Linux file permissions
1 user information
The root user account is the administrator of the Linux system, and the UID assigned to it is 0.
Linux system will create different user accounts for various functions, and these accounts are not real users. These accounts are called system accounts and are special accounts used by various service processes running on the system to access resources.
Linux reserves UID values below 500 for system accounts. Some services even need a specific UID to work properly.
- Login user name
- User password
- UID of user account (in digital form)
- Group ID (GID) of the user account (in digital form)
- Text description of the user account (called the memo field)
- Location of user HOME directory
- User's default shell
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin polkitd:x:999:998:User for polkitd:/:/sbin/nologin libstoragemgmt:x:998:997:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin abrt:x:173:173::/etc/abrt:/sbin/nologin rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin chrony:x:997:995::/var/lib/chrony:/sbin/nologin tcpdump:x:72:72::/:/sbin/nologin dockerroot:x:996:993:Docker User:/var/lib/docker:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin zabbix:x:995:992:Zabbix Monitoring System:/var/lib/zabbix:/sbin/nologin tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
/The password field in the etc/passwd file is set to x. most Linux systems save the user password in a separate file (called shadow file, located in / etc/shadow).
/etc/passwd is a standard text file. If it is damaged, the system cannot read its contents, which will cause users to fail to log in normally (even root users).
There are 9 fields in each record in the / etc/shadow file:
- The login corresponding to the login field in the / etc/passwd file
- Encrypted password
- Number of days since the last password change (calculated from January 1, 1970)
- How many days will it take to change your password
- How many days must I change my password
- How many days before the password expires to remind the user to change the password
- How many days after the password expires to disable the user account
- The date on which the user account was disabled (expressed in days from January 1, 1970 to the current day)
- Reserved fields for future use
root:$6$eZUQy5TAdXxCXyi6$z/4Pp2eoUVYCGZbTLOAqJQViyzycfG3.huNvV1YGyemHLapfMNdhUZEG6Q2o9H3JD26zJKrmq8kFlfcxWYkf1.::0:99999:7::: bin:*:17834:0:99999:7::: daemon:*:17834:0:99999:7::: adm:*:17834:0:99999:7::: lp:*:17834:0:99999:7::: sync:*:17834:0:99999:7::: shutdown:*:17834:0:99999:7::: halt:*:17834:0:99999:7::: mail:*:17834:0:99999:7::: operator:*:17834:0:99999:7::: games:*:17834:0:99999:7::: ftp:*:17834:0:99999:7::: nobody:*:17834:0:99999:7::: systemd-network:!!:18598:::::: dbus:!!:18598:::::: polkitd:!!:18598:::::: libstoragemgmt:!!:18598:::::: abrt:!!:18598:::::: rpc:!!:18598:0:99999:7::: apache:!!:18598:::::: sshd:!!:18598:::::: postfix:!!:18598:::::: ntp:!!:18598:::::: chrony:!!:18598:::::: tcpdump:!!:18598:::::: dockerroot:!!:18778:::::: rpcuser:!!:18824:::::: nfsnobody:!!:18824:::::: zabbix:!!:18837:::::: tss:!!:18850:::::: geoclue:!!:18850:::::: rtkit:!!:18850:::::: pulse:!!:18850:::::: colord:!!:18850:::::: gdm:!!:18850:::::: gluster:!!:18850:::::: qemu:!!:18850:::::: setroubleshoot:!!:18850:::::: usbmuxd:!!:18850:::::: unbound:!!:18850:::::: saslauth:!!:18850:::::: saned:!!:18850:::::: sssd:!!:18850:::::: radvd:!!:18850:::::: gnome-initial-setup:!!:18850:::::: avahi:!!:18850::::::
3 user management
3.1 adding new users
Use the command useradd to create a new user account and set the user HOME directory structure at one time.
New user example:
useradd -m test
Login new user:
On the premise that you have logged in to the root account:
su - test
By default, the useradd command does not create the HOME directory, but the - m command line option causes it to create the HOME directory.
Common parameters of useradd:
-c comment Add notes to new users -d home_dir Specify a name for the home directory (if you do not want to use the login name as the home directory name) -e expire_date use YYYY-MM-DD Format specifies the date when an account expires -f inactive_days Specify how many days after the password of this account expires, this account will be disabled; 0 means to disable the password as soon as it expires, and 1 means to disable it Disable this feature -g initial_group Specifies the name of the user login group GID Or group name -G group ... Specify one or more additional groups to which the user belongs in addition to the login group -k Must and-m Used together, will/etc/skel Copy the contents of the directory to the user's HOME catalogue -m Create user's HOME catalogue -M Do not create user's HOME Directory (this option is only used when the default setting requires creation) -n Create a new group with the same name as the user login -r Create system account -p passwd Specify the default password for the user account -s shell Specify default login shell -u uid Specify a unique for the account UID
View the default values in the Linux system you are using:
When creating a new user, if you do not specify a specific value on the command line, the useradd command will be displayed with the - D option
The default values. The default values listed in this example are as follows:
- The new user will be added to the public group with GID 100;
- The HOME directory of the new user will be located in / home/loginname;
- The new user account password will not be disabled after expiration;
- No expiration date is set for the new user account;
- The new user account takes bash shell as the default shell;
- The system will copy the contents in / etc/skel directory to the user's HOME directory [generally storing the standard startup file of bash shell environment];
- The system creates a file for receiving mail under the mail directory for the user account.
For example, use the tsch shell as the default login shell for all new users
useradd -D -s /bin/tsch
3.2 delete user
The userdel command will only delete the user letter in the / etc/passwd file. With the - r parameter, userdel will delete the user's HOME directory and mail directory
/usr/sbin/userdel -r test
3.3 modify user
- usermod modifies the fields of the user account, and can also specify the ownership of the main group and the additional group
- passwd modify the password of an existing user
- chpasswd reads the login password pair from the file and updates the password
- chage changes the expiration date of the password
- chfn modify user account remarks
- chsh modifies the default login shell for the user account
- -l modify the login name of the user account.
- -L lock the account so that the user cannot log in.
- -p change the password of the account.
- -U unlock to enable users to log in.
usermod -L test
3.3.2 passwd and chpasswd
How to change the password. Any user on the system can change his password, but only
Only the root user has the right to change someone else's password.
If you need to change the password for a large number of users in the system, the chpasswd command can get twice the result with half the effort. The chpasswd command can be used from
Standard input automatically reads the list of login and password pairs (separated by colons), encrypts the password, and then sets it for the user account.
chpasswd < users.txt
3.3.3 chsh, chfn and chage
Modify specific account information
- chsh command: used to quickly modify the default user login shell. When using, you must use the full pathname of the shell as a parameter
chsh -s /bin/csh test
- finger: View user information on Linux system.
yum -y install finger
[root@jiangxue ~]# finger test Login: test Name: Directory: /home/test Shell: /bin/bash Last login 1 November 16:17 (CST) on pts/2 from 192.168.101.57 No mail. No Plan.
The chfn command provides a standard way to store information in the comments field of the / etc/passwd file. The chfn command will save the information of the finger command for Unix into the memo field or leave the memo field blank.
[root@jiangxue ~]# chfn test Changing finger information for test. name [jk]: jiangxue to work in an office [information kaifa]: research and development Office telephone : 911 Residential telephone : 119 Finger information changed. [root@jiangxue ~]# grep test /etc/passwd test:x:1001:1002:jiangxue,research and development,911,119:/home/test:/bin/bash
The chat command is used to help manage the validity of user accounts
- -d set the number of days since the last password change
- -E set the date when the password expires
- -I set the number of days from password expiration to account locking
- -m sets the minimum number of days between password changes
- -W set how long before the password expires, the reminder message will appear
The date value of the chat command can be either of the following two ways:
- Date in YYYY-MM-DD format
- Represents the number of days from January 1, 1970 to that date
4 using linux user group
A group occurred due to sharing information.
- Group permissions allow multiple users to share a common set of permissions on objects in the system (such as files, directories or devices).
- Each group has a unique GID -- similar to UID, it is a unique value on the system. In addition to GID, each group also
There is a unique group name
Group information is saved in / etc/group.
The information is as follows:
[root@jiangxue ~]# cat /etc/group root:x:0: bin:x:1: daemon:x:2: sys:x:3: adm:x:4: tty:x:5: disk:x:6: lp:x:7: mem:x:8: kmem:x:9: wheel:x:10:hadpod-yl-1 cdrom:x:11: mail:x:12:postfix man:x:15: dialout:x:18: floppy:x:19: games:x:20: tape:x:33: video:x:39: ftp:x:50: lock:x:54: audio:x:63:
GID is also assigned in a specific format. Groups for system accounts are usually assigned GIDS less than 500
Value, and the GID of the user group will be assigned from 500/ The etc/group file has four fields:
- Group name
- Group password
- List of users belonging to this group
The group password allows non group members to temporarily become members of the group through it.
⚠️ be careful:
- Never add users to a group by directly modifying the / etc/group file. You need to use the usermod command.
- In the list, some groups do not list users. This is not to say that these groups have no members. When a user specifies a group as the default group in the / etc/passwd file, the user account will not appear in the / etc/group file as a member of the group.
4.1 create a new group
[root@hdp-jiangxue ~]# /usr/sbin/groupadd shared [root@hdp-jiangxue ~]# tail /etc/group libvirt:x:982: sssd:x:981: radvd:x:75: gnome-initial-setup:x:980: avahi:x:70: hadpod-yl-1:x:1000: mysql:x:1001: redis:x:979: test:x:1002: shared:x:1003:
When creating a new group, no users are assigned to the group by default. The groupadd command does not provide the option to add users to a group, but you can compensate for this with the usermod command.
/usr/sbin/usermod -G shared test
be careful ⚠️:
- If the user group to which the logged in system account belongs is changed, the user must log out of the system and log in again before the change of group relationship can take effect.
- Use extreme caution when assigning groups to user accounts. If the - G option is added, the specified group name will replace the default group of the account- G option will add the group to the list of user's subordinate groups without affecting the default group.
4.2 modify grouping
The groupmod command can modify the GID (plus - g option) or group name (plus - n option) of an existing group.
[root@hdp-jiangxue ~]# /usr/sbin/groupmod -n sharing shared [root@hdp-jiangxue ~]# tail /etc/group libvirt:x:982: sssd:x:981: radvd:x:75: gnome-initial-setup:x:980: avahi:x:70: hadpod-yl-1:x:1000: mysql:x:1001: redis:x:979: test:x:1002: sharing:x:1003:test
⚠️ Note: when modifying the group name, GID and group members will not change, only the group name will change. Since all security permissions are based on GID, you can change the group name at will without affecting the security of the file.
5 file permissions
5.1 understanding document authority
[root@hdp-jiangxue ~]# ls -l Total consumption 40 drwxr-xr-x 4 root root 123 10 October 28:23 airflow drwxr-xr-x 28 root root 4096 10 June 20-16:29 anaconda3 -rw-------. 1 root root 1565 12 February 2020 anaconda-ks.cfg drwxr-xr-x 3 root root 24 5 June 27-18:24 cmj -rw-r--r-- 1 root root 411 7 June 19-16:21 cookie.txt -rw-r--r-- 1 root root 640 7 May 17:07 derby.log drwxr-xr-x 2 root root 100 8 November 13:32 fyk -rw-r--r-- 1 root root 7008 6 February 14:18 index.html drwxr-xr-x 5 root root 133 7 May 17:07 metastore_db -rw------- 1 root root 9637 10 June 26-17:58 nohup.out -rw-r--r-- 1 root root 3152 8 June 19-18:07 people.json drwxr-xr-t 2 root root 6 8 November 15:32 thinclient_drives
The first character represents the object
- -Representative document
- d stands for directory
- l stands for link
- c stands for character type equipment
- b stands for block equipment
- n stands for network equipment
There are three sets of three character codes. Each group defines three access rights:
- r means that the object is readable
- w means that the object is writable
- x means that the object is executable
If there is no permission, a single broken polyline will appear in the permission bit. These three groups of permissions correspond to three security levels of the object:
- Owner of the object
- Group of objects
- Other users of the system
In the first line, drwxr-xr-x 4 root 123 October 28 10:23 airflow, rwx represents the owner of the file, r-x represents the group of the file, and r-x represents others on the system.
5.2 default file permissions
The umask command is used to set the default permissions for the created files and directories.
[root@jiangxue home]# touch newfile [root@jiangxue home]# ls -al newfile -rw-r--r-- 1 root root 0 11 March 17:48 newfile [root@jiangxue home]# umask 0022
The first representative: a special security feature called sticky bit
The last 3 bits: represent the umask octal value corresponding to the file or directory.
In this binary representation, each position represents a binary bit. Therefore, if the read permission is the only set permission, the permission value is r –, the binary value is 100, and the octal value is 4.
Linux File permission code Permission binary value octal value description --- 000 0 No permissions --x 001 1 Only execution permission -w- 010 2 Write only -wx 011 3 Have write and execute permissions r-- 100 4 Read only r-x 101 5 Have read and execute permissions rw- 110 6 Have read and write permissions rwx 111 7 Have full permissions
Meaning of umask value:
The umask value is just a mask. It will mask the permissions you don't want to grant to this security level. Subtract the umask value from the full permission value of the object. For files, the value of full permission is 666 (all users have read and write permissions); For the directory, it is 777 (all users have read, write and execute permissions). Therefore, in the above example, the initial permission of the file is 666. After subtracting the umask value of 022, the remaining file permission becomes 644.
The umask value is usually set in the / etc/profile startup file, but some are set in the / etc/login.defs file (such as Ubuntu).
For example, in / etc/profile,
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then umask 002 else umask 022 fi
Modify umask value:
[root@hjiangxue home]# umask 026 [root@jiangxue home]# touch newfile2 [root@jiangxue home]# ls -la newfile2 -rw-r----- 1 root root 0 11 March 18:00 newfile2
5.3 changing security settings
5.3.1 change authority
Using chmod, set the octal mode used here, and directly use the standard 3-bit octal permission code expected to be given to the file.
For example, the following is to assign the file master to read / write execution, group to read / write, and others to none.
[root@jiangxue home]# chmod 760 newfile
5.3.2 change of affiliation
The chown command is used to change the ownership of a file,
The chgrp command is used to change the default group of files.
The format of chown command is as follows:
chown options owner[.group] file
A login or UID can be used to specify the new owner of the file, for example,
chown test newfile
The chown command also supports changing the owner and group of a file at the same time, for example:
chown test.test newfile
Change the default group of only one directory, for example:
chown .test newfile
The system adopts the group name matching the user login name, which can be changed with only one entry.
chown test. newfile
be careful ⚠️:
- Only the root user can change the ownership of the file. Any owner can change the ownership group of a file, provided that the owner must
Is a member of the original group and the target group.
The chgrp command can change the default group of a file or directory [the user account must be the owner of the file. In addition to changing the group, it must also be a member of the new group.].
chgrp test newfile
5.4 shared files
How to share files:
- Assign files to a new default group of other users;
- Modify the access rights of the security group where other users belong;
- If you want to create documents in a large environment and share them with others, the above two methods are cumbersome. You can use the following methods.
1. Use chgrp to change the default array of users to the group containing all users who need to share files;
2. Use chmod g+s to set the permission to be the same as the group, and reset the SGID bit at runtime (ensure that all new files in the directory take shared as the default group);
3. The umask 002 setting file can be written to members of the group;
4. The new files in the folder will follow the directory group instead of the user's default group.
[root@hdp-1 test]# rm -rf testDir/ [root@hdp-1 test]# ls [root@hdp-1 test]# mkdir -vp testDir mkdir: Directory created "testDir" [root@hdp-1 test]# ls -ll Total consumption 0 drwxr-xr-x 2 root root 6 12 January 11:54 testDir [root@hdp-1 test]# tail -3 /etc/group redis:x:979: test:x:1002: sharing:x:1003:test [root@hdp-1 test]# chgrp sharing testDir [root@hdp-1 test]# chmod g+s testDir [root@hdp-1 test]# umask 0022 [root@hdp-1 test]# umask 002 [root@hdp-1 test]# cd testDir/ [root@hdp-1 testDir]# touch testFile [root@hdp-1 testDir]# ls -l Total consumption 0 -rw-rw-r-- 1 root sharing 0 12 January 11:57 testFile
- 1. User ID (SUID): when the file is used by the user, the program will run with the permission of the file owner.
- SGID can be set by chmod command. It will be added before the standard 3-bit octal value (forming a 4-bit octal value), or use the symbol s in symbol mode.
- After enabling the SGID bit, you can force new files created in a shared directory to belong to the group of the directory, and this group will become the group of each user.
- 2. Group ID (SGID): for files, the program will run with the permissions of the file group; For a directory, new files created in the directory will take the default group of the directory as the default group
- 3. Adhesive bit: after the process ends, the file still resides (adheres) in memory [the first bit of octal umask value, such as 0 in 0022].
This article discusses some command line commands you need to know to manage Linux system security. Linux restricts access to files, directories, and devices through user IDs and group IDs. Linux stores the user account information in the / etc/passwd file and the group information in the / etc/group file. Each user is assigned a unique user ID and a text login that identifies the user in the system. The group is also assigned a unique group ID and group name. A group can contain one or more users to support shared access to system resources.
There are several commands that can be used to manage user accounts and groups. The useradd command is used to create a new user account, and the groupadd command is used to create a new group account. To modify an existing user account, we use the usermod command. A similar groupmod command is used to modify group account information.
Linux uses a complex bit system to determine the access rights of files and directories. Each file has three security levels: the owner of the file, the default group that can access the file, and other users on the system. Each security level is defined by three access permission bits: read, write, and execute, corresponding to the symbol rwx. If a permission is denied, the symbol corresponding to the permission will be replaced by a single broken polyline (for example, r – for read-only permission).
This symbolic permission is usually described in octal values. Three bits of binary form an octal value, and three octal values represent three security levels. The umask command is used to set the default security settings for files and directories created in the system. System administrators usually set a default umask value in the / etc/profile file, but you can modify your umask value at any time through the umask command. The chmod command is used to modify the security settings of files and directories. Only the owner of the file can change the permissions of the file or directory.
However, the root user can change the security settings of any file or directory on the system. The chown and chgrp commands can be used to change the default owner and group of files.
Finally, it discusses how to create a shared directory by setting the group ID bit. The SGID bit will force new files or directories created in a directory to follow the parent directory's group instead of the user's group who created these files. This can provide a simple way for users of the system to share files.