Technology Sharing

In-depth analysis of Linux permissions - exploring the principles

2024-07-12


Preface: This section covers Linux permissions. You cannot feel permissions while using the root account, so we need to work from a normal account while studying this section and running the experiments. By studying Linux permissions we can understand why we sometimes get "permission denied" when operating on a file, and learn the difference between the permissions of files under the root directory and those of files in an ordinary user's home directory.

ps: This section is suitable for friends who are learning Linux and already know some Linux commands.

User Classification

//First, let's take a look at the classification of users under Linux:

  • root: the superuser, the administrator
  • general user: the users we created ourselves (ordinary users created with adduser)

The fundamental difference between these two users is that the root user is not restricted by permissions, while ordinary users are restricted by permissions.

//su

Ordinary users can switch to root users, and root users can also switch to ordinary users.

Switch from a normal user to a root user:

The first is su plus the root password. This switches to the root user; the current working directory does not change after the switch.

The second method is su - plus the root password. It also switches to the root user, but after the switch the working directory becomes root's home directory.

In both cases above, you can use Ctrl + D to switch back.

Switching from the root user to an ordinary user: no password is required; you can switch directly.

Switch to a normal user

There are generally two ways for an ordinary user to switch to another ordinary user:

The first method: if you have the other user's password, you can use su + user and enter that user's password to switch identities.

The second method is to switch to the root user first (see above for how), and then switch directly to the specified user from the root identity.

Note that the switched identity can be switched back with Ctrl + D.

Command privilege escalation: when we execute a command, we do not need to switch to the root user; we can elevate the privileges of just that one command. For this we use sudo + command and enter the current user's password. Friends may wonder why you enter your own password instead of the root password to elevate a command. That is because command privilege escalation is conditional: only a user who has been added to the system's whitelist (the sudoers configuration) can escalate a command. If the user is not in the whitelist, the escalation command does nothing for them.

What is permission?

In simple terms, a permission is whether you are allowed to do something. That is what a permission is.

A user's identity with respect to a file is one of: owner, group, or others.

Let's look at the following command lines:

Here, the first _mian_yang is the owner of the file, and the second _mian_yang is the group the file belongs to. That is, the owner of these files is _mian_yang, so _mian_yang has the owner identity; the group these files belong to is _mian_yang, so a user who belongs to the group _mian_yang has the group identity; and a user who is neither _mian_yang nor in the group _mian_yang has the others identity.

Suppose there is a principal named Zhang San, and Zhang San wants to enter his own principal's office. Can Zhang San enter because he is Zhang San, or because he is the principal? Obviously he can enter because he is the principal. Likewise for our files: can we access a file because we are a particular user, or because of our identity with respect to the file? The answer is identity. That is, permissions are checked against the identity, not the user.

The second question: we all know a mobile phone has many functions; we can watch videos, look up information, play games and so on. These can be regarded as the phone's properties. But when we are hungry we cannot eat the phone; being edible is a property a phone does not have. So no matter what, even with the highest authority, we cannot turn the phone into food. From this we learn the second point: permissions are also related to the properties of the thing itself.

//The relationship between identity and user

After discussing the three identities, let's combine this with the earlier user classification and think about the relationship between permissions and user classification.

First of all, an ordinary user may be the owner of a file, a member of the group the file belongs to, or someone else.

The root user likewise may be the owner of a file, a member of the group the file belongs to, or someone else.

So how is this reflected concretely? That is, how does Linux determine the identity of a user? Let's look at this picture again:

In the green and orange boxes, the green box is the owner and the orange box is the group. When any logged-in user accesses a file, the system first checks whether they are the owner of the file. If not, it checks whether they belong to the file's group. If not, they are treated as others.

//File permissions

Continue with this picture. The pink box holds the permissions of each identity: the green bar is the owner's permissions, the orange bar is the group's permissions, and the blue bar is the permissions of others. Each identity has three permission positions: rwx. These three form a group, and their positions are fixed: the first position is read, the second is write, and the third is execute. The positions never change order, and the meaning of each position is fixed. Each position is either set (the permission is granted) or not set.

Think about it here, why do we need the permission of the group to which we belong?

Suppose Zhang San and Li Si both interviewed at a company, became interns, and were assigned to Group A and Group B respectively. Now the company has both groups developing a piece of software at the same time. One day Zhang San writes some very powerful code, and Li Si wants to take a look, but Zhang San does not want Li Si to see it. Then the leader also wants to see Zhang San's code. If Zhang San simply opened up read permission on the code, Li Si could see it too. This is where the group comes into play: put the leader into the file's group, and then Zhang San can see the program, the leader can also see it, and nobody else can.

Modification of permissions

Only two people can modify a file's permissions: the owner and root.

Method: chmod u+rwx modifies the owner's permissions, adding permissions for the owner (r read permission, w write permission, x execute permission)

chmod u-rwx modifies the owner's permissions, removing the corresponding permissions from the owner

chmod g+rwx modifies the group's permissions, adding permissions for the group

chmod g-rwx modifies the group's permissions, removing permissions from the group

chmod o+rwx modifies the permissions of others, adding permissions for others

chmod o-rwx modifies the permissions of others, removing permissions from others

You can also change several identities at once: chmod u+rwx,g+rwx adds permissions for both the owner and the group, and subtracting permissions works the same way with -.

For example, to add permissions for all identities at once, you can use chmod a+rwx; subtracting permissions is the opposite (chmod a-rwx).

In addition to changing permissions, we can also change the owner and group of a file.

Change the file owner: chown user file hands the file over to another user, changing its owner.

Change the file's group: chgrp group file changes the group the file belongs to.

Both of the above commands require the consent of the target user. Generally there are two ways to get it: one is to escalate privileges (su), the other is to ask the person offline.

As for the permissions themselves, each position shown by ll is fixed, so we can use 1 to represent that a position has the permission and 0 to represent that it does not. Thus 111 or 110 can represent one identity's permissions; for example 111 means read, write and execute. 111 in binary is 7, so the three identities can be represented by three octal digits, such as 777.

So we can also modify permissions like this: chmod 777 file, which gives all identities all permissions.

Now, let's look at an example:

Now, for the user _mian_yang, his owner identity has read permission but no write permission, while his group identity has both read and write permission.

So at this time, can _mian_yang write to this file?

The answer is no, because when a user's identity is checked, only one identity is matched: the owner first, then the group, and finally others. _mian_yang matches as the owner, so the group's permissions are never consulted.
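The identity check just described, as an added example (not code from the original post): the function splits a three-digit octal mode as shown by ll, picks exactly one identity in the order owner, group, others, and returns only that identity's rwx triple. The user and group names are constructed for the demonstration.

```shell
#!/bin/sh
# Resolve which single identity a user has for a file, then return only
# that identity's rwx triple. MODE is the three-digit octal mode from ll,
# e.g. 460 = owner r--, group rw-, others ---.
# Usage: effective_perms MODE FILE_OWNER FILE_GROUP USER "GROUP1 GROUP2 ..."
effective_perms() {
    mode=$1; owner=$2; fgroup=$3; user=$4; ugroups=$5
    # Split the octal mode into the owner, group and others digits.
    u=$(( 0$mode / 64 )); g=$(( (0$mode / 8) % 8 )); o=$(( 0$mode % 8 ))
    # Owner is checked first, then group membership, then others.
    # Only the first match counts; later identities are never consulted.
    if [ "$user" = "$owner" ]; then
        bits=$u
    else
        case " $ugroups " in
            *" $fgroup "*) bits=$g ;;
            *) bits=$o ;;
        esac
    fi
    # Render the digit as an rwx string.
    r=-; w=-; x=-
    [ $(( bits & 4 )) -ne 0 ] && r=r
    [ $(( bits & 2 )) -ne 0 ] && w=w
    [ $(( bits & 1 )) -ne 0 ] && x=x
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# The situation from the text (constructed values): _mian_yang owns the
# file, the file's group is _mian_yang, and the mode is 460.
effective_perms 460 _mian_yang _mian_yang _mian_yang "_mian_yang"    # r--
effective_perms 460 _mian_yang _mian_yang lisi "_mian_yang staff"    # rw-
effective_perms 460 _mian_yang _mian_yang zhangsan "staff"           # ---
```

The owner ends up with less access than a plain group member, which is exactly why the text's answer is "no".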

umask

Why are the permissions like this when we create a file?

First we need to know that the permissions in the figure are the final permissions of the created file. There is actually a starting permission: the default starting permission for directories is 777, and for ordinary files it is 666. But why do the created permissions end up as 775 for directories and 664 for ordinary files?

This is because the system has a umask (permission mask) by default. The permission mask means that any permission bit that appears in the umask will not appear in the final permission. The calculation rule is not final permission = default permission - permission mask, but final permission = default permission & (~permission mask).

umask can also be changed: umask number sets the permission mask to that number.
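The umask rule carried through in the shell, as an added example that is not part of the original post: apply_umask computes default & ~mask on the octal strings you would type, and observe_umask cross-checks it by actually creating a file and a directory in a scratch directory under the given umask. It assumes mktemp -d and ls -l are available.

```shell
#!/bin/sh
# final permission = default permission & (~permission mask), printed as
# three octal digits. Both arguments are octal strings as typed after
# umask or chmod; the leading 0 makes the shell parse them as octal.
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Cross-check against the kernel: create a file and a directory in a
# scratch directory under the given umask and show their mode strings
# (first the directory, then the file, as ls sorts them).
observe_umask() {
    scratch=$(mktemp -d)
    ( cd "$scratch" && umask "$1" && touch f && mkdir d && ls -ld d f | cut -c1-10 )
    rm -rf "$scratch"
}

apply_umask 666 002     # 664: the write bit for others is masked off
apply_umask 777 002     # 775
apply_umask 666 022     # 644: common default for system accounts
apply_umask 777 077     # 700: nobody but the owner may enter
observe_umask 002       # drwxrwxr-x then -rw-rw-r--
```

Note that subtraction would give the wrong answer whenever the mask contains a bit the default lacks (666 - 111 is not 666 & ~111).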

The meaning of directory reading and writing

Directory read: whether we are allowed to list the files in the directory.

Directory write: whether we are allowed to create, delete and modify files in the directory.

Directory execute: whether we are allowed to enter the directory.

Sticky bit

In practice we may have this requirement: we want to share data, but if we create a directory under our home directory, other users cannot enter it. So the directory can only be created under the root directory, yet the default permission of the root directory is dr-xr-xr-x, meaning all three identities can only read and execute and cannot create directories there at will. Therefore the directory has to be created with the root account.

After creating this directory, we can give the others identity read, write and execute permission, otherwise it cannot be shared. However, if a user creates a file in it, because the directory has write permission, other people can delete that file at will. So, to protect such files, the sticky bit is added. The sticky bit ensures that a file created by a user can only be deleted by that user or by root.

Therefore the sticky bit is a permission set specifically on a directory, usually a shared directory. Everyone can add, delete, read and modify files in the directory, but a given file can only be deleted by its owner or by root, nobody else.
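Setting up the shared directory described above, as an added example that is not part of the original post: setup_shared_dir creates the directory with mode 1777 (sticky bit plus rwx for all three identities) and prints the mode string, where the sticky bit appears as t in the last position; sticky_set checks it afterwards. The demonstration uses a scratch directory so it runs as an ordinary user; in practice root would create it under /.

```shell
#!/bin/sh
# Create a shared directory: everyone may add files, but the sticky bit
# stops users deleting files owned by someone else.
setup_shared_dir() {
    mkdir -p "$1"
    # 1777 = sticky bit + rwx for owner, group and others.
    # chmod +t "$1" is the symbolic equivalent of the leading 1.
    chmod 1777 "$1"
    # Mode string from ls: the others' x is displayed as t when sticky is set.
    ls -ld "$1" | cut -c1-10
}

# Return success when the sticky bit is set on the given directory
# (test -k is supported by bash and dash).
sticky_set() {
    [ -k "$1" ]
}

# Demonstration in a scratch location (constructed path).
scratch=$(mktemp -d)
setup_shared_dir "$scratch/shared"     # drwxrwxrwt
sticky_set "$scratch/shared" && echo "sticky bit set"
rm -rf "$scratch"
```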

------------------

That’s all for this section.

Here are my notes: