Unix File Permissions

  In Unix, every file has the following attributes:

  • Owner permissions: determine what the file's owner may do;
  • Group permissions: what a user who belongs to the file's group may do;
  • Other permissions: what all other users may do.

The Permission Indicators

$ ls -l /home/amrood
-rwxr-xr--  1 amrood   users 1024  Nov 2 00:10  myfile
drwxr-xr--  1 amrood   users 1024  Nov 2 00:10  mydir

  The access permissions are divided into three groups of three characters each, starting at the second character of the first column. The three access modes are written read (r), write (w) and execute (x).

  • The first group of characters (2-4) represents the file owner's permissions. For example, -rwxr-xr-- means the owner has read (r), write (w) and execute (x) permission;
  • The second group of characters (5-7) represents the group's permissions. For example, -rwxr-xr-- means the group has read (r) and execute (x) permission but not write (w);
  • The third group of characters (8-10) represents the permissions of all other users. For example, -rwxr-xr-- means other users have read (r) permission but neither execute (x) nor write (w).
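To make the column positions concrete, here is an added example (my own code, not from the original page; the function names are my own) that decodes the mode field of an ls -l line into its three triplets and the matching octal value. It handles only r, w and x; the setuid/setgid letters are covered in the SUID/SGID section.

```python
"""Decode the 10-character mode field printed by `ls -l` into its
three permission triplets and the equivalent octal number."""

# Letter ls prints for each slot of a triplet, and the bit value of that slot.
TRIPLET_BITS = (("r", 4), ("w", 2), ("x", 1))

# First character of the ls -l mode field -> file type.
FILE_TYPES = {"-": "regular file", "d": "directory", "l": "symlink",
              "c": "character device", "b": "block device",
              "p": "named pipe", "s": "socket"}


def triplet_to_int(triplet):
    """'r-x' -> 5. Each of the three slots is either its letter or '-'."""
    if len(triplet) != 3:
        raise ValueError("a permission triplet has exactly 3 characters: %r" % triplet)
    value = 0
    for ch, (letter, bit) in zip(triplet, TRIPLET_BITS):
        if ch == letter:
            value |= bit
        elif ch != "-":
            raise ValueError("unexpected %r in triplet %r" % (ch, triplet))
    return value


def int_to_triplet(value):
    """5 -> 'r-x' (the same mapping as the Ref column of the absolute-mode table)."""
    if not 0 <= value <= 7:
        raise ValueError("a triplet value is a single octal digit 0-7")
    return "".join(letter if value & bit else "-" for letter, bit in TRIPLET_BITS)


def parse_ls_mode(field):
    """Split '-rwxr-xr--' into its parts.

    Returns a dict with the file type, the three triplets exactly as ls prints
    them, and the octal mode (e.g. 0o754) that chmod in absolute mode would use.
    """
    if len(field) != 10:
        raise ValueError("ls -l mode field is 10 characters, got %r" % field)
    kind = FILE_TYPES.get(field[0])
    if kind is None:
        raise ValueError("unknown file type character %r" % field[0])
    owner, group, other = field[1:4], field[4:7], field[7:10]
    octal = (triplet_to_int(owner) << 6) | (triplet_to_int(group) << 3) | triplet_to_int(other)
    return {"type": kind, "owner": owner, "group": group, "other": other, "octal": octal}


def describe(field):
    """Human-readable breakdown, one line per class, like the list above."""
    info = parse_ls_mode(field)
    lines = ["%s, mode %o" % (info["type"], info["octal"])]
    for who in ("owner", "group", "other"):
        bits = info[who]
        granted = [name for name, letter in (("read", "r"), ("write", "w"), ("execute", "x"))
                   if letter in bits]
        lines.append("  %-5s %s -> %s" % (who, bits, ", ".join(granted) or "no permissions"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: the two mode fields from the ls -l listing above.
    print(describe("-rwxr-xr--"))
    print(describe("drwxr-xr--"))
```

Note that ls may append a `+` or `.` after the tenth character when an ACL or security label is present; strip that suffix before handing the field to the parser.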

File Access Modes

Mode     Description
Read     Read permission, e.g. viewing the file's contents
Write    Write permission, e.g. modifying the file's contents
Execute  Execute permission, e.g. running a program file

  For a directory the same letters mean something slightly different: r lists its entries, w creates or removes entries, and x allows entering the directory and reaching the files inside it.

Changing Permissions

chmod

  chmod can be used in two ways:

  • symbolic mode
  • absolute mode

Symbolic Mode

chmod operator  Description
+               add permission
-               remove permission
=               set permission exactly (assign)

  Each operator is preceded by the class it applies to: u (owner), g (group), o (others) or a (all three). The g+w below therefore adds write permission for the group.

hadoop@ubuntu:/usr/local/R$ ls -l action.r
-rw-r--r-x 1 hadoop hadoop 564 Jan  7 18:41 action.r
hadoop@ubuntu:/usr/local/R$ chmod g+w action.r
hadoop@ubuntu:/usr/local/R$ ls -l action.r
-rw-rw-r-x 1 hadoop hadoop 564 Jan  7 18:41 action.r

Absolute Mode

Number  Permission                                                   Ref
0       No permission                                                ---
1       Execute permission                                           --x
2       Write permission                                             -w-
3       Execute and write permission: 1 (execute) + 2 (write) = 3    -wx
4       Read permission                                              r--
5       Read and execute permission: 4 (read) + 1 (execute) = 5      r-x
6       Read and write permission: 4 (read) + 2 (write) = 6          rw-
7       All permissions: 4 (read) + 2 (write) + 1 (execute) = 7      rwx

hadoop@ubuntu:/usr/local/R$ chmod 777 action.r
hadoop@ubuntu:/usr/local/R$ ls -l action.r
-rwxrwxrwx 1 hadoop hadoop 564 Jan  7 18:41 action.r
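The two chmod sessions above (g+w in symbolic mode, 777 in absolute mode) are single instances of a general rule. The following added example is my own code, not part of the original page; the function names and the default umask of 022 are assumptions. It models both modes as operations on the nine permission bits, covering the u/g/o/a classes and the +, - and = operators, including the rule that a clause with no class (such as +w) leaves the umask bits alone, and then applies the result through os.chmod on a temporary file so the model can be compared with what the kernel reports.

```python
"""A model of chmod's two modes, applied to a 9-bit permission value.

apply_chmod(0o645, "g+w")  -> 0o665   (symbolic, as in the action.r session)
apply_chmod(0o645, "777")  -> 0o777   (absolute)
"""
import os
import re
import stat
import tempfile

# Which bits each "who" letter addresses (u=owner, g=group, o=others).
WHO_BITS = {"u": 0o700, "g": 0o070, "o": 0o007}
# Each rwx letter as its bit in every one of the three classes at once.
PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}
CLAUSE = re.compile(r"^([ugoa]*)([+\-=])([rwx]*)$")


def apply_symbolic(mode, spec, umask=0o022):
    """Apply a symbolic spec such as 'g+w', 'u=rwx,go=rx' or 'o-w' to `mode`.

    When a clause names no class at all (e.g. '+x'), chmod treats it as 'a'
    but leaves the bits that are set in the umask untouched; `umask` is a
    parameter so the result does not depend on the calling process.
    """
    new_mode = mode & 0o777
    for clause in spec.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError("bad symbolic clause: %r" % clause)
        who, op, perms = m.groups()
        if who == "":
            affected, omit = 0o777, umask        # all classes, minus umask bits
        elif "a" in who:
            affected, omit = 0o777, 0
        else:
            affected, omit = 0, 0
            for w in who:
                affected |= WHO_BITS[w]
        requested = 0
        for p in perms:
            requested |= PERM_BITS[p]
        bits = requested & affected & ~omit
        if op == "+":
            new_mode |= bits
        elif op == "-":
            new_mode &= ~bits
        else:  # "=": the addressed classes are replaced entirely
            new_mode = (new_mode & ~affected) | bits
    return new_mode


def apply_absolute(spec):
    """'754' -> 0o754. One to three octal digits; the special bits are not modelled here."""
    if not re.fullmatch(r"[0-7]{1,3}", spec):
        raise ValueError("absolute mode is 1-3 octal digits, got %r" % spec)
    return int(spec, 8)


def apply_chmod(mode, spec, umask=0o022):
    """Dispatch like the chmod command: an all-digit spec is absolute, anything else symbolic."""
    if spec.isdigit():
        return apply_absolute(spec)
    return apply_symbolic(mode, spec, umask)


def mode_to_ls(mode):
    """0o665 -> 'rw-rw-r-x' (the nine permission characters of ls -l)."""
    out = ""
    for shift in (6, 3, 0):
        trip = (mode >> shift) & 7
        out += ("r" if trip & 4 else "-") + ("w" if trip & 2 else "-") + ("x" if trip & 1 else "-")
    return out


def chmod_path(path, spec):
    """Apply `spec` to a real file via os.chmod and return the resulting ls-style
    string, so the model above can be checked against the kernel's view."""
    current = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, apply_chmod(current, spec))
    return mode_to_ls(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    # Constructed demo: replay the action.r session on a temporary file.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "action.r")
        with open(path, "w"):
            pass
        os.chmod(path, 0o645)                   # -rw-r--r-x, as in the listing
        print(chmod_path(path, "g+w"))          # rw-rw-r-x
        print(chmod_path(path, "777"))          # rwxrwxrwx
        print(chmod_path(path, "u=rwx,go=rx"))  # rwxr-xr-x
```

The umask handling is the detail most often missed when people script chmod: `chmod +w` on a 644 file changes nothing under the usual umask of 022, while `chmod a+w` would make it world-writable.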

Changing a File's Owner / Group

  • chown: change owner; changes the file's owner
  • chgrp: change group; changes the file's group

hadoop@ubuntu:/usr/local/R$ ls -l user.r
-rw-r--r-x 1 hadoop hadoop 348 Jan  7 18:32 user.r
hadoop@ubuntu:/usr/local/R$ sudo chown qiao user.r
hadoop@ubuntu:/usr/local/R$ ls -l user.r
-rw-r--r-x 1 qiao hadoop 348 Jan  7 18:32 user.r
hadoop@ubuntu:/usr/local/R$ sudo chgrp root user.r
hadoop@ubuntu:/usr/local/R$ ls -l user.r
-rw-r--r-x 1 qiao root 348 Jan  7 18:32 user.r

SUID/SGID

Often when a command is executed, it will have to be executed with special privileges in order to accomplish its task.

As an example, when you change your password with the passwd command, your new password is stored in the file /etc/shadow.

As a regular user, you do not have read or write access to this file for security reasons, but when you change your password, you need to have the write permission to this file. This means that the passwd program has to give you additional permissions so that you can write to the file /etc/shadow.

Additional permissions are given to programs via a mechanism known as the Set User ID (SUID) and Set Group ID (SGID) bits.

When you execute a program that has the SUID bit enabled, you inherit the permissions of that program's owner. Programs that do not have the SUID bit set are run with the permissions of the user who started the program.

The same applies to SGID: normally a program runs with your group permissions, but with the SGID bit set your group is changed, just for that program, to the group that owns the program.

The SUID and SGID bits will appear as the letter "s" if the permission is available. The SUID "s" bit is located in the permission bits where the owner's execute permission normally resides; ls prints a lowercase "s" when the execute bit is also set and an uppercase "S" when the special bit is set without execute permission.