Unix Quick Tutorial

Unix / Linux - File Permission / Access Modes

In this chapter, we discuss file permissions and access modes in Unix in detail. File ownership is an important component of Unix: it is the basis on which the system decides who may read, change or run a file. Every file in Unix carries the following three sets of permissions −

  1. Owner permissions − The owner's permissions determine what actions the owner of the file can perform on the file.

  2. Group permissions − The group's permissions determine what actions a user who is a member of the group that owns the file can perform on it.

  3. Other (world) permissions − The permissions for others determine what actions all other users can perform on the file.

Only one of the three sets applies to any given access: the kernel uses the owner set if you own the file, otherwise the group set if you belong to the file's group, otherwise the other set. It never falls through to a more permissive set, so a file with mode ----rwxrwx is unreadable by its own owner while everyone else can read it (the owner can still chmod it back, because changing a mode requires ownership, not permission bits).

The Permission Indicators

When you run the ls -l command, the first column of each line shows the permissions of that file or directory −

$ls -l /home/amrood
-rwxr-xr--  1 amrood   users 1024  Nov 2 00:10  myfile
drwxr-xr--  1 amrood   users 1024  Nov 2 00:10  mydir

Here, the first column represents the access mode, i.e., the permissions associated with the file or directory. The very first character is the file type (- for a regular file, d for a directory, l for a symbolic link); the remaining nine characters are the permission bits.

The nine permission characters are broken into groups of three, and each position in a group denotes a specific permission, in this order: read (r), write (w), execute (x) −

  1. The first three characters (positions 2-4) represent the permissions of the file's owner. For example, -rwxr-xr-- means that the owner has read (r), write (w) and execute (x) permission.

  2. The second group of three characters (positions 5-7) holds the permissions of the group that owns the file. For example, -rwxr-xr-- means that the group has read (r) and execute (x) permission, but no write permission.

  3. The last group of three characters (positions 8-10) represents the permissions for everyone else. For example, -rwxr-xr-- means that everyone else has read (r) permission only.

File Access Modes

The permissions of a file are the first line of defense in the security of a Unix system. The basic building blocks of Unix permissions are the read, write and execute permissions, described below −

Read

Grants the capability to read, i.e., view the contents of the file.

Write

Grants the capability to modify the contents of the file, including truncating it to nothing. Note that deleting or renaming the file is not governed by this bit but by the write permission of the directory that contains it.

Execute

A user with execute permission can run the file as a program. For an interpreted script (one starting with #!), the interpreter must also be able to read the file, so scripts need r as well as x.

Directory Access Modes

Directory access modes are listed and organized in the same manner as for any other file, but the three bits mean something different −

Read

Read access to a directory means the user can list its contents, i.e., see the filenames inside it. On its own it reveals only the names: without execute permission as well, the entries cannot be opened or even stat'ed.

Write

Write access means the user can add, delete or rename entries in the directory (it must be combined with execute permission to be usable). Because deleting and renaming are controlled here and not by the file, a user with write access to a directory can remove a file in it that they cannot read or write. The sticky bit, described later in this chapter, exists to limit this in shared directories.

Execute

Executing a directory doesn't really make sense, so think of this as search or traverse permission: it lets a user access entries by name, pass through the directory on the way to a path below it, and cd into it.

For example, a user must have execute permission on /bin in order to run /bin/ls, since the kernel has to look the name up in that directory, and on any directory they want to cd into. Execute without read makes a directory traversable but not listable: files in it can be reached only by someone who already knows their names.
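The following is an added example and not part of the original tutorial: a POSIX shell function that builds a scratch directory (the names d and file are made up for the demo) and probes what each directory permission bit actually allows, using only mktemp, chmod, ls, cat and rm. Because root bypasses these mode checks entirely, the function reports SKIP when run as root rather than producing misleading results.

```shell
#!/bin/sh
# Added example: what r, w and x mean on a DIRECTORY, probed on a scratch tree.
# Root bypasses mode bits entirely, so the demo reports SKIP instead of
# misleading results when run as root.

# probe CMD... -> prints "ok" if CMD succeeds, "denied" otherwise
probe() {
    if "$@" >/dev/null 2>&1; then echo ok; else echo denied; fi
}

# dir_perm_demo -> one summary line covering four directory modes
dir_perm_demo() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "SKIP: root bypasses mode bits"
        return 0
    fi
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/d"
    printf 'secret\n' > "$tmp/d/file"
    chmod 444 "$tmp/d/file"           # the FILE itself is read-only for everyone

    # r--  names can be listed, but no entry can be opened
    chmod 400 "$tmp/d"
    if ls "$tmp/d" 2>/dev/null | grep -q '^file$'; then r_list=ok; else r_list=denied; fi
    r_read=$(probe cat "$tmp/d/file")

    # --x  nothing can be listed, but a known name can still be opened
    chmod 100 "$tmp/d"
    if ls "$tmp/d" 2>/dev/null | grep -q '^file$'; then x_list=ok; else x_list=denied; fi
    x_read=$(probe cat "$tmp/d/file")

    # r-x  the read-only file cannot be deleted: no write bit on the directory
    chmod 500 "$tmp/d"
    rx_rm=$(probe rm -f "$tmp/d/file")

    # -wx  the same read-only file CAN be deleted: deletion is a directory right,
    #      the file's own mode bits are irrelevant
    chmod 300 "$tmp/d"
    wx_rm=$(probe rm -f "$tmp/d/file")

    chmod 700 "$tmp/d"
    rm -rf "$tmp"
    printf 'r--:list=%s,read=%s --x:list=%s,read=%s r-x:rm=%s -wx:rm=%s\n' \
        "$r_list" "$r_read" "$x_list" "$x_read" "$rx_rm" "$wx_rm"
}

dir_perm_demo
# expected as an ordinary user:
# r--:list=ok,read=denied --x:list=denied,read=ok r-x:rm=denied -wx:rm=ok
```

The last two probes are the security-relevant ones: a mode-444 file survives in a directory the user can only read and search, and disappears as soon as the directory grants write plus execute, regardless of what the file's own bits say.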

Changing Permissions

To change the permissions of a file or directory, use the chmod (change mode) command. Only the owner of the file (or root) may change its mode; the permission bits themselves are not consulted, so an owner can always recover from a mode that is too restrictive. There are two ways to use chmod: the symbolic mode and the absolute mode.

Using chmod in Symbolic Mode

The easiest way for a beginner to modify file or directory permissions is the symbolic mode. A symbolic mode names the permission set with u (owner), g (group), o (others) or a (all three), followed by one of the operators in the table below and then the permissions to apply (r, w, x). Several such clauses may be joined with commas.

Sr.No.  Chmod operator & Description
1       +  Adds the designated permission(s) to a file or directory.
2       -  Removes the designated permission(s) from a file or directory.
3       =  Sets the designated permission(s) exactly, clearing any permission in that set that is not listed.

Here's an example using testfile. Running ls -l on testfile shows that the file's permissions are as follows −

$ls -l testfile
-rwxrwxr--  1 amrood   users 1024  Nov 2 00:10  testfile

Then each operator from the preceding table is applied to testfile with chmod, followed by ls -l, so you can see the permissions change −

$chmod o+wx testfile
$ls -l testfile
-rwxrwxrwx  1 amrood   users 1024  Nov 2 00:10  testfile
$chmod u-x testfile
$ls -l testfile
-rw-rwxrwx  1 amrood   users 1024  Nov 2 00:10  testfile
$chmod g=rx testfile
$ls -l testfile
-rw-r-xrwx  1 amrood   users 1024  Nov 2 00:10  testfile

Here's how you can combine these commands on a single line (the mode argument must contain no spaces) −

$chmod o+wx,u-x,g=rx testfile
$ls -l testfile
-rw-r-xrwx  1 amrood   users 1024  Nov 2 00:10  testfile

Using chmod with Absolute Permissions

The second way to modify permissions with the chmod command is to give each set of permissions as an octal digit: three digits, in the order owner, group, others.

Each permission is assigned a value, as the following table shows, and the sum of the values in a set is that set's digit. An optional fourth digit in front carries the special bits covered later in this chapter (4 = setuid, 2 = setgid, 1 = sticky).

Number   Octal Permission Representation                               Ref
0        No permission                                                 ---
1        Execute permission                                            --x
2        Write permission                                              -w-
3        Execute and write permission: 1 (execute) + 2 (write) = 3     -wx
4        Read permission                                               r--
5        Read and execute permission: 4 (read) + 1 (execute) = 5       r-x
6        Read and write permission: 4 (read) + 2 (write) = 6           rw-
7        All permissions: 4 (read) + 2 (write) + 1 (execute) = 7       rwx

Here's an example using testfile. Running ls -l on testfile shows that the file's permissions are as follows −

$ls -l testfile
-rwxrwxr--  1 amrood   users 1024  Nov 2 00:10  testfile

Then the following chmod commands are run on testfile, each followed by ls -l, so you can see the permissions change −

$chmod 755 testfile
$ls -l testfile
-rwxr-xr-x  1 amrood   users 1024  Nov 2 00:10  testfile
$chmod 743 testfile
$ls -l testfile
-rwxr---wx  1 amrood   users 1024  Nov 2 00:10  testfile
$chmod 043 testfile
$ls -l testfile
----r---wx  1 amrood   users 1024  Nov 2 00:10  testfile

Unlike the symbolic form, a numeric mode replaces all nine permission bits at once, so the last command leaves the owner with no access at all while everyone else may write and execute the file. The owner can still run chmod on it, since changing a mode requires ownership rather than any permission bit.
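As an added example that is not from the original tutorial, the two POSIX shell functions below convert between the ten-character mode column printed by ls -l and the octal form accepted by chmod. They go beyond the table above in that they also handle the setuid, setgid and sticky bits, which appear in the mode column as s, S, t or T and as a fourth leading octal digit; the sample mode strings in the comments are assumed for illustration.

```shell
#!/bin/sh
# Added example: convert between the ls -l mode column and chmod's octal form,
# including the special bits (setuid, setgid, sticky). POSIX sh; external
# commands (ls, cut) appear only in the demo at the bottom.

# mode_to_octal MODESTRING -> 4-digit octal, e.g. 'drwsr-sr-x' -> 6755.
# Lowercase s/t means the special bit AND the execute bit are set;
# uppercase S/T means the special bit is set but execute is not.
mode_to_octal() {
    m=$1
    if [ "${#m}" -ne 10 ]; then
        echo "mode_to_octal: expected 10 characters, got '$m'" >&2
        return 1
    fi
    rest=${m#?}              # drop the file-type character (-, d, l, ...)
    special=0
    digits=""
    for sbit in 4 2 1; do    # special bit carried by this triplet: setuid, setgid, sticky
        trip=${rest%"${rest#???}"}   # next three characters
        rest=${rest#???}
        v=0
        case $trip in
            r??) v=$((v + 4)) ;;
            -??) ;;
            *) echo "mode_to_octal: bad read position in '$trip'" >&2; return 1 ;;
        esac
        case $trip in
            ?w?) v=$((v + 2)) ;;
            ?-?) ;;
            *) echo "mode_to_octal: bad write position in '$trip'" >&2; return 1 ;;
        esac
        case $trip in
            ??x) v=$((v + 1)) ;;
            ??[st]) v=$((v + 1)); special=$((special + sbit)) ;;
            ??[ST]) special=$((special + sbit)) ;;
            ??-) ;;
            *) echo "mode_to_octal: bad execute position in '$trip'" >&2; return 1 ;;
        esac
        digits="$digits$v"
    done
    printf '%s%s\n' "$special" "$digits"
}

# octal_to_mode OCTAL -> 9-character permission string, e.g. 4755 -> rwsr-xr-x.
# Accepts three digits (no special bits) or four.
octal_to_mode() {
    o=$1
    case $o in
        [0-7][0-7][0-7]) o="0$o" ;;
        [0-7][0-7][0-7][0-7]) ;;
        *) echo "octal_to_mode: expected 3 or 4 octal digits, got '$o'" >&2; return 1 ;;
    esac
    special=${o%???}         # leading digit: 4 setuid, 2 setgid, 1 sticky
    rest=${o#?}
    out=""
    for sbit in 4 2 1; do
        d=${rest%"${rest#?}"}    # next digit
        rest=${rest#?}
        if [ $((d & 4)) -ne 0 ]; then r=r; else r=-; fi
        if [ $((d & 2)) -ne 0 ]; then w=w; else w=-; fi
        if [ $((d & 1)) -ne 0 ]; then x=x; else x=-; fi
        if [ $((special & sbit)) -ne 0 ]; then
            # special bit present: s for setuid/setgid, t for sticky;
            # uppercase when the execute bit underneath is absent
            if [ "$sbit" -eq 1 ]; then letter=t; else letter=s; fi
            if [ "$x" = x ]; then
                x=$letter
            elif [ "$letter" = s ]; then
                x=S
            else
                x=T
            fi
        fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# Demo: decode the examples from this chapter and the current directory.
mode_to_octal '-rwxr-xr--'                 # 0754 (myfile above)
mode_to_octal '-r-sr-xr-x'                 # 4555 (a setuid binary such as passwd)
octal_to_mode 743                          # rwxr---wx
octal_to_mode 2775                         # rwxrwsr-x (setgid shared directory)
mode_to_octal "$(ls -ld . | cut -c1-10)"   # cut keeps 10 chars even if ls appends + or .
```

The cut in the last line matters in practice: GNU ls appends a + when the file carries an ACL and a . when it has a security label, so a parser that takes the whole first field would reject exactly the files a security review is most interested in.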

Changing Owners and Groups

When an account is created on Unix, the system assigns it a user ID (UID) and a primary group ID (GID). Every file records an owner UID and a group GID, and the permission sets described above are applied according to them.

Two commands are available to change the owner and the group of files −

  1. chown − The chown command stands for "change owner" and is used to change the owner of a file.

  2. chgrp − The chgrp command stands for "change group" and is used to change the group of a file.

Changing Ownership

The chown command changes the ownership of a file. The basic syntax is as follows −

$ chown user filelist

The value of user can be either the name of a user on the system or the numeric user id (uid) of a user on the system. Implementations also accept the form user:group to change owner and group in one step, and -R to apply the change recursively to a directory tree.

The following example will help you understand the concept −

$ chown amrood testfile
$

Changes the owner of the given file to the user amrood.

NOTE − The super user, root, can change the ownership of any file. On Linux and the BSDs an ordinary user cannot change the owner of a file at all, not even of files they own (on Linux the operation requires the CAP_CHOWN capability): letting users give files away would defeat disk quotas and allow planting files that appear to belong to someone else. Some older System V systems did allow an owner to give their files away.

Changing Group Ownership

The chgrp command changes the group ownership of a file. The basic syntax is as follows −

$ chgrp group filelist

The value of group can be the name of a group on the system or the numeric group ID (GID) of a group on the system. The owner of a file may change its group only to a group they themselves belong to; root may assign any group.

The following example helps you understand the concept −

$ chgrp special testfile
$

Changes the group of the given file to the group special.

SUID and SGID File Permission

Often a command has to run with privileges its caller does not have in order to accomplish its task.

As an example, when you change your password with the passwd command, the hash of your new password is stored in the file /etc/shadow.

As a regular user you have neither read nor write access to this file, for security reasons (it holds the password hash of every account), yet changing your password requires writing to it. This means the passwd program must run with more permission than you have in order to update /etc/shadow.

Additional permissions are given to programs via a mechanism known as the Set User ID (SUID) and Set Group ID (SGID) bits.

When you execute a program that has the SUID bit set, the process runs with the effective user ID of the program's owner rather than yours, so for the lifetime of that program you have the owner's permissions. Programs without the SUID bit run with the permissions of the user who started them.

The same holds for SGID. Normally a program runs with your group permissions; with the SGID bit set, the effective group of the process becomes the group that owns the program file, for that program only.

The SUID and SGID bits appear as the letter "s" in the ls -l output. The SUID "s" replaces the x in the owner's execute position, and the SGID "s" replaces the x in the group's execute position.

For example, the command −

$ ls -l /usr/bin/passwd
-r-sr-xr-x  1   root   bin  19031 Feb 7 13:47  /usr/bin/passwd*
$

shows that the SUID bit is set and that the command is owned by root. A capital S in the execute position instead of a lowercase s means the special bit is set but the execute bit is not; since such a file cannot be run at all, it is almost always a mistake.

Two caveats for practitioners. Because a SUID or SGID program runs with someone else's privileges, every bug in it is a potential privilege escalation, so the set of such binaries on a system should be kept small and audited. And Linux ignores the SUID and SGID bits on interpreted scripts (files starting with #!); they are honoured only on native executables.

A third special bit, the sticky bit, is shown as a t in the others' execute position (T if that execute bit is not set) and is set with chmod +t or a leading octal digit of 1. On modern systems its effect is on directories: if the sticky bit is enabled on a directory, files in it can be removed or renamed only by one of the following users −

  1. The owner of the sticky directory

  2. The owner of the file being removed

  3. The super user, root

The world-writable /tmp directory is the classic example: its mode is drwxrwxrwt, so every user can create files there, but no user can delete or rename another user's files.

To set the SUID and SGID bits on a directory, try the following command −

$ chmod ug+s dirname
$ ls -l
drwsr-sr-x 2 root root  4096 Jun 19 06:45 dirname
$

On a directory the SGID bit is the useful one: files created inside it get the directory's group rather than the creator's primary group, and new subdirectories inherit the bit, which is how shared project directories are set up. The SUID bit on a directory has no effect on Linux. Note also that GNU chmod does not touch a directory's setuid and setgid bits when given a numeric mode of four digits or fewer, such as 755 or 0755; clear them explicitly with chmod u-s,g-s dirname or with a five-digit mode such as 00755.
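As an added example, not code from the original tutorial, the shell functions below build a scratch tree (the file and directory names are invented for the demo), find every entry carrying a setuid, setgid or sticky bit with find -perm -MODE, and strip those bits in symbolic form. This is the check a practitioner runs after reading about SUID: on a real system you would point special_bits_audit at / (adding -xdev to stay on one filesystem) and compare the result against a known-good list.

```shell
#!/bin/sh
# Added example: find and strip the special bits (setuid, setgid, sticky)
# in a directory tree. Run with a real root such as / to audit a system;
# the demo below builds and removes its own scratch tree.

# special_bits_audit ROOT -> three lines: setuid=..., setgid=..., sticky=...
# find -perm -MODE matches entries having ALL bits of MODE set, whatever
# the other bits are: -4000 setuid, -2000 setgid, -1000 sticky.
special_bits_audit() {
    root=$1
    for pair in setuid:4000 setgid:2000 sticky:1000; do
        label=${pair%:*}
        mode=${pair#*:}
        names=$(find "$root" -perm -"$mode" | sed 's#.*/##' | sort | tr '\n' ' ')
        printf '%s=%s\n' "$label" "${names% }"
    done
}

# strip_special PATH -> clear all three bits. The symbolic form is used on
# purpose: GNU chmod leaves a directory's setuid/setgid bits alone when given
# a short numeric mode such as 755, so 'chmod 755 dir' is not a reliable reset.
strip_special() {
    chmod u-s,g-s,o-t "$1"
}

# build_demo_tree -> prints the path of a scratch tree (names invented for the demo)
build_demo_tree() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/plain";     chmod 755 "$tmp/plain"       # ordinary executable
    : > "$tmp/suid_tool"; chmod 4755 "$tmp/suid_tool"  # runs as its owner, like passwd
    : > "$tmp/sgid_tool"; chmod 2755 "$tmp/sgid_tool"  # runs with its group
    mkdir "$tmp/shared";  chmod 2775 "$tmp/shared"     # setgid dir: new files inherit its group
    mkdir "$tmp/dropbox"; chmod 1777 "$tmp/dropbox"    # sticky world-writable dir, like /tmp
    printf '%s\n' "$tmp"
}

demo=$(build_demo_tree)
special_bits_audit "$demo"
# setuid=suid_tool
# setgid=sgid_tool shared
# sticky=dropbox
for p in "$demo"/*; do strip_special "$p"; done
special_bits_audit "$demo"     # all three lines now empty
rm -rf "$demo"
```

The audit deliberately reports directories as well as files: a setgid directory is benign and expected, but a setuid bit on a directory or a sticky bit on a regular file does nothing useful and usually indicates a mistaken chmod worth investigating.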