Technology, November 12, 2022

Learning Linux permissions. In general, permissions are written like r-x, where:

w: write, modify and delete (2)
r: read (4)
x: execute (1)

A file shows three sets of permissions:

- owner
- group
- other

When you use sudo, you act as the root user, so any file or directory you create belongs to root and not to you. You yourself then have no permission on it: I created a file with sudo, and when I later tried to modify it I was told I had no permission. In a script, the > output redirection then cannot be executed.

The owner has 7 on the file, the group usually 5, and others 5. If I don't want others to read the file, I just chmod 750. But there is a problem: how can one specific person get access? That is, I want someone or a specific group to get permission on a file while others can't. This is what ACLs are for.

1. Granting permission to a specific user

The following grants user st permission on a directory:

    # create a dir named project
    mkdir project
    chmod 770 project/

    # add two users to tgroup
    useradd bimm
    useradd cangls
    groupadd tgroup
    gpasswd -a bimm tgroup
    gpasswd -a cangls tgroup
    chown root:tgroup project/

    # grant permission to user st
    useradd st
    setfacl -m u:st:rx project/

    # ll now shows a +
    [root@bogon temp]# ll -d project/
    drwxrwx---+ 2 root tgroup 16 5月  14 21:14 project/

    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x
    group::rwx
    mask::rwx
    other::---

    # grant permission to group tgroup2
    [root@bogon temp]# setfacl -m g:tgroup2:rwx project/
    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x
    group::rwx
    group:tgroup2:rwx
    mask::rwx
    other::---

2. Changing the mask, the maximum effective permission

When you grant a user or group a permission such as rwx with setfacl, that permission is ANDed with the mask to get their effective permission. For instance, if you run setfacl -m u:st:rw project and the project's mask is r-x, then the effective permission of user st on project is r--.

However, we can also change the mask:

    [root@bogon temp]# setfacl -m u:st:rw project/
    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    user:st:rw-
    group::rwx
    group:tgroup2:rwx
    mask::rwx
    other::---

    [root@bogon temp]# setfacl -m m:r-x project/
    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    user:st:rw-            #effective:r--
    group::rwx             #effective:r-x
    group:tgroup2:rwx      #effective:r-x
    mask::r-x
    other::---

3. Deleting ACL entries

    -x u:st file(s), --remove=acl    remove entries from the ACL(s) of file(s)
    -b file(s), --remove-all         remove all extended ACL entries

    [root@bogon temp]# setfacl -x u:st project/
    [root@bogon temp]# setfacl -x g:tgroup2 project/
    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    group::rwx
    mask::rwx
    other::---

4. Setting ACLs recursively and default ACLs for directories

If you do it as in step 2, you set the ACL only on the specified directory; it does not apply to the files inside it. To apply the same ACL to the files inside, use the -R option.

    [root@bogon temp]# touch project/abc
    [root@bogon temp]# ll project/abc
    -rw-r--r-- 1 root root 0 5月  14 21:14 project/abc
    [root@bogon temp]# ll -d project/
    drwxrwx--- 2 root tgroup 16 5月  14 21:14 project/
    [root@bogon temp]# setfacl -m u:st:rx project/
    [root@bogon temp]# ll -d project/
    drwxrwx---+ 2 root tgroup 16 5月  14 21:14 project/
    [root@bogon temp]# setfacl -m u:st:rx project/
    [root@bogon temp]# getfacl project/
    # file: project/
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x
    group::rwx
    mask::rwx
    other::---

    [root@bogon temp]# getfacl project/abc
    # file: project/abc
    # owner: root
    # group: root
    user::rw-
    group::r--
    other::r--

    # -R only works on files that already exist, not on new files
    [root@bogon temp]# setfacl -m u:st:rx -R project/
    [root@bogon temp]# getfacl project/abc
    # file: project/abc
    # owner: root
    # group: root
    user::rw-
    user:st:r-x
    group::r--
    mask::r-x
    other::r--

    [root@bogon temp]# touch project/newabc
    [root@bogon temp]# getfacl project/newabc
    # file: project/newabc
    # owner: root
    # group: root
    user::rw-
    group::r--
    other::r--

You can see that -R does not apply to new files. If you want new files in the directory to get the permission as well, use a default ACL with the d: option:

    [root@bogon temp]# setfacl -m d:u:st:rx project/
    [root@bogon temp]# getfacl project/newabc
    # file: project/newabc
    # owner: root
    # group: root
    user::rw-
    group::r--
    other::r--

    [root@bogon temp]# touch project/newabc2
    [root@bogon temp]# getfacl project/newabc2
    # file: project/newabc2
    # owner: root
    # group: root
    user::rw-
    user:st:r-x            #effective:r--
    group::rwx             #effective:rw-
    mask::rw-
    other::---

-R is for files that already exist, and d: is for files created in the future.

5. setUID

    [root@bogon temp]# ll /usr/bin/passwd
    -rwsr-xr-x. 1 root root 27832 6月  10 2014 /usr/bin/passwd

The s means that a user temporarily gains the permissions of the file's owner while executing it. passwd operates on shadow, and only root has permission on shadow, so a user running passwd needs the right to write to shadow for the duration of the run. The file must be an executable.
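The mask rule from section 2 (and the newabc2 listing in section 4), as an added example that is not part of the original post: a POSIX sh function that reads getfacl output and ANDs each named user, owning group and named group entry with the mask, which is useful when auditing who can really write to a path. The names effective_acl, effective_writers and SAMPLE_ACL are hypothetical; the sample is the post's listing for project/ after setfacl -m m:r-x, with the #effective comments stripped.

```shell
#!/bin/sh
# Added example: compute effective ACL permissions from getfacl text.
# effective_acl reads getfacl output on stdin and prints "entry perms" per
# access entry. Named users, the owning group and named groups are limited
# by the mask; user:: (owner) and other:: are not.
effective_acl() {
    awk '
    # Symbolic AND: keep a permission bit only if the mask also has it.
    function and_mask(perm, m,    i, out) {
        out = ""
        for (i = 1; i <= 3; i++)
            out = out (substr(m, i, 1) == "-" ? "-" : substr(perm, i, 1))
        return out
    }
    /^#/ || /^default:/ || NF == 0 { next }   # headers, default ACL, blanks
    {
        sub(/[ \t]*#.*/, "")                  # drop "#effective:" comments
        n = split($0, f, ":")
        if (n != 3) next
        if (f[1] == "mask") { mask = f[3]; next }
        count++
        tag[count] = f[1] ":" f[2]; perm[count] = f[3]
        masked[count] = (f[1] == "group" || (f[1] == "user" && f[2] != ""))
    }
    END {   # the mask line comes after the entries it limits, so apply it last
        for (i = 1; i <= count; i++) {
            p = perm[i]
            if (masked[i] && mask != "") p = and_mask(p, mask)
            print tag[i], p
        }
    }'
}

# Named users/groups whose effective permission still includes write.
effective_writers() {
    effective_acl | awk '$1 !~ /:$/ && $2 ~ /w/ { print $1 }'
}

# Constructed sample: the listing for project/ with mask r-x.
SAMPLE_ACL='# file: project/
# owner: root
# group: tgroup
user::rwx
user:st:rw-
group::rwx
group:tgroup2:rwx
mask::r-x
other::---'

printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

On a live system, pipe getfacl output for the path into effective_writers. A later setfacl -m on a user or group entry recalculates the mask unless -n (--no-mask) is given, so re-check the mask after changing entries.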
