How to disallow access to a file for one user?


Problem description

I am trying to disable a user from opening a file. The purpose is that when a user tries to open a specific file, he would not be able to.

Also, I want to be able to return the permissions and let the user open the file.

I only found ways to enable permissions: os.chmod(path, 0444), but I can not understand how to disable permissions.

Recommended answer

A primer on Unix permissions:

Every file has a user. This is a user on the system. Every file also has a group. This is a group on the system. A user can be in one or more groups. A file has exactly one user and one group that "own" the file.1

So what does a number like 0444 mean?

The first number is used for some special flags such as sticky, setuid, setgid. We don't need to bother with that right now. Just remember to set it to 0.

The next three numbers indicate the three permissions: one for the user, group, and other (everybody that is not user or group), in that order.

To set the permissions we use a number from zero to seven (an octal number). This is actually a bitmask. 1 is for execute, 2 is for write, 4 is for read.

In a table it looks like:2

N   Description                    ls output

0   No read, no write, no execute    ---
1   No read, no write, execute       --x
2   No read, write, no execute       -w-
3   No read, write, execute          -wx
4   Read, no write, no execute       r--
5   Read, no write, execute          r-x
6   Read, write, no execute          rw-
7   Read, write, execute             rwx

read and write should be self-explanatory. execute means that you can run a file with ./ls (this is not a security measure, and can be circumvented by the way). Note that directories are also files on Unix systems such as Linux. A directory must have the execute bit set if you want to be able to cd into it.

The numbers you will use most often are:

  • 7, for full access
  • 6, for full access except execute
  • 4, for read-only.

So, if you look at your command os.chmod(path, 0444) we see that you've set read-only access for all users. This is not what you want.

The correct permissions depend on which user and group own the file. If the file does not belong to the user you want to disallow access to, and is not in the group that the file belongs to, you can use:

os.chmod(path, 0o440)  # 0o440 is the Python 3 spelling of octal 0440

If we look at the table above, we see that it means:

  • Read, write, no execute for user.
  • Read, write, no execute for group.
  • NO permissions for other.

If the file does not belong to the user you want to disallow access to, and is in the group that the file belongs to, you can use:

os.chmod(path, 0o400)  # 0o400 is the Python 3 spelling of octal 0400

This will make it readable for the user only. Note that this may have side-effects, as everyone else in the group can't read it now either.

However, if the file belongs to the user, then you need to change the file user. This can be done with the os.chown() function. e.g.:

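import os, pwd
os.chown(path, pwd.getpwnam('martin').pw_uid, -1)  # os.chown() takes a numeric uid; gid -1 leaves the group unchanged
os.chmod(path, 0o400)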

1: You can use ACLs if you want to assign more users or groups to a file, but in >95% there is no need to, and it only adds complexity that may be difficult to manage. It's often disabled by default.

2: Table taken from the FreeBSD handbook
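
The cases the answer walks through (target user is owner, group member, or other), plus the restore step the question asks for, as an added example that is not part of the original answer. All function names are hypothetical; it assumes plain mode bits (no ACLs) and a target user who is not root. Clearing a class's bits also locks out everyone else in that class.

```python
import grp
import os
import pwd
import stat

# Bits to clear for each class that mode bits alone can lock out.
CLASS_BITS = {"group": stat.S_IRWXG, "other": stat.S_IRWXO}

def permission_class(file_uid, file_gid, uid, gids):
    """Class the kernel checks for this user: the first match wins."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"

def denied_mode(mode, file_uid, file_gid, uid, gids):
    """Return mode with every bit cleared for the class that applies to uid."""
    cls = permission_class(file_uid, file_gid, uid, gids)
    if cls == "owner":
        # An owner can chmod the file back, so mode bits cannot lock them out.
        raise ValueError("user owns the file; change the owner first")
    return stat.S_IMODE(mode) & ~CLASS_BITS[cls]

def ids_of(username):
    """Return (uid, set of gids): primary group plus supplementary groups."""
    pw = pwd.getpwnam(username)
    extra = {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, {pw.pw_gid} | extra

def deny_user(path, username):
    """Block username from path; return the old mode for restore()."""
    st = os.stat(path)
    uid, gids = ids_of(username)
    old = stat.S_IMODE(st.st_mode)
    os.chmod(path, denied_mode(old, st.st_uid, st.st_gid, uid, gids))
    return old

def restore(path, old_mode):
    """Give the file back the mode that deny_user() returned."""
    os.chmod(path, old_mode)
```

Store the value returned by deny_user() and pass it to restore() to give access back.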
