
Security of Linux’s Network – File privilege

10 August 2005, 11:58

A Linux group is a collection of users who share the same properties; it is a convenient way to refer to a set of users at once. Group membership is configured in /etc/group.

File permissions are listed in the following form: -rw-rw-r--. This string shows the file type and the operating permissions. The first character indicates the file type: “-” is a regular file, “d” a directory, “l” a symbolic link, and “s” a socket. The next three characters, “rw-”, are the owner’s permissions: “r” means read, “w” write, “x” execute, and “-” means that permission is not granted. The middle three characters (“rw-”) give the group’s permissions, and the final three give the permissions of all other users.

If user A has write permission on a directory, he can delete files in it that belong to other users. How can this be prevented? With the following command:

# chmod +t directory

After that, files in the directory can no longer be deleted by other users, even by those who have write permission on the directory. The /tmp directory is a typical beneficiary: every user can create files there, but each user can only operate on their own files and directories.

When a general user creates a directory, its default permissions are “drwxrwxr-x”, i.e. 775; a newly created regular file gets “-rw-rw-r--”, i.e. 664.

The umask command sets a user’s default permissions. For example, with a umask of 002 the actual permissions are the requested value minus 002: if the requested value is 666, the result is 664 (666 minus 002).

In this way, the strictest possible default is obtained by setting the umask to 777: 777 is the maximum value, and subtracting it from any other value leaves 0, meaning no permission to operate on the file at all. The most common choice, however, is a umask of 077, which means only the owner can operate on the file; the group and others get no permissions.

Rule of thumb for granting permissions: first apply the strictest default by setting the umask to 077, then add permissions for specific, identified uses. This avoids a lot of unnecessary trouble, because adding permissions is easier than taking them away.
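As an added worked example (not from the original post), the shell script below computes the effective mode for the umask values discussed above, prints the matching rwx string, and shows the sticky bit appearing on a scratch directory that it creates and removes; it applies the umask the way the kernel does, as a bit mask, which agrees with the subtraction above for the usual values but also covers cases where subtraction would give a wrong answer. Assumed: a POSIX sh with ls, cut, mkdir and chmod, and a writable $TMPDIR or /tmp.

```shell
#!/bin/sh
# Effective mode of a newly created file or directory under a umask.
# The kernel applies the umask as a bit mask: mode AND NOT umask. For the
# usual values this matches the subtraction in the text (666-002=664,
# 777-022=755), but not in general: 666 with umask 001 stays 666, because
# the mask can only clear bits that are already set.
apply_umask() {
    req=$(printf '%d' "0$1")   # requested mode, octal text -> decimal
    msk=$(printf '%d' "0$2")   # umask, octal text -> decimal
    printf '%03o' $(( (req & ~msk) & 511 ))   # keep only the 9 rwx bits
}

# Render a 9-bit octal mode as the rwx string ls prints (type char omitted).
mode_string() {
    m=$(printf '%d' "0$1")
    s=""
    for pos in 6 3 0; do                 # owner, group, others
        bits=$(( (m >> pos) & 7 ))
        if [ $((bits & 4)) -ne 0 ]; then s="${s}r"; else s="${s}-"; fi
        if [ $((bits & 2)) -ne 0 ]; then s="${s}w"; else s="${s}-"; fi
        if [ $((bits & 1)) -ne 0 ]; then s="${s}x"; else s="${s}-"; fi
    done
    printf '%s' "$s"
}

# Sticky bit on a scratch directory (constructed here, removed afterwards):
# after "chmod +t", ls shows 't' in the last mode position, as it does for
# /tmp. Returns 0 if the bit was set, 1 otherwise.
sticky_demo() {
    d="${TMPDIR:-/tmp}/sticky_demo.$$"
    mkdir "$d" && chmod 777 "$d"
    before=$(ls -ld "$d" | cut -c1-10)
    chmod +t "$d"
    after=$(ls -ld "$d" | cut -c1-10)
    rmdir "$d"
    printf '%s -> %s\n' "$before" "$after"
    case "$after" in *t) return 0 ;; *) return 1 ;; esac
}

# Walk through the values the text uses, plus one where subtraction fails.
for pair in "666 002" "777 002" "666 077" "777 077" "666 777" "666 001"; do
    set -- $pair
    mode=$(apply_umask "$1" "$2")
    printf 'mode %s umask %s -> %s (%s)\n' "$1" "$2" "$mode" "$(mode_string "$mode")"
done
sticky_demo
```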
