1. The concept of Linux permissions
There are two kinds of users in Linux: the superuser (root) and ordinary users.
Superuser: can do anything on the system; the kernel's file permission checks do not apply to root.
Ordinary users: can only do what the permissions on files and directories allow them to do.
The shell prompt of the superuser ends in "#", the prompt of an ordinary user in "$".
Syntax: su [user]
Function: switch user.
For example, to switch from root to the ordinary user "user", run su user. To switch from an ordinary user to root, run su root (root can be omitted); the system then asks for root's password. The working directory stays unchanged. Adding a hyphen (su - user) starts a login shell, which also resets the environment to that of the target user.
Note:
adduser creates user accounts (on Red Hat-family systems it is a symlink to useradd; on Debian/Ubuntu it is an interactive front-end to useradd, and the options listed below are useradd's). After the account is created, set its password with passwd, and remove it with userdel. The account records live in the text file /etc/passwd; the password hashes live in /etc/shadow, which only root can read.
Syntax: useradd [options] LOGIN (adduser where it is the same program)
Function: create a new user account.
Common options:
  -b, --base-dir BASE_DIR       base directory for the new account's home directory
  -c, --comment COMMENT         GECOS field of the new account
  -d, --home-dir HOME_DIR       home directory of the new account
  -D, --defaults                print or change the default useradd configuration
  -e, --expiredate EXPIRE_DATE  expiration date of the new account
  -f, --inactive INACTIVE       password inactivity period of the new account
  -g, --gid GROUP               name or ID of the primary group of the new account
  -G, --groups GROUPS           list of supplementary groups of the new account
  -h, --help                    display this help message and exit
  -k, --skel SKEL_DIR           use this alternative skeleton directory
  -K, --key KEY=VALUE           override the defaults from /etc/login.defs
  -l, --no-log-init             do not add the user to the lastlog and faillog databases
  -m, --create-home             create the user's home directory
  -M, --no-create-home          do not create the user's home directory
  -N, --no-user-group           do not create a group with the same name as the user
  -o, --non-unique              allow creating a user with a duplicate (non-unique) UID
  -p, --password PASSWORD       encrypted password of the new account
  -r, --system                  create a system account
  -R, --root CHROOT_DIR         directory to chroot into
  -s, --shell SHELL             login shell of the new account
  -u, --uid UID                 user ID of the new account
  -U, --user-group              create a group with the same name as the user
  -Z, --selinux-user SEUSER     use the given SEUSER for the SELinux user mapping
Note on -o: the kernel identifies users by UID, not by name, so two accounts sharing a UID are the same user to the system; a second account with UID 0 is simply another root.
Syntax: passwd [options...] <account name>
Function: set user authentication information, including the password, account locking, password expiry and so on. Run passwd without arguments to change the current user's password; changing another user's password requires administrator privileges.
Common options:
  -k, --keep-tokens             keep non-expired authentication tokens
  -d, --delete                  delete the password of the named account (root only)
  -l, --lock                    lock the password of the named account (root only)
  -u, --unlock                  unlock the password of the named account (root only)
  -e, --expire                  expire the password of the named account, forcing a change at next login (root only)
  -f, --force                   force the operation
  -x, --maximum=DAYS            maximum password lifetime (root only)
  -n, --minimum=DAYS            minimum password lifetime (root only)
  -w, --warning=DAYS            how many days before expiry the user is warned (root only)
  -i, --inactive=DAYS           how many days after expiry the account is disabled (root only)
  -S, --status                  report the password status of the named account (root only)
  --stdin                       read the new password from standard input (root only)
Caveat: passwd -l only disables password authentication (it prefixes the hash in /etc/shadow with "!"). A user with an authorized SSH key can still log in until the account itself is expired or its shell is changed.
Syntax: userdel [options] username
Function: delete a user account and its related files.
Note: userdel refuses to remove an account that still has running processes, or that is currently logged in. Terminate the user's processes first, then run userdel. The "-f" option forces the removal anyway, and also removes the home directory even if another account shares it, so use it with care. Files the user owns outside the home directory are not touched; they remain on disk with an orphaned UID and can be found with find / -nouser.
Common options:
  -f, --force                   force removal even if the user is still logged in
  -h, --help                    display this help message and exit
  -r, --remove                  remove the home directory and mail spool
  -R, --root CHROOT_DIR         directory to chroot into
  -Z, --selinux-user            remove any SELinux user mapping for the user
Example: a user created this way gets a home directory under /home (for example /home/user) and lands there after logging in; ls /home lists the home directories of all normally created accounts.
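Since the account records end up in /etc/passwd, the same file is where an auditor looks for the consequences of useradd -o or of a manually added root-equivalent account. The following script is an added example (not part of the original article); the passwd-format sample it writes is constructed, and the account names in it are invented. Point the functions at the real /etc/passwd to audit a system.

```shell
#!/usr/bin/env bash
# Added example: audit a passwd(5)-format file for root-equivalent accounts,
# duplicate UIDs and accounts that can log in interactively.
# The sample file below is constructed for demonstration.

sample_passwd() {              # write a constructed passwd file, print its path
  f=$(mktemp)
  cat >"$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
  printf '%s\n' "$f"
}

uid0_accounts() {              # every account with UID 0 is root, whatever it is called
  awk -F: '$3 == 0 { print $1 }' "$1"
}

duplicate_uids() {             # UIDs shared by more than one account (what useradd -o permits)
  awk -F: '{ print $3 }' "$1" | sort -n | uniq -d
}

login_shell_accounts() {       # accounts whose shell is not nologin/false
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

f=$(sample_passwd)
echo "UID 0 accounts:";  uid0_accounts "$f"
echo "duplicate UIDs:";  duplicate_uids "$f"
echo "login shells:";    login_shell_accounts "$f"
rm -f "$f"
```

On the constructed sample this reports root and toor as UID 0, the UIDs 0 and 1000 as duplicated, and root, toor, alice and bob as interactive accounts.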
2. Linux permission management
Whether an access is allowed is decided from who is accessing (the user and the groups they belong to) and from the file's attributes (its owner, its group and its permission bits).
2.1 Classification of file visitors
u, User: the owner of the file or directory
g, Group: users who belong to the file's or directory's group
o, Others: all other users
Why groups exist: they let the members of a project share files while keeping everyone else out, which is both a security boundary and a collaboration aid. By default each new user gets a private group of the same name (useradd -U), so a freshly created user forms a group of one.
2.2 File types and access rights
Running ll (an alias of ls -l on most distributions) prints one line per entry, for example (constructed):
-rw-rw-r-- 1 user user 12 Jan 1 12:00 test.txt
The first character is the file type, the next nine are the permissions of the owner, the group and others (three characters each), followed by the hard-link count, owner, group, size, modification time and name. Specifically:
a) file type
-: regular file
d: directory
l: symbolic (soft) link, similar to a Windows shortcut
b: block device file (hard disks, optical drives, ...)
c: character device file (terminals, serial ports, ...)
p: named pipe (FIFO)
s: socket file
b) Basic permissions
r (read): for a file, permission to read its contents; for a directory, permission to list its entries
w (write): for a file, permission to modify its contents; for a directory, permission to create, delete and rename entries in it (this also requires x on the directory)
x (execute): for a file, permission to execute it; for a directory, permission to enter it and reach its entries by name
-: the permission is not granted
2.3 Permission modification
a) chmod
Syntax: chmod [options] mode file...
Function: change the access permissions of a file.
Note: only the file's owner and root can change a file's permissions.
Options:
  -c, --changes                 report only when a change is actually made
  -f, --silent, --quiet         suppress most error messages
  -v, --verbose                 output a diagnostic for every file processed
  -R, --recursive               change files and directories recursively
  --reference=RFILE             use RFILE's mode instead of specifying a mode
1. Symbolic form: who, operator, permission letters
Operators:
+: add the listed permissions for the given class
-: remove the listed permissions from the given class
=: set the class's permissions to exactly the listed ones
Who:
u: the owner
g: the file's group
o: other users
a: all three classes
2. Three octal digits
Write 1 for a granted permission and 0 for a denied one; each class's rwx is then a 3-bit number in the range 0..7, which is exactly one octal digit (r = 4, w = 2, x = 1). Three octal digits therefore describe the three classes: rw-rw-r-- is 110 110 100 in binary, i.e. 664, and rwxr-xr-x is 755.
This gives the equivalent numeric form chmod 664 file, which does the same as the symbolic u=rw,g=rw,o=r.
b) chown
Syntax: chown [options] owner[:group] file...
Function: change the owner (and optionally the group) of a file. Only root can give a file to another owner.
Options:
  -c, --changes                 report each file whose ownership actually changes
  -f, --silent, --quiet         suppress most error messages
  -h, --no-dereference          affect symbolic links themselves instead of the files they point to (requires the lchown system call)
  -v, --verbose                 output a diagnostic for every file processed
  -R, --recursive               operate on files and directories recursively
  --dereference                 affect the target of each symbolic link rather than the link itself (fileutils 4.0 and later)
  --reference=RFILE             use RFILE's owner and group rather than specifying values (fileutils 4.0 and later)
c) chgrp
Syntax: chgrp [options] group file...
Function: change the group of a file. An unprivileged owner can only assign a group they are a member of.
Options:
  -R, --recursive               operate on files and directories recursively
  --                            end of options; everything after it is a file name
Another way of writing it: chown also accepts the owner:group form (or :group alone), so owner and group can be changed in one command.
Supplement
Suppose we remove the owner's execute permission while the owner is also a member of the file's group, which still has execute permission. The owner nevertheless cannot execute the file. Reason: the kernel checks exactly one permission class. If the accessing process's user is the owner, only the owner bits apply; the group bits are consulted only for processes that are not the owner but belong to the group, and the other bits only for everyone else. Permissions are selected, not accumulated.
file command:
Syntax: file [-bcnsvzL] [-f namefile] [-m magicfile] file...
Function: determine the type of a file from its contents (magic numbers), not from its name, so a renamed executable or script is still identified as such.
Options:
  -b        brief mode: do not prepend file names to output lines
  -c        print a checking printout of the parsed magic file (for debugging magic files)
  -m list   use the given magic file(s), separated by colons, instead of the default
  -n        force flushing of standard output after each file; useful when the output goes to a pipe
  -s        also read block and character special files
  -v        print the program version and exit
  -z        try to look inside compressed files
  -L        follow symbolic links and report on the target, like the option of the same name in ls(1)
umask
A regular file starts from permission 666, a directory from 777: that is the mode the creating program asks for, before the process's umask is applied.
Yet what we actually see is 664 for files and 775 for directories.
Running umask prints 0002 on the author's system (a value typical of distributions that give each user a private group; others default to 0022). Taking the last three digits, 002 is 000 000 010 in binary. The kernel computes
final permissions = default & ~umask
so 666 & ~002 = 664 and 777 & ~002 = 775.
That is to say, any permission bit set in the umask never appears in the final permissions. Note that umask is a property of the process and is inherited by its children, so a service started with a lax umask creates world-writable files regardless of the shell default.
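The octal arithmetic behind the "three octal digits" form of chmod and behind umask is the same, and it can be checked against what the kernel really assigns. The script below is an added example (not part of the original article): mode_bits converts an ls-style permission string into octal digits, apply_umask computes default & ~umask, and observed_modes creates a file and a directory under a given umask and reads back their modes. It assumes GNU coreutils (stat -c) and writes only under a mktemp directory that it removes.

```shell
#!/usr/bin/env bash
# Added example: octal permission arithmetic, checked against the kernel.
# Assumes GNU coreutils (stat -c).

# mode_bits "rw-rw-r--" -> 664: each r/w/x triplet is one octal digit (4+2+1).
# s/S/t/T in the x position are setuid/setgid/sticky; only their x part counts here.
mode_bits() {
  perm_str=$1; digits=''
  for start in 1 4 7; do
    triplet=$(printf '%s' "$perm_str" | cut -c "$start-$((start + 2))")
    v=0
    case $triplet in r??)     v=$((v + 4));; esac
    case $triplet in ?w?)     v=$((v + 2));; esac
    case $triplet in ??[xst]) v=$((v + 1));; esac
    digits="$digits$v"
  done
  printf '%s\n' "$digits"
}

# apply_umask DEFAULT UMASK -> DEFAULT & ~UMASK, e.g. apply_umask 666 002 -> 664
apply_umask() {
  printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# observed_modes UMASK -> "<file mode> <dir mode>" actually assigned by the kernel
# (files are requested with 666, directories with 777).
observed_modes() {
  work=$(mktemp -d)
  ( umask "$1"; : >"$work/f"; mkdir "$work/d" )
  stat -c '%a' "$work/f" "$work/d" | paste -s -d ' '
  rm -rf "$work"
}

for m in 002 022 027; do
  printf 'umask %s: computed %s/%s, observed %s\n' \
    "$m" "$(apply_umask 666 "$m")" "$(apply_umask 777 "$m")" "$(observed_modes "$m")"
done
```

With umask 002 the computed and observed values are 664 and 775, matching the ll output discussed above; with 027 they become 640 and 750, which is what a group-shared but otherwise private directory tree should look like.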
Interview questions
What permission is needed to create a file in a directory? Write permission on the directory (together with execute, since the kernel must be able to look the directory up).
What permission is needed to list the files in a directory? Read permission on the directory.
What permission is needed to enter a directory? The first two follow directly from the definitions above; let us look at the third.
Experiment shows: execute permission on the directory is required.
Sticky bit
Let us look at an experiment first:
We changed the owner of rmo.txt, its group, and removed write and execute permission for others, yet we could still delete it. Deleting a file modifies the directory that contains it, not the file, so it is governed by the directory's w and x bits, not by the file's own permissions.
Next, as root, we created a new directory dir and several file.txt files, adjusted the permissions, and then tried to delete each file.txt as an ordinary user. All of them could be deleted except file4.txt, which could not be removed, not even from the directory above.
Finally we emptied dir, switched to an ordinary user and deleted dir itself: this succeeded, because removing dir is an operation on its parent directory, whose permissions allowed it.
This is what the sticky bit is for. Setting it on a directory (chmod +t dir; it shows as t in the last position, e.g. drwxrwxrwt, as on /tmp) lets every user create files there, but only a file's owner, the directory's owner or root may delete or rename an entry.
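A world-writable directory without the sticky bit lets any local user delete or rename other users' files, which is exactly the situation the experiment above exercises. The script below is an added example (not part of the original article): it builds a constructed tree under mktemp with one correctly protected shared directory (mode 1777) and one unprotected one (mode 0777), shows how the sticky bit appears in the mode string, and runs the find expression an auditor would use on a real system. It assumes GNU coreutils (stat -c) and a find that understands -perm with octal modes.

```shell
#!/usr/bin/env bash
# Added example: set the sticky bit on a shared directory and find
# world-writable directories that lack it. The tree is constructed under mktemp;
# run world_writable_without_sticky against / to audit a real system.

# make_tree -> path of a constructed tree with one 1777 and one 0777 directory
make_tree() {
  top=$(mktemp -d)
  mkdir "$top/shared_ok" "$top/shared_bad"
  chmod 1777 "$top/shared_ok"    # rwxrwxrwt: anyone may create, only owners may delete
  chmod 0777 "$top/shared_bad"   # rwxrwxrwx: anyone may delete anyone's files
  printf '%s\n' "$top"
}

# mode_string PATH -> ls-style mode, e.g. drwxrwxrwt (trailing t is the sticky bit)
mode_string() {
  stat -c '%A' "$1"
}

# Directories writable by others (-perm -0002) but without the sticky bit (! -perm -1000).
world_writable_without_sticky() {
  find "$1" -type d -perm -0002 ! -perm -1000
}

root_dir=$(make_tree)
echo "protected:   $(mode_string "$root_dir/shared_ok")"
echo "unprotected: $(mode_string "$root_dir/shared_bad")"
echo "needs chmod +t:"
world_writable_without_sticky "$root_dir"
rm -rf "$root_dir"
```

On the constructed tree only shared_bad is reported. The same find expression, started at /, is a standard hardening check; /tmp and /var/tmp are expected to carry the sticky bit and must not appear in its output.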
3. Summary
1. The execute permission of a directory decides whether you can enter it and reach the entries inside it by name.
2. If a directory lacks x, you cannot cd into it or open anything inside it, even if it still has r (r alone only lets you list the names, and ls cannot even stat them).
3. If a directory has x but not r, you can cd into it and open files whose names you already know, but ls cannot list its contents.
Root is exempt from all of these checks.
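The three interview questions and the three summary points above can be verified in one run. The script below is an added example (not part of the original article): probe_dir creates a directory holding one readable file under mktemp, gives the directory the requested mode, and attempts cd, ls, cat of the known file name and touch of a new file as the current user, reporting ok or denied for each. Because root bypasses these checks (CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH), the probe must be run as an ordinary user to show the denials.

```shell
#!/usr/bin/env bash
# Added example: probe what each directory permission actually allows.
# Run as an ordinary user; root bypasses the permission bits entirely.

# probe_dir MODE -> "cd=<ok|denied> ls=<ok|denied> cat=<ok|denied> touch=<ok|denied>"
probe_dir() {
  base=$(mktemp -d)
  mkdir "$base/d"
  echo secret >"$base/d/known_name"      # a file whose name we know in advance
  chmod "$1" "$base/d"
  result=''
  for attempt in "cd $base/d" "ls $base/d" "cat $base/d/known_name" "touch $base/d/new"; do
    if ( $attempt ) >/dev/null 2>&1; then
      result="$result ${attempt%% *}=ok"
    else
      result="$result ${attempt%% *}=denied"
    fi
  done
  chmod 700 "$base/d"                    # restore so cleanup can remove the tree
  rm -rf "$base"
  printf '%s\n' "${result# }"
}

for mode in 000 100 400 300 500 700; do
  printf 'dir mode %s: %s\n' "$mode" "$(probe_dir "$mode")"
done
```

As an ordinary user, mode 100 (x only) gives cd=ok ls=denied cat=ok touch=denied: you can enter and read a file you can name, but not list or create. Mode 300 (wx) adds touch=ok, which answers the first interview question: creating needs w and x on the directory. Mode 400 (r only) lets ls print names but refuses cd and cat. Mode 000 denies everything.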
That concludes this brief summary of Linux permissions. Criticism and corrections are welcome!