Comprehensive Analysis of Linux System Permissions

Author: Stubborn Stone_

https://blog.csdn.net/2302_78391795/article/details/148368911

Introduction

This article starts from the <span>essential concept of permissions</span> and gradually dissects core elements such as <span>user roles, file permission identifiers, and permission operation commands in the Linux system</span>. It not only deeply analyzes the underlying logic of basic commands like chmod and chown but also <span>reveals the special rules of directory permissions and the default permission generation mechanism</span>.

Whether you are a beginner encountering Linux for the first time or a system administrator looking to enhance your knowledge of permission management, this article will help you build a complete cognitive framework from theory to practice, ultimately mastering the core skills of accurately configuring permissions in complex scenarios.

1. Core Concepts of Linux Permissions

1.1 The Essence of Permissions: A Combination of Roles and Object Attributes

In the Linux system, the essence of permissions can be understood as “the permission for roles to operate on objects”. Here, “role” determines who can perform operations, while “object attributes” define the type and scope of operations. More colloquially:

  • Permissions = Role + Object Attributes
  • Person = Real Individual + Identity Role

This design allows the system to manage access control in a structured manner, ensuring that users of different identities can only perform operations they are permitted to.

1.2 Three Basic Roles in Linux

The Linux system divides access roles into three basic categories, which form the core framework of permission management:

  1. Owner: The creator of the file or directory, usually the user themselves
  2. Group: The user group associated with the file, used in team collaboration scenarios
  3. Other Users: All users in the system other than the owner and the group

When viewing file attributes using the <span>ls -l</span> command, the third and fourth fields represent the owner and group names, for example:

-rwxr-xr-- 1 user1 dev 1024 Jan 10 08:00 test.txt
          ↑    ↑
          Owner Group

2. User System and Identity Switching

2.1 Root Superuser and Regular Users

1. Root Superuser
  • Has the highest permissions in the system, almost unrestricted by any permissions
  • Can access and modify any files and configurations in the system
  • The command line prompt is <span>#</span>, which clearly distinguishes it from regular users
2. Regular Users
  • Permissions are strictly limited, can only access files in their own directory
  • Cannot modify critical system configurations and must use privilege escalation commands to perform privileged operations
  • The command line prompt is <span>$</span>

2.2 The su Command: The Core Tool for User Identity Switching

<span>su</span> (switch user) command is used to switch between different users, with the following usage and features:

  1. Basic Switching Syntax
 su 用户名  # Switch to the specified user, keeping the current working directory
 su - 用户名 # Switch to the specified user and reload the environment (equivalent to logging in)
  1. Switching to the root user
  su        # Switch to root, requires root password
  su -      # Fully switch to the root environment
  1. Switching from root to a regular user

  • No password required, simply execute <span>su 用户名</span> to switch
  • To exit the current user, use <span>exit</span> or <span>Ctrl+D</span>
  • Important Features

    • <span>su</span> does not change the working directory when switching, while <span>su -</span> switches to the target user’s home directory
    • When entering a password, no characters are displayed, which is a security design in Linux

    2.3 The sudo Command: A Precise Authorization Escalation Scheme

    1. Core Concept of sudo
    • Full name “superuser do”, allows regular users to execute commands with privileged identity
    • Authorization management is based on a whitelist mechanism (<span>/etc/sudoers</span><span>)</span>
    • Avoids direct use of the root account, enhancing system security
    2. Basic Usage
    sudo 命令    # Execute command with root privileges
    sudo -u 用户 命令 # Execute command as specified user
    
    3. Authentication Mechanism
    • When executing sudo for the first time, the current user password must be entered (to verify if they are in the sudoers whitelist)
    • Once verified, there is no need to enter the password again for the next 15 minutes
    • If the user is not in the whitelist, the root password must be entered to execute
    4. Whitelist Configuration
    # Edit the sudoers file as root (recommended to use visudo to avoid syntax errors)
    visudo
    

    Add authorization rules in the following format:

    用户名 主机名=(目标用户) 命令列表
    # Example: Allow user1 to execute all commands as root
    user1 ALL=(ALL) ALL
    

    3. Representation and Management of File Permissions

    3.1 File Attributes and Permission Identifiers

    When viewing files with the <span>ls -l</span> command, the first column of characters contains rich permission information:

    drwxr-xr-- 1 user1 dev 4096 Jun 1 10:00 documents
    ↑↑↑↑↑↑↑↑↑
    1 23456789
    
    • 1st Position: File Type Identifier

      • <span>-</span>: Regular file
      • <span>d</span>: Directory
      • <span>l</span>: Symbolic link
      • <span>c</span>: Character device (e.g., keyboard, display)
      • <span>b</span>: Block device (e.g., disk)
    • 2nd-10th Positions: Permission Bits, grouped in threes

      • 2-4th bits: Owner permissions
      • 5-7th bits: Group permissions
      • 8-10th bits: Other users’ permissions
    • Meaning of Permission Bits

      • <span>r</span> (read permission, 4): Allows reading file content or listing directory entries
      • <span>w</span> (write permission, 2): Allows modifying file content or creating/deleting files in a directory
      • <span>x</span> (execute permission, 1): Allows executing files or entering directories
      • <span>-</span>: No corresponding permission

    3.2 The chmod Command: A Universal Tool for Modifying Permissions

    1. Symbolic Mode for Modifying Permissions
    chmod [u/g/o/a][+/-/=][rwx] 文件名
    
    • <span>u</span>: Owner (user)
    • <span>g</span>: Group
    • <span>o</span>: Other users
    • <span>a</span>: All users
    • <span>+</span>: Add permission
    • <span>-</span>: Remove permission
    • <span>=</span>: Set exact permissions

    Examples:

    chmod u+x script.sh   # Add execute permission for the owner
    chmod g-w,o-r file.txt # Remove write permission for the group and read permission for other users
    chmod a=rwx directory # Set read, write, and execute permissions for all users
    
    2. Octal Mode for Modifying Permissions

    Convert rwx to binary, with each group of three corresponding to an octal number:

    • <span>rwx</span> = <span>111</span> = <span>7</span>
    • <span>rw-</span> = <span>110</span> = <span>6</span>
    • <span>r-x</span> = <span>101</span> = <span>5</span>
    • <span>r--</span> = <span>100</span> = <span>4</span>
    • <span>-wx</span> = <span>011</span> = <span>3</span>
    • <span>-w-</span> = <span>010</span> = <span>2</span>
    • <span>--x</span> = <span>001</span> = <span>1</span>
    • <span>---</span> = <span>000</span> = <span>0</span>

    Examples:

    chmod 755 script.sh   # Owner rwx, group r-x, other users r-x
    chmod 644 config.txt  # Owner rw-, group r--, other users r--
    chmod 700 private.sh  # Only owner has rwx permissions, other users have no permissions
    
    3. Preconditions for Modifying Permissions
    • Only the owner of the file or the root user can modify file permissions
    • The same rule applies to modifying directory permissions

    3.3 chown and chgrp: Managing Owners and Groups

    1. chown: Change File Owner
    chown 新拥有者 文件名        # Change only the owner
    chown 新拥有者:新所属组 文件名 # Change both owner and group
    chown -R 拥有者 目录名       # Recursively change the owner of the directory and all its contents
    
    2. chgrp: Change File Group
    chgrp 新所属组 文件名       # Change the group
    chgrp -R 所属组 目录名      # Recursively change the group of the directory and its contents
    
    3. Permission Requirements
    • Executing chown and chgrp requires root permissions
    • Regular users can use sudo to escalate privileges (must be in the sudoers whitelist)

    4. Special Meaning of Directory Permissions

    4.1 Actual Impact of Directory Permissions

    Directories, as a special type of file, have different meanings for their r/w/x permissions compared to regular files:

    1. Read Permission (r)

    • Allows users to read the list of files in the directory
    • For example: using the <span>ls</span> command to view directory contents
  • Write Permission (w)

    • Allows users to create new files or subdirectories in the directory
    • Allows users to delete or rename files in the directory (even if the files do not belong to that user)
  • Execute Permission (x)

    • Allows users to enter the directory (using the <span>cd</span> command)
    • Allows users to access files in the directory (such as reading or executing)

    4.2 Practical Scenarios of Permission Combinations

    Scenario 1: Allowing Only Viewing Directory Contents
    chmod 555 目录名  # r-x r-x r-x
    
    • Users can <span>ls</span> to view directory contents, but cannot <span>cd</span> into it or create/delete files
    Scenario 2: Allowing Team Collaboration Directory
    chmod 775 目录名  # rwx rwx r-x
    
    • Owner and group can read, write, and execute (create, modify, delete files)
    • Other users can view and enter the directory but cannot modify its contents
    Scenario 3: Strictly Private Directory
    chmod 700 目录名  # rwx --- ---
    
    • Only the owner has all permissions, other users cannot access

    5. Default Permissions and umask Mechanism

    5.1 Rules for Generating Default Permissions

    When creating new files or directories, the system calculates the final default permissions based on the “initial permissions” and “permission mask (umask)”:

    • Initial Permissions for Regular Files: <span>666</span> (rw-rw-rw-)
    • Initial Permissions for Directories: <span>777</span> (rwxrwxrwx)
    • Final Permissions = Initial Permissions & (~umask), i.e., initial permissions minus the permissions specified by umask

    5.2 Detailed Explanation of the umask Command

    1. View Current umask
    umask  # Output like 0002, where the first digit is a special permission flag, and the last three digits are the permission mask
    
    2. Set umask
    umask 0002  # Set permission mask (temporary, resets after reboot)
    
    3. Permission Calculation Examples
    • Scenario: umask=0002

      • Final permissions for regular files:<span>666 & ~0002 = 664</span> (rw-rw-r–)
      • Final permissions for directories:<span>777 & ~0002 = 775</span> (rwxrwxr-x)
    • Scenario: umask=022

      • Final permissions for regular files:<span>666 & ~022 = 644</span> (rw-r–r–)
      • Final permissions for directories:<span>777 & ~022 = 755</span> (rwxr-xr-x)

    5.3 Configuring and Persisting umask

    1. Temporary Modification (Effective for Current Session)
    umask 0002  # Modify the umask for the current shell
    
    2. Permanent Modification (For All Users)
    vim /etc/profile  # Add umask 0002 at the end of the file
    source /etc/profile  # Make the change take effect immediately
    
    3. Modifying for Specific Users
    vim ~/.bashrc  # Add umask settings in the user configuration file
    source ~/.bashrc  # Make the change take effect immediately
    

    6. Best Practices for Permission Management

    6.1 Security Principles

    1. Principle of Least Privilege: Assign users only the minimum permissions necessary to complete their tasks
    2. Avoid Direct Use of Root: Use sudo for precise authorization
    3. Regularly Review Permissions: Check for over-authorized users or files in the system

    6.2 Handling Common Scenarios

    1. Software Installation Permissions
    • Installing to system directories (e.g., <span>/usr/local</span>) requires sudo permissions
    • Note: These directories belong to the system scope, and the installed software should be available to all users
    2. Setting Up Team Collaboration Directories
    1. Create a Shared Group:<span>groupadd devteam</span>
    2. Add Team Members to the Group:<span>usermod -aG devteam user1</span>
    3. Set the Directory Group:<span>chgrp devteam shared_dir</span>
    4. Configure Permissions:<span>chmod 775 shared_dir</span>
    3. Secure User Directories
    • User home directories should be set to <span>700</span> permissions (rwx— —)
    • Avoid allowing other users to access and modify personal files

    6.3 Troubleshooting Permission Issues

    1. Cannot Access File: Check if you are the file owner or belong to the file’s group
    2. Cannot Execute File: Ensure the file has x permission and the directory has x permission
    3. Cannot Delete File: Check if the directory containing the file has w permission
    4. sudo Permission Issues: Confirm if the user is in the <span>sudoers</span> whitelist, which can be checked using <span>visudo</span> to verify the configuration

    By deeply understanding the Linux permission system, system administrators can build secure and flexible access control mechanisms, while regular users can better understand their operational permission boundaries, thus using the Linux system more safely and efficiently.

    Recommended Reading Clicking the title will redirect

    1. Smart adult toys explode with a “surprise” bug, can be remotely controlled. The manufacturer delayed for 14 months and even threatened to sue! Netizens argue: Isn’t this just a feature?

    2. Files were “formatted” on the spot by Gemini, all gone! Netizens complain: Claude and Copilot also love to delete libraries, none can escape

    3. As a programmer, I carry a MacBook that can weigh, isn’t that reasonable?

    Leave a Comment