Linux user permission management, chmod, ln
1 The /etc/passwd file
Username  Password  UID  GID  Full Name  Home directory  Default shell
asn:x:1000:1000:asnjudy@163.com:/home/asn:/bin/bash
sshd:x:116:65534::/var/run/sshd:/usr/sbin/nologin
2 The /etc/group file
Group name  Password  GID
View the groups that user asn belongs to:
adm:x:4:syslog,asn
cdrom:x:24:asn
sudo:x:27:asn
dip:x:30:asn
plugdev:x:46:asn
lpadmin:x:108:asn
asn:x:1000:
sambashare:x:124:asn
docker:x:125:asn
View the group that sshd belongs to (GID 65534 from /etc/passwd):
nogroup:x:65534:
3 Read, write and execute permissions on files
u  the user who owns the file
g  the group that owns the file
o  other users
chmod -R g=rwx testDir
Give the group owning the testDir directory read, write and execute permissions, recursively for everything under it
=============================
chmod - change file mode bits
Syntax:
chmod [OPTION]... MODE[,MODE]... FILE...
chmod [OPTION]... OCTAL-MODE FILE...
chmod [OPTION]... --reference=RFILE FILE...
Description:
chmod changes the file mode bits of each given file according to mode,
which can be either a symbolic representation of changes to make, or an octal number representing the bit pattern for the new mode bits.
The format of a symbolic mode is [ugoa...][[+-=][perms...]...], where perms is either zero or more letters from the set rwxXst, or a single letter from the set ugo.
Multiple symbolic modes can be given, separated by commas.
Format of a symbolic mode:
A combination of the letters ugoa controls which users' access to the file will be changed:
the user who owns it (u): the file's owner, u
other users in the file's group (g): the other users in the file's group (excluding the owner), g
other users not in the file's group (o): users who are not in the file's group, o
or all users (a): all users
If none of these are given, the effect is as if a were given, but bits that are set in the umask are not affected. If none is specified, the default is all users, subject to the umask.
The operator + causes the selected file mode bits to be added to the existing file mode bits of each file; + adds the selected mode bits to each file's existing mode bits
- causes them to be removed;
and = causes them to be added and causes unmentioned bits to be removed except that a directory's unmentioned set user and group ID bits are not affected.
With =, the previously set bits that are not mentioned are removed, except that a directory's unmentioned set-user-ID and set-group-ID bits are left alone
The letters rwxXst select file mode bits for the affected users:
read (r),
write (w),
execute (or search for directories) (x),
execute/search only if the file is a directory or already has execute permission for some user (X): only when the file is a directory, or already has execute permission for some user
set user or group ID on execution (s),
restricted deletion flag or sticky bit (t).
Instead of one or more of these letters, you can specify exactly one of the letters ugo: that is, you may give exactly one of the letters ugo, never several at once
the permissions granted to the user who owns the file (u): the permissions of the user who owns the file
the permissions granted to other users who are members of the file's group (g): the permissions of the other members of the file's group
and the permissions granted to users that are in neither of the two preceding categories (o): the permissions of users in neither of the two categories above
A numeric mode is from one to four octal digits (0-7), derived by adding up the bits with values 4, 2, and 1. Each digit is obtained by adding the bit values 4, 2 and 1
Omitted digits are assumed to be leading zeros.
The first digit selects the set user ID (4) and set group ID (2) and restricted deletion or sticky (1) attributes.
The second digit selects permissions for the user who owns the file: read (4), write (2), and execute (1);
the third selects permissions for other users in the file's group, with the same values; and the fourth for other users not in the file's group, with the same values.
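The following script is an added example, not part of the original notes or of the GNU coreutils documentation: it converts a numeric MODE of one to four octal digits into the nine-character rwx string that ls -l displays, including the set-user-ID, set-group-ID and sticky bits (shown as s/t when the execute bit is also set, S/T when it is not), and then applies a mode to a scratch file so the computed string can be compared with what the kernel reports. The function names and the sample modes are my own choices.

```shell
#!/bin/sh
# Added example (not from the page): numeric chmod MODE -> ls-style rwx string,
# then a live check against chmod + ls on a scratch file.
set -eu

# One rwx triplet for a single octal digit.
# $1 = digit 0-7, $2 = special letter for the x slot (s or t), or empty.
# A special bit without the execute bit is shown upper-case (S/T), as ls does.
rwx_triplet() {
  d=$1; sp=${2:-}
  r=-; w=-; x=-
  [ $((d & 4)) -ne 0 ] && r=r
  [ $((d & 2)) -ne 0 ] && w=w
  [ $((d & 1)) -ne 0 ] && x=x
  if [ -n "$sp" ]; then
    if [ "$x" = x ]; then x=$sp; else x=$(printf '%s' "$sp" | tr 'st' 'ST'); fi
  fi
  printf '%s%s%s' "$r" "$w" "$x"
}

# Full conversion: MODE may have 1 to 4 octal digits; omitted digits are
# leading zeros, exactly as chmod interprets them.
mode_to_symbolic() {
  m=$1
  while [ ${#m} -lt 4 ]; do m=0$m; done
  special=$(printf '%s' "$m" | cut -c1)
  us=''; gs=''; ot=''
  [ $((special & 4)) -ne 0 ] && us=s   # set-user-ID  -> 's' in the owner's x slot
  [ $((special & 2)) -ne 0 ] && gs=s   # set-group-ID -> 's' in the group's x slot
  [ $((special & 1)) -ne 0 ] && ot=t   # sticky       -> 't' in the others' x slot
  printf '%s%s%s' \
    "$(rwx_triplet "$(printf '%s' "$m" | cut -c2)" "$us")" \
    "$(rwx_triplet "$(printf '%s' "$m" | cut -c3)" "$gs")" \
    "$(rwx_triplet "$(printf '%s' "$m" | cut -c4)" "$ot")"
}

# Apply MODE to a scratch file with chmod and read back the permission
# string that ls -ld prints (characters 2-10, after the file-type character).
observed_mode() {
  f=$(mktemp)
  chmod "$1" "$f"
  perms=$(ls -ld "$f" | cut -c2-10)
  rm -f "$f"
  printf '%s' "$perms"
}

# Usage demo: a few modes, including ones with special bits.
for m in 755 640 4755 2644 1777 1776; do
  printf '%4s -> %s\n' "$m" "$(mode_to_symbolic "$m")"
done
printf 'chmod 750 on a scratch file, as ls shows it: %s\n' "$(observed_mode 750)"
```

The 1776 case is the one worth remembering: the sticky bit is set but others have no execute permission, so ls prints a capital T rather than t.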
chmod never changes the permissions of symbolic links; the chmod system call cannot change their permissions. chmod cannot change the permissions of a symbolic link
This is not a problem since the permissions of symbolic links are never used. Because a symbolic link's permissions are never used, there is no need to change them
However, for each symbolic link listed on the command line, chmod changes the permissions of the pointed-to file. But for each symbolic link named on the command line, what chmod changes is the permissions of the file it points to
In contrast, chmod ignores symbolic links encountered during recursive directory traversals. Conversely, during a recursive traversal chmod ignores the symbolic links it encounters
SETUID AND SETGID BITS (set-user-ID and set-group-ID bits)
chmod clears the set-group-ID bit of a regular file, if the file's group ID does not match the user's effective group ID or one of the user's supplementary group IDs, unless the user has appropriate privileges.
If the file's group ID matches neither the user's effective group ID nor one of the user's supplementary group IDs, chmod clears the set-group-ID bit of a regular file (unless the user has the appropriate privileges);
File sh01.sh is owned by user asn and by group asn (the ID of group asn is the file's group ID). The group ID of sh01.sh is the effective group of the user who owns it, so the set-group-ID bit on this file stays in effect.
Create a new group shtestgroup and change the group of sh01.sh from asn to shtestgroup, so that the file's group no longer matches asn's groups and the rule above applies.
Additional restrictions may cause the set-user-ID and set-group-ID bits of MODE or RFILE to be ignored.
This behavior depends on the policy and functionality of the underlying chmod system call. When in doubt, check the underlying system behavior.
chmod preserves a directory's set-user-ID and set-group-ID bits unless you explicitly specify otherwise.
You can set or clear the bits with symbolic modes like u+s and g-s, and you can set (but not clear) the bits with a numeric mode.
RESTRICTED DELETION FLAG OR STICKY BIT
The restricted deletion flag or sticky bit is a single bit, whose interpretation depends on the file type. The restricted deletion flag is a single bit whose meaning depends on the type of the file
For directories, it prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory;
For directories, this bit prevents unprivileged users (which users count as privileged?) from removing or renaming a file in the directory, unless that user owns the file or the directory
this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories like /tmp. This is called the directory's restricted deletion flag, and is commonly seen on world-writable directories such as /tmp.
For regular files on some older systems, the bit saves the program's text image on the swap device so it will load more quickly when run; this is called the sticky bit.
For regular files on some older systems, the bit keeps the program's text image on the swap device so that the program loads faster when run; this is called the sticky bit
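Because the two special-bit sections above describe exactly the attributes an administrator audits (set-user-ID and set-group-ID on executables, and the restricted deletion flag on shared directories), here is an added example, not from the page, that checks a directory tree for them with find. It builds its own constructed scratch tree so it can be exercised without touching real system directories; the function names and the sample file names are my own.

```shell
#!/bin/sh
# Added example (not from the page): audit a tree for set-user-ID / set-group-ID
# files and for world-writable directories that lack the sticky bit.
set -eu

# Regular files carrying set-user-ID (4000) or set-group-ID (2000).
# '-perm -MODE' matches when every bit of MODE is set on the file.
find_setid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Directories anyone can write to (o+w) but without the restricted deletion
# flag, so any user could remove or rename files owned by others inside them.
find_unprotected_shared_dirs() {
  find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Constructed sample tree: one directory like /tmp, one like /tmp without the
# sticky bit, one private directory, one set-user-ID file, one plain file.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir "$root/shared_ok" "$root/shared_bad" "$root/private"
  chmod 1777 "$root/shared_ok"    # world-writable with sticky bit: not flagged
  chmod 777  "$root/shared_bad"   # world-writable, no sticky bit: flagged
  chmod 700  "$root/private"
  : > "$root/helper"; chmod 4755 "$root/helper"   # set-user-ID file: flagged
  : > "$root/plain";  chmod 644  "$root/plain"
  printf '%s\n' "$root"
}

# Human-readable report over one tree.
report_tree() {
  echo "== set-user-ID / set-group-ID files under $1 =="
  find_setid_files "$1"
  echo "== world-writable directories without sticky bit under $1 =="
  find_unprotected_shared_dirs "$1"
}

# Usage demo on the constructed tree; point report_tree at a real path to audit it.
demo_root=$(make_sample_tree)
report_tree "$demo_root"
rm -rf "$demo_root"
```

The numeric arguments to -perm are the same octal digits described in the numeric-mode paragraph: 4000 and 2000 are the first digit's set-user-ID and set-group-ID values, 1000 its sticky value, and 0002 the write bit of the fourth (others) digit.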
Change the mode of each FILE to MODE. With --reference, change the mode of each FILE to that of RFILE.
-c, --changes           like verbose but report only when a change is made
-v, --verbose           output a diagnostic for every file processed
    --no-preserve-root  do not treat '/' specially (the default)
    --preserve-root     fail to operate recursively on '/'
    --reference=RFILE   use RFILE's mode instead of MODE values
-R, --recursive         change files and directories recursively
    --help              display this help and exit
    --version           output version information and exit
Each MODE is of the form '[ugoa]*([-+=]([rwxXst]*|[ugo]))+|[-+=][0-7]+'.
ln is another very important Linux command. Its function is to create a link to a file at another location. Its most commonly used option is -s, used as: ln -s source-file target-file.
When the same file is needed in several directories, there is no need to put an identical copy into every directory that needs it;
put the file in one fixed directory and link to it from the other directories with the ln command.
For example: ln -s /bin/less /usr/local/bin/less
-s stands for symbolic.
Two points to note here:
1) ln keeps every linked copy in sync: whichever one you modify, the others change in the same way;
2) ln links come in two kinds, soft links and hard links; with either kind the files stay in sync.
A soft link is ln -s ** **: it only creates an "image" of the file at the chosen location and takes no disk space of its own
A hard link is ln ** ** without the -s option: it creates, at the chosen location, a file the same size as the source file
If, when listing a directory with ls, you see a @ after a file name, that is a file created with ln; use ls -l to see the path the link points to.
Command name: ln
Permission: all users
Usage: ln [options] source dist
options: [-bdfinsvF] [-S backup-suffix] [-V {numbered,existing,simple}] [--help] [--version] [--]
Description: Linux/Unix file systems have the notion of a link, which can be thought of as an alias for a file. Links come in two kinds: hard links and symbolic (soft) links.
A hard link means one file can have several names, whereas a soft link creates a special file whose content is the location of another file.
A hard link must live on the same file system; a soft link can cross file systems.
ln source dist creates a link file dist (linked to source); whether a hard link or a soft link is made is decided by the options.
Neither a hard link nor a soft link copies the original file; both take only a very small amount of disk space.
-f  delete any existing file named dist before linking
-d  allow the system administrator to hard-link directories
-i  ask before deleting an existing file named dist
-n  when making a soft link, treat dist as an ordinary file
-s  make a symbolic (soft) link
-v  print the file name before linking
-b  back up files that would be overwritten or deleted when linking
-S SUFFIX  append SUFFIX to the names of backup files
-V METHOD  choose the backup method
--help  show help
--version  show the version
Examples:
Create a soft link sh01-slink.sh from the file sh01.sh. The resulting soft link file is 7 bytes in size (the length of the target name "sh01.sh"),
$ ln -s sh01.sh sh01-slink.sh
Create a hard link sh01-hlink.sh from the file sh01.sh. The hard link makes sh01-hlink.sh a second name for the same content as sh01.sh (it looks like an ordinary file and is tied to the source; a change made through either name is seen through the other)
$ ln sh01.sh sh01-hlink.sh
View the files:
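As an added example (not the page's own session, and the file content is constructed), the following script recreates the sh01.sh / sh01-slink.sh / sh01-hlink.sh setup from the examples above in a scratch directory and uses ls to show what distinguishes the two link kinds: the hard link shares the source's inode and raises its link count to 2, the soft link has its own inode and a size equal to the length of the target name (7 bytes), and after the source name is removed the hard link still holds the data while the soft link dangles. The helper names are my own.

```shell
#!/bin/sh
# Added example (not from the page): hard link vs soft link, observed with ls.
set -eu

# Constructed scratch directory holding the source file and both links.
link_demo_setup() {
  d=$(mktemp -d)
  printf 'hello\n' > "$d/sh01.sh"       # sample content, not from the page
  ln -s sh01.sh "$d/sh01-slink.sh"      # soft link: a file whose content is the target name
  ln "$d/sh01.sh" "$d/sh01-hlink.sh"    # hard link: a second name for the same inode
  printf '%s\n' "$d"
}

# Inode number of the path itself (ls -d does not follow a symlink argument).
inode_of() { ls -di "$1" | awk '{print $1}'; }

# Hard-link count, the second column of ls -ld.
link_count() { ls -ld "$1" | awk '{print $2}'; }

# Size in bytes, the fifth column of ls -ld; for a symlink this is the target name's length.
size_of() { ls -ld "$1" | awk '{print $5}'; }

# Succeeds when both names refer to the same inode, i.e. are hard links of each other.
same_inode() { [ "$(inode_of "$1")" = "$(inode_of "$2")" ]; }

# Remove the original name and report what is left: the hard link's content,
# and whether the soft link now dangles (-L true but -e false).
remove_source() {
  rm "$1/sh01.sh"
  hard=$(cat "$1/sh01-hlink.sh")
  if [ -L "$1/sh01-slink.sh" ] && [ ! -e "$1/sh01-slink.sh" ]; then soft=dangling; else soft=intact; fi
  printf '%s %s' "$hard" "$soft"
}

# Usage demo.
d=$(link_demo_setup)
ls -li "$d"
printf 'hard link shares the inode: %s\n' "$(same_inode "$d/sh01.sh" "$d/sh01-hlink.sh" && echo yes || echo no)"
printf 'soft link shares the inode: %s\n' "$(same_inode "$d/sh01.sh" "$d/sh01-slink.sh" && echo yes || echo no)"
printf 'link count of sh01.sh: %s, symlink size: %s bytes\n' "$(link_count "$d/sh01.sh")" "$(size_of "$d/sh01-slink.sh")"
printf 'after rm sh01.sh: %s\n' "$(remove_source "$d")"
rm -rf "$d"
```

The ls -li listing is the "view the files" step: the @ marker mentioned earlier appears only with ls -F, but ls -l always shows the symlink as type l followed by "-> sh01.sh".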