Linux permission management issues

First of all, I recommend a video about Linux permissions: Basic permissions of Linux permission management. It is very well explained. After watching it, you will basically understand it.

1. File permissions and ownership

1. Files have three types of permissions. For convenience, you can use numbers instead, so You can use one number to identify the permissions of this file by adding and subtracting numbers. For example, 7=4+2+1 means that it has all three permissions: read, write and execute. 6=4+2 means that it has read and write permissions but not. Execution permissions, etc.

2, rbac permission management of Lenovo web application, etc. There is also user permission management under Linux. Users have user names and user groups. Generally, when creating a user At the same time, a group with the same name will be created to which the user belongs.

First log in with the root account and create a new directory and a file

#新建目录mkdir abc
#新建文件touch abc.txt
#查看ls -all

When you check it, you will find:

#d开头的为目录，-开头为文件，还有l开头的为软链接等

Look first In the blue part above, the first digit is the identifier. Remove the first digit and separate every three digits thereafter. Take the abc folder as an example: d | rwx | r-x | r-x

##So the abc folder means that owner owns rwx (7), group owns rx (5), and other owns rx (5).

Similarly, the red part in the file above is the name of the owner and the name of the group to which it belongs. That is, the owner of the abc folder is root and the group to which it belongs is root. At this time:

a. If the root user accesses the abc folder, it is equivalent to the owner and has 7 permissions.

b. If a new user name test user group is root. Accessing the abc folder is equivalent to group, with permissions of 5

c. If a new username test and the user group is test access the abc folder, it is equivalent to other, with permissions of 5

2. The role of each file permission

I originally wanted to test and explain, but it’s too troublesome, so let’s just tell you the results. You can create a new user yourself and then modify the permissions to test it yourself.

1. Directory

a. Enter the directory, i.e. cd command. The required permission is execution permission (x)

b. View the files in the directory, i.e. ls command, the required permission is read permission (r)

c. Create and delete folders/files in the directory, that is, mkdir/touch naming, the required permission is write permission (w)

By the way, the next directory only affects the next level, not the generation. For example, a directory abc/sub/. If abc does not have w permissions, but sub has w permissions, you can create files in sub. Of course, abc also needs If you have x permissions, otherwise you won't be able to enter, let alone create, but as long as you can enter (by switching root administrators), you will no longer be affected by abc, only sub.

Generally, our directories will be given 5 (rx) permissions, which are read and execute permissions. Only directories such as image uploading or caching that need to be created will be given 7 (rwx) permissions

2. File

a. To open the file, you can use the cat/vim command to open it. The required permission is read permission (r)

b. To modify the file, you can use the cat/vim command Open and save, the required permission is write permission (w)

c. File execution, you can directly execute ./abc.out, etc., the required permission is execution permission (x)

What needs to be explained here is that whether PHP is executed from the command line (similar to running php abc.php) or executed on the web side, it is called execution. It actually reads the file and parses it in the PHP kernel, so as long as you have read permission (r ). Similarly, for example, abc.sh, if you run ./abc.sh directly, you need execution permission (x), but running the sh abc.sh command requires read permission (r).

Generally, our files will be given 4(r) permissions, which is read permissions. Only logs, caches, etc. that need to write content to the file will be given 6(rx) permissions

The reason why the 755, 777, and 644 permissions are not mentioned above, but only a single permission, is because the permissions of your website directory cannot be guaranteed to be related to the user used during execution, which means that the user during execution may be owner, it may be group or other

3. Permissions when php is executed

We connect to linux through ssh ourselves You must have a username to log in. Similarly, if PHP wants to process PHP-related files, it is also operated under a certain user. Where is the user created or defined? It is usually created when installing the PHP environment. For example, apache, nginx and other environments will create users and user groups by default, and this user is used to read php. You can confirm by viewing the configuration file:

#apache在配置文件httpd.conf
User www
Group www
#nginx在配置文件nginx.conf
user www www;

Or view the process through the command:

#查看apache进程ps -ef|grep httpd
#查看nginx进程ps -ef|grep nginx
#查看php-pfm进行ps -ef|grep php-pfm

Taking apache as an example, it will display:

root      1663     1  0 09:14 ?        00:00:00 /www/wdlinux/apache/bin/httpd//主进程www       1697  1663  0 09:14 ?        00:00:05 /www/wdlinux/apache/bin/httpd//子进程www       1698  1663  0 09:14 ?        00:00:05 /www/wdlinux/apache/bin/httpd

第一列就是显示的哪个用户在执行它，主要看非root下的。上方说明是www用户在运行apache进程来处理php文件。一般来说apache/nginx会以root来启动主线程，然后fork出子线程来处理具体的业务，而子进程在创建时会根据配置文件中的用户名和用户组通过setuid和setgid命令来设置有效用户名和有效用户组。需要注意的是“有效”这两个字，例如，某个用户名为test，其所属组test，而apache中配置文件中设置的用户名为test，但是用户组设置为abc，这时就可能很疑惑了，那组到底是按照用户名所属的组还是配置文件中设置的组呢？答案是设置的，因为通过setgid变更了，具体谷歌百度搜索“有效用户”、“实际用户”、“setuid函数”等关键字。

这里需要注意的是，如果有安装php-pfm，则应该还需要查看php-pfm执行时的用户名及用户组。（没有安装，所以没实践过）

默认的可能是nobody或者apache等其它的用户及用户组，上方是已修改过的。此时应该在网站目录中用ls-all来确认下网站文件是属于哪个用户，分几种情况说明下吧：

a、例如网站所有者是这样：

drwxr-xr-x   2 www www 4096 Jun  6 10:23 system
drwxr-xr-x   2 www www 4096 Jun  6 10:23 tmp-rw-r--r--   1 www www    0 Jun  6 10:23 index.php
...

网站所有者为www，而php执行者也为www，那说明是具有owner权限，上方system文件夹中755中的55根本不起作用，只要是7xx就会以7（rwx）的权限来执行。

b、如果网站所有者是这样：

drwxr-xr-x   2 test www 4096 Jun  6 10:23 system
drwxr-xr-x   2 test www 4096 Jun  6 10:23 tmp
-rw-r--r--   1 test www    0 Jun  6 10:23 index.php
...

网站所有者为test，所属组为www，而php执行者为www，执行组为www，那说明是说在同一组中，具有group权限，上方system文件夹中755中的7和5不起作用，只要是x5x就会以5（rx）的权限来执行。

c、如果网站所有者是这样：

drwxr-xr-x   2 test test 4096 Jun  6 10:23 system
drwxr-xr-x   2 test test 4096 Jun  6 10:23 tmp
-rw-r--r--   1 test test    0 Jun  6 10:23 index.php
...

网站所有者为test，所属组为test，而php执行者为www，执行组为www，那说明是说根本没什么关系，具有other权限，上方system文件夹中755中的75不起作用，只要是xx5就会以5（rx）的权限来执行。

所以不能简单的说修改权限为755，644什么的，还需要确认程序的执行者和网站的所有者才能确定权限。

目前好多集成环境为了省事（嗯，lanmpv3等），将php的执行权限和网站所在目录都设置为www，此时一般创建完目录后为755，创建文件后为644，当php执行时，起作用的目录权限为7（所有目录拥有创建删除权限）和文件权限6（所有文件具有写权限），这种是不是挺不安全的？正常应该是目录为5，文件为4，当有特殊需求时才将权限设为7。如果出现上方说的这种情况，修改的方法一是修改apache/nginx的用户和用户组，二是修改网站文件的所有者和所有组这两个方向来修改，以确保网站的安全。

以上，只是基础的权限说明。

The above is the detailed content of Linux permission management issues. For more information, please follow other related articles on the PHP Chinese website!