
ACL Permissions

2017-11-16, 10 pages, doc, 32 KB, 29 reads


is_686908

setfacl - set file access control lists

Format 1: setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...
Format 2: setfacl --restore=file

Description

setfacl sets ACLs from the command line. The -m and -x options are followed by ACL rules; multiple rules are separated by commas. The -M and -X options read the ACL rules from a file or from standard input.

The --set and --set-file options set the ACL rules of a file or directory, and the previous settings are overwritten. The -m (--modify) and -M (--modify-file) options modify the ACL rules of a file or directory. The -x (--remove) and -X (--remove-file) options delete ACL rules.

When the -M and -X options read rules from a file, setfacl accepts the format that the getfacl command outputs.

When setfacl is used on a file system that does not support ACLs, it modifies the file permissions instead. If the ACL rules do not match the file permissions exactly, setfacl modifies the file permissions so that they reflect the ACL rules as closely as possible, sends an error message to standard error, and returns a value greater than zero.

Permissions

Root is the only user with the CAP_FOWNER capability.

Options

    -b, --remove-all
        Remove all extended ACL rules. The basic ACL rules (owner, group, and others) are preserved.
    -k, --remove-default
        Delete the default ACL rules.
    -n, --no-mask
        Do not recompute the effective permissions. By default setfacl recalculates the ACL mask unless a mask is given explicitly.
    --mask
        Recompute the effective permissions even if an ACL mask is specified explicitly.
    -d, --default
        Set the default ACL rules.
    --restore=file
        Restore ACL rules from a backup file (such files can be generated by getfacl -R). This mechanism can restore the ACL rules of an entire directory tree. This option cannot be combined with any other option except --test.
    --test
        Test mode. The ACL rules of files are not changed; the resulting ACL rules are listed.
    -R, --recursive
        Operate recursively on all files and directories.
    -L, --logical
        Follow symbolic links. By default only symbolic links to files are followed and symbolic links to directories are skipped.
    -P, --physical
        Skip all symbolic links, including symbolic links to files.
    --version
        Output the version number of setfacl and exit.
    --help
        Output help information.
    --
        Marks the end of the command-line options; all subsequent parameters are treated as file names.
    -
        If the file name is -, setfacl reads the file names from standard input.

ACL rules

The setfacl command recognizes the following rule formats:

    [d[efault]:] [u[ser]:]uid [:perms]
        Permissions of the specified user, or of the file owner if the uid is not specified.
    [d[efault]:] g[roup]:gid [:perms]
        Permissions of the specified group, or of the file's owning group if the gid is not specified.
    [d[efault]:] m[ask][:] [:perms]
        Effective permissions mask.
    [d[efault]:] o[ther][:] [:perms]
        Permissions of others.

For uid and gid you can specify either a number or a name. The perms field is a combination of letters that stand for the permissions: read (r), write (w), execute (x), and execute only for directories and for some executable files (X). The perms field can also be given in octal format.

Automatically created rules

A file or directory contains three basic ACL rules.

    * The 3 basic rules cannot be deleted.
    * Any rule that contains a specified user name or group name must contain a valid permission combination.
    * For any rule that contains a default rule, the default rule must exist when it is used.

----------

1. ACL and Linux file permission
Under Linux, the parties that can operate on a file are divided into three categories: the file owner, the group (note that this is not necessarily the file owner's group), and other. Simply put, an ACL lets you set permissions on a file for a particular user or user group, and there are only three commands you need to master: getfacl, setfacl, and chacl.

An ACL is a series of access entries. Each access entry defines the operation permissions that a specific category can have on the file. An access entry has three components: entry tag type, qualifier (optional), and permission.

The entry tag type has the following values:

    ACL_USER_OBJ:  equivalent to the file owner permission in Linux
    ACL_USER:      defines the permissions that additional users can have on this file
    ACL_GROUP_OBJ: equivalent to the group permission in Linux
    ACL_GROUP:     defines the permissions that additional groups can have on this file
    ACL_MASK:      defines the maximum permissions for ACL_USER, ACL_GROUP_OBJ, and ACL_GROUP
    ACL_OTHER:     equivalent to the other permission in Linux

Example:

    $ getfacl --omit-header a.txt   # --omit-header hides the first three lines (file name, file owner and group), which start with #
    user::rwx          # defines ACL_USER_OBJ
    user:mis3:rwx      # defines ACL_USER
    group::r--         # defines ACL_GROUP_OBJ
    group:misg:rwx     # defines ACL_GROUP
    mask::rwx          # defines ACL_MASK
    other::rwx         # defines ACL_OTHER

2. How to set up an ACL file

An access entry has three components: entry tag type, qualifier (optional), and permission. The first field is the entry tag type. The second field is the qualifier, which names the particular user or group whose permissions on the file are being defined, such as user mis3 and group misg. The third field is the permission.

Example:

    $ ll a.txt
    -rw-rw-r--+ root root 12 Jul  9 19:50 a.txt
    # "+" indicates that the file has an ACL_USER or ACL_GROUP value; we call such a file an ACL file.
3. ACL_MASK and effective permission

ACL_MASK is another key to mastering ACLs. With ordinary Linux file permissions, as everyone knows, in rw-rw-r-- for instance the second rw- is the file's group permission. With ACLs this is true only when ACL_MASK does not exist. If the file has an ACL_MASK value, that rw- represents the mask value instead of the group permission.

Example:

    $ ll
    -rwxrw-r-- 1 itadmin misg 1 Jul  9 21:39 a.txt   # the file has no ACL permissions, so ACL_MASK has no effect
    $ getfacl --omit-header a.txt
    user::rwx
    group::rw-
    mask::rwx
    other::r--
    $ setfacl -m user:acc4:rwx a.txt
    $ ll
    -rwxrwxr--+ 1 itadmin misg 1 Jul  9 21:39 a.txt   # the file now has ACL permissions, so the mask takes effect
    $ getfacl --omit-header a.txt   # the group permission shown by ll is not the group's own, but the mask permission
    user::rwx
    user:acc4:rwx
    group::rw-
    mask::rwx
    other::r--

Suppose other users of the misg group now want to execute the a.txt program. At this point the users of the misg group actually have only read and write permission. The rwx shown by ll is the value of ACL_MASK, not the group's permission.

Example: if I set the mask of a.txt to read only, will the misg users still have write permission?

    $ setfacl -m mask::r-- a.txt
    $ getfacl --omit-header a.txt
    user::rwx
    user:acc4:rwx      #effective:r--
    group::rw-         #effective:r--
    mask::r--
    other::r--

Here ACL_USER and ACL_GROUP_OBJ each carry an extra "#effective:r--". What does that mean? ACL_MASK specifies the maximum permissions for ACL_USER, ACL_GROUP_OBJ and ACL_GROUP, so ACL_USER and ACL_GROUP_OBJ now have only read permission.

    $ ll
    -rwxr--r-- 1 itadmin misg 1 Jul  9 21:39 a.txt   # the group permission now also displays the value of the mask

4. Default ACL

Everything mentioned above is the access ACL, which applies to a file. The default ACL is the default ACL setting of a directory; files created in that directory inherit the directory's ACL.

    $ mkdir a
    $ setfacl -d -m user:mis3:rw a
    $ getfacl --omit-header a
    user::rwx
    group::rwx
    other::r-x
    default:user::rwx
    default:user:mis3:rwx
    default:group::rwx
    default:mask::rwx
    default:other::r-x
    $ touch a/test.txt
    $ ll ./a/test.txt
    -rw-rw-r-- 1 itadmin misg 1 Jul  9 21:39 ./a/test.txt
    $ getfacl --omit-header ./a/test.txt
    user::rw-
    user:mis3:rw-      # inherits the permissions of the directory
    group::rwx         #effective:rw-
    mask::rw-
    other::r--

5. ACL-related commands

The getfacl command reads a file's ACL, and setfacl sets a file's access ACL. A third command, chacl, changes the access ACL and the default ACL of files and directories. In particular, chacl -B deletes all ACL attributes of a file or directory (including the default ACL). For example, if you use setfacl -x to delete all the ACL attributes of a file, the + sign still appears at the end of the file's permissions, so the right way to delete them is chacl -B.

When copying files with cp, you can add the -p option so that the ACL attributes of the files are copied as well; a warning is given for ACL attributes that cannot be copied.

The mv command moves the ACL attributes of a file by default, and likewise gives a warning if the operation is not allowed.

6. Notes

If your file system does not support ACLs, you may need to remount it:

    mount -o remount,acl [mount point]

If you change the Linux file permissions with the chmod command, the corresponding ACL values change too, and vice versa.
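
The mask rule from section 3 as an added example (not part of the original document): Python code that parses getfacl-style entries, applies ACL_MASK to the ACL_USER, ACL_GROUP_OBJ and ACL_GROUP entries, and derives the nine permission characters that ll displays. The sample text is constructed from the a.txt session in section 3; the function names are this example's own.

```python
import re

# Constructed sample: a.txt from section 3 after "setfacl -m mask::r-- a.txt".
SAMPLE = """\
user::rwx
user:acc4:rwx
group::rw-
mask::r--
other::r--
"""

# Entry kinds limited by ACL_MASK: ACL_USER, ACL_GROUP_OBJ, ACL_GROUP.
MASKED = ("user_named", "group_obj", "group_named")

def parse_acl(text):
    """Parse access-ACL lines; comments and default: entries are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        m = re.fullmatch(r"(user|group|mask|other):([^:]*):([r-][w-][x-])", line)
        if not m:
            raise ValueError(f"unrecognised ACL entry: {raw!r}")
        tag, qualifier, perms = m.groups()
        if tag in ("user", "group"):
            tag += "_named" if qualifier else "_obj"
        entries.append((tag, qualifier, perms))
    return entries

def and_perms(perms, mask):
    """A permission letter survives only if the mask carries it too."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def effective(entries):
    """Map (tag, qualifier) to effective permissions; the owner and other are never masked."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    return {(t, q): and_perms(p, mask) if mask and t in MASKED else p
            for t, q, p in entries if t != "mask"}

def ls_bits(entries):
    """Nine permission characters as ll shows them: the middle triple is the mask if one exists."""
    by_tag = {t: p for t, _, p in entries}
    return by_tag["user_obj"] + by_tag.get("mask", by_tag["group_obj"]) + by_tag["other"]

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    for (tag, qualifier), perms in effective(acl).items():
        print(f"{tag:12} {qualifier:6} {perms}")
    print("ll shows:", ls_bits(acl))
```

Comparing each entry's granted permissions with the value returned by effective() shows which users and groups a mask change, or a chmod on the group bits, has silently restricted.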