I am trying to understand the following commands:
- mkdir /data 0770 root system
- mkdir /data 0770 system system
- mkdir /data 0770 system room
mkdir is creating the directory,
/data is path,
0770 giving read write permissions to the directory,
root system I don’t know.
Answer
The format is

    mkdir <path> [mode] [user] [group]

The path defines which directory has to be created. The mode defines the permissions for the directory. The user and group define who is the owner of the directory. The permissions are relative to the user and the group owning the directory. For example, mkdir /data 0770 root system means the /data directory is owned by the user root and the group system. The root user has read/write/execute permissions (because of the first 7) and the same holds for every user that is a member of the system group (because of the second 7). Every other user has no permissions (because of the last 0). The leading 0 has no special meaning in this case, it just signifies the beginning of an octal number.

The commands that can be used in the init.rc are defined here.

You can also inspect the user and group that own a directory from the command line, using ls -l:

    # ls -l
    ... drwxrwx--- 45 root system 920 1971-02-01 00:26 data

Since you mentioned security labels: these permissions are unrelated to SELinux labels. The file permissions are considered Discretionary Access Control (DAC), whereas SELinux labels are Mandatory Access Control (MAC).

You can inspect the SELinux label with ls -lZ:

    # ls -lZ
    ... drwxrwx--x 45 root system u:object_r:system_data_file:s0 920 1971-02-01 00:26 data

So in this case the SELinux label would be u:object_r:system_data_file:s0. In general, the SELinux label of a file would not be set dynamically via the init.rc. Rather, the labels are defined statically via the file_contexts file in the SELinux policy (reference). Newly created files by default inherit the SELinux label of their parent directory. To apply the label from the policy to a newly created file, the restorecon command can be used, as can be seen e.g. here.
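As an added example (not code from the original question or answer, and not Android's own init code), the following script parses `mkdir <path> [mode] [user] [group]` lines from an init.rc snippet, renders the octal mode the way `ls -l` prints it, and flags directories whose DAC bits grant access to "other". It covers the DAC side only; the SELinux label discussed above is decided by file_contexts, not by these lines. The defaults used when mode/user/group are omitted (0755, root, root) are taken from the init README and are an assumption of this audit; the init.rc text is constructed for the example.

```python
"""Audit the `mkdir <path> [mode] [user] [group]` lines of an init.rc snippet.

Added example; not code from the original post or from Android. It parses
each mkdir line, renders the octal mode the way `ls -l` shows it, and flags
directories whose DAC bits grant access to "other". Only the DAC side is
covered: SELinux labels come from file_contexts, not from these lines.
"""
from dataclasses import dataclass

# Defaults applied by init when mode/owner/group are omitted (per the init
# README: 0755, root, root). Stated here as the assumption this audit makes.
DEFAULT_MODE = 0o755
DEFAULT_USER = "root"
DEFAULT_GROUP = "root"

# Constructed sample snippet, not a real init.rc.
SAMPLE_INIT_RC = """\
on post-fs-data
    # DAC set explicitly on the next four lines
    mkdir /data 0770 root system
    mkdir /data/misc 01771 system misc
    mkdir /data/local/tmp 0771 shell shell
    mkdir /data/app-private 0777 system system
    # mode/user/group omitted: init falls back to its defaults
    mkdir /data/vendor
    chmod 0755 /data
"""


def mode_string(mode: int) -> str:
    """Render an octal directory mode the way `ls -l` prints it."""
    out = "d"
    for shift, special_bit, special_char in ((6, 0o4000, "s"), (3, 0o2000, "s"), (0, 0o1000, "t")):
        bits = (mode >> shift) & 0o7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        if mode & special_bit:
            # Upper case means the special bit is set without the x bit.
            out += special_char if bits & 1 else special_char.upper()
        else:
            out += "x" if bits & 1 else "-"
    return out


@dataclass
class MkdirEntry:
    path: str
    mode: int
    user: str
    group: str

    def findings(self) -> list[str]:
        """DAC-only observations about this directory's mode."""
        notes = []
        if self.mode & 0o002:
            if self.mode & 0o1000:
                notes.append("world-writable, sticky bit limits deletion to the entry owner")
            else:
                notes.append("world-writable: any uid can create or remove entries")
        elif self.mode & 0o004:
            notes.append("world-readable: any uid can list the directory")
        if self.mode & 0o2000:
            notes.append(f"setgid: new entries inherit group {self.group}")
        return notes


def parse_mkdir_lines(text: str) -> list[MkdirEntry]:
    """Extract mkdir entries; `#` comments and other commands are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "mkdir":
            continue
        path = tokens[1]
        mode = int(tokens[2], 8) if len(tokens) > 2 else DEFAULT_MODE
        user = tokens[3] if len(tokens) > 3 else DEFAULT_USER
        group = tokens[4] if len(tokens) > 4 else DEFAULT_GROUP
        entries.append(MkdirEntry(path, mode, user, group))
    return entries


def audit(text: str) -> dict[str, list[str]]:
    """Map each mkdir path that has at least one finding to its findings."""
    return {e.path: e.findings() for e in parse_mkdir_lines(text) if e.findings()}


if __name__ == "__main__":
    for e in parse_mkdir_lines(SAMPLE_INIT_RC):
        print(f"{mode_string(e.mode)} {e.user}:{e.group} {e.path}")
        for note in e.findings():
            print(f"    ! {note}")
```

Running it prints one `ls -l`-style line per mkdir entry and flags /data/app-private (0777) as world-writable and /data/vendor (defaulted to 0755) as world-readable, while /data at 0770 root system produces no finding. Only the first four positional arguments are interpreted; the newer `encryption=`/`key=` arguments some init.rc files carry are ignored, and a `chmod` later in the file is not applied, so read the output as a review aid rather than the final state of the filesystem.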