File System¶
In this chapter you will learn how to work with filesystems.
Objectives : In this chapter, future Linux administrators will learn how to:
manage partitions on disk;
use LVM for a better use of disk resources;
provide users with a filesystem and manage the access rights.
and also discover:
how the tree structure is organized in Linux;
the different types of files offered and how to work with them;
hardware, disk, partition, lvm, linux
Knowledge:
Complexity:
阅读时间: 20 分钟
Partitioning¶
Partitioning will allow the installation of several operating systems because it is impossible to have several of them cohabit on the same logical drive. Partitioning also allows the separation of data logically (security, access optimization, ...).
The division of the physical disk into partitioned volumes is recorded in the partition table, stored in the first sector of the disk (MBR: Master Boot Record).
The same physical disk can be divided into a maximum of 4 partitions:
- Primary (or main)
- Extended
!!! Warning There can be only one extended partition per physical disk. In order to benefit from additional drives, the extended partition can be split into logical partitions
The devices are the files identifying the various hardware detected by the motherboard. These files are stored without /dev
. The service which detects new devices and gives them names is called udev.
They are identified by their type.
Storage devices are named hd for IDE hard drives and sd for other media. Then comes a letter that starts with a for the first device, then b, c, ...
Finally we will find a number that defines the partitioned volume: 1 for the first primary partition, ...
!!! Warning Beware, the extended partition, which does not support a file system, still has a number.
There are at least two commands for partitioning a disk: fdisk
and cfdisk
. Both commands have an interactive menu. cfdisk
is more reliable and better optimized, so it is best to use it.
The only reason to use fdisk
is when you want to list all logical devices with the -l
option.
sudo fdisk -l
sudo fdisk -l /dev/sdc
sudo fdisk -l /dev/sdc2
parted
command¶
The parted
(partition editor) command is able to partition a disk.
parted [-l] [device]
It also has a recovery function capable of rewriting a deleted partition table.
Under graphical interface, there is the very complete gparted
tool: Gnome PARtition EDitor.
The gparted -l
command lists all logical devices on a computer.
The gparted
command alone will return to an interactive mode with its own internal options:
help
or an incorrect command will display these options.print all
in this mode will have the same result asgparted -l
on the command line.quit
to return to the prompt.
cfdisk
command¶
The cfdisk
command is used to manage partitions.
cfdisk device
Example:
$ sudo cfdisk /dev/sda
Disk: /dev/sda
Size: 16 GiB, 17179869184 bytes, 33554432 sectors
Label: dos, identifier: 0xcf173747
Device Boot Start End Sectors Size Id Type
>> /dev/sda1 * 2048 2099199 2097152 1G 83 Linux
/dev/sda2 2099200 33554431 31455232 15G 8e Linux LVM
lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x Partition type: Linux (83) x
x Attributes: 80 x
xFilesystem UUID: 54a1f5a7-b8fa-4747-a87c-2dd635914d60 x
x Filesystem: xfs x
x Mountpoint: /boot (mounted) x
mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj
[Bootable] [ Delete ] [ Resize ] [ Quit ] [ Type ] [ Help ]
[ Write ] [ Dump ]
The preparation, without LVM, of the physical media goes through five steps:
- Setting up the physical disk;
- Partitioning of the volumes (geographical division of the disk, possibility of installing several systems, ...);
- Creation of the file systems (allows the operating system to manage the files, the tree structure, the rights, ...);
- Mounting of file systems (registration of the file system in the tree structure);
- Manage user access.
Logical Volume Manager (LVM)¶
Logical Volume Manager (LVM])
Volume management creates an abstract layer on top of physical storage, offering advantages over using physical storage directly:
- More flexible disk capacity;
- Online data movement;
- Disks in stripe mode;
- Mirrored volumes (recopy);
- Volume snapshots (snapshot).
The disadvantage is that if one of the physical volumes becomes out of order, then all the logical volumes that use this physical volume are lost. You will have to use LVM on raid disks.
LVM is available under Linux from kernel version 2.4.
!!! Note LVM is only managed by the operating system. Therefore the BIOS needs at least one partition without LVM to boot.
Volume groups¶
The physical volumes PV Physical Volumes (from partitions) are combined into volume groups VG. Each VG represents disk space that can be partitioned into LV Logical Volumes. Extension is the smallest unit of fixed-size space that can be allocated.
- PE : Physical Extension
- LE : Logical Extension
Logical volumes¶
A volume group, VG, is divided into logical volumes, LV, offering different operating modes:
- Linear volumes;
- Volumes in stripe mode;
- Mirrored volumes.
!!! Tip Striping_ improves performance by writing data to a predetermined number of physical volumes with a round-robin technique.
LVM commands for volume management¶
pvcreate
command¶
The pvcreate
command is used to create physical volumes. It turns Linux partitions (or disks) into physical volumes.
pvcreate [-options] partition
Example:
[root]# pvcreate /dev/hdb1
pvcreate -- physical volume « /dev/hdb1 » successfully created
You can also use a whole disk (which facilitates disk size increases in virtual environments for example).
[root]# pvcreate /dev/hdb
pvcreate -- physical volume « /dev/hdb » successfully created
Option | Description |
---|---|
-f |
Forces the creation of the volume (disk already transformed into physical volume). |
vgcreate
command¶
The vgcreate
command is used to create volume groups. It groups one or more physical volumes into a volume group.
vgcreate volume physical_volume [PV...]
Example:
[root]# vgcreate volume1 /dev/hdb1
…
vgcreate – volume group « volume1 » successfully created and activated
lvcreate
command¶
The lvcreate
command creates logical volumes. The file system is then created on these logical volumes.
lvcreate -L size [-n name] VG_name
Example:
[root]# lvcreate –L 600M –n VolLog1 volume1
lvcreate -- logical volume « /dev/volume1/VolLog1 » successfully created
Option | Description |
---|---|
-L size |
Logical volume size in K, M or G. |
-n name |
LV name. Special file created in /dev/name_volume with this name. |
LVM commands to view volume information¶
pvdisplay
command¶
The pvdisplay
command allows you to view information about the physical volumes.
pvdisplay /dev/PV_name
Example:
[root]# pvdisplay /dev/PV_name
vgdisplay
command¶
The vgdisplay
command allows you to view information about volume groups.
vgdisplay VG_name
Example:
[root]# vgdisplay volume1
lvdisplay
command¶
The lvdisplay
command allows you to view information about the logical volumes.
lvdisplay /dev/VG_name/LV_name
Example:
[root]# lvdisplay /dev/volume1/VolLog1
Preparation of the physical media¶
The preparation with LVM of the physical support is broken down as follows:
- Setting up the physical disk
- Partitioning of the volumes
- LVM physical volume
- LVM volume groups
- LVM logical volumes
- Creating file systems
- Mounting file systems
- Manage user access
Structure of a file system¶
A file system FS is in charge of the following actions:
- Securing access and modification rights to files;
- Manipulating files: create, read, modify and delete;
- Locating files on the disk;
- Managing partition space.
The Linux operating system is able to use different file systems (ext2, ext3, ext4, FAT16, FAT32, NTFS, HFS, BtrFS, JFS, XFS, ...).
mkfs
command¶
The mkfs
command allows you to create a Linux file system.
mkfs [-t fstype] filesys
Example:
[root]# mkfs -t ext4 /dev/sda1
Option | Description |
---|---|
-t |
Indicates the type of file system to use. |
!!! Warning Without a file system it is not possible to use the disk space.
Each file system has a structure which is identical on each partition. A boot block and a super block initialized by the system and then an inode table and a data area initialized by the administrator.
!!! Note The only exception is the swap partition.
Boot block¶
The boot block occupies the first block on the disk and is present on all partitions. It contains the program that starts and initializes the system and is therefore only filled in for the boot partition.
Super block¶
The size of the super block table is defined at creation. It is present on each partition and contains the elements necessary for its utilization.
It describes the File System:
- Name of the Logical Volume;
- Name of the File System;
- Type of the File System;
- File System Status;
- Size of the File System;
- Number of free blocks;
- Pointer to the beginning of the list of free blocks;
- Size of the inode list;
- Number and list of free inodes.
A copy is loaded in the central memory as soon as the system is initialized. This copy is updated as soon as it is modified and the system saves it periodically (command sync
).
When the system stops, it also copies this table in memory to its block.
Table of inodes¶
The size of the inode table is defined at its creation and is stored on the partition. It consists of records, called inodes, corresponding to the files created. Each record contains the addresses of the data blocks making up the file.
!!! Note An inode number is unique within a file system.
A copy is loaded in the central memory as soon as the system is initialized. This copy is updated as soon as it is modified and the system saves it periodically (command sync
).
When the system stops, it also copies this table in memory to its block.
A file is managed by its inode number.
!!! Note The size of the inode table determines the maximum number of files the FS can contain.
Information present in the inode table :
- Inode number;
- File type and access permissions;
- Owner identification number;
- Identification number of the owner group;
- Number of links on this file;
- Size of the file in bytes;
- Date the file was last accessed;
- Date the file was last modified;
- Date of the last modification of the inode (= creation);
- Table of several pointers (block table) to the logical blocks containing the pieces of the file.
Data area¶
Its size corresponds to the rest of the available space of the partition. This area contains the catalogs corresponding to each directory and the data blocks corresponding to the contents of the files.
In order to guarantee the consistency of the file system, an image of the superblock and the inode table is loaded into memory (RAM) when the operating system is loaded so that all I/O operations are done through these system tables. When the user creates or modifies files, this memory image is updated first. The operating system must therefore regularly update the superblock of the logical disk (sync
command).
These tables are written to the hard disk when the system is shut down.
!!! Danger In the event of a sudden stop, the file system may lose its consistency and cause data loss.
Repairing the file system¶
It is possible to check the consistency of a file system with the fsck
command.
In case of errors, solutions are proposed to repair the inconsistencies. After repair, files that remain without entries in the inode table are attached to the /lost+found
folder of the logical drive.
fsck
command¶
The fsck
command is a console-mode integrity check and repair tool for Linux file systems.
fsck [-sACVRTNP] [ -t fstype ] filesys
Example:
[root]# fsck /dev/sda1
To check the root partition, it is possible to create a forcefsck
file and reboot or run shutdown
with the -F
option.
[root]# touch /forcefsck
[root]# reboot
or
[root]# shutdown –r -F now
!!! Warning The partition to be checked must be unmounted.
Organization of a file system¶
By definition, a File System is a tree structure of directories built from a root directory (a logical device can only contain one file system).
!!! Note In Linux everything is a file.
Text document, directory, binary, partition, network resource, screen, keyboard, Unix kernel, user program, ...
Linux meets the FHS (Filesystems Hierarchy Standard) (see man hier
) which defines the names of folders and their roles.
Directory | Observation | Abbreviation of |
---|---|---|
/ |
Contains special directories | |
/boot |
Files related to system startup | |
/sbin |
Commands necessary for system startup and repair | system binaries |
/bin |
Executables of basic system commands | binaries |
/usr/bin |
System administration commands | |
/lib |
Shared libraries and kernel modules | libraries |
/usr |
Everything that is not necessary for minimal system operation | UNIX System Resources |
/mnt |
For mounting temporary SF | mount |
/media |
For mounting removable media | |
/root |
Administrator's login directory | |
/home |
User data | |
/tmp |
Temporary files | temporary |
/dev |
Special device files | device |
/etc |
Configuration and script files | editable text configuration |
/opt |
Specific to installed applications | optional |
/proc |
Virtual file system representing different processes | processes |
/var |
Miscellaneous variable files | variables |
- To perform a mount or unmount, at the tree level, you must not be under its mount point.
- Mounting on a non-empty directory does not delete the content. It is only hidden.
- Only the administrator can perform mounts.
- Mount points to be automatically mounted at boot time must be entered in
/etc/fstab
.
/etc/fstab
file¶
The /etc/fstab
file is read at system startup and contains the mounts to be performed. Each file system to be mounted is described on a single line, the fields being separated by spaces or tabs.
!!! Note Lines are read sequentially (fsck
, mount
, umount
).
/dev/mapper/VolGroup-lv_root / ext4 defaults 1 1
UUID=46….92 /boot ext4 defaults 1 2
/dev/mapper/VolGroup-lv_swap swap swap defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
1 2 3 4 5 6
Column | Description |
---|---|
1 | File system device (/dev/sda1 , UUID=..., ...) |
2 | Mount point name, absolute path (except swap) |
3 | Filesystem type (ext4, swap, ...) |
4 | Special options for mounting (defaults , ro , ...) |
5 | Enable or disable backup management (0:not backed up, 1:backed up) |
6 | Check order when checking the SF with the fsck command (0:no check, 1:priority, 2:not priority) |
The mount -a
command allows new mounts to be taken into account without rebooting. They are then written to the /etc/mtab
file which contains the current mounts.
!!! Warning Only the mount points listed in /etc/fstab
will be mounted on reboot.
It is possible to make a copy of the /etc/mtab
file or to copy its contents to /etc/fstab
.
Mount management commands¶
mount
command¶
The mount
command allows you to mount and view the logical drives in the tree.
mount [-option] [device] [directory]
Example:
[root]# mount /dev/sda7 /home
Option | Description |
---|---|
-n |
Mount without writing to /etc/mtab . |
-t |
To indicate the type of file system to use. |
-a |
Mounts all filesystems mentioned in /etc/fstab . |
-r |
Mounts the file system read-only (equivalent to -o ro ). |
-w |
Mounts the file system read/write, by default (equivalent -o rw ). |
-o |
Argument followed by a comma-separated list of options (remount , ro , ...). |
!!! Note The mount
command alone displays all mounted file systems.
umount
command¶
The umount
command is used to unmount logical drives.
umount [-option] [device] [directory]
Example:
[root]# umount /home
[root]# umount /dev/sda7
Option | Description |
---|---|
-n |
Unmount without writing to /etc/mtab . |
-r |
If unmount fails, remount as read-only. |
-f |
Force unmount. |
-a |
Unmount all filesystems mentioned in /etc/fstab . |
!!! Note When disassembling, you must not stay below the mounting point. Otherwise, the following error message is displayed: device is busy
.
Types of files¶
As in any system, in order to be able to find one's way through the tree structure and the file management, it is important to respect the file naming rules.
- Files are coded on 255 characters;
- All ASCII characters can be used;
- Uppercase and lowercase letters are differentiated;
- No notion of extension.
Groups of words separated by spaces must be enclosed in quotation marks:
[root]# mkdir "working dir"
!!! Note While there is nothing technically wrong with creating a file or directory with a space in it, it is generally a "best practice" to avoid this and replace any space with an underscore.
!!! Note The . at the beginning of the file name only serves to hide it from a simple ls
.
!!! Warning Under Linux, the extension of a file is not a necessary reference to open or modify it. However, it can be useful for the user.
Examples of extension agreements:
.c
: source file in C language;.h
: C and Fortran header file;.o
: object file in C language;.tar
: data file archived with thetar
utility;.cpio
: data file archived with thecpio
utility;.gz
: data file compressed with thegzip
utility;.tgz
: data file archived with thetar
utility and compressed with thegzip
utility;.html
: web page.
Details of a file name¶
[root]# ls -liah /usr/bin/passwd
266037 -rwsr-xr-x 1 root root 59K mars 22 2019 /usr/bin/passwd
1 2 3 4 5 6 7 8 9
Row | Description |
---|---|
1 |
Inode number |
2 |
File type (1st character of the block of 10) |
3 |
Access rights (last 9 characters of the block of 10) |
4 |
Number of links (ordinary) or subdirectories (directories) |
5 |
Name of the owner |
6 |
Name of the group |
7 |
Size (byte, kilo, mega) |
8 |
Date of last update |
9 |
Name of the file |
Different types of files¶
The following types of files can be found on a system:
- Ordinary (text, binary, ...);
- Directories;
- Special (printers, screens, ...);
- Links;
- Communications (tubes and socket).
Ordinary files¶
These are text, program (source), executable (after compilation) or data (binary, ASCII) and multimedia files.
[root]# ls -l myfile
-rwxr-xr-x 1 root root 26 nov 31 15:21 myfile
The dash -
at the beginning of the rights group (10-character block) indicates that it is an ordinary file type.
Directory files¶
Directory files contain references to other files.
By default in each directory are present . and ...
- The . represents the position in the tree.
- The .. represents the father of the current position.
[root]# ls -l mydirectory
drwxr-xr-x 1 root root 26 nov 31 15:21 mydirectory
The letter d
at the beginning of the rights group indicates that it is a directory type file.
Special files¶
In order to communicate with peripherals (hard disks, printers, ...), Linux uses interface files called special files (device file or special file). They allow identification by the peripherals.
These files are special because they do not contain data but specify the access mode to communicate with the device.
They are defined in two modes:
- block mode;
- character mode.
Block mode¶
The special block mode file allows, using the system buffers, to transfer data to the device.
[root]# ls -l /dev/sda
brw------- 1 root root 8, 0 jan 1 1970 /dev/sda
The letter b
at the beginning of the rights group indicates that it is a special file block.
Character mode¶
The special character mode file is used to transfer data to the device as a stream of one character at a time without using a buffer. These are devices like printer, screen or DAT tapes, ...
The standard output is the screen.
[root]# ls -l /dev/tty0
crw------- 1 root root 8, 0 jan 1 1970 /dev/tty0
The letter c
at the beginning of the rights group indicates that it is a special character file.
Communication files¶
These are the pipe (pipes) and the socket files.
-
Pipe files pass information between processes by FIFO (First In, First Out). One process writes transient information to a pipe file and another reads it. After reading, the information is no longer accessible.
-
Socket files allow bidirectional inter-process communication (on local or remote systems). They use an inode of the file system.
Link files¶
These files give the possibility to give several logical names to the same physical file. A new access point to the file is therefore created.
There are two types of link files:
- Physical links;
- Symbolic links.
Physical link¶
The link file and the source file have the same inode number and the link counter is incremented. It is not possible to link different directories or files from different file systems.
!!! Warning If the source file is destroyed, the counter is decremented and the link file still accesses the file.
Command ln
for a physical link¶
The ln
command allows you to create physical links.
[root]# ls –li letter
666 –rwxr--r-- 1 root root … letter
[root]# ln /home/paul/letter /home/jack/read
[root]# ls –li /home/*/*
666 –rwxr--r-- 2 root root … letter
666 –rwxr--r-- 2 root root … read
Symbolic link¶
Unlike the physical link, the symbolic link involves the creation of a new inode. At the symbolic link level, only a path is stored in the inode table.
The file created contains only an indication of the path to the file. This notion no longer has the limitations of physical links and it is now possible to link directories and files belonging to different file systems.
!!! Warning If the source file is destroyed, the link file can no longer access the file.
ln
command for a symbolic link¶
The command ln
with the argument -s
allows to create symbolic links.
[root]# ls –li letter
666 -rwxr--r-- 1 root root … letter
[root]# ln -s /home/paul/letter /tmp/read
[root]# ls –li /home/paul/letter /tmp/read
666 -rwxr--r--- 1 root root … letter
678 lrwxrwxrwx 1 root root … read -> letter
File attributes¶
Linux is a multi-user operating system where the control of access to files is essential.
These controls are functions of:
- file access permissions ;
- users (ugo Users Groups Others).
The command ls -l
allows to display the attributes.
There are 4 file access rights:
- read;
- write;
- execution;
- - no right.
!!! Warning The rights associated with files differ from those associated with directories (see below).
The user types associated with file access rights are:
- user_ (owner) ;
- group_ (owner group);
- others (others users);
In some commands it is possible to designate everyone with a (all).
a = ugo
Rights associated with ordinary files¶
- read: Allows reading a file (
cat
,less
, ...) and copying a file (cp
, ...). - write: Allows modification of the file content (
cat
,>>
,vim
, ...). - execute: Considers the file as an eXecutable (binary or script).
- -: No permissions.
!!! Note Moving or renaming a file depends on the rights of the target directory. Deleting a file depends on the rights of the parent directory.
Rights associated with directories¶
- read: Allows reading the contents of a directory (
ls -R
). - write: Allows modification of the contents of a directory (
touch
) and allows creation and deletion of files if the x permission is enabled. - execute: Allows descending in the directory (
cd
). - -: No rights.
Attribute management¶
The display of rights is done with the command ls -l
. It is the last 9 characters of the block of 10. More precisely 3 times 3 characters.
[root]# ls -l /tmp/myfile
-rwxrw-r-x 1 root sys ... /tmp/myfile
1 2 3 4 5
Row | Description |
---|---|
1 | Owner (user) permissions, here rwx |
2 | Owner group permissions (group), here rw- |
3 | Other users' permissions (others), here r-x |
4 | File owner |
5 | Group owner of the file |
!!! Note Permissions apply to user, group and other (ugo) depending on the owner and group.
By default, the owner of a file is the one who creates it. The group of the file is the group of the owner who created the file. The others are those which are not concerned by the previous cases.
The attributes are changed with the chmod
command.
Only the administrator and the owner of a file can change the rights of a file.
chmod
command¶
The chmod
command allows you to change the access permissions to a file.
chmod [option] mode file
The mode indication can be an octal representation (e.g. 744
) or a symbolic representation ([ugoa
][+=-
][rwxst
]).
Several symbolic operations can be separated by commas
Example:
[root]# chmod -R u+rwx,g+wx,o-r /tmp/file1
[root]# chmod g=x,o-r /tmp/file2
[root]# chmod -R o=r /tmp/file3
[root]# ls -l /tmp/fic*
-rwxrwx--- 1 root root … /tmp/file1
-rwx--x--- 1 root root … /tmp/file2
-rwx--xr-- 1 root root … /tmp/file3
[root]# chmod 741 /tmp/file1
[root]# chmod -R 744 /tmp/file2
[root]# ls -l /tmp/fic*
-rwxr----x 1 root root … /tmp/file1
-rwxr--r-- 1 root root … /tmp/file2
Option | Observation |
---|---|
-R |
Recursively modify the permissions of directories and their contents. |
There are two methods for making rights changes:
- The octal method;
- The symbolic method.
!!! Warning The rights of files and directories are not dissociated. For some operations, it will be necessary to know the rights of the directory containing the file. A write-protected file can be deleted by another user as long as the rights of the directory containing it allow this user to perform this operation.
Principle of the octal method¶
Each right has a value.
[root]# ls -l /tmp/myfile
-rwxrwxrwx 1 root root ... /tmp/myfile
[root]# chmod 741 /tmp/myfile
-rwxr----x 1 root root ... /tmp/myfile
Principle of the symbolic method¶
This method can be considered as a "literal" association between a user type, an operator, and rights.
[root]# chmod u+rwx,g+wx,o-r /tmp/myfile
[root]# chmod g=x,o-r /tmp/myfile
[root]# chmod o=r /tmp/myfile
[root]# ls -l /tmp/myfile
r--r-- 1 root root … /tmp/myfile
[root]# chmod u+rwx,g+wx,o-r /tmp/myfile
[root]# ls -l /tmp/myfile
-rwxrwx--- 1 root root … /tmp/myfile
Special rights¶
In addition to the fundamental rights (rwx
), there are the particular rights:
- set-user-ID (SUID])
- set-group-ID (SGID])
- sticky-bit
As with the fundamental rights, the particular rights each have a value. This value is placed before the ugo
set of rights.
!!! Danger S
, S
and T
in capital letters if the right does not exist.
The sticky-bit¶
One of the peculiarities of rights in Linux is that the right to write to a directory also allows deletion of all files, owner or not.
The sticky-bit set on the directory will only allow users to delete files they own. This is the basic case for the /tmp
directory.
The setting of the sticky-bit can be done as follows:
Octal method:
[root]# chmod 1777 directory
Symbolic method:
[root]# chmod o+t directory
Verification:
[root]# ls -l
drwxrwxrwt … directory
SUID and SGID on a command¶
These rights allow execution of a command according to the rights set on the command, and not according to the user's rights.
The command is executed with the identity of the owner (SUID) or the group (SGID) of the command.
!!! Note The identity of the user requesting the execution of the order is no longer taken into account.
This is an additional possibility of access rights assigned to a user when it is necessary for them to have the same rights as the owner of a file or those of the group concerned.
Indeed, a user may have to run a program (usually a system utility) but not have the necessary access rights. By setting the appropriate rights (s at the owner level and/or at the group level), the user of the program has, for the time of its execution, the identity of the owner (or that of the group) of the program.
Example:
The file /usr/bin/passwd
is an executable file (a command) with a SUID.
When the user bob runs it, he will have to access the /etc/shadow
file, but the permissions on this file do not allow bob to access it.
Having a SUID this command, /usr/bin/passwd
, will be executed with the UID of root and the GID of root. The latter being the owner of the /etc/shadow
file, he will have read rights.
The setting of SUID and SGID can be done as below with the command chmod
:
Octal method:
[root]# chmod 4777 command1
[root]# chmod 2777 command2
Symbolic method:
[root]# chmod u+s command1
[root]# chmod g+s command2
Verification:
[root]# ls -l
-rwsrwxrwx … command1
-rwxrwsrwx … command2
!!! Warning It is not possible to pass the SUID or SGID to a shell script. The system does not allow it because it is too dangerous for security!
SGID on a file¶
In a directory with the SGID right, any file created will inherit the group that owns the directory instead of that of the creating user.
Example:
[rockstar] $ ls -ld /data/
drwxrwsr-x 2 root users 4096 26 oct. 19:43 /data
[rockstar] $ touch /data/test_sgid /tmp/fic_reference
[rockstar] $ ls -ld /data/test_sgid /tmp/fic_reference
-rw-r--r--. 1 rockstar users 0 26 oct. 19:43 /data/test_sgid <1>
-rw-r--r--. 1 rockstar rockstar 0 26 oct. 19:43 /tmp/fic_ref
<1> The test_sgid
file inherits the group owner of its /data
folder (in this case users
) whatever the main group of the rockstar
user is.
Default rights and mask¶
When a file or directory is created, it already has permissions.
- For a directory:
rwxr-xr-x
or 755. - For a file:
rw-r-r-
or 644.
This behavior is defined by the default mask.
The principle is to remove the value defined by the mask at maximum rights without the execution right.
For a directory :
For a file, the execution rights are removed:
umask
command¶
The umask
command allows you to display and modify the mask.
umask [option] [mode]
Example:
$ umask 033
$ umask
0033
$ umask -S
u=rwx,g=r,o=r
$ touch umask_033
$ ls -la umask_033
-rw-r--r-- 1 rockstar rockstar 0 nov. 4 16:44 umask_033
$ umask 025
$ umask -S
u=rwx,g=rx,o=w
$ touch umask_025
$ ls -la umask_025
-rw-r---w- 1 rockstar rockstar 0 nov. 4 16:44 umask_025
Option | Description |
---|---|
-S |
Symbolic display of file rights. |
!!! Warning umask
does not affect existing files.
!!! Note umask
modifies the mask until the disconnection.
To keep the value, you have to modify the following profile files: For all users:
/etc/profile
/etc/bashrc
For a particular user:
~/.bashrc
!!! Warning umask -S
displays the file rights (without the execute right) of the files that will be created. So it is not the display of the mask used to subtract the maximum value.
!!! Tip The umask
command being a bash command, (a type umask
returns umask is a shell primitive
) you have to search umask
in man bash
.