Permissions under Linux are a common and useful mechanism, divided into file permissions and access control lists. File permissions are the read, write and execute permissions granted to a file's owner, its owning group, and all other users. Access control lists (ACLs) provide finer-grained permissions on top of the traditional file permissions: with an ACL you can grant specific permissions to an individual user or group.

File permissions

File read and write permissions

The file attribute field consists of 10 characters. The first character indicates the file type: a minus sign means a regular file and the letter d means a directory. The remaining nine characters are the permission bits of the file, in three groups of three, giving the read, write and execute permissions of the file's owner, of the owning group, and of other users respectively. For example:

vagrant@homestead:~/code$ ll -a
drwxrw-r--  1 vagrant vagrant 4096 Dec  8 09:09 blog/

This is a directory that is readable, writable and executable by its owner, vagrant; readable and writable by the members of the vagrant group; and readable only by other users. A diagram of the field makes this easier to see.

Changing read/write permissions

To change read/write permissions, use the chmod command. There are two notations: symbolic (letters) and numeric (octal digits).

  1. Symbolic mode
chmod userMark(+|-)permissionMark file

userMark specifies whose permissions are changed: the file owner, the owning group, or others. Its values are:

u: user (owner)
g: group
o: other users
a: all users

permissionMark is the permission to add (+) or remove (-). Its values are:

r: read
w: write
x: execute

For example:

chmod a+x main    # add execute permission on the main file for all users
chmod g+w blogs   # add write permission on the blogs file for the owning group
  2. Numeric mode
The numeric mode sets all permissions at once, which is simpler and more convenient than the symbolic mode. The first digit gives the owner's permissions, the second the group's, and the third those of other users. Each digit is the sum of 4 (read), 2 (write) and 1 (execute): for example 6 (4+2) means read and write, and 7 (4+2+1) means read, write and execute. It is essentially a binary-to-decimal conversion: if we want to set a file's permissions to rwx rw- r--, the corresponding bits are 111 110 100, and converting each group of three bits to decimal gives 764:

rwx rw- r--
111 110 100
 7   6   4

So the corresponding command is:

chmod 764 main    # set the permissions of main to rwxrw-r--
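The binary-to-decimal conversion above is mechanical, so here it is as a pair of POSIX sh functions that convert the symbolic string shown by ls -l into the octal digits chmod takes and back again, validating the input on the way. This is an added example, not code from the original post; the function names perm_to_octal and octal_to_perm are my own.

```shell
#!/bin/sh
# Added example: convert between the 9-character symbolic permission string
# (e.g. rwxrw-r--) and the 3-digit octal mode chmod accepts (e.g. 764).
# Pure POSIX sh, no external commands. Not part of the original post.

# perm_to_octal rwxrw-r--  ->  764
# Each group of three characters becomes one digit: r=4, w=2, x=1.
# The position is checked too, so "rrr" or "xwr" is rejected.
perm_to_octal() {
  s=$1
  [ ${#s} -eq 9 ] || return 1
  out=""; n=0; i=0
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}          # first character of the remaining string
    s=${s#?}                 # drop it
    case "$i$c" in
      0r) n=$((n + 4)) ;;
      1w) n=$((n + 2)) ;;
      2x) n=$((n + 1)) ;;
      0-|1-|2-) ;;
      *) return 1 ;;         # wrong letter for this position (setuid 's' etc. not handled here)
    esac
    i=$((i + 1))
    if [ $i -eq 3 ]; then out="$out$n"; n=0; i=0; fi
  done
  printf '%s\n' "$out"
}

# octal_to_perm 764  ->  rwxrw-r--
# Each digit is split back into its 4/2/1 bits.
octal_to_perm() {
  d=$1
  [ ${#d} -eq 3 ] || return 1
  out=""
  while [ -n "$d" ]; do
    c=${d%"${d#?}"}
    d=${d#?}
    case $c in [0-7]) ;; *) return 1 ;; esac
    [ $((c & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((c & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $((c & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
  done
  printf '%s\n' "$out"
}

# Stand-alone run: show both directions for the post's example.
# chmod "$(perm_to_octal rwxrw-r--)" main   is the same as   chmod 764 main
printf 'rwxrw-r-- -> %s\n' "$(perm_to_octal rwxrw-r--)"
printf '764       -> %s\n' "$(octal_to_perm 764)"
```

perm_to_octal deliberately rejects strings that are not exactly nine characters or that have a letter in the wrong column, so a typo such as rwxrw-r-q fails instead of silently producing a wrong mode.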

User and group operations

Some common user and group operations, for reference:

usermod -aG docker sunny   # add user sunny to the docker group, keeping its existing groups
usermod -G docker sunny    # make docker the only supplementary group of sunny, removing it from its previous ones
more /etc/group            # list all groups and their members
more /etc/passwd           # list all user accounts

Access Control List (ACL)

Most file systems support ACLs, and ext3 enables them by default. ACLs allow specific users or groups to be granted access to a file or directory.

Usage scenarios

Suppose we currently have a file like this:

[sunny@localhost ~]$ ls -l
-rw-rw---- 1 sunny admin 0 Jul 5 08:45 test.txt

The owner (user) of test.txt is sunny, who has read and write permissions; the users in the admin group have read and write permissions; other users have no permissions on the file at all.

Suppose we now want john to be able to read and write test.txt as well (assuming john is not a member of the admin group). Two options come to mind:

  • Give the other category read and write permission; since john falls into other, he gains read and write access
  • Add john to the admin group; john then falls into the group category and gains read and write access

The problem with the first approach is that every user gains read and write access to test.txt, which is clearly undesirable. The problem with the second approach is that john receives far more than he needs: he gets the admin group's permissions on every file that belongs to the admin group.

It seems there is no good solution. The root of the problem is that the other category in Linux file permissions is too broad, which makes it hard to restrict permissions to a single user. ACLs exist to solve exactly this problem.

Command usage

The syntax of the setfacl command (getfacl displays the ACL of a file or directory):

setfacl [-bkRd] [-m | -x acl_entry] target_file

The meanings of the parameters in this command are as follows:

-m   Modify: set the given ACL entry on the target file. Cannot be combined with -x.
-x   Remove the given ACL entry from the target file.
-b   Remove all ACL entries: both the access ACL of a file and the default ACL of a directory.
-k   Remove only the default ACL of a directory (the reverse of -d).
-d   Operate on the default ACL of a directory; new files and subdirectories created inside it inherit that ACL.
-R   Apply the change recursively to files and directories.
getfacl lists the ACL entries of files and directories.

The acl parameter format is as follows:

tag:name:permission
  1. tag can be one of the following:
u (user): an ACL entry for a user
g (group): an ACL entry for a group
o (other): the ACL entry for everyone not named by a user or group entry
m (mask): the mask entry; it must be present whenever ACL permissions are granted to anyone other than the file owner, otherwise the command fails
  2. name is a user name or a group name. If it is left empty, the entry applies to the owner or owning group of the file or directory. name may also be a user's UID or a group's GID.

  3. permission is the set of permissions the user or group has, written as a string of r, w and x.

Command examples

setfacl -m u:sunny:rwx ./wwwdir  

Grant user sunny rwx permission on the wwwdir directory in the current directory

setfacl -m g:sunny:rwx ./wwwdir  

Grant the sunny group rwx permission on the wwwdir directory in the current directory

setfacl -x g:sunny ./wwwdir

Remove the sunny group's ACL entry (and with it its rwx permission) on the wwwdir directory
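The mask entry mentioned in the tag list above is what bites people in practice: a named user such as john can hold rw- in the ACL and still only get r--, because every entry other than the owner's and other's is ANDed with the mask, and a plain chmod on the group bits rewrites that mask. The following POSIX sh script, added here and not part of the original post, parses getfacl-style output and computes the effective permission of each entry. The ACL text is a constructed sample for the test.txt scenario (john granted rw- with setfacl -m u:john:rw- test.txt, then the mask reduced to r-- by a later chmod g-w); the function names acl_field, and_perm, effective_perm and report are my own.

```shell
#!/bin/sh
# Added example (not from the original post): compute the effective permission
# of each ACL entry from getfacl-style output. Effective = entry AND mask for
# named users, named groups and the owning group; owner and other are not capped.

# Constructed sample, in the format getfacl prints (header lines start with '#').
ACL_SAMPLE='# file: test.txt
# owner: sunny
# group: admin
user::rw-
user:john:rw-
group::rw-
mask::r--
other::---'

# acl_field "$acl" KEY -> permission field of the matching entry, or status 1.
# KEY is the entry without its permission field: "user:" (owner), "user:john",
# "group:" (owning group), "group:admin", "mask:", "other:".
acl_field() {
  while IFS= read -r line; do
    case $line in
      "$2:"*) printf '%s\n' "${line##*:}"; return 0 ;;
    esac
  done <<EOF
$1
EOF
  return 1
}

# and_perm rw- r-- -> r--   (bitwise AND of two rwx strings, column by column)
and_perm() {
  a=$1; b=$2; out=""
  while [ -n "$a" ]; do
    ca=${a%"${a#?}"}; a=${a#?}
    cb=${b%"${b#?}"}; b=${b#?}
    if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then out="$out$ca"; else out="$out-"; fi
  done
  printf '%s\n' "$out"
}

# effective_perm "$acl" KEY -> the permission that actually applies to KEY.
effective_perm() {
  perm=$(acl_field "$1" "$2") || return 1
  case $2 in
    user:|other:) printf '%s\n' "$perm" ;;           # owner and other: never masked
    *) if mask=$(acl_field "$1" mask:); then
         and_perm "$perm" "$mask"                    # capped by the mask entry
       else
         printf '%s\n' "$perm"                       # minimal ACL without a mask: nothing to cap
       fi ;;
  esac
}

# report "$acl": one line per entry showing the stored and the effective permission.
report() {
  while IFS= read -r line; do
    case $line in '#'*) continue ;; esac
    key=${line%:*}                                   # "user:john:rw-" -> "user:john"
    printf '%-12s acl=%s  effective=%s\n' "$key" "${line##*:}" "$(effective_perm "$1" "$key")"
  done <<EOF
$1
EOF
}

report "$ACL_SAMPLE"
```

Run against the sample, report shows john with acl=rw- but effective=r--: the setfacl call did what was asked, yet the mask silently took the write bit away. getfacl itself flags such entries with an "#effective:" comment, and setfacl -m m::rw- test.txt (or re-running setfacl without a manual chmod in between) restores the mask.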

That's it; quite simple.

Feel free to follow my personal WeChat official account: Left Hand Code.