmod: where chmod grants permission bits to a file, umask masks them off, that is, it "takes away" the corresponding bits from the file's permissions.

How to Calculate the umask Value

In a Linux system the maximum permission for a directory is 777 and for a file 666. For security reasons a newly created file is never given execute permission, so compared with a directory the permission bits of a file lack the execute bit (x).

Let's set different umask values and create files:


[root@CentOS7 data]# umask 222
[root@CentOS7 data]# touch file1 ; ll file1
-r--r--r-- 1 root root 0 Sep 30 16:41 file1

It looks as if 444 is simply 666 minus 222, but is that really how it is calculated? Look at this example:


[root@CentOS7 data]# umask 123
[root@CentOS7 data]# touch file2 ; ll file2
-rw-r--r-- 1 root root 0 Sep 30 16:48 file2

[root@CentOS7 data]# mkdir dir1 ; ll dir1 -d
drw-r-xr-- 2 root root 6 Sep 30 16:49 dir1

From the results, the new file's permissions are not 666-123=543 but 644, while the directory's permissions are the plain difference 777-123=654. Why? Convert the file maximum 666 and the umask 123 to binary and line them up bit by bit:


110 110 110 --> 666 (maximum file permission)
001 010 011 --> 123 (umask value)
110 100 100 --> 644 (permissions of the new file)

The result confirms that "umask masks the corresponding permission bits of the file": a 1 in the umask clears the bit, a 0 leaves it unchanged.

As a shortcut for remembering it, use the following rule:

Directory: the default permission is 777 minus the umask value.

File: the default permission is 666 minus the umask value; if any digit of the result is odd, add 1 to that digit. For example, 666-123=543, so the result is 644.
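To make the bitwise rule concrete, here is a short shell script (an added example, not from the original article) that computes new-file and new-directory permissions for any umask with the same AND-NOT masking the kernel applies, and prints them next to the naive 666-umask subtraction so the 123 case stands out. Function names such as effective_mode are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): work out the permissions a new
# file or directory receives for a given umask the way the kernel does it,
# with a bitwise mask (mode = base & ~umask) rather than decimal subtraction.

# effective_mode BASE UMASK -> three-digit octal string
# BASE is 666 for a regular file (no execute bit at creation) or 777 for a
# directory. The leading 0 makes the shell arithmetic parse both as octal.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

new_file_mode() { effective_mode 666 "$1"; }
new_dir_mode()  { effective_mode 777 "$1"; }

# Print a small table for the umask values used in the article, next to the
# digit-wise subtraction that happens to be right for 022 and 222 but not 123.
show_table() {
    printf '%-6s %-5s %-5s %s\n' umask file dir "666-umask (naive)"
    for m in 022 222 123 666; do
        naive=$(( 666 - ${m#0} ))     # strip the leading 0 so this is decimal
        printf '%-6s %-5s %-5s %03d\n' "$m" "$(new_file_mode "$m")" "$(new_dir_mode "$m")" "$naive"
    done
}

show_table
```

The table shows that for umask 123 the naive subtraction gives 543 while the real result is 644, exactly the discrepancy discussed above; the "add 1 to odd digits" rule is just a mnemonic for what the bitwise mask does.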

How to use umask

Temporary (current shell only): umask 022

Permanent: ~/.bashrc (per-user setting, recommended) or /etc/bashrc (global setting)

Sometimes you need to give a new file very strict permissions, such as 000. You can do it in one of the following ways:


[root@CentOS7 data]# umask 666 ; touch file3
[root@CentOS7 data]# ll file3
---------- 1 root root 0 Sep 30 22:26 file3
[root@CentOS7 data]# umask
0666
or
[root@CentOS7 data]# touch file4 ; chmod 000 file4
[root@CentOS7 data]# ll file4
---------- 1 root root 0 Sep 30 22:33 file4

Although both methods create a new file with 000 permissions, both look clumsy, especially the first. If you only need the umask value once, you can use the following method:


[root@CentOS7 data]# (umask 666 ; touch file5)
[root@CentOS7 data]# ll file5
---------- 1 root root 0 Sep 30 22:42 file5
[root@CentOS7 data]# umask
0022

This method changes the umask only inside the subshell; the umask of the current shell is left unchanged.

Special Permissions suid sgid sticky

suid

Function: applies to executable binaries. When a user runs such a program, the process runs with the privileges of the program's owner.

In general, access to a file depends on the identity of the user, not on the file itself. That is not the case for programs with the suid permission, the best-known example involving the /etc/shadow file. Everyone knows that this file stores user passwords. By default ordinary users have no permission on it at all, yet when a user runs the passwd binary they can change their password and have the encrypted password saved into that file. That is the special permission of the passwd binary.


[hechunping@CentOS7 ~]$ ll /etc/shadow
---------- 1 root root 1271 Sep 30 23:18 /etc/shadow
[hechunping@CentOS7 ~]$ passwd
Changing password for user hechunping.
Changing password for hechunping.
(current) UNIX password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[hechunping@CentOS7 ~]$ ll /etc/shadow
---------- 1 root root 1271 Sep 30 23:23 /etc/shadow

From the output above, the /etc/shadow file has permissions 000, yet the ordinary user hechunping can still run the passwd command and change his password, which means the file's contents were changed even though the file permissions alone would never allow it. How? It is the suid permission, which you can see by looking at the permissions of the executable /usr/bin/passwd:


[root@CentOS7 data]# ll `which passwd`
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd

The owner section of the executable shows an "s", which represents the suid special permission. Its effect is that whoever runs the program inherits the owner's privileges, so the ordinary user hechunping can also change his password.

sgid

Function:

On an executable binary: when the program is executed, the process runs with the privileges of the group that owns the program.

On a directory: new files and subdirectories created in it automatically inherit the directory's group instead of the creator's primary group.

Test 1: when the directory's group is the current user's primary group, new files in the directory belong to the current user's primary group;


[root@CentOS7 data]# ll /data/ -d
drwxr-xr-x 2 root root 19 Oct 1 13:18 /data/
[root@CentOS7 data]# touch test1 ; ll test1
-rw-r--r-- 1 root root 0 Oct 1 13:19 test1

Test 2: change the directory's group to another group; new files in the directory still belong to the current user's primary group;


[root@CentOS7 data]# chgrp hechunping /data/ ; ll /data/ -d
drwxr-xr-x 2 root hechunping 32 Oct 1 13:19 /data/
[root@CentOS7 data]# touch test2 ; ll test2
-rw-r--r-- 1 root root 0 Oct 1 13:20 test2

Test 3: when the directory has the sgid permission, new files and subdirectories in it automatically inherit the group of the parent directory.


sticky

Function: on a directory, files in it can be deleted only by the file's owner (or root).

Test 1: give the /data directory 777 permissions; files created there by root can be deleted by the ordinary user hechunping.


Test 2: after the sticky permission is set on the /data directory, the ordinary user hechunping can no longer delete root's files in that directory, but can still delete his own.

PS: the sticky permission is set by default on the /tmp directory in Linux systems.
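The sgid and sticky tests above are the classic use cases for these two bits: a group-shared project directory and a /tmp-style drop directory. The shell script below is an added example, not part of the original article; it creates both layouts under a temporary directory, checks the bits in the ls mode string, and confirms that a file created in the sgid directory picks up the directory's group. The directory and function names are made up for the example, and the chgrp to a team group is omitted because that group name depends on the installation.

```shell
#!/bin/sh
# Added example (not from the original article): build the two directory
# layouts the sgid and sticky bits are meant for, then verify the bits and the
# group-inheritance behaviour. Assumes Linux with a POSIX shell and an ls that
# prints the usual "drwxrwsr-x" mode string (coreutils or busybox).

# Permission string of a path: first 10 characters of `ls -ld`.
mode_string() { ls -ld "$1" | cut -c1-10; }

# Owning group of a path: 4th field of `ls -ld`.
group_of() { ls -ld "$1" | awk '{print $4}'; }

# sgid shows up as s (or S when group execute is unset) in position 7.
has_sgid()   { case "$(mode_string "$1" | cut -c7)" in s|S) return 0;; esac; return 1; }
# sticky shows up as t (or T when other execute is unset) in position 10.
has_sticky() { case "$(mode_string "$1" | cut -c10)" in t|T) return 0;; esac; return 1; }

# Group-shared project directory, 2775 = rwxrwsr-x: with sgid on the
# directory every new file or subdirectory inherits the directory's group,
# so collaborators never have to chgrp by hand. (The chgrp to the team
# group is left out here because the group name is installation specific.)
make_shared_dir() { mkdir -p "$1" && chmod 2775 "$1"; }

# Public drop directory, 1777 = rwxrwxrwt, like /tmp: anyone can create
# files, but only a file's owner (or the directory owner, or root) may
# delete or rename it.
make_drop_dir() { mkdir -p "$1" && chmod 1777 "$1"; }

# Returns 0 if a file created inside DIR carries DIR's group.
inherits_group() {
    probe="$1/probe.$$"
    : > "$probe" || return 1
    fg=$(group_of "$probe"); dg=$(group_of "$1")
    rm -f "$probe"
    [ "$fg" = "$dg" ]
}

main() {
    work=$(mktemp -d)
    make_shared_dir "$work/project"
    make_drop_dir "$work/incoming"
    printf '%s  %s\n' "$(mode_string "$work/project")"  "$work/project"
    printf '%s  %s\n' "$(mode_string "$work/incoming")" "$work/incoming"
    if inherits_group "$work/project"; then
        echo "files created in project inherit group $(group_of "$work/project")"
    fi
    rm -rf "$work"
}

main
```

Because the script creates the directory itself, its group is the running user's primary group, so the inheritance check passes trivially; on a real shared directory you would chgrp it to the team group first, and the same check then shows that files created by any member carry the team group rather than the member's own. Note also that the sticky bit only restricts deletion and renaming; it does not stop another user from reading a world-readable file in the drop directory.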

Set file-specific properties

Permissions govern ordinary users, but once special attributes have been set with the chattr command, even root can no longer delete or modify the file.

chattr

Change file attributes on a Linux file system.

[Example 1] After the attribute is set with chattr, the file cannot be deleted, modified, or renamed:


[root@CentOS7 data]# touch file1 ; chattr +i file1
[root@CentOS7 data]# rm -rf file1
rm: cannot remove 'file1': Operation not permitted
[root@CentOS7 data]# mv file1 file1.bak
mv: cannot move 'file1' to 'file1.bak': Operation not permitted
[root@CentOS7 data]# echo "hello" >> file1
-bash: file1: Permission denied


[Example 2] After the attribute is set with chattr, content can only be appended to the file:


[Example 3] List the special attributes of a file


PS: to remove an attribute set with chattr, replace "+" with "-".
