
The mask permission is the maximum ACL permission that a user or group can have: an ACL permission set for a user or group cannot exceed the limit specified by the mask, and any part beyond it is invalid.
# Setfacl and getfacl add ACL permissions for a directory or file to a user or group
[root@localhost /]# getfacl project
# file: project <- file name
# owner: root <- owner of the file
# group: tgroup <- group of the file
user::rwx <- the user name field is empty, so this is the owner's permission
group::rwx <- the group name field is empty, so this is the permission of the owning group
other::--- <- permissions of others
[root@localhost /]# setfacl -m u:st:rx /project
# Set r-x permission on the project directory for user st
[root@localhost /]# getfacl project
# file: project
# owner: root
# group: tgroup
user::rwx
user:st:r-x <- permission of user st
group::rwx
mask::rwx <- mask permission
other::---
Comparing the getfacl output before and after the ACL permission was added, the latter has two extra lines: one is the r-x permission we set for user st, and the other is the mask permission.
Giving user st r-x permission on the project directory does not by itself mean that st can read and enter the directory; the entry must still be compared with the mask permission. Since r-x lies within the range of rwx, st effectively has r-x. Note that this comparison is in fact a bitwise AND of the two permission sets, and the result is the effective ACL permission of user st. Taking the read (r) permission as an example, the results of the operation are shown in Table 1:
Table 1: Bitwise AND of the read permission

However, if you change the mask permission to r-- and then compare it with the st user's permission r-x (r-- AND r-x), r-x exceeds the scope of r--, so user st ends up with only r permission and the manually granted x permission is invalid. This is where the mask permission comes into play when setting ACL permissions: it limits the ACL permissions set for users or groups to the scope specified by the mask, and any excess is simply invalidated.
The mask permission can be changed manually with the setfacl command. In general, though, we do not change it: as long as the mask keeps the maximum permission (that is, rwx), the ACL permission given to a user or group is valid in full.
# Change the mask permission of the project directory to r-x
[root@localhost ~]# setfacl -m m:rx /project
# Set the mask permission to r-x, using the "m:permission" format
[root@localhost ~]# getfacl /project
# file: project
# owner: root
# group: tgroup
user::rwx
group::rwx
mask::r-x <-- the mask permission changes to r-x
other::---
Linux is a security-oriented operating system, and the foundation of that security is the permission settings: not only must every existing file and directory have the necessary access permissions, but newly created files and directories must also receive the necessary initial permissions.
Unlike Windows, where newly created files and directories obtain their initial permissions by inheriting from the parent directory, Linux assigns initial permissions to all newly created files and directories through the umask default permission.
# Get the umask default permission directly with the umask command
[root@192 ~]# umask
0022
[root@192 ~]# su - wangjie
Last login: Sun Jan 16 12:06:10 CST 2022 on pts/1
[wangjie@localhost ~]$ umask
0002
# The default is 0022 for the root user and 0002 for normal users
The umask default permission does consist of 4 octal digits, but the first digit represents the special permission bits of the file (SetUID, SetGID, Sticky Bit). The last 3 digits, "022", are the umask value actually used in this section; converted to letter form they read ----w--w-.
(1) Official calculation
Although the umask default permission is used to set the initial permissions of a file or directory, it is not used directly as those initial permissions; it has to be "reworked" first:
Initial permissions for a file (or directory) = Maximum default permission for a file (or directory) - umask permission
According to the official algorithm, the umask default permission is handled in binary: the maximum default permission is ANDed with the logical NOT of the umask, which yields the final initial permission of the file or directory.
(2) Brief calculation
To arrive at the initial permission value of a file or directory, we also need to know its maximum default permission value. On Linux systems, the maximum default permissions for files and directories differ:
<pre class="brush:py;">
[root@localhost ~]# umask
0022
[root@localhost ~]# touch file <-- create an empty file named file
[root@localhost ~]# ll -d file
-rw-r--r--. 1 root root 0 Apr 18 02:36 file
</pre>
<pre class="brush:py;">
[root@localhost ~]# umask
0022
[root@localhost ~]# mkdir catalog <-- create a new directory named catalog
[root@localhost ~]# ll -d catalog
drwxr-xr-x. 2 root root 4096 Apr 18 02:36 catalog
</pre>
Note that when calculating the initial permissions of a file or directory, you cannot simply subtract the numeric forms of the maximum default permission and the umask; that gives the wrong answer. For example, with a umask of 033, a numeric calculation for a file gives 666-033=633, but calculating in letter form gives (rw-rw-rw-) - (----wx-wx) = (rw-r--r--), which is 644 in numeric form. The "subtraction" here really means "masking": the bits that the maximum default permission has in common with the umask are masked out, and what remains of the maximum default permission is the initial permission finally given to the file or directory.
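As an added example, not part of the original page, the following Python reproduces both calculations described above: the effective ACL permission of a named entry as entry AND mask, and the initial mode of a new file or directory as maximum default AND NOT umask. The naive octal subtraction is kept alongside to show why it yields 633 instead of 644 for umask 033. Function names are this example's own.

```python
# Added example: an ACL mask and a umask are both a bitwise AND, not a subtraction.
# Function names below are this example's own, not from the acl or coreutils tools.

def rwx_to_bits(rwx: str) -> int:
    """Parse one 3-character symbolic triplet such as 'r-x' into a 0..7 value."""
    if len(rwx) != 3:
        raise ValueError(f"expected 3 characters, got {rwx!r}")
    bits = 0
    for ch, letter, value in zip(rwx, "rwx", (4, 2, 1)):
        if ch == letter:
            bits |= value
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {rwx!r}")
    return bits

def bits_to_rwx(bits: int) -> str:
    """Inverse of rwx_to_bits: 5 -> 'r-x'."""
    return "".join(l if bits & v else "-" for l, v in zip("rwx", (4, 2, 1)))

def effective_acl(entry: str, mask: str) -> str:
    """Effective permission of a named user/group ACL entry: entry AND mask."""
    return bits_to_rwx(rwx_to_bits(entry) & rwx_to_bits(mask))

def initial_mode(max_default: int, umask: int) -> int:
    """Official umask rule: initial mode = max default AND NOT umask.
    max_default is 0o666 for a new file and 0o777 for a new directory."""
    return max_default & ~umask & 0o777

def naive_subtraction(max_default: int, umask: int) -> int:
    """The digit-wise subtraction the text warns against (wrong for e.g. 033)."""
    return max_default - umask

def mode_to_symbolic(mode: int) -> str:
    """0o644 -> 'rw-r--r--'; also renders a umask such as 0o022 as '----w--w-'."""
    return "".join(bits_to_rwx((mode >> shift) & 7) for shift in (6, 3, 0))

if __name__ == "__main__":
    print("st user r-x with mask rwx ->", effective_acl("r-x", "rwx"))  # r-x
    print("st user r-x with mask r-- ->", effective_acl("r-x", "r--"))  # r--
    for umask in (0o022, 0o002, 0o033):
        f, d = initial_mode(0o666, umask), initial_mode(0o777, umask)
        print(f"umask {umask:04o}: file {f:03o} ({mode_to_symbolic(f)}), "
              f"dir {d:03o} ({mode_to_symbolic(d)}), "
              f"naive file {naive_subtraction(0o666, umask):03o}")
```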
<pre class="brush:py;">
[root@localhost ~]# umask 002
[root@localhost ~]# umask
0002
[root@localhost ~]# umask 033
[root@localhost ~]# umask
0033
[root@localhost ~]# vim /etc/profile
...part of the content omitted...
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002   # if the UID is greater than 199 (normal user), this umask value is used
else
    umask 022   # if the UID is not greater than 199 (superuser), this umask value is used
fi
...part of the content omitted...
</pre>