File: docs/books/admin_guide/14-special-authority.md (20 additions, 11 deletions)
@@ -1,5 +1,5 @@
1
1
---
2
-
title: Special Authority
2
+
title: Special permissions
3
3
author: tianci li
4
4
contributors: Serge, Ganna Zhyrnova
5
5
tags:
@@ -69,13 +69,14 @@ For directory:
69
69
70
70
For directories, **r** and **x** permissions usually appear at the same time.
71
71
72
-
## Special authority
72
+
## Special permissions
73
73
74
74
In GNU/Linux, in addition to the basic permissions mentioned above, there are also some special permissions, which we will introduce one by one.
75
75
76
76
### ACL permissions
77
77
78
-
What is ACL?
78
+
**Q: What is ACL?**
79
+
79
80
ACL(Access Control List), the purpose is to solve the problem that the three identities under Linux can not meet the needs of resource permission allocation.
80
81
81
82
For example, the teacher gives lessons to the students, and the teacher creates a directory under the root directory of OS. Only the students in this class are allowed to upload and download, and others are not allowed. At this point, the permissions for the directory are 770. One day, a student from another school came to listen to the teacher, how should permissions be assigned? If you put this student in the **owner group**, he will have the same permissions as the students in this class - **rwx**. If the student is put into the **other users**, he will not have any permissions. At this time, the basic permission allocation cannot meet the requirements, and you need to use ACL.
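Review bot: the unchanged line directly under the new `**Q: What is ACL?**` heading, "ACL(Access Control List), the purpose is to solve the problem that the three identities under Linux can not meet the needs of resource permission allocation.", is a fragment and is missing the space in `ACL(Access`; since the hunk already touches the line above it, reword it here, e.g. "ACL (Access Control List) solves the problem that the three Linux identities (owner, group, others) cannot always express the permission assignment that is needed." This hunk also introduces the bold `**Q: ...**` convention; the same form (capital letter after `Q:`, no stray spaces inside the `**` markers, no nested bold) should be used for every question converted later in this diff.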
@@ -86,7 +87,8 @@ There is a similar feature in the Windows operating system. For example, to assi
86
87
87
88
The same is true of GNU/Linux: add the specified user/group to the file/directory and grant the appropriate permissions to complete the ACL permission assignment.
88
89
89
-
How do I enable an ACL?
90
+
**Q: How do I enable an ACL?**
91
+
90
92
You need to find the file name of the device where the mount point is located and its partition number. For example, on my machine, you could do something like this:
91
93
92
94
```bash
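Review bot: the new `**Q: How do I enable an ACL?**` is followed immediately by "You need to find the file name of the device where the mount point is located and its partition number." without saying what the device name is for; add one sentence stating that the device is looked up to check whether the filesystem is mounted with ACL support (the `acl` mount option) before the command block, otherwise the reader cannot tell how finding a partition number answers the question.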
@@ -186,7 +188,8 @@ other::---
186
188
187
189
#### Maximum valid permissions of ACL
188
190
189
-
When using the `getfacl` command, what does the "mask:: rwx" in the output message mean?
191
+
**Q: When using the `getfacl` command, what does the "mask:: rwx" in the output message mean?**
192
+
190
193
The **mask** is used to specify the maximum valid permissions. The permissions given to the user are not real permissions, the real permissions can only be obtained by using the "logical and" of the user's permissions and mask permissions.
191
194
192
195
!!! info
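Review bot: the question quotes the entry as `"mask:: rwx"` with a space after the colons, but `getfacl` prints it as `mask::rwx`; the quoted text should match the real output. The unchanged explanation below it also needs a qualifier: the mask bounds named users, named groups and the owning group (`group::`) but not the owner (`user::`) or `other::`, so "the permissions given to the user" should read "the permissions given to a named user or group". That sentence is also a comma splice ("...are not real permissions, the real permissions can only be obtained..."); split it into two sentences.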
@@ -234,7 +237,8 @@ Shell > setfacl -b FILE_NAME
234
237
235
238
#### Default and recursion of ACL permissions
236
239
237
-
What is the recursion of ACL permissions?
240
+
**Q: What is the recursion of ACL permissions?**
241
+
238
242
For ACL permissions, this means that when the parent directory sets ACL permissions, all subdirectories and sub-files will have the same ACL permissions.
239
243
240
244
!!! info
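Review bot: the unchanged line under the new question says recursion means "all subdirectories and sub-files will have the same ACL permissions"; insert "existing" before "subdirectories", because `setfacl -R` only walks what is already in the tree, and the section heading "Default and recursion of ACL permissions" pairs it with default ACLs, which are the mechanism for files created afterwards. Without that word this sentence contradicts the next hunk's answer ("The answer is no, because the newly created file is after the command ... is executed").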
@@ -260,7 +264,8 @@ Shell > ls -l /project
260
264
-rw-r-xr--+ 1 root root 0 Jan 12 14:35 file2
261
265
```
262
266
263
-
Now there is a question: if I create a new file in this directory, does it have ACL permission?
267
+
**Q: if I create a new file in this directory, does it have ACL permission?**
268
+
264
269
The answer is no, because the newly created file is after the command `setfacl-m u:tom:rx -R /project` is executed.
265
270
266
271
```bash
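Review bot: the command in the unchanged answer line, `setfacl-m u:tom:rx -R /project`, is missing the space between `setfacl` and `-m` and would fail as written; fix it to `setfacl -m u:tom:rx -R /project` while this block is being edited. The new question also begins with a lowercase "if" after `Q:` (`**Q: if I create a new file in this directory, does it have ACL permission?**`), unlike every other converted question in this diff; capitalize it.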
@@ -308,7 +313,8 @@ The role of "SetUID":
308
313
* The executor of the command obtains the identity of the owner of the program file when executing the program.
309
314
* The identity change is only valid during execution, and once the binary program is finished, the executor's identity is restored to the original identity.
310
315
311
-
Why does GNU/Linux need such strange permissions?
316
+
**Q: Why does GNU/Linux need such strange permissions?**
317
+
312
318
Take the most common `passwd` command as an example:
313
319
314
320

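Review bot: the unchanged bullets above the new question say the executor "obtains the identity of the owner of the program file"; be precise that only the effective UID is changed while the real UID remains the caller's, since that distinction is what the `passwd` example introduced on the next line depends on (the program runs with root's effective UID but still knows which user invoked it). The question wording "such strange permissions" is informal for an admin guide; "Why does GNU/Linux need these special permissions?" fits the renamed section better.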
@@ -453,7 +459,8 @@ The role of "Sticky BIT":
453
459
454
460
SBIT is represented by the number **1**.
455
461
456
-
Can the file or directory have **7755** permission?
462
+
**Q: Can the file or directory have **7755** permission?**
463
+
457
464
No, they are aimed at different objects. SUID is for executable binary files; SGID is used for executable binaries and directories; SBIT is only for directories. That is, you need to set these special permissions according to different objects.
458
465
459
466
The directory **/tmp** has SBIT permission. The following is an example:
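Review bot: `**Q: Can the file or directory have **7755** permission?**` nests bold inside bold; Markdown treats the inner `**` as closing and reopening emphasis, so the line renders with broken emphasis or literal asterisks. Drop the inner markers or put the mode in backticks: `**Q: Can a file or directory have `7755` permission?**`. Separately, the unchanged answer "No, they are aimed at different objects" is too strong: `chmod 7755` is accepted on either object type; the point is that SUID has no effect on a directory and SBIT has no effect on a regular file, so the answer should say the bits can be set but are not all meaningful on the same object.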
@@ -621,10 +628,12 @@ Shell > chattr -a /etc/tmpfile1 /etc/dira/
621
628
622
629
!!! question
623
630
624
-
What happens when I set the ai attribute on a file?
631
+
**Q: What happens when I set the ai attribute on a file? **
632
+
625
633
You cannot do anything with the file other than to view it.
626
634
627
-
What about the directory?
635
+
**Q: What about the directory?**
636
+
628
637
Allowed are: free modification, appending file contents, and viewing.
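Review bot: `**Q: What happens when I set the ai attribute on a file? **` has a space before the closing `**`; in CommonMark a closing emphasis delimiter must not be preceded by whitespace, so the bold never closes and the asterisks render literally. Remove the space. Because both questions sit under the `!!! question` admonition, they also need the admonition's four-space indentation to stay inside it; confirm the rename kept it. The second answer, "Allowed are: free modification, appending file contents, and viewing.", should state that these apply to files that already exist inside the directory, since with `i` set on the directory itself no entries can be created, deleted or renamed.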