Linux Admin - Concise Tutorial

Linux Admin - File / Folder Management

To introduce permissions as they apply to both directories and files in CentOS Linux, let’s look at the following command output.

[centos@centosLocal etc]$ ls -ld /etc/yum*
drwxr-xr-x. 6 root root 100 Dec  5 06:59 /etc/yum
-rw-r--r--. 1 root root 970 Nov 15 08:30 /etc/yum.conf
drwxr-xr-x. 2 root root 187 Nov 15 08:30 /etc/yum.repos.d

Note − The three primary object types you will see are

  1. "-" − a dash for plain file

  2. "d" − for a directory

  3. "l" − for a symbolic link

We will focus on the three blocks of output for each directory and file −

  1. drwxr-xr-x : root : root

  2. -rw-r--r-- : root : root

  3. drwxr-xr-x : root : root

Now let’s break this down, to better understand these lines −

d − Means the object type is a directory

rwx − Indicates the directory permissions applied to the owner

r-x − Indicates the directory permissions applied to the group

r-x − Indicates the directory permissions applied to the world

root − The first instance indicates the owner of the directory

root − The second instance indicates the group to which the group permissions are applied

Understanding the difference between owner, group and world is important. Not understanding this can have big consequences on servers that host services to the Internet.

Before we give a real-world example, let’s first understand the permissions as they apply to directories and files.

Please take a look at the following table, then continue with the instruction.

Octal   Symbolic   Perm.     Directory
1       x          Execute   Enter the directory and access files
4       r          Read      List the files within the directory
2       w          Write     Delete or modify the files in a directory

Note − When files should be accessible for reading in a directory, it is common to apply read and execute permissions. Otherwise, the users will have difficulty working with the files. Leaving write disabled will assure files cannot be: renamed, deleted, copied over, or have permissions modified.

Applying Permissions to Directories and Files

When applying permissions, there are two concepts to understand −

  1. Symbolic Permissions

  2. Octal Permissions

In essence, they are the same thing, just two different ways of referring to and assigning file permissions. For a quick guide, please study and refer to the following table −

           Read   Write   Execute
Octal      4      2       1
Symbolic   r      w       x

When assigning permissions using the octal method, use a three-digit octal number such as 760. The number 760 translates into: Owner: rwx; Group: rw; Other (or world): no permissions.

Another scenario: 733 would translate to: Owner: rwx; Group: wx; Other: wx.
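The following script is an added example, not code from the original tutorial, that turns the notation above into something you can run: it parses an ls -l line into the fields walked through earlier (object type, the owner/group/other triplets, owner name and group name), and converts between octal modes such as 760 or 733 and the nine-character symbolic strings. All function names are the example's own; the sample ls line it parses is the /etc/yum line from the top of the page, re-typed here as test input.

```shell
#!/bin/sh
# Added example (not from the original tutorial): helpers for reading and
# converting the permission notation discussed above. Plain POSIX sh.

# One octal digit (0-7) -> its rwx triplet.
digit_to_rwx() {
    case "$1" in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) echo "bad octal digit: $1" >&2; return 1 ;;
    esac
}

# Three-digit octal mode -> nine-character symbolic string, e.g. 760 -> rwxrw----
mode_to_symbolic() {
    case "$1" in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got '$1'" >&2; return 1 ;;
    esac
    u=${1%??}; rest=${1#?}; g=${rest%?}; o=${rest#?}     # owner, group, other digits
    printf '%s%s%s\n' "$(digit_to_rwx "$u")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$o")"
}

# Nine-character symbolic string -> three-digit octal mode, e.g. rwx-wxrw- -> 736
symbolic_to_mode() {
    sym=$1
    [ ${#sym} -eq 9 ] || { echo "expected 9 characters, got '$sym'" >&2; return 1; }
    out=''
    while [ -n "$sym" ]; do
        trip=${sym%"${sym#???}"}      # first three characters
        sym=${sym#???}
        n=0                           # r=4, w=2, x=1 added per position
        case "$trip" in r??) n=$((n + 4)) ;; esac
        case "$trip" in ?w?) n=$((n + 2)) ;; esac
        case "$trip" in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# Split an "ls -l" line into the pieces the tutorial walks through.
# Output: <type> <owner bits> <group bits> <other bits> <owner> <group> <octal>
explain_ls_line() {
    set -f; set -- $1; set +f      # word-split: $1=mode field, $3=owner, $4=group
    perms=$1; owner=$3; group=$4
    t=$(printf '%s' "$perms" | cut -c1)
    bits=$(printf '%s' "$perms" | cut -c2-10)   # drops the trailing SELinux "." CentOS prints
    case "$t" in
        -) kind="file" ;; d) kind="directory" ;; l) kind="symlink" ;; *) kind="other" ;;
    esac
    printf '%s %s %s %s %s %s %s\n' "$kind" \
        "$(printf '%s' "$bits" | cut -c1-3)" \
        "$(printf '%s' "$bits" | cut -c4-6)" \
        "$(printf '%s' "$bits" | cut -c7-9)" \
        "$owner" "$group" "$(symbolic_to_mode "$bits")"
}

# Constructed sample input: the /etc/yum line from the top of the page.
SAMPLE_LINE='drwxr-xr-x. 6 root root 100 Dec  5 06:59 /etc/yum'
explain_ls_line "$SAMPLE_LINE"     # directory rwx r-x r-x root root 755
mode_to_symbolic 760               # rwxrw----
mode_to_symbolic 733               # rwx-wx-wx
symbolic_to_mode rwx-wxrw-         # 736
```

The last field printed by explain_ls_line is the octal form of what ls showed, which is handy when reviewing a listing: any line whose last digit is 6 or 7 is an object that "other" can write to.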

There is one drawback to permissions using the Octal method. Existing permission sets cannot be modified. It is only possible to reassign the entire permission set of an object.

Now you might wonder, what is wrong with always re-assigning permissions? Imagine a large directory structure, for example /var/www/ on a production web server. We want to recursively take away the w (write) bit for Other on all directories, so that, as a security measure, it has to be added deliberately and only where needed. If we re-assign the entire permission set, we take away all the other custom permissions assigned to every sub-directory.

Hence, it will cause a problem for both the administrator and the user of the system. At some point, a person (or persons) would need to re-assign all the custom permissions that were wiped out by re-assigning the entire permission-set for every directory and object.

In this case, we would want to use the Symbolic method to modify permissions −

chmod -R o-w /var/www/

The above command would not "overwrite permissions" but modify the current permission sets. So get accustomed to the best practice of using −

  1. Octal only to assign permissions

  2. Symbolic to modify permission sets
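The script below is an added example, not part of the original tutorial, that makes the drawback concrete on a throwaway directory tree: one sub-directory is world-writable (the bit we want gone), another is private to owner and group (a setting we want kept). Re-assigning 755 recursively with the octal method removes the unwanted bit but also opens the private directory to "other"; the symbolic chmod -R o-w from the text removes only the bit we named. The tree, the function names and the modes are the example's own; it assumes GNU or busybox stat and find, as found on CentOS.

```shell
#!/bin/sh
# Added example (not from the original tutorial): octal re-assignment versus
# symbolic modification, shown on a constructed tree under mktemp.

# Build a small tree with two deliberately different settings. Prints the root.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site/uploads" "$root/site/keys"
    chmod 755 "$root/site"
    chmod 777 "$root/site/uploads"   # world-writable: the "other" w bit we want removed
    chmod 770 "$root/site/keys"      # owner and group only: a setting we want to keep
    printf '%s\n' "$root"
}

# Octal mode of a path, e.g. 755
mode_of() { stat -c '%a' "$1"; }

# Detection: directories under a tree that "other" can still write to (-perm -002).
world_writable_dirs() { find "$1" -type d -perm -002; }

# Octal method: every directory becomes exactly 755, whatever it was before.
# Prints "<uploads mode> <keys mode>".
fix_with_octal() {
    find "$1/site" -type d -exec chmod 755 {} +
    printf '%s %s\n' "$(mode_of "$1/site/uploads")" "$(mode_of "$1/site/keys")"
}

# Symbolic method (the command from the text): only the "other" w bit changes.
fix_with_symbolic() {
    chmod -R o-w "$1/site"
    printf '%s %s\n' "$(mode_of "$1/site/uploads")" "$(mode_of "$1/site/keys")"
}

# Demonstration
r=$(make_tree)
echo "before:        $(mode_of "$r/site/uploads") $(mode_of "$r/site/keys")"   # 777 770
echo "world-writable before: $(world_writable_dirs "$r")"
echo "octal 755:     $(fix_with_octal "$r")"      # 755 755  (keys is now readable by other)
rm -rf "$r"

r=$(make_tree)
echo "symbolic o-w:  $(fix_with_symbolic "$r")"   # 775 770  (keys untouched)
echo "world-writable after:  $(world_writable_dirs "$r")"
rm -rf "$r"
```

The world_writable_dirs check is the one to keep around: run it over a web root after any permission change, and an empty result confirms the o-w policy held without anyone having to re-read every line of a recursive listing.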

It is important that a CentOS administrator be proficient with both octal and symbolic permissions, as permissions are important for the integrity of data and of the entire operating system. If permissions are incorrect, the end result will be that both sensitive data and the entire operating system are compromised.

With that covered, let’s look at a few commands for modifying permissions and object owner/members −

  1. chmod

  2. chown

  3. chgrp

  4. umask

chmod : Change File Mode Permission Bits

Command   Action
-c        Like verbose, but will only report the changes made
-v        Verbose, outputs the diagnostics for every request made
-R        Recursively applies the operation on files and directories

chmod will allow us to change permissions of directories and files using octal or symbolic permission sets. We will use this to modify our assignment and uploads directories.

chown : Change File Owner and Group

Command   Action
-c        Like verbose, but will only report the changes made
-v        Verbose, outputs the diagnostics for every request made
-R        Recursively applies the operation on files and directories

chown can modify both the owning user and the owning group of objects. However, unless both need to be modified at the same time, chgrp is usually used for groups.

chgrp : Change Group Ownership of File or Directory

Command   Action
-c        Like verbose, but will only report the changes made
-v        Verbose, outputs the diagnostics for every request made
-R        Recursively applies the operation on files and directories

chgrp will change the group owner to that supplied.

Real-world practice

Let’s change all the subdirectory assignments in /var/www/students/ so the owning group is the students group. Then assign the root of students to the professors group. Later, make Dr. Terry Thomas the owner of the students directory, since he is in charge of all Computer Science academia at the school.

As we can see, when created, the directory is left pretty raw.

[root@centosLocal ~]# ls -ld /var/www/students/
drwxr-xr-x. 4 root root 40 Jan  9 22:03 /var/www/students/

[root@centosLocal ~]# ls -l /var/www/students/
total 0
drwxr-xr-x. 2 root root 6 Jan  9 22:03 assignments
drwxr-xr-x. 2 root root 6 Jan  9 22:03 uploads

[root@centosLocal ~]#

As Administrators we never want to give our root credentials out to anyone. But at the same time, we need to allow users the ability to do their job. So let’s allow Dr. Terry Thomas to take more control of the file structure and limit what students can do.

[root@centosLocal ~]# chown -R drterryt:professors /var/www/students/
[root@centosLocal ~]# ls -ld /var/www/students/
drwxr-xr-x. 4 drterryt professors 40 Jan  9 22:03 /var/www/students/

[root@centosLocal ~]# ls -ls /var/www/students/
total 0
0 drwxr-xr-x. 2 drterryt professors 6 Jan  9 22:03 assignments
0 drwxr-xr-x. 2 drterryt professors 6 Jan  9 22:03 uploads

[root@centosLocal ~]#

Now, each directory and subdirectory has an owner of drterryt and the owning group is professors. Since the assignments directory is for students to turn assigned work in, let’s take away the ability to list and modify files from the students group.

[root@centosLocal ~]# chgrp students /var/www/students/assignments/ && chmod 736 /var/www/students/assignments/

[root@centosLocal assignments]# ls -ld /var/www/students/assignments/
drwx-wxrw-. 2 drterryt students 44 Jan  9 23:14 /var/www/students/assignments/

[root@centosLocal assignments]#

Students can copy assignments to the assignments directory, but they cannot list the contents of the directory, copy over current files, or modify files in the assignments directory. Thus, it just allows the students to submit completed assignments. The CentOS filesystem will provide a date-stamp of when assignments were turned in.

As the assignments directory owner −

[drterryt@centosLocal assignments]$ whoami
drterryt

[drterryt@centosLocal assignments]$ ls -ld /var/www/students/assignment
drwx-wxrw-. 2 drterryt students 44 Jan  9 23:14 /var/www/students/assignments/

[drterryt@centosLocal assignments]$ ls -l /var/www/students/assignments/
total 4
-rw-r--r--. 1 adama  students  0 Jan  9 23:14 myassign.txt
-rw-r--r--. 1 tammyr students 16 Jan  9 23:18 terryt.txt

[drterryt@centosLocal assignments]$

We can see that the directory owner can list files as well as modify and remove them.

umask Command: Supplies the Default Modes for File and Directory Permissions As They are Created

umask is an important command that supplies the default modes for File and Directory Permissions as they are created.

umask permissions use unary, negated logic.

Permission   Operation
0            Read, write, execute
1            Read and write
2            Read and execute
3            Read only
4            Read and execute
5            Write only
6            Execute only
7            No permissions

[adama@centosLocal umask_tests]$ ls -l ./
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myDir
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myFile.txt

[adama@centosLocal umask_tests]$ whoami
adama

[adama@centosLocal umask_tests]$ umask
0022

[adama@centosLocal umask_tests]$

Now, let’s change the umask for our current user, and make a new file and directory.

[adama@centosLocal umask_tests]$ umask 077

[adama@centosLocal umask_tests]$ touch mynewfile.txt

[adama@centosLocal umask_tests]$ mkdir myNewDir

[adama@centosLocal umask_tests]$ ls -l
total 0
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myDir
-rw-r--r--. 1 adama students 0 Jan 10 00:27 myFile.txt
drwx------. 2 adama students 6 Jan 10 00:35 myNewDir
-rw-------. 1 adama students 0 Jan 10 00:35 mynewfile.txt

As we can see, newly created files are a little more restrictive than before.

The umask for users should be changed in either −

  1. /etc/profile

  2. ~/.bashrc

[root@centosLocal centos]# su adama
[adama@centosLocal centos]$ umask
0022
[adama@centosLocal centos]$

Generally, the default umask in CentOS will be okay. Where we usually run into trouble with the default of 0022 is when different departments belonging to different groups need to collaborate on projects.
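The script below is an added example, not from the original tutorial, that works out the arithmetic behind the umask transcript above and the collaboration remark: a new file starts from 0666 and a new directory from 0777, and every bit set in the mask is cleared from that base, which is the "negated" logic the text refers to. The function names are the example's own. One consequence worth seeing in numbers: a 4 in the mask clears read and leaves write and execute (0777 & ~0400 = 0377), so the row for 4 in the umask table above, which reads the same as the row for 2, should be read that way.

```shell
#!/bin/sh
# Added example (not from the original tutorial): what a umask does, in octal
# arithmetic. Files start at 0666, directories at 0777; masked bits are cleared.

# Accept a mask of one to four octal digits (umask prints four, e.g. 0022).
valid_mask() {
    case "$1" in
        [0-7]|[0-7][0-7]|[0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) return 0 ;;
        *) echo "umask must be 1-4 octal digits, got '$1'" >&2; return 1 ;;
    esac
}

# Mode a new object receives under a mask: umask_result MASK file|dir -> e.g. 644
umask_result() {
    valid_mask "$1" || return 1
    case "$2" in
        file) base=$((0666)) ;;
        dir)  base=$((0777)) ;;
        *) echo "second argument must be file or dir" >&2; return 1 ;;
    esac
    # "0$1" forces the mask to be read as octal; ~ clears exactly the masked bits
    printf '%03o\n' "$(( base & ~0$1 ))"
}

# The mask needed so that new directories get a wanted mode, e.g. 775 -> 002.
# New files under the same mask get that mode without the x bits (775 -> 664),
# because a umask can only remove bits from the 0666 base, never add them.
umask_for_dir_mode() {
    case "$1" in
        [0-7][0-7][0-7]) ;;
        *) echo "expected three octal digits, got '$1'" >&2; return 1 ;;
    esac
    printf '%03o\n' "$(( 0777 & ~0$1 ))"
}

# Demonstration, matching the transcript above (0022, then umask 077)
umask_result 022 file      # 644  -> -rw-r--r--
umask_result 022 dir       # 755  -> drwxr-xr-x
umask_result 077 file      # 600  -> -rw-------
umask_result 077 dir       # 700  -> drwx------
umask_result 400 dir       # 377  -> a 4 in the mask leaves write and execute
umask_for_dir_mode 775     # 002  -> group collaboration: group writes, other only reads/enters
umask_for_dir_mode 750     # 027  -> group reads/enters, other gets nothing
```

For the collaboration case in the text, umask_for_dir_mode 775 gives 002, which is the value to put in /etc/profile or ~/.bashrc for the collaborating accounts; umask 027 is the tighter choice when other users on the system should see nothing of a department's files.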

This is where the role of a system administrator comes in, to balance the operations and design of the CentOS operating system.