[Linux] File permissions, directory permissions, masks, sticky bits and related instructions

Article directory

  • Linux permissions
    • Two kinds of users
    • Linux permission management
      • Three questions:
        • What are permissions?
        • What are the three roles:
        • So why do belonging groups exist?
      • File types and access rights (thing properties)
        • a) File type
        • b) Basic permissions
      • How to express file permission values
      • How to set file access permissions
        • a) chmod
        • b) chown
        • c) chgrp
      • Permission mask
        • d) umask
    • file command
      • 1) Modify the /etc/sudoers file allocation file
      • 2) Use sudo to call authorized commands
    • Directory permissions
    • Sticky bit -> can only be added to shared directories
    • Summary about permissions

Linux permissions

Two kinds of users

There are two types of users under Linux: the super user (root) and ordinary users.

  • Super user: can do anything on the Linux system, without restriction.
  • Ordinary user: can only do a limited set of things on the Linux system.
  • The command prompt of the super user is “#”, and the command prompt of an ordinary user is “$”.

Command: su [username]
Function: switch users.
For example, to switch from root to the ordinary user "user", run su user. To switch from the ordinary user "user" to root, run su root (root can be omitted); the system then prompts you for the root password.
To use the sudo command, the system must trust you as a user: the current user has to be added to /etc/sudoers.
The difference from simply working as root: sudo makes elevated privileges harder to use casually and discourages abusing them.

Linux permission management

Three questions:

What are permissions?

Permissions always involve people (one user, or certain groups of users)
and a target object (a movie website, a music app, etc.) that has or lacks the corresponding attributes (business functions).
Permission: whether a certain thing is allowed to be done, and by whom.
File permissions = person + file attributes

What are the three roles:
  • Owner of the file or directory: u (User)
  • Users in the group that the file or directory belongs to: g (Group)
  • Other users: o (Others)
So why do groups exist?

A file can have only one owner, so you need to set up a group in order to let the members of your team see your code.

File types and access permissions (file attributes)


a) File type

Linux (the operating system) does not use the file suffix to distinguish file types; it uses the first character of the file's attribute string. Some software does rely on the suffix, however (for example gcc and tar).

d: directory (folder)
-: ordinary file (source code, library files, executable programs, archives, etc.)
l: soft link (similar to a Windows shortcut)
b: block device file (such as a hard disk or optical drive)
p: pipe file
c: character device file (such as the screen and other serial devices)
s: socket file

b) Basic permissions
  • i. Read (r/4): for a file, the permission to read its contents; for a directory, the permission to list the directory's contents.
  • ii. Write (w/2): for a file, the permission to modify its contents; for a directory, the permission to delete or move files in the directory.
  • iii. Execute (x/1): for a file, the permission to execute it; for a directory, the permission to enter the directory.
  • iv. “-” means the permission is not held.

How to express file permission values

a) Character representation method
(image in the original post: the permissions as an rwx character string, e.g. rw-rw-r--)

b) Octal numerical representation method
(image in the original post: the same permissions as three octal digits, e.g. 664)

How to set file access permissions

a) chmod

Function: set file access permissions
Format: chmod [options] permissions filename
Common options:

-R -> recursively modify the permissions of a directory and the files in it
Note: only the owner of the file and root can change the permissions of a file.

Format of a chmod permission value
user symbol, then one of + / - / =, then permission characters

+: add the permission represented by the permission characters to the given scope
-: remove the permission represented by the permission characters from the given scope
=: set the given scope to exactly the permission represented by the permission characters
User symbols:
u: owner
g: users in the same group as the owner
o: other users
a: all users

# chmod u+w /home/abc.txt
# chmod o-x /home/abc.txt
# chmod a=x /home/abc.txt

Three octal digits:

# chmod 664 /home/abc.txt //110 110 100 -> rw- rw- r--
# chmod 640 /home/abc.txt //110 100 000 -> rw- r-- ---
b) chown

Function: change the owner of a file
Format: chown [options] username filename
Examples:

# chown user1 f1
# chown -R user1 filegroup1
c) chgrp

Function: change the group that a file or directory belongs to
Format: chgrp [options] groupname filename
Common options: -R recursively change the group of a directory and everything in it
Examples:

chgrp users /abc/f2

Permission mask

d) umask

Function:
View or modify the file creation mask
The default permissions for a new file are 0666
The default permissions for a new directory are 0777

In practice, however, the permissions you see on the files and directories you create are usually not these values. The reason is that file and directory creation is also affected by umask. If the default permissions are called mask, the permissions of the file actually created are: mask & ~umask

Permission mask: every permission bit that appears in umask is removed from the starting permissions, and no other bit is affected.
For example, 002 -> 000 000 010 means removing the 010 (write) bit from the "others" permissions.

Final permissions = starting permissions & (~umask)
In ~umask, a bit to be removed is 0 and a bit to be kept is 1.

Format: umask permission_value
Note: the permission mask is subtracted from the existing access permissions to produce the default permissions when a file is created. The default mask value is 0022 for the super user and 0002 for ordinary users.
Examples:

# umask 755
# umask        // view the current mask
# umask 044    // set the mask

Why do directory permissions start from 777?
Because a directory, once created, generally has to be accessible, so every bit starts out available before umask is applied.
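To make the representation, chmod and umask sections above concrete, here is an added example (not code from the original article) that converts between the rwx character form and the octal form, applies a chmod symbolic spec such as u+w, o-x or a=x, and computes the final permissions as starting permissions & ~umask; the function names are my own.

```python
# Added example: rwx strings, octal modes, chmod's "who op perms" form and umask arithmetic.
import re

PERM_BITS = {"r": 4, "w": 2, "x": 1}
SHIFTS = {"u": 6, "g": 3, "o": 0}  # bit offset of the owner, group and others triads

def symbolic_to_octal(sym: str) -> int:
    """'rw-rw-r--' -> 0o664 (nine characters, no leading type character)."""
    if len(sym) != 9:
        raise ValueError("expected exactly 9 permission characters")
    mode = 0
    for i, ch in enumerate(sym):
        if ch == "-":
            continue
        if ch != "rwx"[i % 3]:  # each slot may only hold its own letter
            raise ValueError(f"unexpected {ch!r} at position {i}")
        mode |= PERM_BITS[ch] << (3 * (2 - i // 3))
    return mode

def octal_to_symbolic(mode: int) -> str:
    """0o640 -> 'rw-r-----'."""
    return "".join(
        ("r" if (mode >> s) & 4 else "-") + ("w" if (mode >> s) & 2 else "-")
        + ("x" if (mode >> s) & 1 else "-")
        for s in (6, 3, 0))

def chmod_symbolic(mode: int, spec: str) -> int:
    """Apply one spec such as 'u+w', 'o-x', 'a=x' or 'go+r' to a mode."""
    m = re.fullmatch(r"([ugoa]+)([+\-=])([rwx]*)", spec)
    if not m:
        raise ValueError(f"bad chmod spec: {spec}")
    who, op, perms = m.groups()
    bits = 0
    for c in perms:
        bits |= PERM_BITS[c]
    targets = SHIFTS.values() if "a" in who else [SHIFTS[c] for c in who]
    for s in targets:
        if op == "+":
            mode |= bits << s
        elif op == "-":
            mode &= ~(bits << s)
        else:  # '=' replaces the whole triad with exactly these bits
            mode = (mode & ~(0o7 << s)) | (bits << s)
    return mode & 0o777

def default_mode(is_dir: bool, umask: int) -> int:
    """Final permissions = starting permissions & ~umask (0666 for files, 0777 for directories)."""
    start = 0o777 if is_dir else 0o666
    return start & ~umask & 0o777
```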

Directory permissions
r permission on a directory: whether the directory's contents can be viewed/listed
w permission on a directory: whether files can be created in it
x permission on a directory: whether the directory can be entered

file command

Function: identify file types.
Syntax: file [options] file_or_directory…
Common options:

-c Display the command's processing in detail, to help troubleshoot or analyse how the program runs.
-z Try to look inside compressed files.

Use sudo to assign permissions

1) Edit the /etc/sudoers permission-allocation file

# chmod 740 /etc/sudoers
# vi /etc/sudoers

Format: user_receiving_the_permission  host_they_log_in_from = (user_the_command_runs_as)  command

2) Use sudo to call authorized commands

$ sudo -u username command
$ sudo -u root /usr/sbin/useradd u2

Directory permissions

Execute permission: if a directory does not have the x permission, you cannot cd into it.
Read permission: if a directory does not have the r permission, you cannot use commands such as ls to view the names and attributes of the files in it.
Write permission: if a directory does not have the w permission, files cannot be created in it, and files cannot be deleted from it either.
Precisely because creating and deleting files are both governed by the directory's w permission, a fix in the form of the sticky bit is needed.

In other words, as long as a user has write permission on the directory, that user can delete the files in it, regardless of whether the user has write permission on the file itself.
That does not seem very reasonable: why can a file created by me, Zhang San, be deleted by you, Li Si? Let's verify it with the following session:

[root@localhost ~]# chmod 0777 /home/
[root@localhost ~]# ls /home/ -ld
drwxrwxrwx. 3 root root 4096 September 19 15:58 /home/
[root@localhost ~]# touch /home/root.c
[root@localhost ~]# ls -l /home/
Total usage 4
-rw-r--r--. 1 root root 0 September 19 15:58 abc.c
drwxr-xr-x. 27 litao litao 4096 September 19 15:53 litao
-rw-r--r--. 1 root root 0 September 19 15:59 root.c
[root@localhost ~]# su - litao
[litao@localhost ~]$ rm /home/root.c    # litao can delete a file created by root
rm: Delete the write-protected ordinary empty file "/home/root.c"? y
[litao@localhost ~]$ exit
logout

To solve this unreasonable situation, Linux introduced the concept of the sticky bit.
This permission bit can only be set on directories.

Sticky bit->Can only be added to shared directories

Background: when using Linux there may be shared directories, shared by all ordinary users and used to hold the temporary data they generate; shared directories are generally provided by root.
When a file sits in a directory shared by everyone, it is still restricted by its own permissions, but I cannot stop others from deleting my file.
So we have to set the sticky bit.

[root@localhost ~]# chmod +t /home/    # add the sticky bit
[root@localhost ~]# ls -ld /home/
drwxrwxrwt. 3 root root 4096 September 19 16:00 /home/
[root@localhost ~]# su - litao
[litao@localhost ~]$ rm /home/abc.c    # litao cannot delete other people's files
rm: Delete the write-protected ordinary empty file "/home/abc.c"? y
rm: cannot delete "/home/abc.c": Operation not allowed

Before adding:
drwxrwxrwx 2 root root 4096 Oct 21 11:46 public
After adding:
drwxrwxrwt 2 root root 4096 Oct 21 11:46 public
You can see that the last character changes from x to t.

When a directory has the sticky bit set (with chmod +t), the files in it can only be deleted by:

1. the super administrator (root)
2. the owner of the directory (but the creator of a shared directory is generally root)
3. the owner of the file itself
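As an added example that is not part of the original article, the following Python models the deletion rules described above: a user needs w and x on the directory, and once the sticky bit is set only root, the directory owner or the file owner may delete. The Inode and User classes, the uid 1000 for litao and the sample modes are constructed for the demonstration; ACLs and capabilities are deliberately left out of this model.

```python
# Added example: model of "who may delete a file from a directory" including the sticky bit.
from dataclasses import dataclass

S_ISVTX = 0o1000  # sticky bit; ls shows it as 't' in the last permission slot

@dataclass(frozen=True)
class Inode:
    mode: int  # permission bits including the sticky bit, e.g. 0o1777
    uid: int
    gid: int

@dataclass(frozen=True)
class User:
    uid: int
    groups: frozenset  # all gids the user belongs to

def parse_ls_mode(field: str) -> int:
    """'drwxrwxrwt' -> 0o1777; the type character is dropped (setuid/setgid not handled)."""
    mode = 0
    for i, ch in enumerate(field[1:]):
        shift = 3 * (2 - i // 3)
        if ch in "rwx":
            mode |= {"r": 4, "w": 2, "x": 1}[ch] << shift
        elif ch in "tT" and i == 8:  # 't' = sticky + others-x, 'T' = sticky without x
            mode |= S_ISVTX | (1 if ch == "t" else 0)
        elif ch != "-":
            raise ValueError(f"unsupported permission character {ch!r}")
    return mode

def class_bits(node: Inode, user: User) -> int:  # owner triad, else group, else others
    if user.uid == node.uid:
        return (node.mode >> 6) & 0o7
    if node.gid in user.groups:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7

def can_unlink(directory: Inode, target: Inode, user: User) -> bool:
    if user.uid == 0:  # root is unrestricted
        return True
    if (class_bits(directory, user) & 0o3) != 0o3:  # need w (2) and x (1) on the directory
        return False
    if directory.mode & S_ISVTX:  # sticky: only the file owner or directory owner
        return user.uid in (target.uid, directory.uid)
    return True  # no sticky bit: the file's own mode plays no role

# Constructed sample mirroring the session above: root-owned /home, litao as uid 1000.
LITAO = User(uid=1000, groups=frozenset({1000}))
ROOT_C = Inode(mode=0o644, uid=0, gid=0)                # /home/root.c, owned by root
HOME_OPEN = Inode(parse_ls_mode("drwxrwxrwx"), 0, 0)    # after chmod 0777 /home/
HOME_STICKY = Inode(parse_ls_mode("drwxrwxrwt"), 0, 0)  # after chmod +t /home/
```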

Summary about permissions

The execute permission of a directory indicates whether you can run commands within that directory.
If a directory lacks the x permission, you cannot run any command on it, not even cd into it, even if the directory still has the r read permission (it is easy to make a mistake here and assume that read permission lets you enter the directory and read the files in it).
If a directory has the x permission but not the r permission, the user can run commands and cd into it; but because there is no read permission on the directory, even though the ls command can be run inside it, you still do not have permission to read the files in the directory.