permissions.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Permissions</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="UNIX Basics" href="basics.html" />
<link rel="PREVIOUS" title="Virtual Consoles and Terminals" href="consoles.html" />
<link rel="NEXT" title="Directory Structure" href="dirstructure.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="consoles.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 3. UNIX Basics</td>
<td width="10%" align="right" valign="bottom"><a href="dirstructure.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="PERMISSIONS" name="PERMISSIONS">3.3. Permissions</a></h1>

<p>FreeBSD, being a direct descendant of BSD <span class="TRADEMARK">UNIX</span>&reg;, is
based on several key <span class="TRADEMARK">UNIX</span> concepts. The first and most
pronounced is that FreeBSD is a multi-user operating system. The system can handle
several users all working simultaneously on completely unrelated tasks. The system is
responsible for properly sharing and managing requests for hardware devices, peripherals,
memory, and CPU time fairly to each user.</p>

<p>Because the system is capable of supporting multiple users, everything the system
manages has a set of permissions governing who can read, write, and execute the resource.
These permissions are stored as three octets broken into three pieces, one for the owner
of the file, one for the group that the file belongs to, and one for everyone else. This
numerical representation works like this:</p>

<div class="INFORMALTABLE"><a id="AEN3656" name="AEN3656"></a>
<table border="0" frame="void" class="CALSTABLE">
<col />
<col />
<col />
<thead>
<tr>
<th>Value</th>
<th>Permission</th>
<th>Directory Listing</th>
</tr>
</thead>

<tbody>
<tr>
<td>0</td>
<td>No read, no write, no execute</td>
<td><var class="LITERAL">---</var></td>
</tr>

<tr>
<td>1</td>
<td>No read, no write, execute</td>
<td><var class="LITERAL">--x</var></td>
</tr>

<tr>
<td>2</td>
<td>No read, write, no execute</td>
<td><var class="LITERAL">-w-</var></td>
</tr>

<tr>
<td>3</td>
<td>No read, write, execute</td>
<td><var class="LITERAL">-wx</var></td>
</tr>

<tr>
<td>4</td>
<td>Read, no write, no execute</td>
<td><var class="LITERAL">r--</var></td>
</tr>

<tr>
<td>5</td>
<td>Read, no write, execute</td>
<td><var class="LITERAL">r-x</var></td>
</tr>

<tr>
<td>6</td>
<td>Read, write, no execute</td>
<td><var class="LITERAL">rw-</var></td>
</tr>

<tr>
<td>7</td>
<td>Read, write, execute</td>
<td><var class="LITERAL">rwx</var></td>
</tr>
</tbody>
</table>
</div>

<p>You can use the <var class="OPTION">-l</var> command line argument to <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ls</span>(1)</span> to view a long
directory listing that includes a column with information about a file's permissions for
the owner, group, and everyone else. For example, a <tt class="COMMAND">ls -l</tt> in an
arbitrary directory may show:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> ls -l
total 530
-rw-r--r--  1 root  wheel     512 Sep  5 12:31 myfile
-rw-r--r--  1 root  wheel     512 Sep  5 12:31 otherfile
-rw-r--r--  1 root  wheel    7680 Sep  5 12:31 email.txt
...
</pre>

<p>Here is how the first column of <tt class="COMMAND">ls -l</tt> is broken up:</p>

<pre class="SCREEN">
-rw-r--r--
</pre>

<p>The first (leftmost) character tells if this file is a regular file, a directory, a
special character device, a socket, or any other special pseudo-file device. In this
case, the <var class="LITERAL">-</var> indicates a regular file. The next three
characters, <var class="LITERAL">rw-</var> in this example, give the permissions for the
owner of the file. The next three characters, <var class="LITERAL">r--</var>, give the
permissions for the group that the file belongs to. The final three characters, <var
class="LITERAL">r--</var>, give the permissions for the rest of the world. A dash means
that the permission is turned off. In the case of this file, the permissions are set so
the owner can read and write to the file, the group can read the file, and the rest of
the world can only read the file. According to the table above, the permissions for this
file would be <var class="LITERAL">644</var>, where each digit represents the three parts
of the file's permission.</p>

<p>This is all well and good, but how does the system control permissions on devices?
FreeBSD actually treats most hardware devices as a file that programs can open, read, and
write data to just like any other file. These special device files are stored on the <tt
class="FILENAME">/dev</tt> directory.</p>

<p>Directories are also treated as files. They have read, write, and execute permissions.
The executable bit for a directory has a slightly different meaning than that of files.
When a directory is marked executable, it means it can be traversed into, that is, it is
possible to ``cd'' (change directory) into it. This also means that within the directory
it is possible to access files whose names are known (subject, of course, to the
permissions on the files themselves).</p>

<p>In particular, in order to perform a directory listing, read permission must be set on
the directory, whilst to delete a file that one knows the name of, it is necessary to
have write <span class="emphasis"><i class="EMPHASIS">and</i></span> execute permissions
to the directory containing the file.</p>

<p>There are more permission bits, but they are primarily used in special circumstances
such as setuid binaries and sticky directories. If you want more information on file
permissions and how to set them, be sure to look at the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">chmod</span>(1)</span> manual page.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN3736" name="AEN3736">3.3.1. Symbolic Permissions</a></h2>

<i class="AUTHORGROUP"><span class="CONTRIB">Contributed by</span> Tom Rhodes.</i> 

<p>Symbolic permissions, sometimes referred to as symbolic expressions, use characters in
place of octal values to assign permissions to files or directories. Symbolic expressions
use the syntax of (who) (action) (permissions), where the following values are
available:</p>

<div class="INFORMALTABLE"><a id="AEN3748" name="AEN3748"></a>
<table border="0" frame="void" class="CALSTABLE">
<col />
<col />
<col />
<thead>
<tr>
<th>Option</th>
<th>Letter</th>
<th>Represents</th>
</tr>
</thead>

<tbody>
<tr>
<td>(who)</td>
<td>u</td>
<td>User</td>
</tr>

<tr>
<td>(who)</td>
<td>g</td>
<td>Group owner</td>
</tr>

<tr>
<td>(who)</td>
<td>o</td>
<td>Other</td>
</tr>

<tr>
<td>(who)</td>
<td>a</td>
<td>All (``world'')</td>
</tr>

<tr>
<td>(action)</td>
<td>+</td>
<td>Adding permissions</td>
</tr>

<tr>
<td>(action)</td>
<td>-</td>
<td>Removing permissions</td>
</tr>

<tr>
<td>(action)</td>
<td>=</td>
<td>Explicitly set permissions</td>
</tr>

<tr>
<td>(permissions)</td>
<td>r</td>
<td>Read</td>
</tr>

<tr>
<td>(permissions)</td>
<td>w</td>
<td>Write</td>
</tr>

<tr>
<td>(permissions)</td>
<td>x</td>
<td>Execute</td>
</tr>

<tr>
<td>(permissions)</td>
<td>t</td>
<td>Sticky bit</td>
</tr>

<tr>
<td>(permissions)</td>
<td>s</td>
<td>Set UID or GID</td>
</tr>
</tbody>
</table>
</div>

<p>These values are used with the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">chmod</span>(1)</span> command just like before, but with letters.
For an example, you could use the following command to block other users from accessing
<var class="REPLACEABLE">FILE</var>:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod go= FILE</kbd>
</pre>

<p>A comma separated list can be provided when more than one set of changes to a file
must be made. For example the following command will remove the groups and ``world''
write permission on <var class="REPLACEABLE">FILE</var>, then it adds the execute
permissions for everyone:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">chmod go-w,a+x <var
class="REPLACEABLE">FILE</var></kbd>
</pre>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="consoles.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="dirstructure.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Virtual Consoles and Terminals</td>
<td width="34%" align="center" valign="top"><a href="basics.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Directory Structure</td>
</tr>
</table>
</div>
</body>
</html>