File Permissions
File permissions are something every Linux user is familiar with. They are a mechanism for controlling user access to files: they limit the scope of a user's activity in the file system and so reduce the threat a user can pose to system security.
Let's look at a simple example:
[chase@lustre doc]$ ls -l
-rw-rw-r-- 1 chase chase 2 Feb 17 00:17 a.txt
This is the output of ls -l. Here we can clearly see some information about the file a.txt. The meaning of the fields is as follows:
-rw-rw-r-- (permissions) 1 (link count) chase (owner) chase (group) 2 (file size) Feb 17 00:17 (last modified) a.txt (file name)
The information above shows that the file is owned by chase and belongs to the group chase. The permission field can be split into four parts:
- (file type) rw- (owner permissions) rw- (group permissions) r-- (other users' permissions)
The first part is the file type. Linux has seven file types: socket (s), symbolic link (l), regular file (-), block device (b), directory (d), character device (c) and named pipe (p) (the letter in parentheses is how the type appears in the permission field). The other three parts all have the same structure, three characters each (rwx): r is read permission, w is write permission and x is execute permission. Each of these three parts can be written as three binary digits or one octal digit: when a permission is enabled its bit is set to 1, so rw- means the read and write bits are enabled and is written as binary 110 or octal 6.
To change file permissions we can use either the symbolic form or the octal form. The command is chmod. In the symbolic form, u stands for the owner, g for the group, o for other users and a for all users. For example, to change a.txt above so that the group can only read it, run
[chase@lustre doc]$ chmod g-w a.txt
[chase@lustre doc]$ ls -l
-rw-r--r-- 1 chase chase 2 Feb 17 00:35 a.txt
Now the group has read-only access to the file. If you run the following command
[chase@lustre doc]$ chmod +x a.txt
[chase@lustre doc]$ ls -l
-rwxr-xr-x 1 chase chase 2 Feb 17 00:35 a.txt
all the execute bits are enabled, but
[chase@lustre doc]$ chmod +w a.txt
[chase@lustre doc]$ ls -l
-rw-rw-r-- 1 chase chase 2 Feb 17 00:35 a.txt
does not enable all the write bits; you have to use a+w. I'm not too sure of the main reason; perhaps it's a security consideration. In the octal form, making the same permission changes in the same order, the commands are as follows
[chase@lustre doc]$ chmod 644 a.txt
[chase@lustre doc]$ ls -l
-rw-r--r-- 1 chase chase 2 Feb 17 00:35 a.txt
and with all execute bits enabled:
[chase@lustre doc]$ chmod 755 a.txt
[chase@lustre doc]$ ls -l
-rwxr-xr-x 1 chase chase 2 Feb 17 00:35 a.txt
There are also SUID and SGID; these two permission bits set the effective user or group ID used at run time. SUID works like this: when a user (not necessarily the file's owner) executes a file with SUID set, the effective user ID (UID) of the resulting process is set to the UID of the file's owner. SGID is similar: when a user (not necessarily a member of the file's group) executes a file with SGID set, the effective group ID (GID) of the process is set to the GID of the file's group.
Besides the permission bits described above, there is one more worth mentioning. When you run the following command
[chase@lustre doc]$ ls -ld /tmp/
drwxrwxrwt 3 root root 4096 Feb 16 23:42 /tmp/
notice that the last character of the third part of the permission field is a t. This bit is called the sticky bit. I've seen some books explain it this way: this permission mainly appears on directories, and it means that users can only delete their own files in that directory, not other people's files. Below is the explanation of the sticky bit's origin from the book Practical UNIX & Internet Security:
The Origin of "Sticky"
A very long time ago, UNIX ran on machines with much less memory than today: 64 kilobytes, for instance. This amount of memory was expected to contain a copy of the operating system, I/O buffers, and running programs. This memory often wasn't sufficient when there were several large programs running at the same time. To make the most of the limited memory, UNIX swapped processes to and from secondary storage as their turns at the CPU ended. When a program was started, UNIX would determine the amount of storage that might ultimately be needed for the program, its stack, and all its data. It then allocated a set of blocks on the swap partition of the disk or drum attached to the system. (Many systems still have a /dev/swap, or a swapper process that is a holdover from these times.)
Each time the process got a turn from the scheduler, UNIX would swap in the program and data, if needed, execute for a while, and then swap out the memory copy if the space was needed for the next process. When the process exited or exec'd another program, the swap space was reclaimed for use elsewhere. If there was not enough swap space to hold the process's memory image, the user got a "No memory error" (still possible on many versions of UNIX if a large stack or heap is involved.)
Obviously, this is a great deal of I/O traffic that could slow computation. So, one of the eventual steps was development of compiler technology that constructed executable files with two parts: pure code that would not change, and everything else. These were indicated with a special magic number in the header inside the file. When the program was first executed, the program and data were copied to their swap space on disk first, then brought into memory to execute. However, when the time comes to swap out, the code portions were not written to disk - they would not have changed from what was already on disk! This change was a big savings.
The next obvious step was to stop some of that extra disk-to-disk copying at start-up time. Programs that were run frequently - such as cc, ed, and rogue - could share the same program pages. Furthermore, even if no copy was currently running, we could expect another one to be run soon. Therefore, keeping the pages in memory and on the swap partition, even while we weren’t using them, made sense. The "sticky bit" was added to mark those programs as worth saving.
Since those times, larger memories and better memory management methods have largely removed the original need for the sticky bit.
How do we change the three bits just described? chmod has both a symbolic and an octal form for them. SUID and SGID can only be changed with u+/-s and g+/-s; the sticky bit can be changed with a plain +t, because it applies to all users. This is the symbolic way:
Changing SUID
[chase@lustre doc]$ ls -l a.txt;chmod u+s a.txt;ls -l a.txt
-rwxr-xr-x 1 chase chase 2 Feb 17 00:35 a.txt
-rwsr-xr-x 1 chase chase 2 Feb 17 00:35 a.txt
Changing SGID
[chase@lustre doc]$ ls -l a.txt;chmod g+s a.txt;ls -l a.txt
-rwsr-xr-x 1 chase chase 2 Feb 17 00:35 a.txt
-rwsr-sr-x 1 chase chase 2 Feb 17 00:35 a.txt
Changing the sticky bit
[chase@lustre doc]$ ls -l;chmod +t sticky;ls -l
drwxrwxr-x 2 chase chase 4096 Feb 17 04:25 sticky
drwxrwxr-t 2 chase chase 4096 Feb 17 04:25 sticky
In the octal form, all three bits have an octal representation just like the read, write and execute bits, except that they live in the extended (leading) permission digit: 4000 (SUID), 2000 (SGID) and 1000 (sticky bit).
Changing SUID
[chase@lustre doc]$ ls -l a.txt;chmod 4755 a.txt;ls -l a.txt
-rwxr-xr-x 1 chase chase 2 Feb 17 00:35 a.txt
-rwsr-xr-x 1 chase chase 2 Feb 17 00:35 a.txt
Changing SGID
[chase@lustre doc]$ ls -l a.txt;chmod 2755 a.txt;ls -l a.txt
-rwsr-xr-x 1 chase chase 2 Feb 17 00:35 a.txt
-rwsr-sr-x 1 chase chase 2 Feb 17 00:35 a.txt
Changing the sticky bit
[chase@lustre doc]$ ls -l;chmod 1755 sticky;ls -l
drwxrwxr-x 2 chase chase 4096 Feb 17 04:25 sticky
drwxrwxr-t 2 chase chase 4096 Feb 17 04:25 sticky
Of course, when a user accesses a file the system reads the permission bits to decide what access that user has. Another system setting related to file permissions is the user's default file mask (umask). To see it, run the command
[chase@lustre doc]$ umask
0002
0002 is the user's default file mask. It determines the default permissions a file gets when the user creates it. The relationship to file permissions is: regular file: 666 & ~002 = 664; directory: 777 & ~002 = 775 (the bits set in the mask are cleared from the base permissions).
To change the default mask, just give umask the mask you want to set. If you don't want to change it every time you log in, add umask 077 to ~/.bash_profile.
Most of this is probably well known to many people, but when your system has a lot of users, these file permissions must be used with particular care, so that a moment's carelessness does not cause unnecessary damage to the system.
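As an added example (not from the original post), the following POSIX shell script ties together the octal notation, the SUID/SGID/sticky digit and the umask rule discussed above: mode_to_octal turns an ls -l permission column into the four-digit mode you would pass to chmod, and default_mode computes the default permissions a new file or directory gets under a given umask. The function names and the demo strings are my own; the permission strings are the ones shown in the post.

```shell
#!/bin/sh
# Added example (not the original post's code).
# mode_to_octal "-rwsr-sr-x" -> 6755 : SUID (4), SGID (2) and sticky (1)
# are folded into the leading digit; rwx triples become the other three.
mode_to_octal() {
    perm=$1
    special=0
    digits=""
    for start in 2 5 8; do          # owner, group, other triples
        r=$(printf '%s' "$perm" | cut -c "$start")
        w=$(printf '%s' "$perm" | cut -c "$((start + 1))")
        x=$(printf '%s' "$perm" | cut -c "$((start + 2))")
        d=0
        [ "$r" = r ] && d=$((d + 4))
        [ "$w" = w ] && d=$((d + 2))
        case $x in
            x|s|t) d=$((d + 1)) ;;   # lowercase s/t: execute bit is also set
        esac
        case $x in
            s|S) if [ "$start" -eq 2 ]; then special=$((special + 4))
                 else special=$((special + 2)); fi ;;
            t|T) special=$((special + 1)) ;;
        esac
        digits="$digits$d"
    done
    printf '%s%s\n' "$special" "$digits"
}

# default_mode 666 0002 -> 664 ; default_mode 777 0002 -> 775
# The base mode (666 for files, 777 for directories) has the umask
# bits cleared: base & ~mask, both read as octal.
default_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# Demo over the listings that appear in the post.
for p in -rw-rw-r-- -rwxr-xr-x -rwsr-xr-x -rwsr-sr-x drwxrwxr-t drwxrwxrwt; do
    printf '%s  %s\n' "$p" "$(mode_to_octal "$p")"
done
printf 'umask 0002: file %s, dir %s\n' "$(default_mode 666 0002)" "$(default_mode 777 0002)"
printf 'umask 077:  file %s, dir %s\n' "$(default_mode 666 077)" "$(default_mode 777 077)"
```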