All of the examples in this document are run as root; where an ordinary user's actions are shown, they are commented separately. In the markdown code blocks, the description of a command is given with `#` on the line before the command.
| Part | Description |
|------|-------------|
| 1 | File type. `-` indicates an ordinary file. The seven file types are introduced below. |
| 2 | Permissions of the owner user; `rwx` means read, write and execute respectively. |
| 3 | Permissions of the owner group. |
| 4 | Permissions of other users. |
| 5 | For a directory, the number of subdirectories (`.` and `..` included). For a file, the number of hard links; 1 represents the file itself. |
| 6 | Name of the owner user. |
| 7 | Name of the owner group. |
| 8 | For a file, the size of the file. For a directory, the fixed value of 4096 bytes occupied by the directory entry (the list of file names). To calculate the total size of a directory, use `du -sh`. |
| Type | Description |
|------|-------------|
| `-` | Ordinary file. Includes plain text files (ASCII), binary files (binary), data format files (data) and various compressed files. |
| `d` | Directory file. By default, every directory contains `.` and `..`. |
| `b` | Block device file. Includes all kinds of hard drives, USB drives and so on. |
| `c` | Character device file. Serial-port style interface devices such as the mouse and keyboard. |
| `s` | Socket file. A file used specifically for network communication. |
| `p` | Pipe file. A special file type whose main purpose is to avoid the errors caused by multiple programs accessing one file at the same time. FIFO is the abbreviation of first-in-first-out. |
| `l` | Soft link file, also called a symbolic link file, similar to a shortcut in Windows. A hard link file is also known as a physical link file. |
What is ACL?
ACL (Access Control List) exists to solve the problem that the three identities under Linux (owner user, owner group and other users) cannot meet every need of permission allocation.
For example, a teacher gives lessons to students and creates a directory under the root directory of the OS. Only the students of this class are allowed to upload and download; nobody else is. At this point the permissions of the directory are 770. One day a student from another school comes to listen to the teacher: how should permissions be assigned? If you put this student in the owner group, he gets the same permissions as the students of this class, rwx. If the student stays among the other users, he gets no permissions at all. Basic permission allocation cannot meet this requirement, so you need to use ACL.
There is a similar feature in the Windows operating system. For example, to assign a user permissions on a user-defined directory/file: right-click ---> Properties ---> Security ---> Edit ---> Add ---> Advanced ---> Find Now, select the corresponding user/group ---> assign the specific permissions ---> Apply, and it is done.
The same is true of GNU/Linux: add the specified user/group to the file/directory and grant the appropriate permissions to complete the ACL permission assignment.
How do I enable an ACL?
You need to find the device file of the filesystem on which the mount point is located and its partition number. For example, on my machine you could do something like this:
When you see the line "Default mount options: user_xattr acl", ACL is already enabled. If it is not enabled, you can enable it temporarily with `mount -o remount,acl /`. It can also be enabled permanently:
```
Shell> vim /etc/fstab
UUID=c8e6206d-2892-4c22-a10b-b87d2447a885 / ext4 defaults,acl 1 1
Shell> mount -o remount /
# or
Shell> reboot
```
To view an ACL, use the getfacl command: `getfacl FILE_NAME`
To set ACL permissions, use the setfacl command:
```
Shell> setfacl <option> <FILE_NAME>
```
| Option | Description |
|--------|-------------|
| -m | modify the current ACL(s) of file(s) |
| -x | remove entries from the ACL(s) of file(s) |
| -b | remove all extended ACL entries |
| -d | operations apply to the default ACL |
| -k | remove the default ACL |
| -R | recurse into subdirectories |
Let us use the teacher's example from the beginning of the article to illustrate the use of ACL.
```
# The teacher is the root user
Shell> groupadd class1
Shell> mkdir /project
Shell> chown root:class1 /project
Shell> chmod 770 /project
Shell> ls -ld /project/
drwxrwx--- 2 root class1 4096 Jan 12 12:58 /project/
# Put the students of the class into the class1 group
Shell> useradd frank
Shell> passwd frank
Shell> useradd aron
Shell> passwd aron
Shell> gpasswd -a frank class1
Shell> gpasswd -a aron class1
# A student from another school came to listen to the teacher
Shell> useradd tom
Shell> passwd tom
# If it is a group, "u" here should be replaced by "g"
Shell> setfacl -m u:tom:rx /project
# A "+" sign now appears in the output
Shell> ls -ld /project/
drwxrwx---+ 2 root class1 4096 Jan 12 12:58 /project/
Shell> getfacl -p /project/
# file: /project/
# owner: root
# group: class1
user::rwx
user:tom:r-x
group::rwx
mask::rwx
other::---
```
When using the getfacl command, what does the "mask:: rwx" in the output message mean?
The mask specifies the maximum effective permissions. The permissions given to a user in an ACL entry are not the real permissions; the real permissions are obtained by taking the "logical AND" of the user's ACL permissions and the mask permissions.
**Info:** "Logical AND" means: if all inputs are true, the result is true; if any one of them is false, the result is false.

| Permissions set by user | Mask permissions | Result |
|-------------------------|------------------|--------|
| r | r | r |
| r | - | - |
| - | r | - |
| - | - | - |

**Info:** Because the default mask is rwx, the result for any user's ACL permissions is their own permissions.
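As an added example (not part of the original tutorial), the script below applies the mask rule above to getfacl output: it reads the ACL text on stdin, ANDs every mask-limited entry (named users, the owning group, named groups) with the mask, and appends the effective permission in the way getfacl itself marks such entries with `#effective:` (getfacl separates it with tabs; a single space is used here). The sample ACL is constructed from the /project example, with the mask tightened so the effect is visible.

```shell
#!/bin/sh
# and_perms PERMS MASK -> logical AND of two rwx strings, e.g. rwx r-x -> r-x
and_perms() {
    out=""
    for pos in 1 2 3; do
        pc=$(printf '%s' "$1" | cut -c "$pos")
        mc=$(printf '%s' "$2" | cut -c "$pos")
        if [ -n "$pc" ] && [ "$pc" = "$mc" ] && [ "$pc" != "-" ]; then
            out="$out$pc"
        else
            out="$out-"
        fi
    done
    printf '%s\n' "$out"
}
# effective_acl: reads getfacl output on stdin, echoes it back and appends
# " #effective:PERMS" to every entry the mask cuts down (named users, the
# owning group, named groups). user:: and other:: are never masked.
effective_acl() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\)$/\1/p')
    [ -n "$mask" ] || mask=rwx     # no mask entry: nothing is restricted
    printf '%s\n' "$acl" | while IFS= read -r line; do
        case $line in
            user:?*:*|group:*)
                perms=${line##*:}
                eff=$(and_perms "$perms" "$mask")
                if [ "$eff" = "$perms" ]; then
                    printf '%s\n' "$line"
                else
                    printf '%s #effective:%s\n' "$line" "$eff"
                fi ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}
# Constructed sample: the /project ACL from the text, but with the mask
# tightened to r-x so that the AND with the mask is visible.
SAMPLE_ACL='# file: project/
# owner: root
# group: class1
user::rwx
user:tom:rwx
group::rwx
mask::r-x
other::---'
printf '%s\n' "$SAMPLE_ACL" | effective_acl
```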
```
# Delete the ACL permissions of a user/group on the specified directory
Shell> setfacl -x u:USER_NAME FILE_NAME
Shell> setfacl -x g:GROUP_NAME FILE_NAME
# Remove all ACL permissions of the specified directory
Shell> setfacl -b FILE_NAME
```
What is the recursion of ACL permissions?
For ACL permissions, recursion means that when ACL permissions are set on a parent directory, all of its subdirectories and files receive the same ACL permissions.
**Info:** Recursion only applies to files/directories that already exist in the directory.
Look at the following example:
```
Shell> setfacl -m m:rwx /project
Shell> setfacl -m u:tom:rx /project
Shell> cd /project
Shell> touch file1 file2
# Because there is no recursion, the files here do not have ACL permissions.
Shell> ls -l
-rw-r--r-- 1 root root 0 Jan 12 14:35 file1
-rw-r--r-- 1 root root 0 Jan 12 14:35 file2
Shell> setfacl -m u:tom:rx -R /project
Shell> ls -l /project
-rw-r-xr--+ 1 root root 0 Jan 12 14:35 file1
-rw-r-xr--+ 1 root root 0 Jan 12 14:35 file2
```
Now there is a question: if I create a new file in this directory, does it have ACL permissions?
The answer is no, because the new file is created after the command `setfacl -m u:tom:rx -R /project` was executed, and recursion only affects what already exists.
Both the default ACL (-d) and recursion (-R) require the operating object of the command to be a directory! If the operating object is a file, an error message is printed.
- Only executable binaries can have SUID permission.
- The executor of the command must have x permission on the program.
- The executor of the command obtains the identity of the program file's owner while executing the program.
- The identity change is only valid during execution; once the binary program finishes, the executor's identity is restored to the original one.
Why does GNU/Linux need such strange permissions?
Take the most common passwd command as an example:
As you can see, other users only have r and x, but the owner's x has become s, which proves that the passwd command has SUID permission.
It is well known that an ordinary user (uid >= 1000) can change their own password. The real password is stored in the /etc/shadow file, but the permissions of the shadow file are 000, so an ordinary user has no permissions on it at all.
Since ordinary users can change their password, they must be writing it to the /etc/shadow file. When an ordinary user executes the passwd command, they temporarily become the owner of the file, root, and root is not restricted by the permissions on the shadow file. This is why the passwd command needs SUID permission.
As mentioned earlier, basic permissions can be represented by numbers, such as 755 or 644. SUID is represented by 4, so for executable binaries you can set permissions like this: 4755.
```
# Set SUID permission
Shell> chmod 4755 FILE_NAME
# or
Shell> chmod u+s FILE_NAME
# Remove SUID permission
Shell> chmod 755 FILE_NAME
# or
Shell> chmod u-s FILE_NAME
```
**Warning:** When the owner of an executable binary file/program does not have x, a capital S is shown instead of s, meaning that the file cannot make use of its SUID permission.
```
# Suppose this is an executable binary file
Shell> vim suid.sh
#!/bin/bash
cd /etc && ls
Shell> chmod 4644 suid.sh
```
**Warning:** Because SUID can temporarily turn an ordinary user into root, you need to be especially careful with files carrying this permission when maintaining a server. You can find files with SUID permission by using the following command:
- Only executable binaries can have SGID permission.
- The executor of the command must have x permission on the program.
- The executor of the command obtains the identity of the program file's owner group while executing the program.
- The identity change is only valid during execution; once the binary program finishes, the executor's identity is restored to the original one.
The locate command uses the mlocate.db database file to search for files quickly.
Because the locate command has SGID permission, when an ordinary user executes it, their owner group is switched to slocate, and slocate has r permission on the /var/lib/mlocate/mlocate.db file.
SGID is represented by the number 2, so the locate command has permission 2711.
```
# Set SGID permission
Shell> chmod 2711 FILE_NAME
# or
Shell> chmod g+s FILE_NAME
# Remove SGID permission
Shell> chmod 711 FILE_NAME
# or
Shell> chmod g-s FILE_NAME
```
**Warning:** When the owner group of an executable binary file/program does not have x, a capital S is shown to indicate that the file's SGID permission cannot take effect.
```
# Suppose this is an executable binary file
Shell> touch sgid
Shell> chmod 2741 sgid
Shell> ls -l sgid
-rwxr-S--x 1 root root 0 Jan 14 12:11 sgid
```
SGID can be used not only for executable binary files/programs but also for directories, although this is rarely done. The conditions are:
- Ordinary users must have rwx permissions on the directory.
- For files created by ordinary users in this directory, the default owner group is the owner group of the directory.
**Warning:** Because SGID can temporarily change the owner group of an ordinary user to root, you need to pay special attention to files with this permission when maintaining a server. You can find files with SGID permission by using the following command:
The Sticky Bit (SBIT) applies to directories:
- Ordinary users have w and x permissions on the directory.
- Without the Sticky Bit, ordinary users with w permission can delete every file in the directory, including files created by other users. Once the directory is given SBIT permission, only the root user can delete all files; even with w permission, ordinary users can only delete the files they created themselves (files created by other users cannot be deleted).
- SBIT is represented by the number 1.
Can the file or directory have 7755 permission?
No, because they are aimed at different objects. SUID is for executable binary files; SGID is for executable binaries and directories; SBIT is only for directories. That is, you need to set these special permissions according to the type of object.
The directory /tmp has SBIT permission. The following is an example:
```
# The permissions of the /tmp directory are 1777
Shell> ls -ld /tmp
drwxrwxrwt. 8 root root 4096 Jan 14 12:50 /tmp
Shell> su - tom
Shell(tom)> cd /tmp && touch tom_file1
Shell(tom)> exit
Shell> su - jack
Shell(jack)> cd /tmp && rm -rf tom_file1
rm: cannot remove 'tom_file1': Operation not permitted
Shell(jack)> exit
Shell> su - tom
# The file has been deleted
Shell(tom)> rm -rf /tmp/tom_file1
```
**Info:** The root user (uid=0) is not restricted by the SUID, SGID and SBIT permissions.
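As an added example (not from the tutorial), the two shell functions below decode the mode column of `ls -l` the way the SUID, SGID and SBIT sections above do by hand: `mode_to_octal` turns a mode string such as `-rwxr-S--x` into its four-digit number (2741), and `dead_special_bits` names the special bits that are set but cannot take effect because the matching x bit is missing (the capital S or T). Both ignore a trailing `+` (ACL) or `.` (SELinux label); the inputs are constructed from the modes shown on this page.

```shell
#!/bin/sh
# mode_to_octal MODE -> four-digit octal, e.g. -rwsr-xr-x -> 4755, drwxrwxrwt -> 1777
# Position 1 is the file type; the next nine are rwx for owner, group and other.
mode_to_octal() {
    rest=${1#?}                  # drop the file-type character
    special=0
    digits=""
    for weight in 4 2 1; do      # SUID, SGID and SBIT weights in the first digit
        value=0
        for bit in 4 2 1; do     # r, w, x slots of this triplet
            ch=$(printf '%s' "$rest" | cut -c1)
            rest=${rest#?}
            case $ch in
                r|w|x) value=$((value + bit)) ;;
                s|t)   value=$((value + 1)); special=$((special + weight)) ;;
                S|T)   special=$((special + weight)) ;;
            esac
        done
        digits="$digits$value"
    done
    printf '%s%s\n' "$special" "$digits"
}
# dead_special_bits MODE -> the special bits that are set but cannot take
# effect because the matching x bit is missing (ls shows S or T), e.g.
# -rw-r-S--x -> SGID. Prints an empty line when every special bit is usable.
dead_special_bits() {
    out=""
    case $1 in ???S*)       out="$out SUID" ;; esac
    case $1 in ??????S*)    out="$out SGID" ;; esac
    case $1 in ?????????T*) out="$out SBIT" ;; esac
    printf '%s\n' "${out# }"
}
# Constructed inputs taken from this section: passwd, the chmod 2741 file,
# /tmp, and the chmod 4644 script whose SUID bit is useless.
for mode in -rwsr-xr-x -rwxr-S--x drwxrwxrwt. -rwSr--r--; do
    printf '%-12s %s  %s\n' "$mode" "$(mode_to_octal "$mode")" "$(dead_special_bits "$mode")"
done
```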
- Through the root user, sudo assigns commands that can normally only be executed by the root user (uid=0) to ordinary users.
- The operating object of sudo is the system command.
We know that only the administrator root has permission to use the commands under /sbin/ and /usr/sbin/ in GNU/Linux. Generally speaking, a company has a team maintaining a set of servers, which may be in a single computer room in one location or in computer rooms in several geographical locations. The team leader has the permissions of the root user, while the other team members may only have the permissions of an ordinary user. Because the person in charge has a lot of work and no time for the daily maintenance of the servers, most of that work has to be done by the ordinary users. However, ordinary users face many restrictions on the commands they can use, and this is where sudo permissions come in.
To grant permissions to ordinary users, you must be the root user (uid=0).
You grant permissions to ordinary users with the visudo command; what you are actually changing is the /etc/sudoers file.
```
Shell> visudo
...
 88 Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
 89
 90 ## Next comes the main part: which users can run what software on
 91 ## which machines (the sudoers file can be shared between multiple
 92 ## systems).
 93 ## Syntax:
 94 ##
 95 ##      user    MACHINE=COMMANDS
 96 ##
 97 ## The COMMANDS section may have other options added to it.
 98 ##
 99 ## Allow root to run any commands anywhere
100 root    ALL=(ALL)       ALL
            ↓    ↓  ↓       ↓
            1    2  3       4
...
```
| Part | Description |
|------|-------------|
| 1 | User name or owner group name: which user/group is granted the permissions. For an owner group, prefix it with "%", such as %root. |
| 2 | Which machines are allowed to execute the commands. It can be a single IP address, a network segment, or ALL. |
| 3 | Which identities the user may switch to when running the command. |
| 4 | The authorized command, which must be written as an absolute path. |
For example:
```
Shell> visudo
...
101 tom    ALL=/sbin/shutdown -r now
...
# You can use the "-c" option to check /etc/sudoers for syntax errors.
Shell> visudo -c
Shell> su - tom
# View the available sudo commands.
Shell(tom)> sudo -l
# To use an available sudo command, the ordinary user adds sudo before the command.
Shell(tom)> sudo /sbin/shutdown -r now
```
If the authorized command is just /sbin/shutdown, authorized users can use any of the command's options.
**Warning:** Because sudo is an "ultra vires" operation that lets a user exceed their normal privileges, you need to be careful when editing the /etc/sudoers file!