Linux permissions understanding and learning

Foreword

Permissions are an indispensable part of everyday life: the access-control gate of a residential community, the VIP membership of a video platform, the yellow diamond of a certain social space, and so on. All of these are permissions, and they are an important way of distinguishing groups of users. Linux needs permissions as well, since such a large platform could not otherwise be managed in an orderly way. Permissions in Linux mainly apply to files, in the form of file permissions and directory permissions. Follow along to learn how they work.

[Figure: various kinds of permissions]

Main text

To understand permissions in Linux, you first need to know what a shell is.

Understanding the shell

The shell is the outer layer wrapped around the Linux kernel, which is why it is called a "shell". The command lines we type are normally handled by the shell, because the kernel cannot be accessed directly; the shell acts as the intermediary, as shown below:

[Figure: the shell as the layer around the kernel]

That is the technical, rational description of the shell, which is accurate but abstract. Now for an intuitive understanding of the shell.

Suppose Xiao Ming is the son of the village chief and likes Xiao Mei next door.
Xiao Mei is Xiao Ming's neighbour and grew up with him.
Xiao Wang is Xiao Ming's classmate and also his rival.
Wang Po is the village's well-known matchmaker, and many interns learn the trade from her.

[Figure: background of the story]

Scene 1: Xiao Ming asks Wang Po to find him a match. Wang Po sends intern A to do the job, Xiao Mei agrees, the command executes successfully, and everyone is happy.

Scene 2: Xiao Ming asks Wang Po to find him a match, but by now Xiao Mei is already with Xiao Wang. Wang Po knows the job cannot be done, so the command fails with the feedback Permission denied.

Scene 3: Xiao Ming likes Xiao Mei very much, but she already has a partner, so he asks his father, the village chief, for help. At the village chief's request, Wang Po has to send intern A to run the errand anyway.

Situation 1: Xiao Mei happens to have quarrelled with Xiao Wang and broken up, so she accepts Xiao Ming, and the command executes successfully.
Situation 2: Intern A is beaten up by someone else, so the command fails, but Wang Po herself is unaffected.
Situation 3: Under the effect of "super power", Xiao Wang and Xiao Mei are forced apart, but Xiao Mei is heartbroken and the whole village is wrecked. The command executes successfully, but the environment is damaged, which may have unexpected consequences.

In this story, Xiao Ming represents the user and his requests are the commands he types; the village chief is the superuser root; Xiao Mei is the operating system, the object the user operates on; Xiao Wang is a possible permission restriction; Wang Po is the shell, and her interns are child processes in Linux. The scenarios correspond to the following situations:

Sufficient permissions
Insufficient permissions
Unimpeded as the superuser (root)

Summary: in Linux, users interact with the operating system through the shell. The shell passes the command line on and returns the results, and it creates child processes to carry out the operations. In CentOS the command-line interpreter is bash, which is one kind of shell.

The role of the shell
Passes the command line on and returns the results
Protects the operating system
Creates a child process to execute each command
The various permission concepts arise from this shell-based interaction

Permissions
Permissions restrict people, because things themselves may naturally lack certain attributes; so the premise for a permission to exist is that someone performs an operation on something.

Conclusion: Permissions = People + Attributes of things

User classification
There are two kinds of users in Linux: the superuser (root), with very high authority, and ordinary users created by the superuser.

Superuser (root): the most fundamental user, essentially the direct administrator of the entire system, with high authority.
Ordinary users: every user other than the superuser. Ordinary users can perform most system operations, but when it comes to the core parts of the system they have no authority.

[Figure: user classification]

Note: the superuser is almost unrestricted in the system, so special care is required when operating as root.

User switching
Linux supports switching between different users, including, of course, switching to the superuser.

Syntax: su [options] [username]

Function: switch to the specified user
Description: without a user name, su switches to the superuser by default
su - root switches to the superuser and its home directory and displays recent login information

[Figure: switching users]

File Permissions
Everything in Linux is a file, and the settings attached to a file are what implement the division of permissions.

[Figure: overview of a file's detailed information]

File classification
There are many kinds of files in Linux. When we view a file's detailed information, the first character of the line indicates the file's type; for example, the - in the figure above indicates an ordinary file.
Some of the file types are as follows:

- ordinary file, such as a text file, an executable, an archive (compressed package), etc.
d directory
b block device, such as a disk
c character device, such as a keyboard or monitor
p pipe file
s network (socket) file
l link file
The ones we see most often are ordinary files and directories; the other types will come up later.

Note: in Linux the file type is determined by the first character of its detailed information and has nothing to do with the file suffix. For example, you can create a file called test and still write text into it.

Why file suffixes still matter

They are shown to the user, which matches people's habits; Windows judges the file type by the suffix
Some software running on Linux uses the suffix to determine the type, such as gcc

[Figure: file suffixes]

Permission settings
There are three permissions in Linux: read r, write w, execute x.

r Read permission: able to view the file's contents and related information
w Write permission: able to write to the file and change its contents
x Execute permission: able to enter a directory, run a compiled program, etc.
- Indicates no permission at this position
For example, for the a.out file in the figure above, the permissions read: read, write and execute; read, write and execute; read and no execute. The three groups of permissions correspond to different roles.

Within each of the three groups, if an operation is attempted without the corresponding permission, the result is Permission denied.

[Figure: Permission denied]

Role division
In addition to classifying users, Linux also classifies roles.

Owner: the creator of the file, who should have all permissions.
Group: the group the file belongs to. Generally the file's group is the same person as the owner, though of course it can be changed, and the group has its own permissions.
Other: everyone except the two roles above, which is roughly equivalent to a visitor, with relatively few permissions, generally only read r.

[Figure: role division]

Clearly, the three groups of permissions that appeared in the permission settings above correspond to these three roles.

There is no conflict between users and roles: there can be many ordinary users, and different users play different roles for different files.

Note: the superuser is not limited by these role permissions and has all permissions by default; in that sense root is God. When performing an operation for which your permissions are not enough, you can use the sudo command to elevate them, which is equivalent to a one-off authorization for that operation (sudo needs to be configured in advance).

Permission change
Ordinary users are almost unrestricted in their own home directory, after all it is their own home (by default Linux does not let other ordinary users into it), so a user can set permissions on specified files with the chmod command.

Syntax: chmod u/g/o/a +/- r/w/x [file]
Function: set permissions on the specified file
Explanation: u is the owner, g is the group, o is Other, a means all roles; + and - add or remove permissions, and several groups can be set at once separated by commas

[Figure: chmod]

Note: besides adding and removing permissions with + and -, permissions can also be set with octal numbers; for example, chmod 000 test.txt clears the permissions of every role on the test file.

In the figure below, 1 means the permission is granted and 0 means it is not.

[Figure: chmod with octal numbers]
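The file-type table, the three rwx groups and the two chmod forms described above, worked through on a scratch file. This is an added example, not code from the original post; it assumes a POSIX shell with ls, awk, cut, chmod and mktemp available, and the function names (mode_field, file_type, perm_string, can, rwx_to_octal, demo_chmod) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): read and change Linux file
# permissions from the shell and check what each role is allowed to do.
# Assumes a POSIX shell with ls, awk, cut, chmod and mktemp.

# First column of `ls -ld`, e.g. "-rw-rw-r--". Only the type character and the
# nine permission characters are kept (a trailing "." or "+" from SELinux or
# ACLs is dropped).
mode_field() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10) }'
}

# The first character gives the file type, following the table in the text.
file_type() {
    case "$(mode_field "$1" | cut -c1)" in
        -) echo "regular file" ;;
        d) echo "directory" ;;
        b) echo "block device" ;;
        c) echo "character device" ;;
        p) echo "pipe (FIFO)" ;;
        s) echo "socket" ;;
        l) echo "symbolic link" ;;
        *) echo "unknown" ;;
    esac
}

# The remaining nine characters are three rwx groups: owner, group, other.
perm_string() {
    mode_field "$1" | cut -c2-10
}

# can ROLE PERM FILE: ROLE is u, g or o; PERM is r, w or x.
# Prints "yes" if that role has that bit set on FILE, otherwise "no".
can() {
    role=$1; perm=$2; file=$3
    case "$role" in
        u) off=1 ;; g) off=4 ;; o) off=7 ;;
        *) echo "bad role: $role" >&2; return 2 ;;
    esac
    case "$perm" in
        r) i=0 ;; w) i=1 ;; x) i=2 ;;
        *) echo "bad permission: $perm" >&2; return 2 ;;
    esac
    pos=$((off + i))
    ch=$(perm_string "$file" | cut -c"$pos")
    if [ "$ch" = "$perm" ]; then echo yes; else echo no; fi
}

# Convert a nine-character rwx string to the octal form chmod accepts,
# e.g. "rw-r-----" -> 640 (r=4, w=2, x=1 per group).
rwx_to_octal() {
    echo "$1" | awk '{
        s = $1; out = ""
        for (g = 0; g < 3; g++) {
            v = 0
            if (substr(s, g*3+1, 1) == "r") v += 4
            if (substr(s, g*3+2, 1) == "w") v += 2
            c = substr(s, g*3+3, 1)
            if (c == "x" || c == "s" || c == "t") v += 1
            out = out v
        }
        print out
    }'
}

# Walk through the chmod forms from the text on a scratch file and report the
# mode after each step (constructed scenario, removed again afterwards).
demo_chmod() {
    tmp=$(mktemp -d) || return 1
    f="$tmp/test.txt"
    : > "$f"
    chmod 664 "$f"              # start from the usual default file permission
    m1=$(perm_string "$f")      # rw-rw-r--
    chmod u+x,g-w,o-r "$f"      # symbolic form, several roles joined by commas
    m2=$(perm_string "$f")      # rwxr-----
    chmod 000 "$f"              # octal form: clear every role's permissions
    m3=$(perm_string "$f")      # ---------
    rm -rf "$tmp"
    echo "$m1 $m2 $m3"
}

demo_chmod
```

The script prints the three modes on one line. rwx_to_octal treats s and t in an execute position as "execute set", since those letters only appear when the execute bit is also on; the uppercase S and T forms mean the special bit is set without execute.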

File viewing
There is a command that shows a file's type together with more detail, so we can be clearer about what kind of file it is.

Syntax: file [file]
Function: view file type information
Description: the command prints an English description of the corresponding type

[Figure: the file command]

Directory Permissions
Directories also have permissions, but they differ slightly from file permissions, because directories and files are different things.

Basic Permissions
The basic permissions of a directory are likewise read r, write w and execute x.

r Read permission: list the file names and file attributes in the directory
w Write permission: create new files in the directory
x Execute permission: enter the directory
- Indicates no permission at this position
Example:

[Figure: directory execute permission]

Default Permissions
Whether you create a file or a directory, the system assigns default permissions.

File

The default permission of a file is 664, which is rw-rw-r--
Because ordinary files generally do not need to be executed, no role is given execute permission, and to keep files safe Other is not given permission to change (write) them.
Directory

The default permission of a directory is 775, which is rwxrwxr-x
As mentioned above, a directory cannot be entered without execute permission, so here the system only withholds write permission from Other.
Permission mask
In fact, the initial permissions of a new file are fully open, that is 666, and those of a new directory are 777; these are called the starting permissions. To control file permissions better, the system removes some roles' permissions through the permission mask (umask), such as Other's write permission; what is left after the removal is the default permission.

In CentOS 7.6 the permission mask is 0002; it may differ on other platforms.

How default permissions are calculated

default permissions = starting permissions & (~umask)

[Figure: permission mask]

Directory default permissions are calculated the same way.

Note: you can view the current system's default mask with the umask command. The calculation is not simply starting permissions minus the mask: the mask must first be inverted bit by bit and then ANDed with the starting permissions above.
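The calculation in the note above, carried out in the shell both ways: the correct AND with the inverted mask, the naive subtraction it warns against, and a check against the permissions the shell actually assigns under a given umask. This is an added example, not code from the original post; it assumes a POSIX shell with umask, mktemp, ls and awk, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): default permissions from the
# starting permission and umask, compared with what the shell really creates.
# Assumes a POSIX shell with umask, mktemp, mkdir, ls and awk.

# default = start & ~umask. Both arguments are three-digit octal strings; the
# leading 0 makes the shell's arithmetic treat them as octal. The final & 0777
# keeps only the nine permission bits after the bitwise NOT.
default_perms() {
    start=$1; mask=$2
    printf '%03o\n' $(( 0$start & ~0$mask & 0777 ))
}

# The naive "start - umask" that the note warns against. It only happens to
# agree with default_perms when every bit of the mask is also set in start.
naive_subtract() {
    start=$1; mask=$2
    printf '%03o\n' $(( 0$start - 0$mask ))
}

# Set a umask in a subshell, create a file and a directory there, and report
# their nine-character permission strings (constructed scratch files, removed
# again afterwards).
observed_defaults() {
    mask=$1
    tmp=$(mktemp -d) || return 1
    (
        umask "$mask"          # affects only this subshell
        : > "$tmp/file"        # starting permission 666 for a file
        mkdir "$tmp/dir"       # starting permission 777 for a directory
    )
    f=$(ls -ld "$tmp/file" | awk '{ print substr($1, 2, 9) }')
    d=$(ls -ld "$tmp/dir"  | awk '{ print substr($1, 2, 9) }')
    rm -rf "$tmp"
    echo "$f $d"
}

echo "666 & ~002 = $(default_perms 666 002)"     # 664
echo "777 & ~002 = $(default_perms 777 002)"     # 775
echo "666 & ~001 = $(default_perms 666 001)"     # 666: nothing to remove
echo "666 - 001   = $(naive_subtract 666 001)"    # 665: subtraction goes wrong
echo "umask 002 gives: $(observed_defaults 002)"  # rw-rw-r-- rwxrwxr-x
```

The umask 001 case shows why subtraction is the wrong model: the mask asks to remove an execute bit that a new file never had, so 666 & ~001 leaves 666 untouched, while 666 - 001 borrows across the digit and produces 665 (rw-rw-r-x), a mode the system would never assign.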

Sticky bit
The sticky bit is a special case: it is a permission set for certain specific scenarios.

Background
A certain news company runs a "horse racing" system, in which group A and group B develop the same feature and the better result is chosen.

Suppose the sticky bit is not set. After Xiao Wang in group A finishes the feature design, Xiao Zhang in group B cannot view Xiao Wang's work (he has no read or write permission on it), yet he can delete Xiao Wang's work files outright. That is unreasonable.

[Figure: deletion in a shared directory without the sticky bit]

Hence the sticky bit. Simply put, a directory can be restricted so that the files in it may only be deleted by their owner and the superuser.

How to use it
It is very simple. After creating the shared directory, as the superuser add the sticky bit to it with chmod +t [directory]. Once the sticky bit is set, the execute permission of the shared directory's Other role is displayed as t.

[Figure: sticky bit set on the shared directory]

Here is what happens if you try to delete someone else's file in a shared directory with the sticky bit set:

[Figure: the forced deletion is refused]
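The chmod +t step above, run on a scratch shared directory so the t in the Other execute position can be read back. Deleting another user's file needs two accounts, so only the permission display is shown. This is an added example, not code from the original post; it assumes a POSIX shell with chmod, mkdir, mktemp, ls, awk and cut, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): set the sticky bit on a shared
# directory and read the result back from ls -ld.
# Assumes a POSIX shell with chmod, mkdir, mktemp, ls, awk and cut.

# Nine-character permission string of a path, e.g. "rwxrwxrwt".
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 2, 9) }'
}

# Create a world-writable shared directory, add the sticky bit, and report the
# mode before and after (constructed scratch directory, removed afterwards).
sticky_demo() {
    tmp=$(mktemp -d) || return 1
    shared="$tmp/shared"
    mkdir "$shared"
    chmod 777 "$shared"            # every role may create files in it
    before=$(mode_of "$shared")    # rwxrwxrwx
    chmod +t "$shared"             # equivalent to chmod 1777: the sticky bit
                                   # lives in a fourth, leading octal digit
    after=$(mode_of "$shared")     # rwxrwxrwt
    rm -rf "$tmp"
    echo "$before $after"
}

# The sticky bit shows in Other's execute position: "t" when Other also has
# execute, uppercase "T" when it does not.
is_sticky() {
    case "$(mode_of "$1" | cut -c9)" in
        t|T) echo yes ;;
        *)   echo no ;;
    esac
}

sticky_demo
```

With the bit set, a user who has write permission on the directory can still create files there, but unlink and rename of entries they do not own are refused, which is exactly the shared-directory case in the story.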

Summary
That covers permissions in Linux. We started from the shell, worked through how to change permissions and the division of roles, and finished with the protection the sticky bit provides. I believe that after reading this article you will have gained a good deal of knowledge.

By hmimcu