FilePermissions

原文出处：https://wiki.ubuntu.org.cn/FilePermissions

原文作者：

授权许可：

翻译人员：左迟

校对人员：

贡献者：

适用版本：Ubuntu

文章状态：

理解和使用文件权限/Understanding and Using File Permissions

在Linux和Unix世界里，一切都是以文件的形式存在的。文件夹是文件，文件是文件，设备也是文件。当然，设备通常以一个节点作为代表，不过他们还是文件。在这样的环境下，所有的文件都有一个权限用以阻挡其他用户的读取，写入或者执行。如果是文件夹，相较于普通文件和设备，就有不同的动作限制。超级用户“root”(译者注：根用户，以下都为root)拥有对于系统中所有文件的一切权限。每一个文件都有在相应权限下的限制，用户则跟 文件拥有者 和 用户组 相关。 In Linux and Unix everything is a file. Directories are files, files are files and devices are files. Devices are usually refered to as a node, however, they are still files. All of the files on a system have permissions that allow or prevent others from viewing, modifying or executing. If the file is of type Directory then it restricts different actions than files and device nodes. The super user "root" has the ability to access any file on the system. Each file has access restrictions with permissions, user restrictions with owner/group association. Permissions are refered to as bits.

如果要改变或者编辑root用户的文件，sudo命令是不可或缺的 － 请参阅 "RootSudo" 细节。 To change or edit files that are owned by root, sudo must be used - please see RootSudo for details.

如果文件拥有者能读取和运行文件，那权限则是： If the owner read & execute bit are on, then the permissions are:

-r-x------

共有三种权限限制： There are three types of access restrictions:

另外对于用户，也有三种限制： There are also three types of user restrictions:

相应地，文件夹也有文件夹权限。当然，也与普通文件和设备不同。 Directories have directory permissions. The directory permissions restrict different actions than with files or device nodes.

• • • • 读取权限允许用户查看目录内容，用 ls 命令
      • 写入权限允许用户创造新文件或者删除文件夹中的文件 (注意： 文件夹的写入权限允许删除文件夹内的文件，即便用户并不拥有对于这些文件的写入权限)
      • 执行权限允许用户切换至该文件夹目录，用 cd 命令
      • read restricts or allows viewing the directories contents, i.e. ls command
      • write restricts or allows creating new files or deleting files in the directory. (Caution: write access for a directory allows deleting of files in the directory even if the user does not have write permissions for the file!)
      • execute restricts or allows changing into the directory, i.e. cd command

有关权限的动作/Permissions in Action

user@host:/home/user$ ls -l /etc/hosts
-rw-r--r--  1 root root 288 2005-11-13 19:24 /etc/hosts
user@host:/home/user$

通过上面的例子我们可以看到文件 "/etc/hosts" 被root用户和root用户组所拥有。 Using the example above we have the file "/etc/hosts" which is owned by the user root and belongs to the root group.

上面通过ls显示出来的关于/etc/hosts的权限，各自表示什么权限？ What are the permissions from the above /etc/hosts ls output?

-rw-r--r--

owner = Read & Write (rw-)
group = Read (r--)
other = Read (r--)

修改权限/Changing Permissions

修改权限的命令是 chmod 。我们可以通过数字或者字母的方式来修改权限。当然，用字母对于大多数人来说是更加容易理解的。在修改权限的时候注意一定不要引发安全问题。某些文件是被配置有非常苛刻的权限以阻止未知的命令。比如， /etc/shadow 文件(存储所有本地用户密码的文件)就是不允许普通用户读取或者进行其他动作的。 The command to use when modifying permissions is chmod. There are two ways to modify permissions, with numbers or with letters. Using letters is easier to understand for most people. When modifying permissions be careful not to create security problems. Some files are configured to have very restrictive permissions to prevent unauthorized access. For example, the /etc/shadow file (file that stores all local user passwords) does not have permissions for regular users to read or otherwise access.

user@host:/home/user# ls -l /etc/shadow
-rw-r-----  1 root shadow 869 2005-11-08 13:16 /etc/shadow
user@host:/home/user#

Permissions:
owner = Read & Write (rw-)
group = Read (r--)
other = None (---)

Ownership:
owner = root
group = shadow

用字母修改权限/chmod with Letters

Usage: chmod {options} filename

下面是一些用字母修改权限的例子(值得你尝试) Here are a few examples of chmod usage with letters (try these out on your system).

首先创建一些空文件 First create some empty files:

user@host:/home/user$ touch file1 file2 file3 file4
user@host:/home/user$ ls -l
total 0
-rw-r--r--  1 user user 0 Nov 19 20:13 file1
-rw-r--r--  1 user user 0 Nov 19 20:13 file2
-rw-r--r--  1 user user 0 Nov 19 20:13 file3
-rw-r--r--  1 user user 0 Nov 19 20:13 file4

添加拥有者的运行权限 Add owner execute bit:

user@host:/home/user$ chmod u+x file1
user@host:/home/user$ ls -l file1
-rwxr--r--  1 user user 0 Nov 19 20:13 file1

添加其他用户的写入和运行权限 Add other write & execute bit:

user@host:/home/user$ chmod o+wx file2
user@host:/home/user$ ls -l file2
-rw-r--rwx  1 user user 0 Nov 19 20:13 file2

去除用户组的读取权限 Remove group read bit:

user@host:/home/user$ chmod g-r file3
user@host:/home/user$ ls -l file3
-rw----r--  1 user user 0 Nov 19 20:13 file3

给所有人添加所有权限 Add read, write and execute to everyone:

user@host:/home/user$ chmod ugo+rwx file4
user@host:/home/user$ ls -l file4
-rwxrwxrwx  1 user user 0 Nov 19 20:13 file4
user@host:/home/user$

用数字修改权限/chmod with Numbers

Usage: chmod {options} filename

文件拥有者，用户组和其他用户是用三组数字区分的。了解这些数字的含意，他们决定着文件权限。 Owner, Group and Other is represented by three numbers. To get the value for the options determine the type of access needed for the file then add.

比如你西那个要让一个文件拥有 -rw-rw-rwx 权限，你可以用下面的步骤来试试 For example if you want a file that has -rw-rw-rwx permissions you will use the following:

user@host:/home/user$ chmod 667 filename

另一个例子，如果你想让一个文件拥有 --w--r-x--x 权限，跟着试试 Another example if you want a file that has --w-r-x--x permissions you will use the following:

user@host:/home/user$ chmod 251 filename

以下是一些通过数字修改权限的例子，你也可以试试 Here are a few examples of chmod usage with numbers (try these out on your system).

First create some empty files:

user@host:/home/user$ touch file1 file2 file3 file4
user@host:/home/user$ ls -l
total 0
-rw-r--r--  1 user user 0 Nov 19 20:13 file1
-rw-r--r--  1 user user 0 Nov 19 20:13 file2
-rw-r--r--  1 user user 0 Nov 19 20:13 file3
-rw-r--r--  1 user user 0 Nov 19 20:13 file4

添加拥有者的运行权限： Add owner execute bit:

user@host:/home/user$ chmod 744 file1
user@host:/home/user$ ls -l file1
-rwxr--r--  1 user user 0 Nov 19 20:13 file1

添加其他用户的写入和运行权限： Add other write & execute bit:

user@host:/home/user$ chmod 647 file2
user@host:/home/user$ ls -l file2
-rw-r--rwx  1 user user 0 Nov 19 20:13 file2

去除用户组的读取权限 Remove group read bit:

user@host:/home/user$ chmod 604 file3
user@host:/home/user$ ls -l file3
-rw----r--  1 user user 0 Nov 19 20:13 file3

给所有用户和用户组添加所有权限 Add read, write and execute to everyone:

user@host:/home/user$ chmod 777 file4
user@host:/home/user$ ls -l file4
-rwxrwxrwx  1 user user 0 Nov 19 20:13 file4
user@host:/home/user$

用sudo命令更改权限/chmod with sudo

修改不属于你的文件的权限：(注意如果你在错误的文件上进行了错误的权限修改，你的系统会马上挂掉！在使用sudo命令的时候，请一定要小心) Changing permissions on files that you do not have ownership of: (Note that changing permissions the wrong way on the wrong files can quickly mess up your system a great deal! Please be careful when using sudo!)

user@host:/home/user$ ls -l /usr/local/bin/somefile
-rw-r--r--  1 root root 550 2005-11-13 19:45 /usr/local/bin/somefile
user@host:/home/user$

user@host:/home/user$ sudo chmod o+x /usr/local/bin/somefile

user@host:/home/user$ ls -l /usr/local/bin/somefile
-rw-r--r-x  1 root root 550 2005-11-13 19:45 /usr/local/bin/somefile
user@host:/home/user$

更多/For more information

• man chmod
• man chown
• man chgrp

Changing Permissions For Volumes With umask

New users attempting to change permissions for certain volumes will find that changes made with chmod or a sudo/kdesu filebrowser window will not be applied. This is often because the umask modifier in the volume's fstab entry is overriding the changes they are attempting to make. A common example of this situation is a user attempting to add write permissions to a FAT volume on their dual-boot ubuntu/windows box. Permissions for volumes are most easily changed by adding a umask modifier to their fstab entries. Here is a sample fstab entry:

#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/hdb2       /               ext3    defaults,errors=remount-ro 0       1
/dev/hda1       /media/hda1     vfat    umask=000        0       0
/dev/hdb1       none            swap    sw              0       0
/dev/hdc        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0
/dev/hda2 /media/windows ntfs ro,nls=utf8,umask=0222 0 0
/dev/hdd1 /media/storage ntfs ro,nls=utf8,umask=0222 0 0
/dev/hdd5       /media/fat     vfat umask=000 0 0

The umask modifier sets the permissions for all users of the volume. The umask modifier cannot be overridden by changing permissions through your file browser (not even using a root window,) so it is a good way to set relatively tamper-proof permissions. A umask entry of 0222 allows read access to all users and write access to root only, so it is good for NTFS partitions. A umask entry of 000 allows read and write access to all users.

There are analogous options called fmask and dmask. fmask applies to files and dmask applies to directories. They work in the same way as umask, but offer finer grained control. For example, you usually want directories to executable (i.e. listable), but most files don't need to be executable.

Changing permissions for a FAT volume with umask

To change permissions for a FAT volume, it must first be unmounted with the command

user@host:/home/user$ sudo umount /dev/xxxx

Where xxxx is the FAT volume you wish to modify. Begin by backing up the file /etc/fstab

user@host:/home/user$ sudo cp /etc/fstab /etc/fstab_backup1

Next, edit the fstab file with gedit, using the command

user@host:/home/user$ sudo gedit /etc/fstab

Modify the line detailing the FAT volume, changing

/dev/xxxx       /media/xxxx     vfat defaults 0 0

to

/dev/xxxx       /media/xxxx     vfat umask=000 0 0

Save and exit gedit. This will allow ALL users read and write access to the drive. (I am a home user who is willing to take his chances. A more knowledgeable contributor will clarify this section.)

To finish, mount your volumes as per the specifications of the fstab file by using the command

user@host:/home/user$ sudo mount -a

Voila! Your FAT partition now allows read and write access to all users.

For more information

• man mount

ACLs

ACLs are a way of achieving a finer granularity of permissions than is possible with the standard Unix file permissions. Documentation can be found in the online man pages:

• man acl
• man setfacl
• man getfacl

ToDo

• sticky bit
• umask (re-write and clarify umask section, with specific focus on security)
• Recursive chmod with -R
• * Suggestion: I often use find instead of chmod -R, because it's easier to differentiate between files and directories that way. Yes, I know about the 'X' permission, but I don't trust it.

等待翻译