Bird Brother's Linux Private Kitchen Learning Notes (26): ACL Permission Management

  1. Concept:
    ACL is the abbreviation of Access Control List. Its main purpose is to provide finer-grained permission settings than the traditional read, write and execute permissions of owner, group and other. ACL can assign r, w and x permissions to a single user or a single group for one file or directory, which is very helpful when special permissions are needed. Which aspects can ACL control? It mainly covers these items:
    (1) user: permissions can be set for an individual user;
    (2) group: permissions can be set with a group as the object;
    (3) default attribute (mask): the default permissions of new files/directories created under a directory can also be specified.
  2. Check whether the file system supports ACL

    [root@CentOS ~]# mount
    /dev/sda2 on / type ext4 (rw)
    [root@CentOS ~]# dumpe2fs -h /dev/sda2
    Default mount options:    user_xattr acl
    
    
    # If the file system is not mounted with ACL support, you can enable it manually with a remount:
    
    [root@CentOS ~]# mount -o remount,acl /
    [root@CentOS ~]# mount
    /dev/sda2 on / type ext4 (rw,acl)
    
    # To make it take effect on every boot, add acl to the mount options in /etc/fstab:
    
    [root@CentOS ~]# vim /etc/fstab
    LABEL=/1                /                       ext4    defaults,acl    1 1
    
  3. setfacl: set the ACL specification of a file/directory
    Parameters:
    -m: set the ACL parameters that follow on the file; cannot be combined with -x;
    -x: delete the ACL parameters that follow; cannot be combined with -m;
    -b: remove all ACL settings;
    -k: remove the "default" ACL parameters (the so-called "default" parameters are introduced in the examples below);
    -R: set the ACL recursively, i.e. subdirectories are set as well;
    -d: set the "default ACL parameters"; only valid for directories, and new data created there will refer to this default value.

    # Setting for a specific user
    
    # Setting rule: "u:[user account list]:[rwx]", e.g. specify rx for kevin
    
    [root@CentOS ~]# touch acl_test1
    [root@CentOS ~]# ll acl_test1 
    -rw-r--r--. 1 root root 0 Mar 18 15:27 acl_test1
    [root@CentOS ~]# setfacl -m u:kevin:rx acl_test1 
    [root@CentOS ~]# ll acl_test1 
    -rw-r-xr--+ 1 root root 0 Mar 18 15:27 acl_test1
    
    # An extra + appears after the permission bits, showing that the file now carries an ACL
    # (the group field of ls now shows the mask, r-x, rather than the owning group's r--)
    
    [root@CentOS ~]# setfacl -m u::rwx acl_test1 
    [root@CentOS ~]# ll acl_test1 
    -rwxr-xr--+ 1 root root 0 Mar 18 15:27 acl_test1
    
    # An empty user list means the file owner, so the owner (root) permission shown above becomes rwx
    
    
  4. getfacl: show the ACL settings of a file/directory
    Parameters:
    The options of getfacl are almost the same as those of setfacl, so Bird Brother does not list them here.

    # List the permissions just set
    
    [root@CentOS ~]# getfacl acl_test1 
    # file: acl_test1   # the file name
    # owner: root       # the file owner, the third field shown by ls -l
    # group: root       # the group the file belongs to, the fourth field shown by ls -l
    user::rwx           # an empty user list means the permission of the file owner
    user:kevin:r-x      # kevin's permission was set to rx, different from the owner's!
    group::r--          # the permission of the file's group is only r
    mask::r-x           # the effective permission limit (mask) of this file
    other::r--          # the permission of others
    
    # The lines beginning with # describe the basic attributes of the file: the file name, the file owner and the group it belongs to. The user, group, mask and other entries below them are the permissions of the respective users, groups and the mask.
    
    
    
    
    # Setting for a specific group
    
    # Setting rule: "g:[group list]:[rwx]", e.g. specify rx for group1
    
    [root@CentOS ~]# setfacl -m g:group1:rx acl_test1 
    [root@CentOS ~]# getfacl acl_test1 
    # file: acl_test1
    # owner: root
    # group: root
    user::rwx
    user:kevin:r-x
    group::r--
    group:group1:r-x  # the newly added entry
    mask::r-x
    other::r--
    
    # The permissions set for users or groups only take effect within the permissions allowed by the mask. This is called the "effective permission".
    
    
    
    
    # How to set the effective permission mask
    
    # Setting rule: "m:[rwx]", e.g. restrict the file above to r only
    [root@CentOS ~]# setfacl -m m:r acl_test1 
    [root@CentOS ~]# getfacl acl_test1 
    # file: acl_test1
    # owner: root
    # group: root
    user::rwx
    user:kevin:r-x          #effective:r--   # kevin's entry ANDed with the mask leaves only r
    group::r--
    group:group1:r-x        #effective:r--
    mask::r--
    other::r--
    
    # The intersection of kevin's entry and the mask leaves only r, so kevin effectively has r only, not x! That is what the mask does: by using the mask to specify the maximum permission allowed, we avoid inadvertently opening certain permissions to other users or groups. Usually, however, Bird Brother sets the mask to rwx and then regulates the rights of the individual users/groups.
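    An added example (not from the original notes) that models the mask rule in Python: it parses the getfacl output above, computes each entry's effective permission the way the "#effective:" annotation does, and runs the POSIX access check in owner / named user / group class / other order, so you can see that kevin gets r but not x. The names kevin, group1 and root come from the output above; the group memberships passed to acl_allows are assumptions.

```python
# Added example (not from the original notes): effective permission = entry AND mask,
# as getfacl's "#effective:" annotation shows, plus the POSIX.1e access check.

def parse_getfacl(text):
    """(tag, qualifier, perms) per entry; '#' headers and '#effective' notes are dropped."""
    rows = [line.split("#", 1)[0].strip() for line in text.splitlines()]
    return [tuple(row.split(":")[-3:]) for row in rows if row]  # a 'default:' prefix is dropped

def intersect(a, b):
    """AND two rwx strings position by position: 'r-x' & 'r--' -> 'r--'."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def effective_permissions(entries):
    """Map 'tag:qualifier' -> the permission that actually applies. The mask limits
    named users, the owning group and named groups; user:: and other:: are never masked."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qual, perms in entries:
        masked = mask is not None and (tag == "group" or (tag == "user" and qual != ""))
        result[f"{tag}:{qual}"] = intersect(perms, mask) if masked else perms
    return result

def acl_allows(entries, want, user, groups, owner, file_group):
    """Access check in POSIX ACL order: owner, named user, group class, other."""
    eff = effective_permissions(entries)
    ok = lambda p: all(c in p for c in want)  # want is e.g. "r", "x" or "rw"
    if user == owner:
        return ok(eff["user:"])
    if f"user:{user}" in eff:
        return ok(eff[f"user:{user}"])
    group_class = [eff["group:"]] if file_group in groups else []
    group_class += [eff[f"group:{g}"] for g in groups if f"group:{g}" in eff]
    if group_class:  # any matching group entry that grants the request suffices
        return any(ok(p) for p in group_class)
    return ok(eff["other:"])

# Constructed sample: the getfacl output shown above after "setfacl -m m:r acl_test1"
SAMPLE = """# file: acl_test1
user::rwx
user:kevin:r-x          #effective:r--
group::r--
group:group1:r-x        #effective:r--
mask::r--
other::r--
"""

if __name__ == "__main__":
    for key, perms in effective_permissions(parse_getfacl(SAMPLE)).items():
        print(f"{key:<14}{perms}")  # user:kevin and group:group1 come out as r--
    print("kevin may execute?", acl_allows(parse_getfacl(SAMPLE), "x", "kevin", ["kevin"], "root", "root"))
```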
    
    
  5. Practice
    Create a new user user1 and a new directory /srv/projecta; user1 should be able to enter the directory but must not have permission to modify it.

    # Create user user1 and directory /srv/projecta
    
    [root@CentOS ~]# useradd -G group1 -c "1st user" user1
    [root@CentOS ~]# echo "password" | passwd --stdin user1
    [root@CentOS ~]# mkdir /srv/projecta
    
    # Check whether user1 has permission to enter the directory
    
    [user1@CentOS ~]$ cd /srv/projecta/
    bash: cd: /srv/projecta/: Permission denied
    
    # Modifying permissions with root identity
    
    [root@CentOS ~]# setfacl -m u:user1:rx /srv/projecta/
    [root@CentOS ~]# getfacl /srv/projecta/
    getfacl: Removing leading '/' from absolute path names
    # file: srv/projecta/
    # owner: root
    # group: root
    # flags: -s-
    user::rwx
    user:user1:r-x  # the entry just added
    group::rwx
    mask::rwx
    other::---
    
    
    # Use user1 to view permissions
    
    [user1@CentOS ~]$ cd /srv/projecta/
    [user1@CentOS projecta]$ ll -a
    drwxrws---+ 2 root root 4096 Mar 18 15:00 .
    drwxr-xr-x. 3 root root 4096 Mar 18 15:00 ..
    [user1@CentOS projecta]$  touch testing
    touch: cannot touch `testing': Permission denied
    
    # There is no write permission.
    

    Test whether ACL privileges can be inherited by subdirectories

    # Check to see if inheritance exists
    
    [root@CentOS ~]# cd /srv/projecta/
    [root@CentOS projecta]# touch abc1
    [root@CentOS projecta]# mkdir abc2
    [root@CentOS projecta]# ll -d abc*
    -rw-r--r--. 1 root root    0 Mar 18 15:50 abc1
    drwxr-sr-x. 2 root root 4096 Mar 18 15:50 abc2
    
    # There is no + after the permission bits, so the ACL entries were not inherited.
    
    
    
  6. To make ACL permissions inheritable (default ACL):
    Format: d:[u|g]:[user|group]:permissions

    # Give user1 default rx permissions on everything created under /srv/projecta
    
    [root@CentOS ~]# setfacl -m d:u:user1:rx /srv/projecta/
    [root@CentOS ~]# getfacl /srv/projecta/
    getfacl: Removing leading '/' from absolute path names
    # file: srv/projecta/
    # owner: root
    # group: root
    # flags: -s-
    user::rwx
    user:user1:r-x
    group::rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:user1:r-x
    default:group::rwx
    default:mask::rwx
    default:other::---
    
    [root@CentOS ~]# cd /srv/projecta/
    [root@CentOS projecta]# touch zzz1
    [root@CentOS projecta]# mkdir zzz2
    [root@CentOS projecta]# ll -d zzz*
    -rw-rw----+ 1 root root    0 Mar 18 15:54 zzz1
    drwxrws---+ 2 root root 4096 Mar 18 15:54 zzz2
    
    # Inheritance does happen; use getfacl to confirm
    
    [root@CentOS projecta]# getfacl zzz2
    # file: zzz2
    # owner: root
    # group: root
    # flags: -s-
    user::rwx
    user:user1:r-x
    group::rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:user1:r-x
    default:group::rwx
    default:mask::rwx
    default:other::---
    
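    The inheritance just shown follows the rule in acl(5): a new object copies the parent's default entries as its access ACL, and the owner, mask (or owning group when there is no mask) and other entries are ANDed with the mode the creating program asks for (0666 for touch, 0777 for mkdir), while the umask is not applied. Added example (not the notes' own code) that models this for the default ACL above and reproduces the -rw-rw----+ shown for zzz1; it generalizes to any creation mode and to directories without a mask entry.

```python
# Added example (not from the original notes): model how a new object under a directory
# with a default ACL gets its access ACL, following the acl(5) rules.

def mode_to_rwx(bits):
    """3-bit permission value -> rwx string, e.g. 6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))

def intersect(a, b):
    """AND two rwx strings position by position."""
    return "".join(x if x == y else "-" for x, y in zip(a, b))

def inherit_acl(default_acl, mode, is_dir):
    """default_acl: (tag, qualifier, perms) tuples of the parent's default entries.
    mode: creation mode requested by the caller (touch uses 0o666, mkdir 0o777).
    The default entries are copied; owner, mask (or owning group when no mask
    exists) and other are ANDed with the matching mode bits. The umask is ignored
    when a default ACL exists. Directories also inherit the default ACL itself."""
    has_mask = any(t == "mask" for t, _, _ in default_acl)
    limits = {"user:": mode_to_rwx(mode >> 6 & 7), "other:": mode_to_rwx(mode & 7),
              ("mask:" if has_mask else "group:"): mode_to_rwx(mode >> 3 & 7)}
    access = [(t, q, intersect(p, limits[f"{t}:{q}"]) if f"{t}:{q}" in limits else p)
              for t, q, p in default_acl]
    return access + ([("default:" + t, q, p) for t, q, p in default_acl] if is_dir else [])

def ls_mode(access, is_dir):
    """The permission column `ls -l` prints: owner bits, then the mask bits if a mask
    exists (otherwise the group bits), then other bits, then '+' for an ACL.
    The setgid 's' seen in the notes' output is a mode bit and is not modelled here."""
    perms = {f"{t}:{q}": p for t, q, p in access}
    group = perms.get("mask:", perms["group:"])
    return ("d" if is_dir else "-") + perms["user:"] + group + perms["other:"] + "+"

# Constructed from the default entries shown above for /srv/projecta
DEFAULT_ACL = [("user", "", "rwx"), ("user", "user1", "r-x"), ("group", "", "rwx"),
               ("mask", "", "rwx"), ("other", "", "---")]

if __name__ == "__main__":
    print(ls_mode(inherit_acl(DEFAULT_ACL, 0o666, False), False))  # -rw-rw----+  (zzz1)
    print(ls_mode(inherit_acl(DEFAULT_ACL, 0o777, True), True))    # drwxrwx---+ (zzz2, without setgid)
```

The setgid 's' in drwxrws---+ is inherited from the parent's mode bits, not from the ACL, so the model prints drwxrwx---+ for zzz2. Note also that zzz1's mask came out as rw-, so user1's inherited r-x on that file is effectively r--.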
  7. Remove all ACL attributes

    [root@CentOS projecta]# getfacl /srv/projecta/
    getfacl: Removing leading '/' from absolute path names
    # file: srv/projecta/
    # owner: root
    # group: root
    # flags: -s-
    user::rwx
    user:user1:r-x
    group::rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:user1:r-x
    default:group::rwx
    default:mask::rwx
    default:other::---
    
    # -b removes every ACL entry of the directory, including the default entries
    [root@CentOS projecta]# setfacl -b /srv/projecta/
    
    [root@CentOS projecta]# getfacl /srv/projecta/
    getfacl: Removing leading '/' from absolute path names
    # file: srv/projecta/
    # owner: root
    # group: root
    # flags: -s-
    user::rwx
    group::rwx
    other::---
    
    


Added by samadams83 on Thu, 18 Jul 2019 01:18:00 +0300