Product SiteDocumentation Site

9.3. 管理权限

Linux 是一个典型的多用户系统,这就有必要提供许可制度来控制对文件和目录的操作,其中包含了所有的系统资源和设备(在Unix 系统中,任何设备都由文件或目录来表示)。这一原则对所有Unix 系统通用,这里再提醒一下,特别是对一些有趣的相对高级应用。

9.3.1. Owners and Permissions

每个文件和文件夹有三种用户许可类型:
  • 所有者 (使用符号 u “user”首字母);
  • 所有者群组(使用符号 g “group”首字母),代表组中的所有成员;
  • 其他(使用符号 o “other”的首字母)。
Three basic types of rights can be combined:
  • 读取(使用符号 r “read”的首字母);
  • 写(使用符号 w “write”的首字母);
  • 执行(使用“eXecute”中的符号 x )。
以文件来说,其权限较容易理解:读取就是允许读取其内容 (包括复制)、写入就是允许改变它、而运行就是执行它 (文件本身必须是程序)。

安全 可执行文件的 setuidsetgid

Two particular rights are relevant to executable files: setuid and setgid (symbolized with the letter “s”). Note that we frequently speak of “bit”, since each of these Boolean values can be represented by a 0 or a 1. These two rights allow any user to execute the program with the rights of its owner or its group, respectively. This mechanism grants access to features requiring higher level permissions than those you would usually have.
由于 setuid root程序在系统层以超级用户的身份运行,有必要确定其安全性和可靠性。实际上,如果用户可以侵入该程序并调用自己设定的命令,就有可能伪装成超级用户并获取系统的所有权限。
If you require running a program under a different user or if a program requires higher permissions, the sudo, su, or runuser commands are usually better choices than using these bits (see 第 8.9.4 节 “共享管理员权限”).
文件夹的处理方式略有不同。读取其条目 (文件及文件夹)、写入包括添加与删除文件、而运行则是进入它 (尤其是使用 cd 命令)。进入文件夹而不必有读取权限,运行已知的文件名,若不知其正确的名称,则无法运行。

安全 文件夹的 setgidsticky bit

setgid 位也适用于目录。在这种目录中新创建的条目会被自动赋予其父目录的所有组,而不是通常情况下那样继承创建者的主用户组。这种设置可以避免几个同组用户在共享文件树中协同工作时(为保持所创建文件的所有组的一致性)而不得不改变自身主用户组的额外工作(使用 newgrp 命令)。
“sticky”位(使用符号“t”)是仅用于目录的许可位。专门用于所有人都有写权限的临时目录(例如 /tmp/):它严格限制删除操作,只有所有者(或者父目录的所有者)可以删除。少了它,所有人都能删除其他用户在 /tmp/中的文件。
有三个控制文件许可权限的命令:
  • chown user file 命令更改文件的所有者;
  • chgrp group file 改变所有群组;
  • chmod rights file 改变文件许可权限。
有两种方法表示权限。其中,符号表示是最易于理解和记忆的。它使用前述的符号链接。可以通过显示的设置(u/g/o),通过设置(=),加(+),或者减(-)定义每种用户的权限类型。一个 u=rwx,g+rw,o-r 格式的命令会赋予所有者读,写和执行权限,给所有组添加读写权限,移除其他用户的读权限。其他命令中未通过加或者减列出的权限保持不变。字母 a是指“所有”,涵盖三种类型的用户,因此 a=rx 命令会赋予三种用户相同的权限(读和执行,没有写)。
与权限相关的(八进制)数字表示:4是读,2是写,1是执行。各种权限组合通过代表的数字求和得到。通过把每个值置于端到端序列不同位置关联不同的用户类型(所有者,所有组,其他用户)。
For instance, the chmod 754 file command will set the following rights: read, write and execute for the owner (since 7 = 4 + 2 + 1); read and execute for the group (since 5 = 4 + 1); read-only for others. The 0 (zero) means no rights; thus chmod 600 file allows for read/write rights for the owner, and no rights for anyone else. The most frequent right combinations are 755 for executable files and directories, and 644 for data files.
要表示特殊权限,可以根据同样的原则在数字上加入第四个前缀位,位 setuidsetgidsticky 分别对应4,2,和1。chmod 4754 会设置前面描述的 setuid 位权限。
八进位标记只适用于对文件的一次性设置所有权限;不能以它加入新的权限,如群组拥有者的读取,因为必须把现在的权限与计算新的数值。

提示 递归操作

有时需要更改整个文件树的权限。以上所有的命令都有 -R 选项来递归操作子目录。
The distinction between directories and files sometimes causes problems with recursive operations. That is why the “X” letter has been introduced in the symbolic representation of rights. It also represents the right to execute, but it applies differently to directories and files.
For directories it adds executable permissions to the chosen user(s). For files, it adds the executable bit only if at least one of the users (owner, group, or others) already has executable permissions. Let's demonstrate it, because this bit can be confusing: 
$ ls test.txt
  -rw-r--r-- 1 daniel daniel 0 18. Nov 01:07 test.txt
  $ chmod u+X test.txt
  $ ls test.txt
  -rw-r--r-- 1 daniel daniel 0 18. Nov 01:07 test.txt
  $ chmod o+x test.txt
  $ ls test.txt
  -rw-r--r-x 1 daniel daniel 0 18. Nov 01:07 test.txt
  $ chmod u+X test.txt
  $ ls test.txt
  -rwxr--r-x 1 daniel daniel 0 18. Nov 01:07 test.txt
The example shows a typical file with its default permissions: its owner can read and write it, the owner's group and all other users can read it. The next operation (u+X) won't add executable permissions for the owner of the file, because permissions to execute have not been assigned. The operation has no effect on the file. Next we assign execute rights for "other" users and repeat the operation. This time it is successful, because at least one user group already had executable permissions.
It is a misconception that this bit will only affect directories. If files and directories have mixed permissions, it is often a good idea to use the find command to locate the targets you want to operate on.

TIP Changing the user and group together

Frequently you want to change the group of a file at the same time that you change the owner. The chown command has a special syntax for that: chown user:group file. This syntax can also be used to recursively (-R) change the ownership of a whole directory.

进阶 umask

When an application creates a file, it assigns indicative permissions, knowing that the system automatically removes certain rights, given by the command umask. Enter umask in a shell; you will see a mask such as 0022. This is simply an octal representation of the rights to be systematically removed. In this case, the write right for the group and other users: With the above umask value, the default for directories 777 becomes 755 and the default permissions for files 666 become 644.
The system's default value is handled by pam_umask(8) and /etc/login.defs.
If you give it a new octal value, the umask command modifies the mask. Used in a shell initialization file (for example, ~/.bashrc or ~/.profile), it will effectively change the default mask for your work sessions.

9.3.2. ACLs - Access Control Lists

Many filesystems, e.g. Btrfs, Ext3, Ext4, JFS, XFS, etc., support the use of Access Control Lists (ACLs). These extend the basic features of file ownership and permission, described in the previous section, and allow for a more fine-grained control of each (file) object. For example: A user wants to share a file with another user and that user should only be able to read the file, but not write or change it.
For some of the filesystems, the usage of ACLs is enabled by default (e.g. Btrfs, Ext3, Ext4). For other filesystems or older systems it must be enabled using the acl mount option - either in the mount command directly or in /etc/fstab. In the same way the usage of ACLs can be disabled by using the noacl mount option. For Ext* filesystems one can also use the tune2fs -o [no]acl /dev/device command to enable/disable the usage of ACLs by default. The default values for each filesystem can usually be found in their homonym manual pages in section 5 (filesystem(5)) or in mount(8).
After enabling ACLs, permissions can be set using the setfacl(1) command, while getfacl(1) allows one to retrieve the ACLs for a given object or path. These commands are part of the acl package. With setfacl one can also configure newly created files or directories to inherit permissions from the parent directory. It is important to note that ACLs are processed in their order and that an earlier entry that fits the situation has precedence over later entries.
If a file has ACLs set, the output of the ls -l command will show a plus-sign after the traditional permissions. When using ACLs, the chmod command behaves slightly different, and umask might be ignored. The extensive documentation, e.g. acl(5) contains more information.