Wednesday, August 20, 2014

Unix Prog: Files -- Permissions(1)

1. Process's ID
1) real user ID, real group ID: identify who the user is. They are normally taken from the passwd file when the user logs in.

2) effective user ID, effective group ID: used to determine file access permissions. Normally they are equal to the real user ID and real group ID, but sometimes they can differ. For example, when a file's set-user-ID bit and set-group-ID bit are on and a process executes that file, the process's effective user ID and effective group ID become the file's owner user ID and owner group ID.
The set-user-ID and set-group-ID bits are stored in the st_mode member of struct stat and can be tested with the macros S_ISUID and S_ISGID.

3) saved set-user-ID, saved set-group-ID: contain copies of the effective user ID and effective group ID when a program is executed.

2. File Access Rule:
1) Whenever we want to open any type of file by name, we must have execute permission in each directory mentioned in the name, including the current directory.

a) List the files under the current directory: there is one directory called test, and under test there is one file called test.txt.
b) Open ./test/test.txt: the file content is printed successfully.
c) Remove the execute permission of the "test" directory.
d) Open ./test/test.txt again: this time it fails.
This shows that we must have execute permission for each directory in the path to open the file.

 ubuntu@ip-172-31-23-227:~$ ls -lrt  
 total 4  
 drwxrwxr-x 2 ubuntu ubuntu 4096 Aug 21 01:10 test  
 ubuntu@ip-172-31-23-227:~$ cat ./test/test.txt  
 Hello world!  
 ubuntu@ip-172-31-23-227:~$ chmod -x ./test  
 ubuntu@ip-172-31-23-227:~$ cat ./test/test.txt  
 cat: ./test/test.txt: Permission denied  

If we want to open a file in the current directory, we need to have execute permission for the current directory.

2) Read permission for a directory is different from execute permission.
Read permission allows the user to get a list of all items (files and directories) under that directory, but the user can't open any file inside it. Execute permission allows the user to pass through that directory to open a file under it.

a) List all items under the current directory: for the test directory we have read permission but not execute permission.
b) Try to enter the test directory: it fails, so this operation requires execute permission.
c) List all items under the test directory: although the output shows "Permission denied", we can still read the names of all items (test.txt) under the test directory, because we have "read" permission.
 ubuntu@ip-172-31-23-227:~$ ls -lrt  
 total 4  
 drw-rw-r-- 2 ubuntu ubuntu 4096 Aug 21 01:10 test  
 ubuntu@ip-172-31-23-227:~$ cd test  
 -bash: cd: test: Permission denied  
 ubuntu@ip-172-31-23-227:~$ ls ./test  
 ls: cannot access ./test/test.txt: Permission denied  
 test.txt  

3) To create or delete a file under a directory, we need to have write and execute permission for that directory.

a) List all items under the current directory: there is one directory, test, for which we don't have write and execute permission.
b) Try to create a new file "test2.txt" under test: denied, since we don't have write and execute permission for the test directory.
c) Try to remove the file "test.txt" under test: denied, since we don't have write and execute permission for the test directory.
d) Add write and execute permission for the ./test directory.
e) Try to add a new file "test2.txt" under test: now successful.
f) Try to remove the file "test2.txt" under test: now successful.
 ubuntu@ip-172-31-23-227:~$ ls -lrt  
 total 4  
 dr--r--r-- 2 ubuntu ubuntu 4096 Aug 21 01:10 test  
 ubuntu@ip-172-31-23-227:~$ echo "Hello world!" > ./test/test2.txt  
 -bash: ./test/test2.txt: Permission denied  
 ubuntu@ip-172-31-23-227:~$ rm ./test/test.txt  
 rm: cannot remove ‘./test/test.txt’: Permission denied  
 ubuntu@ip-172-31-23-227:~$ chmod +wx ./test  
 ubuntu@ip-172-31-23-227:~$ ls -lrt  
 total 4  
 drwxrwxr-x 2 ubuntu ubuntu 4096 Aug 21 01:10 test  
 ubuntu@ip-172-31-23-227:~$ echo "Hello world!" > ./test/test2.txt  
 ubuntu@ip-172-31-23-227:~$ ls -lrt ./test  
 total 8  
 -rw-rw-r-- 1 ubuntu ubuntu 13 Aug 21 01:10 test.txt  
 -rw-rw-r-- 1 ubuntu ubuntu 13 Aug 21 01:27 test2.txt  
 ubuntu@ip-172-31-23-227:~$ rm ./test/test2.txt  
 ubuntu@ip-172-31-23-227:~$ ls -lrt ./test  
 total 4  
 -rw-rw-r-- 1 ubuntu ubuntu 13 Aug 21 01:10 test.txt  
 ubuntu@ip-172-31-23-227:~$  

4) To execute a file, we must have execute permission.

3. File Permission Determination Procedure

Run through the following steps in order:

1) If the effective user ID is 0 (superuser), permission is granted; quit the procedure.
2) If the effective user ID is equal to the file owner ID, grant or deny permission based on the "user" permission bits (read, write, execute), then quit the procedure.
3) If the effective group ID is equal to the file group ID, grant or deny permission based on the "group" permission bits (read, write, execute), then quit the procedure.
4) Grant or deny permission based on the "other" permission bits (read, write, execute).

4. Ownership of new files and directories
The user ID of a new file is the effective user ID of the current process.
The group ID of a new file can be set to one of:
1) the effective group ID of the current process
2) the group ID of the directory in which the file is being created
