Linux 2: Understanding permissions

1. The concept of Linux permissions

There are two kinds of users in Linux: the superuser (root) and ordinary users.

Superuser: can do anything on a Linux system without restriction.
Ordinary users: can do only a limited set of things on Linux.
The command prompt for the superuser is "#", and the command prompt for an ordinary user is "$".

Syntax: su [user]
Function: Switch user.
For example, to switch from the root user to an ordinary user named user, use su user. To switch from the ordinary user user to root, use su root (root can be omitted); the system will prompt for the root user's password. The working directory remains unchanged.

Note:

adduser can be used to create user accounts. After the account is created, use passwd to set its password, and use userdel to delete the account. Accounts created with the adduser command are actually stored in the /etc/passwd text file.

Syntax: adduser [options] username
Function: Create a new system user in Linux.

Common options:

  -b, --base-dir BASE_DIR       Base directory for the new account's home directory
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       Home directory of the new account
  -D, --defaults                Show or change the default adduser configuration
  -e, --expiredate EXPIRE_DATE  Expiration date of the new account
  -f, --inactive INACTIVE       Password inactivity period of the new account
  -g, --gid GROUP               Name or ID of the new account's primary group
  -G, --groups GROUPS           List of additional groups for the new account
  -h, --help                    Show this help message and exit
  -k, --skel SKEL_DIR           Use this directory as the skeleton directory
  -K, --key KEY=VALUE           Override the default values in /etc/login.defs
  -l, --no-log-init             Do not add this user to the recent-logins and login-failures databases
  -m, --create-home             Create the user's home directory
  -M, --no-create-home          Do not create the user's home directory
  -N, --no-user-group           Do not create a group with the same name as the user
  -o, --non-unique              Allow creating a user with a duplicate (non-unique) UID
  -p, --password PASSWORD       Encrypted password of the new account
  -r, --system                  Create a system account
  -R, --root CHROOT_DIR         Directory to chroot into
  -s, --shell SHELL             Login shell of the new account
  -u, --uid UID                 User ID of the new account
  -U, --user-group              Create a group with the same name as the user
  -Z, --selinux-user SEUSER     Use the specified SEUSER for the SELinux user mapping

Syntax: passwd [options…] <account name>
Function: Set user authentication information, including the user password, account locking, password expiry, and so on. Running passwd with no arguments changes the current user's password. Operating on other users' passwords requires administrator privileges.

Common options:

  -k, --keep-tokens       Keep non-expired authentication tokens
  -d, --delete            Delete the password of the named account (root only)
  -l, --lock              Lock the password of the named account (root only)
  -u, --unlock            Unlock the password of the named account (root only)
  -e, --expire            Expire the password of the named account (root only)
  -f, --force             Force the operation
  -x, --maximum=DAYS      Maximum validity period of the password (root only)
  -n, --minimum=DAYS      Minimum validity period of the password (root only)
  -w, --warning=DAYS      Number of days before the password expires at which the user starts being warned (root only)
  -i, --inactive=DAYS     Number of days after the password expires after which the account is disabled (root only)
  -S, --status            Report the password status of the named account (root only)
  --stdin                 Read the new token from standard input (root only)

Syntax: userdel [options] username

Function: Delete user accounts and related files.

Note: The userdel command usually does not delete a user account while processes belonging to that user are still running. If the account really has to be deleted, you can first terminate the user's processes and then run userdel. The userdel command also provides an option for this situation: "-f".

Common options:

  -f, --force                   Force some actions that would otherwise fail
  -h, --help                    Show this help message and exit
  -r, --remove                  Delete the home directory and mail spool
  -R, --root CHROOT_DIR         Directory to chroot into
  -Z, --selinux-user            Remove any SELinux user mapping for the user

Example:

Users who log in normally have a home directory under /home, so they can directly view the files in this directory.

2. Linux permission management

File permissions are determined by the user and file attributes.

2.1 Classification of file visitors

u (User): the owner of the file or directory
g (Group): users in the group that the owner of the file or directory belongs to
o (Others): all other users

Why groups exist: they make collaboration within a group easier while keeping the project secure. By default, each user forms a group of their own.

2.2 File types and access rights

When we use the ll command, we can see the following information:

Specifically, as shown in the following picture:

a) File type

d:	directory
-:	regular file
l:	soft link (similar to a Windows shortcut)
b:	block device file (such as hard disks, optical drives, etc.)
p:	pipe file
c:	character device file (serial devices, such as screens)
s:	socket file

b) Basic permissions

r	:	Read. For a file, permission to read the file's contents; for a directory, permission to browse the directory's listing
w	:	Write. For a file, permission to modify the file's contents; for a directory, permission to delete and move files within the directory
x	:	Execute. For a file, permission to execute the file; for a directory, permission to enter the directory
-	:	Indicates that the permission is not granted

2.3 Permission modification

a) chmod

Syntax: chmod [parameters] permissions filename
Function: Change the access permission of the file.
Note: Only the file's owner and root can change the permissions of a file.

-c, --changes				Report only when the file's permissions actually change
-f, --silent, --quiet		Do not output error messages for files whose permissions cannot be changed
-v, --verbose				Report permission changes in detail
-R, --recursive				Change the permissions of files in a directory and all its subdirectories
--reference=rfile			(fileutils 4.0 and later) Set the file's mode to that of rfile.

1. User symbol, then + / - / =, then permission characters:

+: Add the listed permissions to the given user class
-: Remove the listed permissions from the given user class
=: Set the given user class's permissions to exactly the listed permissions

User symbols:
u: owner
g: users in the owner's group
o: other users
a: all users

Example:

2. Three octal digits

If we use 0 / 1 to indicate whether each permission bit is set, each group of permissions is represented by 3 binary bits, whose range is 0 ~ 7, which is exactly the range of one octal digit. One octal digit can therefore be converted to binary to represent one group of permissions, so 3 octal digits represent the 3 groups of permissions.

Therefore, permissions can also be written in the following form:
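
The two notations side by side, as an added example that is not part of the original post. The function names and scratch files are assumptions made for illustration, GNU stat is assumed, and only the basic r/w/x characters are handled:

```sh
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils stat.

# Convert the 9 basic permission characters shown by ll (e.g. rwxr-xr--)
# into three octal digits: r=4, w=2, x=1 within each u/g/o triad.
perm_to_octal() {
    perm=$1
    out=
    while [ -n "$perm" ]; do
        triad=$(printf '%s' "$perm" | cut -c1-3)
        perm=$(printf '%s' "$perm" | cut -c4-)
        digit=0
        case $triad in r??) digit=$((digit + 4)) ;; esac
        case $triad in ?w?) digit=$((digit + 2)) ;; esac
        case $triad in ??x) digit=$((digit + 1)) ;; esac
        out=$out$digit
    done
    printf '%s\n' "$out"
}

# Set the same permissions on two scratch files, once with user symbols and
# once with three octal digits, and print both resulting modes.
chmod_both_ways() {
    dir=$(mktemp -d) || return 1
    : > "$dir/sym"
    : > "$dir/oct"
    chmod u=rwx,g=rx,o=r "$dir/sym"
    chmod 754 "$dir/oct"
    printf '%s %s\n' "$(stat -c %a "$dir/sym")" "$(stat -c %a "$dir/oct")"
    rm -rf "$dir"
}

perm_to_octal rwxr-xr--    # 754
chmod_both_ways            # 754 754
```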

b) chown

Syntax: chown [parameters] username filename
Function: Modify file owner and group.
Options:

-c, --changes
              Describe each file whose ownership actually changed.
-f, --silent, --quiet
              Do not print error messages for files whose ownership cannot be changed.
-h, --no-dereference
              Act on the symbolic link itself, without modifying the file it points to. Only available on systems that provide the lchown system call.
-v, --verbose
              Describe in detail the action performed (or not performed) on each file.
-R, --recursive
              Recursively change the ownership of a directory and its contents.
--dereference
              Change the ownership of the target of a symbolic link, rather than the symlink itself. (New in fileutils 4.0.)
--reference=rfile
              (New in fileutils 4.0.) Set the file's ownership to that of rfile.

Example:

c) chgrp

Syntax: chgrp [parameters] groupname filename
Function: Change the group ownership of a file.
Options:

-R     Recursively change the group ownership of a directory and its contents (continue even on errors)
--     End of the options list.

Another way of writing:

Supplement

We remove the owner's execute permission while we also belong to the owning group, and the owning group has execute permission. But we find that we cannot execute the test file. Reason: the system first checks whether the user is the owner and, if so, applies the owner's permissions; only for a non-owner does it go on to check whether the user is in the owning group.
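
The owner-first check described above, as an added example that is not part of the original post. The function names are assumptions made for illustration and GNU stat is assumed; the script only reports which class is selected, it does not try to run the file:

```sh
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils stat.

# Print which permission class applies to the calling user for a file, and
# that class's rwx triad. Classes are tried in order and the first match
# wins: owner, then group, then other. (root bypasses most of these checks.)
applicable_class() {   # $1 = path
    mode=$(stat -c %A "$1")     # e.g. -rw-rwx---
    owner=$(stat -c %u "$1")
    group=$(stat -c %g "$1")
    if [ "$(id -u)" = "$owner" ]; then
        class=owner; cols=2-4
    elif id -G | tr ' ' '\n' | grep -qx "$group"; then
        class=group; cols=5-7
    else
        class=other; cols=8-10
    fi
    printf '%s %s\n' "$class" "$(printf '%s' "$mode" | cut -c"$cols")"
}

# Reproduce the case above on a scratch file: we own the file, the owner has
# no x, and the owning group (which we may also belong to) has x.
demo_owner_without_x() {
    f=$(mktemp) || return 1
    chmod u=rw,g=rwx,o= "$f"
    applicable_class "$f"
    rm -f "$f"
}

demo_owner_without_x    # owner rw-
```

The group's x is never consulted because the owner class already matched, which is why the file cannot be executed until the owner triad itself gains x.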

The file command:

Syntax: file [ -bcnsvzL ] [ -f named file ] [ -m magic number file ] file …
Function: Determine the file type.
Options:

-b      Do not output the filename (brief mode).
-c      Display the command's execution process in detail, which is convenient for debugging or analyzing how the program runs.
-m list Specify a list of files containing magic numbers. Can be a single file or multiple files separated by colons.
-n      Force flushing of standard output each time a file is checked. Only useful when checking a set of files. This option is generally only used when piping the file types to another program.
-v      Print the program version and exit.
-z      Attempt to look inside compressed files.
-L      (On systems that support symlinks) Follow symlinks and show the file they point to, like the like-named option of the ls(1) command.

umask mask

New ordinary files: starting permission 666
New ordinary directories: starting permission 777

However, what we actually see is 775 and 664.

View umask

Take the last three digits, here 002, and convert them to binary: 000 000 010.
Then compute default & ~umask.

That is to say, any permissions that appear in umask should not appear in the final permissions.
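
The default & ~umask calculation checked against real file creation, as an added example that is not part of the original post. The function names are assumptions made for illustration and GNU stat is assumed. The umask 033 case shows why this is a bit mask and not a subtraction: 666 with umask 033 gives 644, not 633.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils stat.

# default & ~umask, with both arguments given as octal digit strings.
apply_umask() {   # $1 = starting permission (666 or 777), $2 = umask
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Create a file and a directory under the given umask and print their modes.
# The subshell keeps the umask change from leaking into the caller.
observed_modes() {   # $1 = umask
    (
        umask "$1"
        dir=$(mktemp -d) || exit 1
        : > "$dir/f"        # new file starts from 666
        mkdir "$dir/d"      # new directory starts from 777
        printf '%s %s\n' "$(stat -c %a "$dir/f")" "$(stat -c %a "$dir/d")"
        rm -rf "$dir"
    )
}

apply_umask 666 002     # 664
apply_umask 777 002     # 775
apply_umask 666 033     # 644 (bits already absent cannot be removed twice)
observed_modes 002      # 664 775
observed_modes 027      # 640 750
```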

Interview questions

What permissions do I need to create a file in a directory?
What permissions do I need to view the list of files in a directory?
What permissions do I need to enter a directory?

The first two were answered at once; let's look at the third question.

Experiment shows that execute permission is required!

Sticky bit

Let's look at an experiment first:

As shown, we changed the owner of rmo.txt, the group it belongs to, and the write and execute permissions of other, but we can still delete it.

Next, we use root to create a new directory dir, file.txt file and modify the relevant permissions. Delete each file.txt file, only file4.txt. It cannot be deleted even in the upper directory.

Next, empty the dir directory, switch to a normal user, and delete the dir directory. This time it can be deleted.
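
A check for shared directories that lack the sticky bit, as an added example that is not part of the original post. It relies on the standard Linux rule that in a sticky directory only the file's owner, the directory's owner, or root may delete or rename an entry; the function names and the constructed directory tree are assumptions made for illustration, and GNU stat is assumed:

```sh
#!/bin/sh
# Added example (not from the original post). Assumes GNU coreutils stat.

# List directories under $1 that anyone may write to (o+w) but that lack the
# sticky bit. In such a directory any user can delete or rename files they
# do not own, because deleting is a write to the directory, not to the file.
dirs_missing_sticky() {   # $1 = top of the tree to audit
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Constructed tree: one shared directory without the sticky bit, one with it
# (like /tmp), and one that is not world-writable at all.
demo_sticky_audit() {
    top=$(mktemp -d) || return 1
    mkdir "$top/shared" "$top/sticky" "$top/private"
    chmod 0777 "$top/shared"
    chmod 1777 "$top/sticky"
    chmod 0755 "$top/private"
    before=$(dirs_missing_sticky "$top" | sed "s|^$top/||")
    chmod +t "$top/shared"      # the fix: set the sticky bit
    after=$(dirs_missing_sticky "$top" | sed "s|^$top/||")
    # ll shows t in place of the last x once the sticky bit is set
    last=$(stat -c %A "$top/shared" | cut -c10)
    rm -rf "$top"
    printf 'before=%s after=%s last=%s\n' "$before" "$after" "$last"
}

demo_sticky_audit    # before=shared after= last=t
```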

3. Summary

1. 	The execute permission of a directory indicates whether you can execute commands in the directory.
2. 	If the directory does not have x permission, you cannot execute any command on the directory, not even cd into it, even if the directory still has r (read) permission.
3. 	If the directory has x permission but no r permission, the user can execute commands and can cd into the directory.
	But since the directory has no read permission, even though the ls command can be run inside it, there is still no permission to list the files in the directory.

The above is a brief summary of Linux permissions. Corrections and criticism are welcome!

Posted by sfmnetsys on Sat, 08 Oct 2022 05:27:31 +0530