ACL permissions

I. Introduction and enabling ACL

1.1 Introduction

In the previous article, Linux permission management commands, I mentioned that a file distinguishes three identities among users: the owner, members of the owning group, and others. Each identity has its own read, write and execute permissions. For example, 770 means the owner has read, write and execute, members of the owning group also have read, write and execute, and others have no permissions at all. Now suppose another user comes along and I want to give him read access to that particular file, and nothing more. How do I do that? Adding him to the owning group obviously doesn't work, because group members have read, write and execute; by the same reasoning, making him the owner doesn't work either; and treating him as "others" won't do, because others have no permissions, while we want the new user to be able to read.

So the three identities are not enough. To solve this problem, Linux introduced ACL permissions. ACL stands for Access Control List. With an ACL we can assign permissions on a file to a specific user, without that user having to fall into any of the three identities. Even when a file's permissions are 770, we can give user A permission 5 (r-x) on the file, user B permission 4 (r--), user C permission 6 (rw-), and so on.

For a file to carry an ACL, the partition it lives on must support ACL. The following command shows whether a partition does:

dumpe2fs -h /dev/sda5

[screenshot of the dumpe2fs output]
Look at the "Default mount options" line: if it contains acl, the partition supports ACL. /dev/sda5 here is the root partition; use the df -h command to list all partitions on the system:
[screenshot of the df -h output]

1.2 Enabling ACL permissions

On current Linux systems disk partitions have ACL enabled by default. If you do run into a partition on which ACL is not enabled, you need to enable it manually.

1.2.1 Temporary enabling

As the name suggests, temporarily enabled ACL support only lasts until the system is rebooted; after a reboot the ACL permissions are gone again. To enable ACL temporarily, run:

mount -o remount,acl /    # remount the root partition, adding the acl mount option

The trailing "/" is the mount point of the root partition; to enable ACL on another partition, replace "/" with that partition's mount point.

1.2.2 Permanent enabling

Enabling ACL permanently takes two steps.

Step one: edit the system configuration file /etc/fstab.

Open the file, find the line for the partition on which ACL is to be enabled, and append ",acl" after defaults, as shown below:
[screenshot of the edited /etc/fstab line]
Step two: remount the file system or reboot the system.

Remount the file system:

mount -o remount /

Reboot the system: see the article on Linux shutdown and restart commands.
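The fstab edit from step one can be done with a script instead of by hand, which also lets you check first whether acl is already present. The following is an added example, not code from the original article: it reads fstab-format text on standard input and prints it back with acl added to the options of one mount point, so the result can be reviewed before it replaces /etc/fstab. The fstab content inside it is constructed for the example; /dev/sda5 and the root mount point are the values the article uses.

```shell
#!/bin/sh
# Added example, not from the original article: append ",acl" to the mount
# options of one mount point in fstab-format text (the edit described in
# section 1.2.2), idempotently and on a copy that can be reviewed before
# being written to /etc/fstab.  The fstab text below is constructed.

SAMPLE_FSTAB='# constructed sample, not a real /etc/fstab
/dev/sda5   /       ext4    defaults        1 1
/dev/sda1   /boot   ext4    defaults        1 2
tmpfs       /tmp    tmpfs   defaults,noexec 0 0'

# fstab_add_acl MOUNTPOINT: read fstab text on stdin and print it with "acl"
# appended to the options field (4th column) of the entry whose mount point
# (2nd column) is MOUNTPOINT.  Comments, blank lines and other entries pass
# through unchanged; an entry that already lists acl is left alone.  The
# edited line is re-emitted with single-space separators (awk rebuilds it).
fstab_add_acl() {
    awk -v mp="$1" '
        /^[[:space:]]*#/ || NF < 4 { print; next }
        $2 == mp {
            n = split($4, opts, ",")
            have = 0
            for (i = 1; i <= n; i++) if (opts[i] == "acl") have = 1
            if (!have) $4 = $4 ",acl"
        }
        { print }
    '
}

# fstab_has_acl MOUNTPOINT: exit 0 if the fstab entry for MOUNTPOINT (read on
# stdin) already lists acl among its options, 1 otherwise.
fstab_has_acl() {
    awk -v mp="$1" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "acl") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone run: show the edited copy for the constructed sample.
# On a real system you would use:  fstab_add_acl / < /etc/fstab > /tmp/fstab.new
# and compare it with diff before moving it into place and remounting.
printf '%s\n' "$SAMPLE_FSTAB" | fstab_add_acl /
```

Only the line for the requested mount point changes, and running the function a second time over its own output leaves the text as it is, so the check cannot double up ",acl" entries.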

II. Viewing and setting ACL permissions

2.1 Setting ACL permissions

The command for setting ACL permissions is setfacl. Its syntax is: setfacl [options] filename

The setfacl options are:

Option   Effect
-m       Set ACL permissions
-x       Remove the specified ACL entry
-b       Remove all ACL entries
-d       Set default ACL permissions
-k       Remove default ACL permissions
-R       Set ACL permissions recursively

For the demonstration we simulate a teaching scenario: the teacher is the root user; he creates a user for every student in the class and adds all of these student users to the tgroup group. On the server he creates a project directory, sets its owner to root and its group to tgroup, posts assignments there, and the students upload their finished work into it. So both the teacher and the students need read, write and execute permission on the project directory, while everyone else gets no permission at all; the directory's permissions should therefore be 770. Now a student auditing the course arrives. He should have read and execute permission on the project directory but no write permission, so we have to set ACL permissions for him.

# add a few student users
useradd andy
useradd jack
useradd jay
# add a group
groupadd tgroup
# add the student users to the tgroup group
gpasswd -a andy tgroup
gpasswd -a jack tgroup
gpasswd -a jay tgroup
# add a user for the auditing student
useradd st
# create a project directory under the root directory and set its group and permissions
mkdir /project
chown root:tgroup /project/
chmod 770 /project/

With that, the lab environment is ready; now we can start learning how to set ACL permissions.

Give user st read and execute permission on the project directory:

setfacl -m u:st:rx /project/

We can also set ACL permissions for a group. Suppose there is an auditing group stgroup; give this group read and execute permission on the project directory:

setfacl -m g:stgroup:rx /project/

After setting the ACL permissions, look at the attributes of the project directory:
[screenshot of the directory listing]
In the permissions column there is a plus sign at the end, which means the directory has ACL permissions in addition to the ordinary ones. Next we learn how to view ACL permissions.

2.2 Viewing a file's ACL permissions

To view a file's ACL permissions use the getfacl command followed by the file or directory name, for example:

getfacl /project    # view the ACL permissions of /project/

[screenshot of the getfacl output]
The first line is a notice saying, roughly, that the command does not accept absolute path names and is removing the leading "/" from the directory name; it can simply be ignored.

III. Maximum effective permissions

The mask specifies the maximum effective permission. When I grant ACL permissions to a user, they have to be ANDed with the mask to obtain the user's real, effective permissions.
[screenshot of getfacl output showing the mask entry]
Command to set the maximum effective permission:

setfacl -m m:rx /project/    # set the maximum effective permission of /project/ to r-x

After setting the maximum effective permission, view the directory's ACL permissions again:
[screenshot of the getfacl output]
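The AND rule is exactly what getfacl applies when it prints a "#effective:" annotation next to an entry that the mask cuts down. The following added example (not code from the original article) reproduces that computation in plain POSIX shell over a getfacl listing, so the effect of a mask can be checked without touching a real file system. The getfacl output embedded in it is constructed; the user st, the group stgroup and the mask r-x are the values the article uses for /project.

```shell
#!/bin/sh
# Added example (not code from the original article): reproduce the rule
# "effective permission = ACL entry AND mask" that getfacl shows as its
# "#effective:" annotation.  The listing below is constructed for this
# example; st, stgroup and the mask r-x are the article's values for /project.

SAMPLE_GETFACL='# file: project
# owner: root
# group: tgroup
user::rwx
user:st:rwx
group::rwx
group:stgroup:rwx
mask::r-x
other::---'

# and_perms A B: print the bitwise AND of two rwx strings (rwx r-x -> r-x).
and_perms() {
    a=$1; b=$2; out=""; i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s' "$a" | cut -c"$i")
        cb=$(printf '%s' "$b" | cut -c"$i")
        if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then
            out="$out$ca"
        else
            out="$out-"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# effective_entries: read getfacl output on stdin and print its ACL entries
# with "#effective:XXX" appended to every entry the mask restricts.  The mask
# applies to named users, named groups and the owning group (group::); the
# owner (user::) and other:: are never masked.  Header comments are dropped.
effective_entries() {
    input=$(cat)
    mask=$(printf '%s\n' "$input" | grep '^mask::' | cut -d: -f3)
    if [ -z "$mask" ]; then
        mask=rwx    # no mask entry means nothing is restricted
    fi
    printf '%s\n' "$input" | while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;    # blank lines and "# file:" style headers
        esac
        # strip any annotation getfacl itself already added
        line=$(printf '%s' "$line" | sed 's/[[:space:]]*#effective:.*$//')
        tag=${line%%:*}         # user / group / mask / other
        rest=${line#*:}
        qual=${rest%%:*}        # user or group name, empty for owner/owning group
        perms=${rest#*:}        # rwx string
        case $tag in
            mask|other) printf '%s\n' "$line"; continue ;;
            user) if [ -z "$qual" ]; then printf '%s\n' "$line"; continue; fi ;;
        esac
        eff=$(and_perms "$perms" "$mask")
        if [ "$eff" = "$perms" ]; then
            printf '%s\n' "$line"
        else
            printf '%s #effective:%s\n' "$line" "$eff"
        fi
    done
}

# Stand-alone run: annotate the constructed listing.  On a real system the
# same function can be fed with:  getfacl /project | effective_entries
printf '%s\n' "$SAMPLE_GETFACL" | effective_entries
```

For the sample, st, stgroup and the owning group all end up with r-x even though their entries say rwx, while the owner keeps rwx and other stays ---. One caveat worth knowing when using the mask in practice: setfacl recalculates the mask entry whenever a later setfacl -m call changes a named user, named group or owning-group entry, unless the call sets the mask explicitly or is given -n (--no-mask), so a mask you set by hand can be widened again by a subsequent edit.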

IV. Deleting ACL permissions

ACL permissions are deleted with the -x or -b option of the setfacl command.

To remove a single ACL entry, use the -x option, for example:

setfacl -x u:username filename    # remove the ACL entry of the given user
setfacl -x g:groupname filename   # remove the ACL entry of the given group

To remove all ACL entries, use the -b option:

setfacl -b filename    # remove all ACL entries from the file

V. Setting ACL permissions recursively

Recursive setting means that when ACL permissions are set on a parent directory, all files and subdirectories under it, at every level, receive the same ACL permissions. ACL permissions are set recursively like this:

setfacl -m u:username:permissions -R directory

VI. Default ACL permissions

A default ACL works as follows: if default ACL permissions are set on a parent directory, every file or subdirectory newly created inside it inherits the parent directory's ACL permissions.

setfacl -m d:u:username:permissions directory

Source: blog.csdn.net/young2415/article/details/92390912