Home Backend Development PHP Tutorial Linux permission management issues

Linux permission management issues

Jun 23, 2017 pm 01:09 PM
php document Permissions

First of all, I recommend a video about Linux permissions: Basic permissions of Linux permission management. It is very well explained. After watching it, you will basically understand it.

1. File permissions and ownership

1. Files have three types of permissions. For convenience, you can use numbers instead, so You can use one number to identify the permissions of this file by adding and subtracting numbers. For example, 7=4+2+1 means that it has all three permissions: read, write and execute. 6=4+2 means that it has read and write permissions but not. Execution permissions, etc.

2, rbac permission management of Lenovo web application, etc. There is also user permission management under Linux. Users have user names and user groups. Generally, when creating a user At the same time, a group with the same name will be created to which the user belongs.

First log in with the root account and create a new directory and a file

#新建目录mkdir abc
#新建文件touch abc.txt
#查看ls -all
Copy after login

When you check it, you will find:

#d开头的为目录,-开头为文件,还有l开头的为软链接等
Copy after login

Look first In the blue part above, the first digit is the identifier. Remove the first digit and separate every three digits thereafter. Take the abc folder as an example: d | rwx | r-x | r-x

##So the abc folder means that owner owns rwx (7), group owns rx (5), and other owns rx (5).

Similarly, the red part in the file above is the name of the owner and the name of the group to which it belongs. That is, the owner of the abc folder is root and the group to which it belongs is root. At this time:

a. If the root user accesses the abc folder, it is equivalent to the owner and has 7 permissions.

b. If a new user name test user group is root. Accessing the abc folder is equivalent to group, with permissions of 5

c. If a new username test and the user group is test access the abc folder, it is equivalent to other, with permissions of 5

2. The role of each file permission

I originally wanted to test and explain, but it’s too troublesome, so let’s just tell you the results. You can create a new user yourself and then modify the permissions to test it yourself.

1. Directory

a. Enter the directory, i.e. cd command. The required permission is execution permission (x)

b. View the files in the directory, i.e. ls command, the required permission is read permission (r)

c. Create and delete folders/files in the directory, that is, mkdir/touch naming, the required permission is write permission (w)

By the way, the next directory only affects the next level, not the generation. For example, a directory abc/sub/. If abc does not have w permissions, but sub has w permissions, you can create files in sub. Of course, abc also needs If you have x permissions, otherwise you won't be able to enter, let alone create, but as long as you can enter (by switching root administrators), you will no longer be affected by abc, only sub.

Generally, our directories will be given 5 (rx) permissions, which are read and execute permissions. Only directories such as image uploading or caching that need to be created will be given 7 (rwx) permissions

2. File

a. To open the file, you can use the cat/vim command to open it. The required permission is read permission (r)

b. To modify the file, you can use the cat/vim command Open and save, the required permission is write permission (w)

c. File execution, you can directly execute ./abc.out, etc., the required permission is execution permission (x)

What needs to be explained here is that whether PHP is executed from the command line (similar to running php abc.php) or executed on the web side, it is called execution. It actually reads the file and parses it in the PHP kernel, so as long as you have read permission (r ). Similarly, for example, abc.sh, if you run ./abc.sh directly, you need execution permission (x), but running the sh abc.sh command requires read permission (r).

Generally, our files will be given 4(r) permissions, which is read permissions. Only logs, caches, etc. that need to write content to the file will be given 6(rx) permissions

The reason why the 755, 777, and 644 permissions are not mentioned above, but only a single permission, is because the permissions of your website directory cannot be guaranteed to be related to the user used during execution, which means that the user during execution may be owner, it may be group or other

3. Permissions when php is executed

We connect to linux through ssh ourselves You must have a username to log in. Similarly, if PHP wants to process PHP-related files, it is also operated under a certain user. Where is the user created or defined? It is usually created when installing the PHP environment. For example, apache, nginx and other environments will create users and user groups by default, and this user is used to read php. You can confirm by viewing the configuration file:

#apache在配置文件httpd.conf
User www
Group www
#nginx在配置文件nginx.conf
user www www;
Copy after login
Or view the process through the command:

#查看apache进程ps -ef|grep httpd
#查看nginx进程ps -ef|grep nginx
#查看php-pfm进行ps -ef|grep php-pfm
Copy after login
Taking apache as an example, it will display:

root      1663     1  0 09:14 ?        00:00:00 /www/wdlinux/apache/bin/httpd//主进程www       1697  1663  0 09:14 ?        00:00:05 /www/wdlinux/apache/bin/httpd//子进程www       1698  1663  0 09:14 ?        00:00:05 /www/wdlinux/apache/bin/httpd
Copy after login

第一列就是显示的哪个用户在执行它,主要看非root下的。上方说明是www用户在运行apache进程来处理php文件。一般来说apache/nginx会以root来启动主线程,然后fork出子线程来处理具体的业务,而子进程在创建时会根据配置文件中的用户名和用户组通过setuid和setgid命令来设置有效用户名和有效用户组。需要注意的是“有效”这两个字,例如,某个用户名为test,其所属组test,而apache中配置文件中设置的用户名为test,但是用户组设置为abc,这时就可能很疑惑了,那组到底是按照用户名所属的组还是配置文件中设置的组呢?答案是设置的,因为通过setgid变更了,具体谷歌百度搜索“有效用户”、“实际用户”、“setuid函数”等关键字。

这里需要注意的是,如果有安装php-pfm,则应该还需要查看php-pfm执行时的用户名及用户组。(没有安装,所以没实践过)

默认的可能是nobody或者apache等其它的用户及用户组,上方是已修改过的。此时应该在网站目录中用ls-all来确认下网站文件是属于哪个用户,分几种情况说明下吧:

a、例如网站所有者是这样:

drwxr-xr-x   2 www www 4096 Jun  6 10:23 system
drwxr-xr-x   2 www www 4096 Jun  6 10:23 tmp-rw-r--r--   1 www www    0 Jun  6 10:23 index.php
...
Copy after login

网站所有者为www,而php执行者也为www,那说明是具有owner权限,上方system文件夹中755中的55根本不起作用,只要是7xx就会以7(rwx)的权限来执行。

b、如果网站所有者是这样:

drwxr-xr-x   2 test www 4096 Jun  6 10:23 system
drwxr-xr-x   2 test www 4096 Jun  6 10:23 tmp
-rw-r--r--   1 test www    0 Jun  6 10:23 index.php
...
Copy after login

网站所有者为test,所属组为www,而php执行者为www,执行组为www,那说明是说在同一组中,具有group权限,上方system文件夹中755中的7和5不起作用,只要是x5x就会以5(rx)的权限来执行。

c、如果网站所有者是这样:

drwxr-xr-x   2 test test 4096 Jun  6 10:23 system
drwxr-xr-x   2 test test 4096 Jun  6 10:23 tmp
-rw-r--r--   1 test test    0 Jun  6 10:23 index.php
...
Copy after login

网站所有者为test,所属组为test,而php执行者为www,执行组为www,那说明是说根本没什么关系,具有other权限,上方system文件夹中755中的75不起作用,只要是xx5就会以5(rx)的权限来执行。

所以不能简单的说修改权限为755,644什么的,还需要确认程序的执行者和网站的所有者才能确定权限。

目前好多集成环境为了省事(嗯,lanmpv3等),将php的执行权限和网站所在目录都设置为www,此时一般创建完目录后为755,创建文件后为644,当php执行时,起作用的目录权限为7(所有目录拥有创建删除权限)和文件权限6(所有文件具有写权限),这种是不是挺不安全的?正常应该是目录为5,文件为4,当有特殊需求时才将权限设为7。如果出现上方说的这种情况,修改的方法一是修改apache/nginx的用户和用户组,二是修改网站文件的所有者和所有组这两个方向来修改,以确保网站的安全。

以上,只是基础的权限说明。

The above is the detailed content of Linux permission management issues. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Tools

Notepad++7.3.1

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian Dec 24, 2024 pm 04:42 PM

PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati

How To Set Up Visual Studio Code (VS Code) for PHP Development How To Set Up Visual Studio Code (VS Code) for PHP Development Dec 20, 2024 am 11:31 AM

Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c

7 PHP Functions I Regret I Didn't Know Before 7 PHP Functions I Regret I Didn't Know Before Nov 13, 2024 am 09:42 AM

If you are an experienced PHP developer, you might have the feeling that you’ve been there and done that already.You have developed a significant number of applications, debugged millions of lines of code, and tweaked a bunch of scripts to achieve op

How do you parse and process HTML/XML in PHP? How do you parse and process HTML/XML in PHP? Feb 07, 2025 am 11:57 AM

This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an

Explain JSON Web Tokens (JWT) and their use case in PHP APIs. Explain JSON Web Tokens (JWT) and their use case in PHP APIs. Apr 05, 2025 am 12:04 AM

JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,

PHP Program to Count Vowels in a String PHP Program to Count Vowels in a String Feb 07, 2025 pm 12:12 PM

A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total

Explain late static binding in PHP (static::). Explain late static binding in PHP (static::). Apr 03, 2025 am 12:04 AM

Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.

What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases? What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases? Apr 03, 2025 am 12:03 AM

What are the magic methods of PHP? PHP's magic methods include: 1.\_\_construct, used to initialize objects; 2.\_\_destruct, used to clean up resources; 3.\_\_call, handle non-existent method calls; 4.\_\_get, implement dynamic attribute access; 5.\_\_set, implement dynamic attribute settings. These methods are automatically called in certain situations, improving code flexibility and efficiency.

See all articles