ACL permissions
setfacl - set file access control lists
Format 1: setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...
Format 2: setfacl --restore=file
Description
setfacl sets the access control lists (ACLs) of files and directories from the command line.
The options -m and -x are followed by an ACL entry; several entries are separated by commas. The options -M and -X read the ACL entries from a file or from standard input.
The options --set and --set-file set the ACL of a file or directory, replacing the previous ACL entirely.
The options -m (--modify) and -M (--modify-file) modify the ACL of a file or directory.
The options -x (--remove) and -X (--remove-file) remove ACL entries.
When -M or -X reads entries from a file, setfacl accepts the output format of the getfacl command.
When setfacl is used on a file system that does not support ACLs, it modifies the file mode bits instead. If the ACL does not fit exactly into the file permissions, setfacl changes the permission bits to reflect the ACL as closely as possible, writes an error message to standard error, and exits with a status greater than zero.
Permissions
The file owner and processes with the CAP_FOWNER capability may modify a file's ACL; on current Linux systems, root is the only user with CAP_FOWNER.
Options
-b, --remove-all
Remove all extended ACL entries; the base ACL entries (owner, group, others) are kept.
-k, --remove-default
Remove the default ACL.
-n, --no-mask
Do not recalculate the effective rights mask. By default setfacl recalculates the ACL mask entry unless a mask entry was given explicitly.
--mask
Recalculate the effective rights mask even if a mask entry was given explicitly.
-d, --default
All operations apply to the default ACL.
--restore=file
Restore ACLs from a backup file (such files can be created with getfacl -R). This mechanism can restore the ACLs of an entire directory tree. This option cannot be combined with any option other than --test.
--test
Test mode: the ACLs of the files are not changed; the resulting ACLs are listed instead.
-R, --recursive
Apply the operation recursively to all files and directories.
-L, --logical
Logical walk: follow symbolic links to directories. By default only symbolic links to files are followed and symbolic links to directories are skipped.
-P, --physical
Physical walk: skip all symbolic links, including symbolic links to files.
-v, --version
Print the version of setfacl and exit.
-h, --help
Print help information.
--
End of command line options; all remaining parameters are treated as file names.
-
If the file name parameter is a single dash, setfacl reads the list of file names from standard input.
ACL entries
setfacl recognizes the following ACL entry formats:
[d[efault]:] [u[ser]:]uid [:perms]
Permissions of a named user, or of the file owner if uid is empty.
[d[efault]:] g[roup]:gid [:perms]
Permissions of a named group, or of the owning group if gid is empty.
[d[efault]:] m[ask][:] [:perms]
Effective rights mask.
[d[efault]:] o[ther][:] [:perms]
Permissions of others.
uid and gid may be given either as a number or as a name.
The perms field is a combination of the letters r (read), w (write) and x (execute); a capital X grants execute only to directories and to files that already have execute permission for some user. perms may also be given in octal.
Automatically created entries
Every file and directory carries three base ACL entries (owner, group, others).
* The three base entries cannot be deleted.
* Whenever an ACL contains named user or named group entries, it must also contain an effective rights mask entry.
* Whenever an ACL contains default entries, the three default base entries (default owner, group and others) must also exist.
----------
1. ACL
Linux file permissions.
Under Linux, the operations that can be performed on a file object are divided among three categories of subject: the file owner (owner), the group (group; note that this is not necessarily the owner's primary group) and everyone else (other).
Simply put, an ACL lets you grant permissions on a file to a specific user or group. Only three commands need to be mastered: getfacl, setfacl and chacl.
An ACL is a series of access entries. Each access entry defines the operations a specific category of subject may perform on the file. An access entry has three components: entry tag type, qualifier (optional) and permissions.
The entry tag type is one of the following:
ACL_USER_OBJ: equivalent to the file owner's permissions in Linux
ACL_USER: defines the permissions of an additional named user on this file
ACL_GROUP_OBJ: equivalent to the group permissions in Linux
ACL_GROUP: defines the permissions of an additional named group on this file
ACL_MASK: defines the maximum permissions for ACL_USER, ACL_GROUP_OBJ and ACL_GROUP
ACL_OTHER: equivalent to the other permissions in Linux
Example:
$ getfacl --omit-header a.txt   # --omit-header hides the first three comment lines (file name, owner and group), which start with #
user::rwx        # ACL_USER_OBJ
user:mis3:rwx    # ACL_USER
group::r--       # ACL_GROUP_OBJ
group:<gid>:rwx  # ACL_GROUP (named group)
mask::rwx        # ACL_MASK
other::rwx       # ACL_OTHER
2. How to set up an ACL file
An access entry has three components: entry tag type, qualifier (optional) and permissions. The first field is the entry tag type. The second field is the qualifier, which names the particular user or group (such as user mis3 or group misg) the entry applies to. The third field is the permissions.
Example:
$ ll a.txt
-rw-rw-r--+ 1 root root 12 Jul 9 19:50 a.txt   # "+" indicates that the file has ACL_USER or ACL_GROUP entries; we call such a file an ACL file.
3. acl_mask and effective permissions
acl_mask is the other key to mastering ACLs.
In ordinary Linux permissions everyone knows that in rw-rw-r--, the middle rw- is the group permission. In an ACL this is true only when no acl_mask entry exists. If the file has an acl_mask entry, the middle rw- shown by ls is the mask value, not the group permission.
Example:
$ ll
-rwxrw-r-- 1 itadmin misg 1 Jul 9 21:39 a.txt   # the file has no extended ACL entries, so acl_mask has no effect
$ getfacl --omit-header a.txt
user::rwx
group::rw-
mask::rwx
other::r--
$ setfacl -m u:acc4:rwx a.txt
$ ll
-rwxrwxr--+ 1 itadmin misg 1 Jul 9 21:39 a.txt   # after adding an ACL entry, the mask takes effect
$ getfacl --omit-header a.txt   # the group column no longer shows the group's own permission but the mask
user::rwx
user:acc4:rwx
group::rw-
mask::rwx
other::r--
Now another user in group misg wants to execute the program a.txt, but members of misg actually have only read and write permission: the rwx shown by ls is the acl_mask value, not the group's permission.
Example: if I set the mask of a.txt to read-only, does a misg user still have write permission?
$ setfacl -m mask::r-- a.txt
$ getfacl --omit-header a.txt
user::rwx
user:acc4:rwx    #effective:r--
group::rw-       #effective:r--
mask::r--
other::r--
Here acl_user and acl_group_obj carry an extra "#effective:r--". What does that mean? acl_mask specifies the maximum permissions for acl_user, acl_group_obj and acl_group, so acl_user and acl_group_obj effectively have only read permission.
$ ll
-rwxr--r--+ 1 itadmin misg 1 Jul 9 21:39 a.txt   # the group column now shows the mask value
4. Default ACL
The ACLs discussed above are access ACLs, which apply to a file. A default ACL is set on a directory; files created in that directory inherit the directory's default ACL as their access ACL.
$ mkdir a
$ setfacl -d -m u:mis3:rw a
$ getfacl --omit-header a
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:mis3:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
$ touch a/test.txt
$ ll ./a/test.txt
-rw-rw-r--+ 1 itadmin misg 1 Jul 9 21:39 ./a/test.txt
$ getfacl --omit-header ./a/test.txt
user::rw-
user:mis3:rw-    # inherited from the directory's default ACL
group::rwx       #effective:rw-
mask::rw-
other::r--
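The two rules that sections 3 and 4 rely on, acl_mask capping and default-ACL inheritance, as an added Python model that is not part of the original article: it parses getfacl-style text (constructed here from the article's own listings for a.txt and directory a), computes the "#effective:" rights the way getfacl does, predicts the permission string and the "+" that ls -l shows, and predicts the access ACL a new file inherits under a given creation mode. The function names are this example's own; the POSIX.1e inheritance rule it encodes is assumed standard behaviour, and 0o664 is the creation mode of touch under umask 002, which is what the article's listing implies.

```python
"""acl_mask effective rights and default-ACL inheritance, modelled in Python.
Added example, not code from the original article. The ACL text below is
constructed from the article's getfacl listings; no files are touched."""
from collections import namedtuple

PERM_BITS = {"r": 4, "w": 2, "x": 1}
MASKED_TYPES = {"ACL_USER", "ACL_GROUP_OBJ", "ACL_GROUP"}   # capped by ACL_MASK

# qualifier is the user/group name; empty for owner, owning group, mask, other
Entry = namedtuple("Entry", "tag qualifier perms default", defaults=[False])

def perms_to_int(perms):
    """'rw-' -> 6, 'r--' -> 4, 'rwx' -> 7."""
    return sum(PERM_BITS[c] for c in perms if c != "-")

def int_to_perms(bits):
    """6 -> 'rw-', 4 -> 'r--', 7 -> 'rwx'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def tag_type(e):
    """Map a textual entry to the ACL_* entry tag types listed in section 1."""
    if e.tag == "user":
        return "ACL_USER" if e.qualifier else "ACL_USER_OBJ"
    if e.tag == "group":
        return "ACL_GROUP" if e.qualifier else "ACL_GROUP_OBJ"
    return "ACL_MASK" if e.tag == "mask" else "ACL_OTHER"

def parse_getfacl(text):
    """Parse getfacl --omit-header output; '#' comments and #effective notes are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entries.append(Entry(tag, qualifier, perms_to_int(perms), default))
    return entries

def effective_rights(entries):
    """Effective permission per access entry (what getfacl shows as #effective).
    Only ACL_USER, ACL_GROUP_OBJ and ACL_GROUP are capped by ACL_MASK; owner and
    other are never masked, and with no mask entry nothing is masked at all."""
    access = [e for e in entries if not e.default]
    mask = next((e.perms for e in access if tag_type(e) == "ACL_MASK"), None)
    result = {}
    for e in access:
        bits = e.perms
        if mask is not None and tag_type(e) in MASKED_TYPES:
            bits &= mask
        result[f"{e.tag}:{e.qualifier}"] = int_to_perms(bits)
    return result

def ls_mode(entries):
    """Permission string ls -l prints: the middle triplet is the mask when one exists,
    and '+' marks any entry beyond the three base entries (a leftover mask counts)."""
    access = [e for e in entries if not e.default]
    by_type = {tag_type(e): e for e in access}
    group = by_type.get("ACL_MASK", by_type["ACL_GROUP_OBJ"])
    extended = any(e.qualifier or e.tag == "mask" for e in access)
    return (int_to_perms(by_type["ACL_USER_OBJ"].perms) + int_to_perms(group.perms)
            + int_to_perms(by_type["ACL_OTHER"].perms) + ("+" if extended else ""))

def inherit_access_acl(dir_entries, create_mode):
    """Access ACL a new file gets from the directory's default ACL (POSIX.1e rule,
    assumed here, matching section 4): named entries are copied unchanged; owner,
    mask (or owning group if no mask) and other are ANDed with the matching bits
    of the creation mode, e.g. 0o664 for touch under umask 002."""
    defaults = [e for e in dir_entries if e.default]
    has_mask = any(tag_type(e) == "ACL_MASK" for e in defaults)
    owner, group, other = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    result = []
    for e in defaults:
        bits, t = e.perms, tag_type(e)
        if t == "ACL_USER_OBJ":
            bits &= owner
        elif t == "ACL_OTHER":
            bits &= other
        elif t == "ACL_MASK" or (t == "ACL_GROUP_OBJ" and not has_mask):
            bits &= group
        result.append(Entry(e.tag, e.qualifier, bits))
    return result

# Constructed from the article's listing after `setfacl -m mask::r-- a.txt`.
A_TXT_MASKED = "user::rwx\nuser:acc4:rwx\ngroup::rw-\nmask::r--\nother::r--\n"
# Constructed from the article's listing of directory `a` and its default ACL.
DIR_A = """user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:mis3:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
"""

if __name__ == "__main__":
    for name, acl in (("a.txt", parse_getfacl(A_TXT_MASKED)),
                      ("a/test.txt", inherit_access_acl(parse_getfacl(DIR_A), 0o664))):
        print(f"{name:12} {ls_mode(acl)}  {effective_rights(acl)}")
```

Run it directly to reproduce both listings: a.txt comes out as rwxr--r--+ with acc4 and the owning group capped to r--, and a/test.txt as rw-rw-r--+ with mis3 and the group capped to rw- by the inherited mask. The ls_mode helper also shows why section 5 says that setfacl -x on the named entries leaves the "+" in place: the mask entry created alongside them is still an extended entry, so only removing the whole extended ACL (chacl -B in section 5) clears the marker.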
5. ACL-related commands
getfacl reads a file's ACL; setfacl sets a file's access ACL; chacl changes the access ACL and the default ACL of files and directories. chacl -B removes all ACL attributes of a file or directory, including the default ACL. For example, if you use setfacl -x to delete all of a file's named ACL entries, the "+" still appears after the file's mode, so the correct way to remove the ACL is chacl -B.
When copying a file with cp, add the -p option so that the file's ACL attributes are copied along with it; a warning is printed for ACL attributes that cannot be copied.
The mv command moves a file's ACL attributes by default and warns if the operation is not permitted.
6. Notes
If your file system does not support ACLs, you may need to remount it:
mount -o remount,acl [mount point]
If you change Linux file permissions with the chmod command, the corresponding ACL values change too, and vice versa.