This article covers Linux file permissions, including how to change a file's permissions and ownership attributes. I hope it is helpful to everyone.
When using Linux, we all run into problems with users and groups sooner or later. The most common one is the error message that appears when you run a command under a certain path:
permission denied
Anyway, I most often see this error when using FTP to transfer files: after waiting a long time, the transfer percentage is still zero. Is the network that slow? Why isn't anything being transferred? Actually, neither: it is a permissions issue.
My usual fix is to grant 777 permissions directly, or simply to su to the administrator account......
You may not know what I'm talking about, and some experts may think my approach is too crude. In any case, if you run into this kind of problem, it means you don't have enough permissions. Why? To answer that, we first need to get to know users and groups in Linux.
Users and groups
In Linux, the identities that can hold permissions on a file fall into three categories: the file owner, the group, and others. The three concepts are explained in turn below.
File owner
Linux is a multi-user, multi-tasking system. Being multi-user raises the question of whether files created by one user are visible to other users. This is a visibility issue, and also a privacy issue. To respect everyone's privacy, Linux introduced the role of the file owner. If you have information and files that are highly private, you can set them to "visible only to me". That is the role of the file owner.
Group
The concept of a group is used in team development, and is most useful for setting permissions on projects. For example, suppose you work in an outsourcing department that serves a bank, several outsourcing departments serve that bank together, and all of them share one server; this raises the question of group permissions. If your outsourcing department develops a project that you don't want the other outsourcing departments to see, you set the project to be visible only to your group. However, the bank is in overall charge and has permission to view every outsourcing department's projects, so you also need to set permissions for the bank.
Others
Others are defined relative to the group: other people are those outside the group, and by default they have no permission to view the group's files.
In addition to these three concepts, there is one boss with the highest level of authority: root.
Linux file permissions
Having covered users and groups, let's talk about file permissions. How to set them is very important, because it is the key to solving the permission denied problem.
Permission attributes
First log in to the Linux system, use su - to switch to root, and then run ls -al; you will see the following
There are seven columns in total. What each of the seven columns contains is shown in the figure below.
You can use root directly while learning, because the chgrp, chown and other commands that follow require root, but it is strongly recommended not to work with root permissions in your day-to-day job.
Use exit to leave the root shell.
In the command above, ls stands for list, and the -al options list all entries in long format, with detailed permissions and attributes.
Permissions. The first column represents permissions, written as 10 characters in total. Let's take the permissions of home as an example and list the meaning of each character.
The first character represents the file type. There are many file types; most commonly [d] represents a directory, which you can enter with the cd command. You can see that almost everything in the picture is a directory.
[-] means a regular file, [l] a link file, [b] a block device file (a randomly accessible device), and [c] a character device file (a device read sequentially, such as a keyboard or mouse).
The next nine characters are divided into three groups of three, representing the permissions of the owner, the group and others respectively. Each group is a combination of the three rwx permissions: [r] means readable, [w] writable and [x] executable. Note that a permission that is not granted is shown as a - sign.
Links. This column shows how many file names link to this node (i-node). Every file records its permissions and attributes in the file system's i-node, but the directory tree we work with is recorded by file name, so each file name is associated with an i-node. This column therefore records how many file names link to the same i-node.
What is an i-node?
The way an i-node is described is much like the Socket we discussed earlier: a Socket is a four-tuple, sometimes extended with the protocol type into a five-tuple. If you are not sure what I am referring to, see my article 原来这才是 Socket! (So this is what a Socket really is!).
We know that the smallest storage unit on a disk is the sector. When the operating system reads from disk it does not read sector after sector, because that is too inefficient; instead it reads in units of blocks, each of which is made up of several sectors.
A file's data is stored in sectors, but we do not know which blocks hold the data we need. To store a file's metadata, such as its creator, creation date and size, developers came up with the i-node, or index node. In general, an i-node holds the following contents
We will say more about i-nodes later.
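As an added illustration of what the links column counts (example code written for this page, not from the original article), the functions below create a file in a scratch directory, give it a second name with ln, and read the link count and i-node number back from ls -l and ls -i. The names link_count, inode_of and inode_demo are my own.

```shell
#!/bin/sh
# Added example: the second column of `ls -l` counts the file names that point
# at one i-node. Everything happens in a temporary directory created with mktemp.

# link_count FILE -> the number in the second column of `ls -ld FILE`
link_count() {
    ls -ld "$1" | awk '{ print $2 }'
}

# inode_of FILE -> the i-node number that `ls -id FILE` prints before the name
inode_of() {
    ls -id "$1" | awk '{ print $1 }'
}

# inode_demo -> "<count after ln> <hard link i-node> <symlink i-node> <count after rm>"
# Expected: "2 same different 1"
inode_demo() {
    dir=$(mktemp -d) || return 1
    echo hello > "$dir/original"
    ln "$dir/original" "$dir/hardlink"        # a second name for the same i-node
    ln -s original "$dir/symlink"             # a symbolic link has its own i-node

    after_ln=$(link_count "$dir/original")    # one file, two names -> 2
    if [ "$(inode_of "$dir/original")" = "$(inode_of "$dir/hardlink")" ]; then
        hard=same
    else
        hard=different
    fi
    if [ "$(inode_of "$dir/original")" = "$(inode_of "$dir/symlink")" ]; then
        soft=same
    else
        soft=different
    fi

    rm "$dir/hardlink"                        # dropping one name only lowers the count
    after_rm=$(link_count "$dir/original")    # back to 1; the data is untouched
    rm -rf "$dir"
    echo "$after_ln $hard $soft $after_rm"
}

inode_demo
```

The hard link shares the i-node, so removing either name leaves the data in place and only lowers the count; the symbolic link is a separate i-node that merely stores a path, which is why its own count stays at 1.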
The third column shows the file's owner. As the figure shows, most files are owned by the root user.
The fourth column shows the file's group. On a Linux system, the account you log in with is added to one or more groups, and this column shows which group's permissions apply.
The fifth column shows the file size; the default unit is bytes.
The sixth column shows the date the file was created and most recently modified. As the figure shows, this date format may not be what we want; to display the full date, including year, month, day and time, use ls -l --full-time.
If you want the system's default locale to be English, you can edit the system configuration file /etc/locale.conf. First we can check which languages the system supports.
To change the default language, enter
vi /etc/profile
and at the end of the file add
export LANG="en_US.UTF-8"
to switch to English. If you want to use Chinese instead, add
export LANG="zh_CN.GB18030"
Then press Esc and type :wq to save. After saving, run
source /etc/profile
to apply the setting.
The seventh column is the file name. One special kind of file name denotes a hidden file: if the name starts with a ., the file is hidden.
The importance of permissions
Providing system protection: users without the required permission cannot operate on protected functions and data.
Supporting team development and data sharing: all members of a team, and the individuals who belong to it, can share a project.
If system permissions are not set properly, the result may be a data leak or other consequences that cannot be ignored, so everyone should take permission problems seriously. Next, let's talk about how to set system permissions.
Changing permissions and attributes
Now that we know how important file permissions are to the security of a system, let's talk about how to modify them. The commonly used commands for changing file permissions are
chgrp: change the group a file belongs to
chown: change a file's owner
chmod: change a file's permissions
chgrp
chgrp is short for change group. I think Linus took abbreviation to the extreme, which may be why abbreviations are so popular today. chgrp changes a file's group, but the group you change it to must exist in the /etc/group file; otherwise an error is shown.
chown
Just as chgrp changes a file's group, chown changes a file's owner. Again, the new owner must be an account that exists on the system, that is, a user name recorded in /etc/passwd. In addition, chown can also change the group directly.
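The two requirements just stated, that the group must appear in /etc/group and the user in /etc/passwd, can be checked before calling the commands. The following wrappers are an added example written for this page, not code from the article; user_exists, group_exists, safe_chgrp and safe_chown are my own names, and the USER:GROUP form they accept is chown's own syntax for changing owner and group together.

```shell
#!/bin/sh
# Added example: check that the target account exists in /etc/passwd (chown) or
# /etc/group (chgrp) before changing ownership, so a typo is reported clearly
# instead of as a failed chown/chgrp half-way through a script.

# user_exists NAME -> true if NAME is field 1 of some /etc/passwd line
user_exists() {
    cut -d: -f1 /etc/passwd | grep -qxF -- "$1"
}

# group_exists NAME -> true if NAME is field 1 of some /etc/group line
group_exists() {
    cut -d: -f1 /etc/group | grep -qxF -- "$1"
}

# safe_chgrp GROUP FILE -> chgrp only when GROUP is a known group
safe_chgrp() {
    group_exists "$1" || { echo "no such group in /etc/group: $1" >&2; return 1; }
    chgrp "$1" "$2"
}

# safe_chown USER[:GROUP] FILE -> chown only when USER (and GROUP, if given)
# exist; the USER:GROUP form is how chown changes the group at the same time
safe_chown() {
    user=${1%%:*}
    group=${1#*:}
    user_exists "$user" || { echo "no such user in /etc/passwd: $user" >&2; return 1; }
    if [ "$group" != "$1" ] && [ -n "$group" ]; then
        group_exists "$group" || { echo "no such group in /etc/group: $group" >&2; return 1; }
    fi
    chown "$1" "$2"
}
```

Changing a file to another owner still requires root; the point of the wrappers is only that the name is validated, and the failure explained, before any change is attempted.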
chmod
File permissions are changed with the chmod command, and there are two ways to specify permissions: with numbers or with symbols.
Changing file permissions with numbers
Linux has 9 basic file permissions: the read/write/execute permissions of each of the three identities owner/group/others. These nine permissions form three groups of three, and each permission can be represented by a number.
r is 4, w is 2 and x is 1, and the permissions of each identity are added together, so rwx is 4 + 2 + 1 = 7. For example, the very common chmod 777 grants every permission, meaning anyone can read/write/execute the file, which is why such files are a serious security problem. Changing permissions with numbers is the method we use most often.
Changing file permissions with symbols
The nine file permissions correspond to (1) user (2) group (3) others, so we can use u, g and o to stand for the permissions of the three identities. In addition, a stands for all, i.e. every identity.
For example, if we want to set the permissions -rwxr-xr-x, the command to use is
chmod u=rwx,go=rx .filename
If we want to add write permission for everyone, we can do
chmod a+w .filename
If we want to remove write permission from everyone, we write the command as
chmod a-w .filename
We listed three operators above: =, + and -. The = sign assigns exactly the specified permissions, + adds permissions, and - removes permissions. With + and -, any permission not mentioned in the command is left unchanged.
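The numeric section (r=4, w=2, x=1) and the symbolic section above describe the same nine bits, and the following added example (written for this page, not taken from the article) ties them together: perm_to_octal converts an ls -l permission string to its octal value, and symbolic_demo runs the article's three chmod commands on a scratch file, converting the result after each, then finishes with a numeric chmod. perm_to_octal, mode_of and symbolic_demo are my own function names.

```shell
#!/bin/sh
# Added example: numeric and symbolic chmod notation are two spellings of the
# same nine permission bits. perm_to_octal turns the ls -l string into the
# octal number; symbolic_demo applies the article's three commands to a scratch
# file and converts the result each time.

# perm_to_octal "-rwxr-xr-x" -> 755: drop the type character, then score each
# rwx triplet with r=4, w=2, x=1 (a lowercase s or t also implies x)
perm_to_octal() {
    rest=$(printf '%s' "$1" | cut -c2-10)
    octal=""
    while [ -n "$rest" ]; do
        triplet=${rest%"${rest#???}"}     # first three characters
        rest=${rest#???}
        n=0
        case $triplet in r??) n=$((n + 4)) ;; esac
        case $triplet in ?w?) n=$((n + 2)) ;; esac
        case $triplet in ??x|??s|??t) n=$((n + 1)) ;; esac
        octal="$octal$n"
    done
    echo "$octal"
}

# mode_of FILE -> the 10-character permission string at the start of `ls -ld`
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# symbolic_demo -> octal value after each symbolic command, then the string
# produced by a numeric command. Expected: "755 777 555 -rw-r-----"
symbolic_demo() {
    f=$(mktemp) || return 1
    chmod u=rwx,go=rx "$f"; a=$(perm_to_octal "$(mode_of "$f")")   # = sets exactly these bits
    chmod a+w "$f";         b=$(perm_to_octal "$(mode_of "$f")")   # + adds w for all three
    chmod a-w "$f";         c=$(perm_to_octal "$(mode_of "$f")")   # - removes it again
    chmod 640 "$f";         d=$(mode_of "$f")                      # numeric form, same bits
    rm -f "$f"
    echo "$a $b $c $d"
}

symbolic_demo
```

Reading the octal value back after each step makes the difference between the operators visible: = replaces the whole set for the named identities, while + and - touch only the bits they name.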
Linux directory and file permissions
Everything above concerned file permissions. A file is a container for data; files include ordinary text files, database files, binary files and so on. For a file, the permissions mean
r (read): the file's actual content can be read, for example the text of a text file
w (write): content can be added to, edited or modified in the file (this does not include deleting the file)
x (execute): the file can be executed by the system.
On Windows, whether a file can be executed is decided by its extension, such as .exe, .bat or .com, but on Linux it is decided solely by whether the file has the x permission, regardless of its name.
On Linux, however, not only files have permissions; directories have them too. Files hold the actual data, while a directory is the list that records where files are located; only through a directory can we find where a file lives! For a directory, the permissions mean something different.
r (read contents in directory): permission to read the directory's list of contents. If you have read permission on a directory, you can look up the files under it, so you can use ls to display its contents.
w (modify contents of directory): write permission means you can modify the directory and the entries in it, which mainly includes
deleting existing files and directories.
creating new files and directories.
renaming existing files or directories.
moving files and directories within the directory.
x (access directory): what is execute permission on a directory good for? Surely a directory can't be executed? Indeed not; on a directory, execute permission decides whether you are allowed to enter it, that is, to cd (change directory) into it.
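The three directory meanings above are easiest to see by taking bits away one at a time. The following is an added example written for this page (not the article's code): dir_perm_demo builds a scratch directory holding one readable file, applies a mode to the directory, and reports whether listing it, opening the file through it and creating a new entry still succeed. try, dir_perm_demo and the mode list are my own; note that root bypasses these checks and will see "ok" for everything, so run it as a normal user.

```shell
#!/bin/sh
# Added example: what r, w and x mean on a directory. A scratch directory holds
# one world-readable file; dir_perm_demo sets a mode on the directory and
# reports which of three operations still work. Run as a normal user: root
# bypasses these checks and sees "ok" everywhere.

# try COMMAND... -> prints "ok" or "denied" instead of failing the script
try() {
    if "$@" >/dev/null 2>&1; then echo ok; else echo denied; fi
}

# dir_perm_demo MODE -> "<ls dir> <cat dir/file> <create dir/new>"
dir_perm_demo() {
    dir=$(mktemp -d) || return 1
    echo data > "$dir/file"
    chmod 644 "$dir/file"                          # the file itself is always readable
    chmod "$1" "$dir"
    list=$(try ls "$dir")                          # r: read the list of names
    read_file=$(try cat "$dir/file")               # x: look a name up to reach the file
    create=$(try sh -c "echo new > '$dir/new'")    # w (and x): add an entry
    chmod 700 "$dir"                               # restore so the cleanup can run
    rm -rf "$dir"
    echo "$list $read_file $create"
}

# Expected for a non-root user:
#   700 (rwx) -> "ok ok ok"
#   500 (r-x) -> "ok ok denied"      can list and open files, cannot add any
#   300 (-wx) -> "denied ok ok"      cannot list, but a known name can still be opened
#   600 (rw-) -> cat and create are both "denied": without x, no name can be resolved
for mode in 700 500 300 600; do
    echo "$mode: $(dir_perm_demo "$mode")"
done
```

The 300 case is the one people find surprising: with w and x but no r you cannot see what is in the directory, yet anyone who already knows a file's name can still open it, and can still create new entries. Conversely, r without x lets a name be listed but not used, because every path lookup through the directory needs x.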
Linux file types and extensions
You have probably heard the saying that under Linux every device is a file. Files come in many kinds, though; besides the regular files (-) and directories (d) introduced above, there are the following file types
Regular file (regular file): a regular file is the type shown by the first attribute character in the ls -al output described above. Regular files can be further divided into
Plain text files (ASCII): the most common file type on a Linux system. A plain text file holds data we can read directly, and you can view it with cat. For example, the file we most often edit to set a static IP on Linux, ens33, can be printed with cat
cat ifcfg-ens33
Binary files: on Linux, a binary file can be inspected with xxd or od, which print it in a formatted form
Data files: reading a data file directly with cat shows garbage, but it can be displayed with the last command
Directory: there is not much to say about a directory; it is a list of files, marked with [d] for directory.
Link files (link): a link file is a file type that certain programs must be linked with in order to run.
Devices and device files (device): devices under Linux are divided into two types, block devices and character devices:
A block device stores information in fixed-size blocks and supports reading and (optionally) writing data in fixed-size blocks, sectors or clusters. Each block has its own physical address. Typically the block size is between 512 and 65536 bytes. All transferred information is laid out in consecutive blocks. The basic feature of a block device is that each block is relatively independent and can be read and written on its own. Common block devices include hard drives, Blu-ray discs and USB drives.
Block devices are generally found under /dev, for example /dev/sda, and their first attribute character is [b].
The other type of I/O device is the character device. Character devices send or receive a stream of characters, one character at a time, regardless of any block structure. They are not addressable and do not perform seek operations. Common character devices include printers, network devices, mice and most other devices that are unlike disks.
The biggest feature of a character device is that it is read as a single stream whose output cannot be cut: for example, you cannot make the mouse jump to another spot at once; it moves smoothly instead. The first attribute character of a character device is [c].
Socket files (sockets): as the name suggests, a socket file uses a socket to receive network data. Its attribute is [s], and such files are usually found in the /run or /tmp directories.
Data transfer files (FIFO, pipe): a FIFO is another special file type. Its main purpose is to solve the errors caused by several programs accessing one file at the same time. Its first attribute character is [p].
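The type letters listed in this section, and in the permissions column earlier, can be read by a script just as easily as by eye. The following added example (written for this page, not code from the article) maps the first character of ls -ld to a type name and exercises it on one file of each type an unprivileged user can create, plus /dev/null for the character device; file_type_of and file_type_demo are my own names.

```shell
#!/bin/sh
# Added example: name the file type from the first character of `ls -ld`, the
# same column the article reads by eye. The demo makes one file of each type a
# normal user can create (regular file, directory, symbolic link, FIFO) in a
# scratch directory and uses /dev/null as the character device.

# file_type_of PATH -> human-readable type for the first attribute character
file_type_of() {
    case $(ls -ld "$1" | cut -c1) in
        -) echo "regular file" ;;
        d) echo "directory" ;;
        l) echo "symbolic link" ;;
        b) echo "block device" ;;
        c) echo "character device" ;;
        s) echo "socket" ;;
        p) echo "FIFO (named pipe)" ;;
        *) echo "unknown" ;;
    esac
}

# file_type_demo -> comma-separated types of the five sample paths
# Expected: "regular file, directory, symbolic link, FIFO (named pipe), character device"
file_type_demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/plain"                 # empty regular file
    mkdir "$dir/sub"
    ln -s plain "$dir/link"          # ls -ld shows the link itself, not its target
    mkfifo "$dir/pipe"
    out="$(file_type_of "$dir/plain"), $(file_type_of "$dir/sub")"
    out="$out, $(file_type_of "$dir/link"), $(file_type_of "$dir/pipe")"
    out="$out, $(file_type_of /dev/null)"
    rm -rf "$dir"
    echo "$out"
}

file_type_demo
```

Block devices and sockets are not created by the demo because that needs privileges or a listening program, but pointing file_type_of at /dev/sda or a socket under /run shows the b and s cases on a real system.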
Linux extensions
Extensions are actually a headache. Linux has no concept of an extension, yet some extension naming conventions do exist, which is awkward, so for now let's call them extension types. Generally there are the following types:
*.sh: an executable script or batch script, generally called a shell script; it contains instructions written in shell syntax.
*.tar, *.tar.gz, *.zip, *.tgz: packaged and compressed files; the extension varies with the packaging method
*.html, *.php: web page related files, in HTML and PHP syntax respectively.
The above is the detailed content of Linux permissions you must understand (summary sharing). For more information, please follow other related articles on the PHP Chinese website!