Detailed explanation of Linux permissions (chmod, 600, 644, 700, 711, 755, 777, 4755, 6755, 7755)

 


Introduction to Permissions

  • File permissions are enforced by the kernel: to perform an operation on a file, the calling process must hold the corresponding permission, otherwise the operation is refused.
  • The permission types of a file are read, write and execute, written r, w and x.
  • Permissions are held by three classes: the owning user, the owning group, and everyone else ("others"). Each file carries a separate rwx triplet for each class. A file has exactly one owner and one group; to give another user access through the group, add that user to the file's group (a user can belong to several groups at once). The "other" bits apply to every user on the system, so they are the ones to keep tight.

On Linux, the chmod command is usually used to set and change file permissions.

1. Quick Start

Change file permissions (chmod command)

Commonly used format

chmod [optional] <mode> <file...>

Parameter description:

[optional]

  -c, --changes            like verbose but report only when a change is made
  -f, --silent, --quiet    suppress most error messages (say nothing when a file's mode cannot be changed)
  -v, --verbose            output a diagnostic for every file processed (shows each permission change)
  --no-preserve-root       do not treat '/' specially (the default)
  --preserve-root          fail to operate recursively on '/'
  --reference=RFILE        use RFILE's mode instead of MODE values
  -R, --recursive          change files and directories recursively (applies the same change to everything below the named directories)
  --help                   display this help and exit
  --version                output version information and exit

<mode>

  The permission setting string, with the format

  [ugoa...][[+-=][rwxXst]...][,...]

  where

  [ugoa...]  u is the file's owner, g is the file's group, o is everyone else (neither the owner nor a member of the group), and a is all three. If no class is given, a is assumed, except that bits set in the umask are left alone.
  [+-=]      + adds the listed permissions to what is already set, - removes them, and = sets exactly the listed permissions for that class and clears the rest.
  [rwxXst]   r is read, w is write, x is execute (for a directory: permission to enter it). X grants execute only if the target is a directory or already has execute permission for some user, which makes chmod -R a+rX safe on a mixed tree: directories become searchable without data files becoming executable. s and t are the set-ID and sticky bits, covered in section 2.

<file...>

  One or more files or directories

Examples:

  • Make a.conf readable by all users
  1. chmod ugo+r a.conf
  2. or
  3. chmod a+r a.conf
  • Make c.sh readable, writable and executable by the owner only. Note that u+rwx alone only adds the owner's bits and leaves whatever group and other bits were already set; to make the file owner-only, set the owner's bits with = and clear the other two classes in the same command:
chmod u=rwx,go= c.sh
  • Set a.conf and b.xml so that the owner and the group can read and write, and others can only read
chmod a+r,ug+w,o-w a.conf b.xml
  • Make every file and subdirectory below the current directory readable and writable by anyone (the * glob skips dot-files; use chmod -R a+rw . to include them). Granting write to "others" recursively is rarely what you want on anything but scratch data.
chmod -R a+rw *
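The following is an added shell example, not code from the original article, that makes the effects described above visible: each function builds a throwaway file or tree with mktemp, applies one symbolic chmod, and reads the resulting mode back with GNU stat. It assumes Linux with GNU coreutils (stat -c, mktemp); the file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: make the effect of symbolic modes visible. Each function
# builds a throwaway file or tree with mktemp, applies one chmod, and prints
# the resulting octal mode via GNU stat -c %a. Assumes Linux/GNU coreutils.

# "+" only adds bits. Starting from 666, u+rwx leaves group and others at
# rw-, so the file is NOT owner-only afterwards.
mode_after_u_plus_rwx() {
  f=$(mktemp); chmod 666 "$f"
  chmod u+rwx "$f"
  stat -c %a "$f"; rm -f "$f"
}

# "=" sets exactly the listed bits, and "go=" clears group and others,
# which is what "only the owner can read, write and execute" requires.
mode_after_u_eq_rwx_go_clear() {
  f=$(mktemp); chmod 666 "$f"
  chmod u=rwx,go= "$f"
  stat -c %a "$f"; rm -f "$f"
}

# Capital X grants execute only to directories and to files that already
# have an execute bit. Starting from a 700 directory holding a 600 data
# file and a 700 script, "chmod -R go+rX" gives 755 644 755: the directory
# and the script become traversable/runnable by everyone, the data file
# only readable. A lowercase "go+rx" would have made the data file 655.
modes_after_recursive_X() {
  d=$(mktemp -d); chmod 700 "$d"
  : > "$d/data.txt"; chmod 600 "$d/data.txt"
  : > "$d/run.sh";   chmod 700 "$d/run.sh"
  chmod -R go+rX "$d"
  printf '%s %s %s\n' "$(stat -c %a "$d")" \
                      "$(stat -c %a "$d/data.txt")" \
                      "$(stat -c %a "$d/run.sh")"
  rm -rf "$d"
}

# Stand-alone run
echo "666 then u+rwx              -> $(mode_after_u_plus_rwx)"
echo "666 then u=rwx,go=          -> $(mode_after_u_eq_rwx_go_clear)"
echo "dir/data/script after go+rX -> $(modes_after_recursive_X)"
```

The third function is the one worth remembering: chmod -R with a lowercase x is how data files and configuration end up executable across a whole tree, while X does what people usually mean.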

Numeric (octal) mode format

In this form each permission is a number: read is 4, write is 2 and execute is 1 (the reason is explained in the detailed section below), so r=4, w=2, x=1. Any combination of the three is the sum of its parts, which is always a single octal digit from 0 to 7.

For example:

rwx = 4 + 2 + 1 = 7 (read, write and execute)

rw- = 4 + 2 = 6 (read and write, no execute)

r-x = 4 + 1 = 5 (read and execute, no write)

We saw above that every file carries a separate rwx triplet for the owner, the group and others. Each triplet can therefore be written as one octal digit, and the three digits together (owner, group, other, in that order) describe the whole mode. chmod accepts this directly:

chmod <abc> file...

where

  1. a, b and c are one octal digit each, giving the permissions of the owner (u), the group (g) and others (o) respectively.
  2. The form is equivalent to the symbolic
  3. chmod u=<perms>,g=<perms>,o=<perms> file...
  4. with each digit standing for the read, write and execute bits of that class.

example:

  • Everyone can read, write and execute
chmod 777 file (equivalent to chmod u=rwx,g=rwx,o=rwx file or chmod a=rwx file)
  • The owner can read and write; group and others get nothing
chmod 600 file (equivalent to chmod u=rw,g=,o= file or chmod u=rw,go-rwx file)

777 is almost never the right fix for a permission error: it lets every local user modify the file, so if the file is a script, configuration or library, anyone can change what its owner later runs.

Change file owner (chown command)

Linux/Unix is a multi-user, multitasking system, and every file has an owner. Changing a file's owner is done with chown. Only the system administrator (root) may do this: an ordinary user can neither give their own files to someone else nor take over another user's files. (A user may change the group of a file they own, but only to a group they are a member of.)

Syntax format:

chown [optional] user[:group] file...

  1. Requires: root
  2. Description:
  3. [optional]: the same options as chmod above (-R, -v, -c, --reference=RFILE and so on)
  4. user: the new owner
  5. group: the new group; if omitted, the group is left unchanged

example:

  • Make tom, in the users group, the owner of d.key and e.scrt
chown tom:users d.key e.scrt
  • Make James, in the users group, the owner of every file in the current directory and below (the * glob skips dot-files; use . to include them)
chown -R James:users *

2. Detailed explanation of Linux permissions

File permissions are strictly enforced on a Linux system: to perform an operation on a file, the process must hold the corresponding permission, otherwise the kernel refuses it. One practical consequence is that a file that has merely been written to disk is not runnable until someone sets its execute bit, which blocks some accidental execution. It is not a malware defence on its own, though: an interpreter will happily run a non-executable script (bash ./script.sh), a user who downloads something can set the bit themselves, and Windows enforces its own access-control lists on files as well.

File permissions in Linux have the following settings:

  • The permission types of a file are read, write and execute, written r, w and x.
  • Permissions are held by three classes: the owner, the group, and others. Each file carries a separate rwx triplet for each class.
  • A file has exactly one owner and one group. To give another user access through the group, add that user to the file's group; a user can belong to several groups at once.

There are two ways to write out all the permission bits of a file:

  • The ten-character form shown by ls -l: a file-type character followed by nine permission characters (three rwx triplets). The nine permission characters condense to three octal digits (for example 755).
  • The twelve-bit form: the same nine bits plus three "additional" bits (SUID, SGID and sticky) in front, which condenses to four octal digits (for example 4755). ls -l shows the additional bits by overloading the three x positions, as explained below under "Twelve-bit permissions".

Ten-character representation

Common permission representations are:

  1. -rw------- (600) Only the owner can read and write. Typical for private keys and credential files.
  2. -rw-r--r-- (644) The owner can read and write; group and others can only read.
  3. -rwx------ (700) Only the owner can read, write and execute (for a directory: enter and list it).
  4. -rwxr-xr-x (755) The owner can read, write and execute; group and others can read and execute.
  5. -rwx--x--x (711) The owner can read, write and execute; group and others can only execute. On a directory this lets other users pass through it, or open a file inside it by exact name, without being able to list its contents.
  6. -rw-rw-rw- (666) Everyone can read and write.
  7. -rwxrwxrwx (777) Everyone can read, write and execute.

The last nine characters: Linux permissions come in three triplets, one per class (owner, group, others), and each triplet has three positions for read, write and execute. In the character form, - means the permission is absent, r means read, w means write and x means execute. Positions 1-3 of the nine belong to the owner, 4-6 to the group and 7-9 to everyone else.

The meaning of each of the nine positions is fixed, so the presence or absence of each permission can be written as a binary 1 or 0. A triplet with only read, only write or only execute then becomes a three-digit binary number:

  1. r-- = 100
  2. -w- = 010
  3. --x = 001
  4. --- = 000

Converted to octal, that is r=4, w=2, x=1 and -=0, which is why 4 means read, 2 means write and 1 means execute when permissions are given numerically.

In fact, we can represent all permissions in binary form and further convert them into octal numbers:

  1. rwx = 111 = 7
  2. rw- = 110 = 6
  3. r-x = 101 = 5
  4. r-- = 100 = 4
  5. -wx = 011 = 3
  6. -w- = 010 = 2
  7. --x = 001 = 1
  8. --- = 000 = 0

It can be concluded from the above that all permissions of each group can be represented by an octal number, and each number represents a different permission (weight). For example, the highest permission is 7, which means readable, writable, and executable.

Therefore, if we express the permissions of each group as an octal number, the permissions of the file can be expressed as a three-digit octal number.

  1. -rw------- = 600
  2. -rw-rw-rw- = 666
  3. -rwxrwxrwx = 777

The first, leftmost character: the nine characters above describe permissions; the remaining first character gives the file type, one of:

  1. d  directory
  2. -  regular file
  3. s  socket
  4. p  named pipe (FIFO)
  5. l  symbolic link
  6. b  block device file
  7. c  character device file

Twelve-bit permissions (Linux additional permissions)

Additional permission concepts

Besides the ordinary read, write and execute bits, Linux has three further mode bits, usually called the additional or special permissions: the set-ID bits (SUID and SGID) and the sticky bit.

Set-ID permissions:

SUID and SGID exist so that an unprivileged user can complete a task that needs privileges, without being given those privileges permanently.

They are set on executable files. SUID applies the set-ID behaviour to the file's owner, SGID to the file's group.

When a file with SUID or SGID set is executed, the new process runs with the effective user ID or group ID of the file's owner or group, rather than that of the user who ran it.

  • SUID (set user ID): normally a process runs with the UID of the user who started it. If the executable's SUID bit is set, the process instead gets the file owner's UID as its effective UID.
  • SGID (set group ID): the same, but for the group. The process gets the file's group as its effective GID.

Three caveats matter in practice:

  • The Linux kernel ignores SUID/SGID on interpreted scripts (files that start with #!); the bits only take effect on binaries executed directly. Setting u+s on a shell script therefore does nothing useful.
  • On a filesystem mounted with nosuid the bits are ignored entirely, which is why /tmp and removable media are commonly mounted that way.
  • SGID on a directory means something different: files and subdirectories created inside it inherit the directory's group instead of the creator's primary group. This is what makes shared project directories work.

SUID and SGID are useful in many scenarios, but a set-ID program runs with another identity on behalf of whoever invokes it, so any bug in it (unchecked arguments, PATH lookup of a helper, a writable configuration file) becomes a privilege escalation. Avoid creating set-ID programs where possible, and periodically audit the ones present on a system (find / -perm -4000 -type f lists SUID files, -2000 lists SGID files). The passwd command is one of the few that genuinely needs SUID, since it must write /etc/shadow on behalf of an ordinary user.

Set-ID bit representation (ten-character form):

When SUID or SGID is set, it is shown in the execute position of the owner or group triplet, respectively. If the corresponding x bit is also set, the position shows a lowercase s; if the x bit is not set, it shows an uppercase S (an uppercase S usually indicates a mistake, since the bit has no effect on a file that class cannot execute). For example:

  1. -rwsr-xr-x   SUID set, and the owner has execute permission
  2. -rwSr--r--   SUID set, but the owner has no execute permission
  3. -rwxr-sr-x   SGID set, and the group has execute permission
  4. -rw-r-Sr--   SGID set, but the group has no execute permission

How to set:

The set-ID bits are set with chmod, using s in the same symbolic syntax as the ordinary permissions:

  1. chmod u+s filename   set the SUID bit
  2. chmod u-s filename   remove the SUID bit
  3. chmod g+s filename   set the SGID bit
  4. chmod g-s filename   remove the SGID bit

Two kernel behaviours are worth knowing: an unprivileged user can only set SGID on a file whose group they belong to (otherwise the bit is silently dropped), and SUID/SGID are cleared when a file is written to by a process without the CAP_FSETID capability, so rebuilding or editing a set-ID binary removes the bits.

Sticky bit permission:

The sticky bit is an additional permission set on directories. In a directory with the sticky bit set, a user who has write permission to the directory can still only delete or rename files they own themselves (the directory's owner and root are also allowed). Without the sticky bit, write permission on a directory allows deleting anyone's files in it, regardless of the files' own permissions. The classic example is /tmp, which is world-writable and sticky (mode 1777, shown as drwxrwxrwt). In ls output the x of the "other" triplet becomes t. With chmod, the +t and -t modes add and remove the sticky bit.

Sticky bit representation (ten-character form):

The sticky bit is shown in the execute position of the "other" triplet. If the other-execute bit is also set, it appears as lowercase t; if not, as uppercase T. For example:

  1. drwxrwxrwt   sticky bit set, and others have execute (search) permission: the usual shared-directory case, such as /tmp
  2. drwxrwxr-T   sticky bit set, but others have no execute permission
  3. -rwsr-xr-t   sticky bit (and SUID) set on a regular file, with other-execute set
  4. -rwSr--r-T   sticky bit set on a regular file, without other-execute

On Linux the sticky bit on a regular file has no effect (items 3 and 4 only show how it is displayed); it only matters on directories.

How to set:

The sticky bit is also set with chmod:

chmod +t <directory...>

or equivalently chmod o+t; in numeric form it is the leading 1 in a mode such as 1777.
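The set-ID section and the sticky-bit section above each end with a check a practitioner should run: where are the set-ID files, and which world-writable directories lack the sticky bit? The following added shell example (not from the original article) implements both audits plus a world-writable-file check, and runs them over a constructed sample tree built with mktemp. It assumes Linux with POSIX find; the file and directory names are invented for the demonstration.

```shell
#!/bin/sh
# Added example: audit a directory tree for the additional-permission cases
# discussed above. Assumes Linux with POSIX find and mktemp. The sample
# tree built by demo_tree is constructed here for illustration only.

# Regular files carrying SUID (4000) or SGID (2000). "-perm -4000" means
# "at least these bits", so a 4755 and a 4555 file both match.
find_setid_files() {
  ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) \
      | sed 's|^\./||' | sort )
}

# World-writable directories WITHOUT the sticky bit: any local user can
# delete or rename anyone else's files in them. Sticky directories such as
# /tmp (1777) are deliberately excluded from the report.
find_unsticky_world_writable_dirs() {
  ( cd "$1" && find . -type d -perm -0002 ! -perm -1000 \
      | sed 's|^\./||' | sort )
}

# World-writable regular files: anyone can change their contents, which is
# a code-execution problem if the owner later runs or sources them.
find_world_writable_files() {
  ( cd "$1" && find . -type f -perm -0002 | sed 's|^\./||' | sort )
}

# Build a constructed sample tree under mktemp and print its path.
# Symbolic u+s / g+s / +t modes are used, as in the sections above.
demo_tree() {
  d=$(mktemp -d)
  : > "$d/setuid_bin";   chmod 755 "$d/setuid_bin";  chmod u+s "$d/setuid_bin"
  : > "$d/setgid_bin";   chmod 755 "$d/setgid_bin";  chmod g+s "$d/setgid_bin"
  : > "$d/plain_bin";    chmod 755 "$d/plain_bin"
  : > "$d/open.txt";     chmod 666 "$d/open.txt"
  : > "$d/private.key";  chmod 600 "$d/private.key"
  mkdir "$d/shared_ok";  chmod 777 "$d/shared_ok";   chmod +t "$d/shared_ok"
  mkdir "$d/shared_bad"; chmod 777 "$d/shared_bad"
  printf '%s\n' "$d"
}

# Stand-alone run: audit the sample tree, then clean it up.
root=$(demo_tree)
echo "set-id files:";                   find_setid_files "$root"
echo "world-writable dirs, no sticky:"; find_unsticky_world_writable_dirs "$root"
echo "world-writable files:";           find_world_writable_files "$root"
rm -rf "$root"
```

On a real host, point the three functions at / and compare the set-ID list against the distribution's packaged baseline; a SUID binary that no package owns, or a world-writable non-sticky directory under a service account's home, is exactly what a local attacker looks for. Note that setgid_bin only shows up if the user running the script belongs to the file's group, since the kernel otherwise drops the SGID bit on chmod.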

Twelve-bit representation

Besides the ten-character form, the complete mode of a file, additional bits included, can be written out as twelve binary digits.

  1. 11 10 9 8 7 6 5 4 3 2 1 0
  2. S G T r w x r w x r w x

S, G and T stand for the SUID, SGID and sticky bits respectively. The twelve bits map as follows:

Bit 11 is SUID, bit 10 is SGID, bit 9 is the sticky bit, and bits 8 to 0 are the three rwx triplets described above (the last nine characters of the ls -l form).

Each of the twelve bits is 1 if the corresponding permission is set and 0 if it is not.

  1. The value of -rw-r-Sr-- is: 0 1 0 1 1 0 1 0 0 1 0 0
  2. The value of -rwsr-xr-x is: 1 0 0 1 1 1 1 0 1 1 0 1
  3. The value of -rwsr-sr-x is: 1 1 0 1 1 1 1 0 1 1 0 1
  4. The value of -rwsr-sr-t is: 1 1 1 1 1 1 1 0 1 1 0 1

Reading the first three bits (S, G, T) as a binary number gives the weights of the additional permissions:

  • SUID = 100 = 4
  • SGID = 010 = 2
  • sticky = 001 = 1

So the twelve bits, taken three at a time, become four octal digits:

  • the first digit is the sum of the SUID, SGID and sticky weights
  • the second is the owner's permissions
  • the third is the group's permissions
  • the last is the permissions of others

Additional permissions in octal form

As shown above, ordinary and additional permissions together fit in four octal digits. The numeric assignment works like the three-digit form:

chmod <abc> file...

but with a fourth, leading digit:

chmod <sabc> file...

Here s is the octal digit for the additional permissions and abc are the owner, group and other digits as before. Since SUID is 4, SGID is 2 and sticky is 1, "4755" sets SUID, "6755" sets SUID and SGID, and "7755" sets all three. When the leading digit is omitted it is taken as 0, so chmod 755 on a regular file also clears any SUID/SGID bit that was set before.

Converting the binary numbers from the previous subsection to octal, three bits at a time, gives:

  1. -rw-r-Sr-- = 0 1 0 1 1 0 1 0 0 1 0 0 = 2644
  2. -rwsr-xr-x = 1 0 0 1 1 1 1 0 1 1 0 1 = 4755
  3. -rwsr-sr-x = 1 1 0 1 1 1 1 0 1 1 0 1 = 6755
  4. -rwsr-sr-t = 1 1 1 1 1 1 1 0 1 1 0 1 = 7755
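The conversion in this table, and the three-digit case from the numeric mode section in part 1, is mechanical enough to script. The following added shell example (not from the original article) converts an ls -l permission string to a four-digit octal mode and back, handling s/S and t/T, and cross-checks the result against what GNU stat reports for a real file. It assumes POSIX sh with cut, plus GNU stat and mktemp for the round-trip check; the function names are made up here.

```shell
#!/bin/sh
# Added example: convert between the permission string printed by ls -l
# (with or without the leading file-type character) and the four-digit
# octal mode accepted by chmod, including s/S and t/T. Assumes POSIX sh
# plus cut; the round-trip check at the end additionally needs GNU stat.

# mode_to_octal -rwsr-xr-x  ->  4755   (always prints four digits)
mode_to_octal() {
  m=$1
  case ${#m} in
    10) m=${m#?} ;;                       # drop the type character
    9)  ;;
    *)  echo "bad mode string: $m" >&2; return 1 ;;
  esac
  special=0 perms='' pos=1
  # Walk owner, group, others. The loop value doubles as the weight of the
  # special bit that lives in that triplet's x slot: 4 SUID, 2 SGID, 1 sticky.
  for weight in 4 2 1; do
    r=$(printf '%s' "$m" | cut -c "$pos")
    w=$(printf '%s' "$m" | cut -c "$((pos + 1))")
    x=$(printf '%s' "$m" | cut -c "$((pos + 2))")
    v=0
    [ "$r" = r ] && v=$((v + 4))
    [ "$w" = w ] && v=$((v + 2))
    case $x in x|s|t) v=$((v + 1)) ;; esac            # lowercase: x bit set
    case $x in s|S|t|T) special=$((special + weight)) ;; esac
    perms="$perms$v"
    pos=$((pos + 3))
  done
  printf '%d%s\n' "$special" "$perms"
}

# octal_to_mode 4755  ->  rwsr-xr-x   (three-digit input means no special bits)
octal_to_mode() {
  o=$1
  case ${#o} in
    3) o=0$o ;;
    4) ;;
    *) echo "bad octal mode: $o" >&2; return 1 ;;
  esac
  sp=$(printf '%s' "$o" | cut -c 1)
  out='' pos=2
  for weight in 4 2 1; do
    d=$(printf '%s' "$o" | cut -c "$pos")
    r=-; w=-; x=-
    [ $((d & 4)) -ne 0 ] && r=r
    [ $((d & 2)) -ne 0 ] && w=w
    [ $((d & 1)) -ne 0 ] && x=x
    if [ $((sp & weight)) -ne 0 ]; then
      # Special bit in this slot: s/t when x is also set, S/T when it is not.
      if [ "$weight" -eq 1 ]; then lower=t upper=T; else lower=s upper=S; fi
      if [ "$x" = x ]; then x=$lower; else x=$upper; fi
    fi
    out="$out$r$w$x"
    pos=$((pos + 1))
  done
  printf '%s\n' "$out"
}

# Cross-check against the kernel's own view: apply a mode with chmod, then
# compare both conversions with what GNU stat reports (%A string, %a octal).
roundtrip_matches_stat() {
  f=$(mktemp)
  chmod "$1" "$f"
  shown=$(stat -c %A "$f")                    # e.g. -rwsr-xr-x
  octal=$(printf '%04d' "$(stat -c %a "$f")") # e.g. 4755, or 644 -> 0644
  rm -f "$f"
  [ "$(mode_to_octal "$shown")" = "$octal" ] &&
    [ "$(octal_to_mode "$octal")" = "${shown#?}" ]
}

# Stand-alone run over the four examples from the table above
for s in -rw-r-Sr-- -rwsr-xr-x -rwsr-sr-x -rwsr-sr-t; do
  o=$(mode_to_octal "$s")
  printf '%s = %s = %s\n' "$s" "$o" "$(octal_to_mode "$o")"
done
```

The round-trip function is the useful part when auditing: feed it the modes you expect on sensitive files and it will fail if the on-disk mode (as the kernel reports it) does not match, which catches a SUID bit that chmod 755 silently cleared, or one that a build step silently added.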

Comparative example:

  • Give netlogin read, write and execute permission for the owner, and read and execute for the group and others
  1. chmod 755 netlogin
  • The same, plus SUID
chmod 4755 netlogin

Compared with chmod 755, chmod 4755 adds the leading 4 for SUID. Its effect is that whoever executes netlogin gets a process whose effective UID is that of the file's owner, with everything that owner may do.

Why set 4755 instead of 755?
Suppose netlogin is a network login program owned by root. For other users to run it at all, root runs chmod 755 netlogin. If netlogin then needs to read or write files that only root can access, it fails for ordinary users with a permission error. chmod 4755 netlogin makes it run with root's effective UID for every caller, so the access succeeds.

The cost is that netlogin is now a local privilege-escalation target: any flaw in it (an injectable argument, a PATH lookup of a helper program, a configuration file a user can write) hands the caller root. Before creating a SUID-root binary, check whether a narrower privilege would do (Linux capabilities(7), such as CAP_NET_RAW for ping, often replace SUID), keep the privileged code path as small as possible, and remember that SUID is ignored on scripts and on nosuid mounts, so it cannot be used to "fix" a shell script.
