Recently, I developed a project with several friends, during which I used a server running model. This server is shared by many people, many people have their own accounts on it, and they do not interfere in each other’s internal affairs. Everything seems to be in good order.
Recently, a new hard drive was mounted on this server by a friend who mounted it as root and mapped it to a folder. However, after mounting the folder, he found that he did not have permission to operate under the folder using the normal account, so he simply changed the folder permission to 777. I thought to myself, this still get, change 777, other people in the inside disorderly change how to do? People will die!
Therefore, I will comb this matter in detail under the Linux user, user group, file permissions and other basic knowledge, after reading these, do not always change the folder to 777 permissions.
Basic operation
First, let’s comb through the basic knowledge of Linux users, user groups, file permissions, and so on. Then, a case will be used to demonstrate some operations of permission setting.
First of all, in Linux system, there is the concept of user and user group, user is a symbol of identity, we have to operate a system as a certain user identity, in fact, this corresponds to the account we log in to the system. A user group is a collection of users. We can divide and manage some users by user group.
For example, I want to send a circle of friends in wechat, I just want to give my relatives to see, do I have to tick off all the people one by one when I send? It’s too much trouble. In order to solve this problem, wechat has the concept of tag. We can classify friends in the way of tag in advance, and just check a tag when sending, which is simple and efficient. In fact, this is the concept of user groups, where we can group and categorize certain people, and then just specify the category or group, instead of having an individual figure it out, which saves a lot of time.
In Linux, a user can belong to multiple groups, and a group can contain multiple users. I will use an Ubuntu Linux as an example to demonstrate the related commands and operations.
Users and user groups
To view all users, run the following command:
cut -d':' -f 1 /etc/passwd
Copy the codeResults:
root
daemon
bin
sys
...
ubuntu
mysql
Copy the codeHere is a line of the user name, because there are so many, the part is omitted, in fact, the command is from the password file to list the user name separately.
To view all user groups, the command is similar:
cut -d':' -f 1 /etc/group
Copy the codeResults:
root
daemon
bin
sys
...
ubuntu
mysql
Copy the codeThe results are similar because each user automatically creates a group with the same name as its default user group when it is created.
Here I am using the Ubuntu account to log in. Now let me see which groups the Ubuntu account belongs to.
The command to view the group of a user is in the following format:
gorups <username>
Copy the codeIf the user name is not added, the user will default to the current user.
For example, to view the group to which the Ubuntu user belongs, run the following command:
groups ubuntu
Copy the codeResults:
ubuntu : ubuntu adm cdrom sudo dip plugdev lxd lpadmin sambashare
Copy the codeQuite a few, the user is assigned to a number of groups, such as the group ubuntu with the same name, the sudo group, and a number of other groups.
The sudo group is special. If the account is assigned to this group, it has the root permission and can use the sudo command.
Having learned how to see which groups users belong to, we should also learn how to see which users are in a user group.
To view all users in a user group, run the following command:
members <group>
Copy the codeYou need to install the members package. The following command is available:
sudo apt-get install members
Copy the codeFor example, to view all the users in the sudo user group, that is, the users with root permission:
members sudo
Copy the codeResults:
ubuntu hadoop
Copy the codeAs you can see, there are two root users, Ubuntu and Hadoop, and the results will be different on different machines.
A more useful command is the ID command, which can be used to check the user’s group. The format is as follows:
id <username>
Copy the codeFor example, to view information about Ubuntu users, look like this:
id ubuntu
Copy the codeResults:
uid=500(ubuntu) gid=500(ubuntu) groups=500(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
Copy the codeThere is a GID, which acts as the main group, followed by groups, which lists all the groups that the user is in. There is only one main working group and an unlimited number of the latter. You can see that the result for the user group is the same as the result you would see using the groups command.
Next, let’s look at how to create a user and how to assign users to groups.
Add a user command in the following format:
sudo adduser <username>
Copy the codeFor example, if I wanted to add a user CQC, the command would read:
sudo adduser cqc
Copy the codeThe commands used here are preceded by sudo because, after all, these are system-level operations.
To add a group, run the following command:
sudo groupadd <group>
Copy the codeThe format is similar, followed by a group name. For example, if I want to create a user group for my lab, I can use the following command:
sudo groupadd lab
Copy the codeAdd a user to a group. Add a user to a group.
sudo adduser <username> <group>
Copy the codeOr use the usermod command:
sudo usermod -G <group> <username>
Copy the codeIf you want to add more than one group, you can specify multiple names with the -a option:
sudo usermod -aG <group1,group2,group3.. > <username>Copy the codeFor example, if I want to add user CQC to the sudo group, the command would be:
sudo adduser cqc sudo
Copy the codeOr:
sudo usermod -G sudo cqc
Copy the codeIn this way, users and user groups are associated.
File Permission Management
With that in mind, let’s take a look at file permissions. Let’s look at the list of files in a random directory.
The command for listing details about files in a directory is as follows:
ll
Copy the codeOr use:
ls -l
Copy the codeFor example, here is a list of files in the /etc/nginx directory:
total 80 drwxr-xr-x 7 root root 4096 Jun 21 22:16 ./ drwxr-xr-x 103 root root 4096 Sep 4 18:04 .. / drwxr-xr-x 2 root root 4096 Jul 12 2017 conf.d/ -rw-r--r-- 1 root root 1077 Feb 12 2017 fastcgi.conf -rw-r--r-- 1 root root 1007 Feb 12 2017 fastcgi_params -rw-r--r-- 1 root root 2837 Feb 12 2017 koi-utf -rw-r--r-- 1 root root 2223 Feb 12 2017 koi-win -rw-r--r-- 1 root root 3957 Feb 12 2017 mime.types -rw-r--r-- 1 root root 1505 Jun 21 20:24 nginx.conf -rw-r--r-- 1 root root 12288 Jun 21 20:44 .nginx.conf.swp -rw-r--r-- 1 root root 180 Feb 12 2017 proxy_params -rw-r--r-- 1 root root 636 Feb 12 2017 scgi_params drwxr-xr-x 2 root root 4096 Jun 21 22:42 sites-available/ drwxr-xr-x 2 root root 4096 Jun 21 19:08 sites-enabled/ drwxr-xr-x 2 root root 4096 Jun 21 19:08 snippets/ -rw-r--r-- 1 root root 664 Feb 12 2017 uwsgi_params drwxr-xr-x 2 root root 4096 Jun 22 02:44 vhosts/ -rw-r--r-- 1 root root 3071 Feb 12 2017 win-utfCopy the codeWe notice that each line contains information about a file or folder, which consists of seven columns:
-
The first column is the file’s permission information
-
The second column shows the number of files connected to the folder
-
The third column indicates the user to whom the file belongs
-
The fourth column indicates the user group to which the file belongs
-
The fifth column indicates the file size (in bytes)
-
The sixth column shows the date of last modification
-
The seventh column indicates the file name
The file permission information in the first column is very important and consists of ten characters:
-
The first character represents the type of file, and there are three types, – for this is a file, D for this is a folder, and L for this is a link.
-
Characters 2-4 represent the permissions that the file owner has on the file. R means read, w means write, and x means execute. In the case of a folder, execute means to view the contents of the folder.
-
Characters 5-7 indicate the permissions of the owning group to the file. For example, r-x indicates that all users in the owning group of the file have the permissions to read and execute the file.
-
Characters 8-10 represent the permissions that other users have on the file and have the same meaning. For example, r– represents the non-owner, and users who are not in the user group only have access to the file.
You can use the chmod command to change permissions on a file or directory in several ways.
RWX corresponds to a binary number. For example, 101 represents read and execute permissions. When converted to decimal, r represents 4, W represents 2, and x represents 1. For example, 7=4+2+1, this corresponds to RWX; 5 is equal to 4 plus 1, so that corresponds to r minus x. Accordingly, 777 represents RWXRWXRWX, which means that the owner, owner group, and other users have the permission to read, write, and execute the file, which is quite dangerous!
The commands to grant permission are as follows:
sudo chmod <permission> <file>
Copy the codeFor example, if I want to grant 777 permission to a file.txt, I would write:
sudo chmod 777 file.txt
Copy the codeIn addition, we can also use code to grant permissions, code u, G, O, a four, respectively, representing owner permissions, user group permissions, other user permissions and all user permissions, these code by + and – symbols to control the addition and removal of permissions, followed by the type of permission. For example:
sudo chmod u-x file.txt
Copy the codeRemove the x permission from the owner, which is the execute permission.
sudo chmod g+w file.txt
Copy the codeAdd the w permission, that is, write permission, to the user group.
You can also recursively assign permissions to folders, such as:
sudo chmod -R 777 share
Copy the codeGive 777 permissions to the share folder and everything in it.
Ok, now that we have the permission identifier, we have to associate the user and user group with the file. The commands used here are chown and CHGRP.
The command format is as follows:
sudo chown <username> <file>
sudo chgrp <group> <file>
Copy the codeFor example, if I want to change the owner of file.txt to CQC, I can use the following command:
sudo chown cqc file.txt
Copy the codeIf I want to replace file. TXT with lab, I can use the following command:
sudo chgrp lab file.txt
Copy the codeYou can also recursively use -r to change the owner of the share folder and all its contents to CQC as follows:
sudo chown -R cqc share/
Copy the codeNow that we have chown, CHGRP, and chmod, we have the flexibility to control file permissions.
Practical demonstration
Maybe the above said a little abstract, let’s use an example to demonstrate the process of permission control, through this process, I believe that understanding the above command is no problem.
The first thing is, I’m going to share some files with people from my lab on a host that is being used by other non-lab people, and I just want the lab people to view and modify the files, and no one else.
In addition, my own account should have the highest permission to manage the sharing of these files, that is, to have the root permission.
Now I have logged in to an Ubuntu account, which is system initialized and has root permission.
I’ll simulate creating three accounts and a user group to get the following effect:
-
The account CQC is my own account, which has the highest permission. I can freely adjust the file permission information and assign a user group to a certain user.
-
The account LBD is a staff member of my lab and has no root permission, but it can view and modify the files shared by me.
-
The account SLB is not a member of my lab. It has no root permission and cannot modify the files I share.
Create your own account
First I created an account for myself and added a CQC user:
sudo adduser cqc
Copy the codeThis will prompt you for your password and other information:
Adding user `cqc'... Adding new group `cqc'(1002)... Adding new user `cqc' (1002) with group `cqc'. Creating home directory `/home/cqc'... Copying files from `/etc/skel'. Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully Changing the user informationfor cqc
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
Copy the codeAt this point, a group with the same name is created. Check the group where CQC belongs:
groups cqc
Copy the codeHere are the results:
cqc : cqc
Copy the codeRun the id command to check the information:
id cqc
Copy the codeHere are the results:
uid=1002(cqc) gid=1002(cqc) groups=1002(cqc)
Copy the codeYou can see that the current CQC belongs only to the CQC user group.
Next we create a user group called lab to identify my lab with the following command:
sudo groupadd lab
Copy the codeThen look at the members of the user group:
members lab
Copy the codeThere is no result, indicating that we have created an empty group with no members.
Then we will add the CQC created just now to the group, because I also belong to the lab, I must also add it, the command is as follows:
sudo adduser cqc lab
Copy the codeResults:
Adding user `cqc' to group `lab'. Adding user cqc to group lab Done.Copy the codeThen look at the group members:
members lab
Copy the codeResults:
cqc
Copy the codeIn this way, the LAB group has CQC as a user.
Let’s not forget that CQC also needs to have root permission, so we need to add CQC to sudo group as follows:
sudo adduser cqc sudo
Copy the codeResults:
Adding user `cqc' to group `sudo'. Adding user cqc to group sudo Done.Copy the codeNow that I have successfully joined the sudo group, THE CQC which is my account can use the sudo command.
Check the user status:
id cqc
Copy the codeHere are the results:
uid=1002(cqc) gid=1002(cqc) groups=1002(cqc),27(sudo),1003(lab)
Copy the codeCQC then belongs to three user groups, both as a lab member and as a root user.
We can also use usermod to assign groups:
sudo usermod -aG sudo,lab cqc
Copy the codeThis adds to multiple groups.
Adding lab users
Next, add another lab person, LBD, and then add it to the lab group. The process is similar with the following command:
sudo adduser lbd
sudo adduser lbd lab
Copy the codeAfter running, run the id command to view its information:
id lbd
Copy the codeHere are the results:
uid=1004(lbd) gid=1005(lbd) groups=1005(lbd),1003(lab)
Copy the codeThe LBD is successfully created and added to the lab Lab group.
Add a non-lab user
Finally, add another user SLB, a non-lab member, and create the account as follows:
sudo adduser slb
Copy the codeBut we’re not adding him to the lab group.
Check his status:
id slb
Copy the codeHere are the results:
uid=1003(slb) gid=1004(slb) groups=1004(slb)
Copy the codeSo the status of the three is like this:
id cqc
uid=1002(cqc) gid=1002(cqc) groups=1002(cqc),27(sudo),1003(lab)
id lbd
uid=1004(lbd) gid=1005(lbd) groups=1005(lbd),1003(lab)
id slb
uid=1003(slb) gid=1004(slb) groups=1004(slb)
Copy the codeFile Permission Assignment
Next we create a folder to share lab data under/SRV. Create a folder named share using the mkdir command.
cd /srv
sudo mkdir share
Copy the codeNote that I’m still using the Ubuntu account to create this.
First look at the current directory permissions:
ls -l
Copy the codeHere are the results:
total 12 drwxr-xr-x 3 root root 4096 Sep 4 18:17 ./ drwxr-xr-x 24 root root 4096 Sep 4 18:17 .. / drwxr-xr-x 2 root root 4096 Sep 4 18:17 share/Copy the codeYou can see that the owner of the share file is root, and the user group is root, and the permission is 755, that is, only root has the modification permission, and the others only have the read and execute permission.
Then go to the share folder and create a names.txt:
cd share
sudo vi names.txt
Copy the codeThe edited content is as follows:
cqc
lbd
Copy the codeAfter saving, check the file permissions as follows:
-rw-r----- 1 root root 8 Sep 4 20:00 names.txt
Copy the codeThe permission is 640, which means that only the owner, root, has write permission, and the group in which he belongs has read permission.
At this time, open another terminal and log in to CQC account. In fact, you cannot view and modify any contents of the file. The following modification and read commands will prompt that the permission is insufficient:
vi names.txt
cat names.txt
Copy the codeWhy is that? Because the file was just created by the Ubuntu account using the sudo command, the owner of the file is root, not CQC, so even if the file has 640 permissions, it cannot use the permissions of the file owner, and CQC does not belong to the root group. So you can’t use filegroup permissions anymore, so you can’t see anything, you can’t change anything.
If CQC belongs to the sudo group, you can use the sudo command to temporarily obtain the root permission to operate the file, so you can view and modify the file. Therefore, the following command is valid:
sudo vi names.txt
sudo cat names.txt
Copy the codeHowever, this still requires the use of sudo to modify, which is very inconvenient.
If we changed the owner of the file to CQC, the situation would be different.
Change the owner of names. TXT to CQC using the Ubuntu account:
sudo chown cqc names.txt
Copy the codeCheck the file information:
-rw-r----- 1 cqc root 8 Sep 4 20:29 names.txt
Copy the codeYou can see that the owner information has changed to CQC, so the CQC account can be directly viewed and modified, then it is ok, no longer need to sudo command:
vi names.txt
cat names.txt
Copy the codeThere will be no permission prompt, and sudo will be fine.
Ok, what about the LBD next? Let’s log in and try it.
First, the current file status looks like this:
-rw-r----- 1 cqc root 8 Sep 4 20:31 names.txt
Copy the codeLBD is no longer the owner, so the rw-permission is useless, but it belongs to the lab group, and the file has r–, or read permission, to the user group.
Let’s use the LBD account to try to see the contents of the file:
cat names.txt
cat: names.txt: Permission denied
Copy the codeUnfortunately, it’s not authorized. Because of what? Because the user group of this file is not lab, and the user LBD is not in the root group, so there is no permission.
To do that? Change the user group of the file to lab, use ubuntu or CQC account to operate:
sudo chgrp lab names.txt
Copy the codeIn this way, the user group of the file is successfully changed to lab. Next, use LBD account to check the contents of the file:
cat names.txt
Copy the codeAnd I read it successfully.
However, LBD does not have write permission at this time, because for the user group, the file’s permission is r–. To obtain write permission, we can use the following command:
sudo chmod g+w names.txt
Copy the codeOr:
sudo chmod 660 names.txt
Copy the codeThis is equivalent to granting rW – permission. Let’s try to modify the file using the LBD account:
vi names.txt
Copy the codeWe’ll be fine.
What about SLB for non-lab students? It does not have any permissions, we log in to the SLB account to try to modify and read the file:
cat names.txt
vi names.txt
Copy the codeNo permission.
So, in this way, we’ve succeeded in giving access to people in the lab, whereas people outside the lab have no access to anything.
What if I want to give the SLB read permission? It’s easy, just add it:
sudo chmod o+r names.txt
Copy the codeThis adds read permission for other users. In this case, the SLB can read the file, but cannot modify the file, which is also safer.
Okay, what if I have a lot of files? Let’s say ten or twenty of them are in the share folder. You can’t set permissions one by one, right?
At this time, we only need to operate on the folder. The following command can grant 775 permission to the share folder, that is, the owner CQC and the group LAB can view and modify it, while other people can only see and cannot change it:
sudo chmod -R 775 share/
sudo chown -R cqc share/
sudo chgrp -R lab share/
Copy the codeNote that folders are usually given x permission, otherwise you won’t even have access to the folder. This is why folders are usually given 775 and 755, and files are given 664, 600, 644 and 640.
After granting 775 permissions, share’s permissions become:
drwxrwxr-x 2 cqc lab 4096 Sep 4 20:31 share/
Copy the codeSo other users can only look at it, they can’t change it, so normal files are fine.
If the folder contains executable files, you can also remove x permissions for other users on executable files separately, such as removing executable permissions for Python files:
sudo chmod o-x *.py
Copy the codeAll right, so far, we’ve done the access control with ease!
I believe that if you have the patience to read the words, what user management, permission management, are not under the words!
Hello, my name is Cui Qingcai, a big data engineer of Microsoft China. I work in the Xiaoice department of Microsoft. Of course, this is my career. I also engage in the research and development of Web crawler, Web development, deep learning and other directions.
Personally, I like to summarize and share. This time, I am honored to share my crawler experience with you on the platform of Nuggets, including climbing, parsing, anti-creep, acceleration and so on. I hope you can gain something after listening to it.
I’ll be at the Bilibili studio in Denver this Sunday (October 21) for a live broadcast of the Robust and Efficient Web Crawler. During the live broadcast, I will also send five friends a book of Python3 Web Crawler Development. I hope you can support me.
