Technical Alley
Read time:
5 minutes
Remember to star our public account
In Linux systems, managing file and directory permissions is crucial for ensuring system security. Whether it is to limit the operational scope of ordinary users or to ensure that critical files are not accidentally deleted, permission configuration plays an important role. This article guides you through the management of Linux permissions, from basic permission representation to special permission applications, and then to ACL fine control. It is suitable for beginners in operations and maintenance to quickly get started, and can also help experienced users fill in gaps.
1. Permission Representation Methods
1. Viewing File and Directory Permissions
- File permission example:
[root@localhost ~]# ls -l /etc/fstab - rw- r-- r--. 1 root root 465 Jul 5 13:51 /etc/fstab Owner Group Others Owner Group
- Directory permission example (the first letter ‘d’ indicates a directory):
[root@localhost ~]# ls -ld /etc/drwxr-xr-x. 148 root root 8192 Jul 13 09:08 /etc/
2. General Permissions
- Permission symbols and values: r (read, 4), w (write, 2), x (execute, 1)
- For files:
- r: view content (cat/head/tail, etc.)
- w: modify content (vim, etc.)
- x: execute scripts
- For directories:
- To view directory files, both r and x permissions are required
- r: list directory contents (ls)
- w: add/delete/modify files in the directory (touch/rm/mv)
- x: change directory (cd)
2. Modifying File/Directory Permissions
1. Changing Owner and Group (chown)
# Format: chown username[.groupname] file[root@localhost ~]# chown zzj.caiwu /opt/test/1.txt # Change both owner and group[root@localhost ~]# chown martin /opt/test/2.txt # Change only owner
2. Changing Group (chgrp)
# Format: chgrp groupname file[root@localhost ~]# chgrp caiwu /opt/test/3.txt
3. Changing Permissions (chmod)
- Symbolic method:
<span>chmod {a/u/g/o}{+/-/=}{rwx} file</span> - a: all users; u: owner; g: group; o: others
[root@localhost ~]# chmod g+w /opt/test/1.txt # Add write permission for group[root@localhost ~]# chmod g-rw,o+x /opt/test/1.txt # Remove read/write for group, add execute for others
- Numeric method:
<span>chmod xxx file</span>(xxx is the sum of permission values)
[root@localhost ~]# chmod 600 /opt/test/2.txt # Owner read/write, others no permissions (6=4+2)
3. facl: File Access Control List
Advantages
Allows for fine-grained permissions to be set for individual users or groups.
1. Setting Permissions
- For a single user:
<span>setfacl -m u:username:permissions file</span>[root@localhost ~]# setfacl -m u:user4:r /opt/test/file03 - For a single group:
<span>setfacl -m g:groupname:permissions file</span>
2. Viewing Permissions
[root@localhost ~]# getfacl /opt/test/file03# file: opt/test/file03# owner: user1# group: user3user::rw-user:user4:r-- # Additional user permissionsgroup::rwxmask::rwxother::r-x
3. Revoking Permissions
# Revoke user permissions[root@localhost ~]# setfacl -x u:martin /opt/test/file04# Revoke group permissions[root@localhost ~]# setfacl -x g:groupname /opt/test/file04
4. Special File Permissions
1. Special Permission Values
suid (4), sgid (2), sticky bit (1)
2. suid (for commands/scripts)
- Function: Ordinary users temporarily gain owner permissions when executing commands
- Example (the passwd command is by default with suid):
[root@localhost ~]# ls -l /usr/bin/passwd -rwsr-xr-x. 1 root root 27856 Apr 1 2020 /usr/bin/passwd
- Add/Remove:
<span>chmod u+s command</span>/<span>chmod u-s command</span>
3. sgid (for directories)
- Function: New files in the directory automatically inherit the directory’s group
- Add/Remove:
<span>chmod g+s directory</span>/<span>chmod g-s directory</span>
[root@localhost ~]# chmod g+s /opt/linux/[root@localhost ~]# ls -ldh /opt/linux/drwxr-srwx. 2 root jishu 201 Jul 13 14:50 /opt/linux/
4. sticky bit (for directories)
- Function: Prevent ordinary users from deleting each other’s files
- Add/Remove:
<span>chmod o+t directory</span>/<span>chmod o-t directory</span>
[root@localhost ~]# chmod o+t /opt/work/[root@localhost ~]# ls -ldh /opt/work/drwxrwxr-t. 2 root IT 50 Jul 13 14:58 /opt/work/
5. umask: Permission Mask
Function
Determines the default permissions for newly created files/directories.
1. Viewing umask Value
[root@localhost ~]# umask
- Root default 0022: file permissions 666-022=644; directory 777-022=755
- Ordinary user default 0002: file 666-002=664; directory 777-002=775
6. Batch Modifying Permissions (-R option)
Recursively modify permissions for directories and their contents:
[root@localhost ~]# chown -R martin.caiwu /opt/test/ # Recursively change owner and group[root@localhost ~]# chmod -R 755 /opt/test/ # Recursively change permissions
