Go ACL permissions for Linux


Transferred from: http://www.2cto.com/os/201110/108736.html

Introduction

In the previous article we covered the traditional permission model: only three identities (owner, group, others), three permissions (r, w, x) and three special permission bits (SUID, SGID, sticky bit). As applications have evolved, these combinations are no longer adequate for today's complex file system access control requirements.

For example, suppose the directory data has the permissions drwxr-x--- and its owner and group are both root. Now a particular user needs full (rwx) access to this directory, the owner and group must not be changed, and other users must not be given full permissions. With traditional permissions this requirement seems impossible to satisfy, which shows that the traditional rights management model is sometimes not enough. To solve this problem, Linux introduced an additional file system permission mechanism called the file access control list, ACL (Access Control List). With an ACL the requirement above can be met.

What is an ACL

ACL is short for Access Control List. Its main purpose is to provide extra permission settings beyond the traditional owner, group, others identities and their read, write, execute permissions. An ACL can grant r, w, x permissions to individual users or groups on individual files or directories, which is especially useful where special permission requirements exist.

ACL entries primarily control permissions for users (user), user groups (group) and the mask.

Simply put, an ACL is a way to set permissions on a file or directory for a specific user or group.

ACLs extend the permission model of Unix-like operating systems and require support from the file system, so the file system must support them before they can be used. Supporting file systems include ReiserFS, ext2/ext3/ext4, JFS and XFS, among others.

Checking whether the system supports ACLs

ACL support depends on the file system and its mount options. You can check it as follows.

[root@localhost ~]# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda1             15118728   2442140  11908588  18% /
[root@localhost ~]# dumpe2fs /dev/sda1 | grep acl
dumpe2fs 1.41.12 (17-May-2010)
Default mount options:    user_xattr acl

The default mount options already include acl. If your file system is mounted without this option, you can remount it with

mount -o remount,acl /dev/sda1

You can also make the option take effect at boot by adding it to the mount options in /etc/fstab.
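The check above relies on reading two things by eye: the options column of the mount table and the "Default mount options:" line of dumpe2fs. The following POSIX sh script, added here as an example and not part of the original article, automates that decision over a constructed mount table and a constructed dumpe2fs excerpt; the mount lines, device names and the acl_status/mount_opts_for/fs_default_acl function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether a mounted file
# system has ACL support enabled, from the two sources the article consults:
# the options column of a /proc/mounts-style line and the "Default mount
# options:" line of dumpe2fs / tune2fs -l output. All sample text is constructed.

# Constructed /proc/mounts-style lines: device, mount point, type, options, dump, pass
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /data ext4 rw,relatime,noacl 0 0
/dev/sdc1 /srv xfs rw,relatime,attr2,inode64 0 0'

# Constructed excerpt of "dumpe2fs /dev/sda1" output, modelled on the article's case
SAMPLE_DUMPE2FS='dumpe2fs 1.41.12 (17-May-2010)
Filesystem volume name:   <none>
Default mount options:    user_xattr acl
Filesystem features:      has_journal ext_attr dir_index'

# mount_opts_for MOUNTPOINT MOUNT_TABLE_TEXT -> prints the options column of that mount
mount_opts_for() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# fs_default_acl DUMPE2FS_TEXT -> "yes" if the superblock default options include acl,
# "no" if the line exists without it, nothing if the line is absent (not an ext2/3/4 dump)
fs_default_acl() {
    printf '%s\n' "$1" | awk -F: '
        /^Default mount options:/ {
            n = split($2, a, " ")
            for (i = 1; i <= n; i++) if (a[i] == "acl") { print "yes"; exit }
            print "no"; exit
        }'
}

# acl_status MOUNTPOINT MOUNT_TABLE_TEXT DUMPE2FS_TEXT -> enabled | disabled | unknown
acl_status() {
    opts=",$(mount_opts_for "$1" "$2"),"
    case "$opts" in
        *,noacl,*) echo disabled; return 0 ;;   # explicitly turned off at mount time
        *,acl,*)   echo enabled;  return 0 ;;   # explicitly turned on (mount -o acl / remount,acl)
    esac
    # Neither acl nor noacl in the mount options: ext2/3/4 fall back to the superblock
    # defaults shown by dumpe2fs; for other file systems this text check cannot decide.
    if [ "$(fs_default_acl "$3")" = yes ]; then echo enabled; else echo unknown; fi
}

acl_status /     "$SAMPLE_MOUNTS" "$SAMPLE_DUMPE2FS"   # enabled  (superblock default)
acl_status /data "$SAMPLE_MOUNTS" ""                   # disabled (noacl mount option)
acl_status /srv  "$SAMPLE_MOUNTS" ""                   # unknown  (xfs, no dumpe2fs data)
```

Treat "unknown" as a prompt to verify rather than as a negative: recent kernels enable ACLs on ext4 even when the option is absent, and XFS supports them unconditionally. The definitive check is still to run getfacl and setfacl on a test file on that file system.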

Viewing and setting ACL permissions (getfacl, setfacl)

Now that we know what an ACL is and whether the system supports it, how do we set and use one?

getfacl: view the ACL settings of a file or directory

setfacl: set the ACL entries of a file or directory

Parameter description

Let's look at the parameters of the setfacl command.

Syntax: setfacl [-bkRd] [{-m|-x} acl_spec] file ...

-m: set (modify) the ACL entries that follow

-x: remove the ACL entries that follow

-b: remove all ACL entries

-R: apply the ACL settings recursively

-d: set the default ACL (valid only for directories; files created in the directory afterwards inherit it)

-k: delete the default ACL

The entry format is as follows

[d[efault]:] u[ser]:uid [:perms]

[d[efault]:] g[roup]:gid [:perms]

[d[efault]:] m[ask][:] [:perms]

[d[efault]:] o[ther][:] [:perms]

The parameters and formats above are also described in the man page.

ACL settings for other

Let's illustrate setting and viewing an ACL with an example.

We work in the /root directory.

First, what are the ACL values of the file install.log?

[root@localhost ~]# getfacl install.log
# file: install.log
# owner: root
# group: yufei
user::rwx
group::r--
other::r--
[root@localhost ~]# ls -l install.log
-rwxr--r--. 1 root yufei 31537 Jan 05:09 install.log

Comparing the two outputs above should make clear what getfacl shows. Let's now set an ACL value on this file and look at the effect.

[root@localhost ~]# setfacl -m o:rwx install.log
[root@localhost ~]# getfacl install.log
# file: install.log
# owner: root
# group: yufei
user::rwx
group::r--
other::rwx
[root@localhost ~]# ls -l install.log
-rwxr--rwx. 1 root yufei 31537 Jan 05:09 install.log

I have now given other the rwx permissions; after switching to another user it is possible to write to this file. You may also notice that the other permissions set by setfacl are the same as those set by chmod. Yes, that is the case.

ACL settings for a user

Copy install.log to the root directory /:

[root@localhost ~]# cp install.log /
[root@localhost ~]# ls -l /install.log
-rwxr-xr-- 1 root root 31537 Feb  9 16:27 /install.log

We grant the user yufei rwx permissions through an ACL:

[root@localhost ~]# setfacl -m u:yufei:rwx /install.log
[root@localhost ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx
group::r-x
mask::rwx
other::r--
[root@localhost ~]# ls -l /install.log
-rwxrwxr--+ 1 root root 31537 Feb  9 16:27 /install.log

The permissions shown by ls -l now end with a "+" sign, which indicates that the file has ACL entries. Switching to the user yufei and editing this file now works without any problem; this is not demonstrated here, try it yourself.

Note:

1. The user above can be replaced by a list of users, separated by commas.

2. ACL settings for a user group work in the same way as for a user and are not shown here.

Deleting ACL settings

How do we delete the ACL permissions we have set? There are two ways.

1. Use -x to remove the ACL entries that follow

[root@localhost ~]# setfacl -x u:yufei /install.log
[root@localhost ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
group::r-x
mask::r-x
other::r--

This time we find that the mask entry has not been removed:

[root@localhost ~]# setfacl -x m:: /install.log
[root@localhost ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
group::r-x
other::r--

Restoring the permissions this way is a bit inconvenient, and with -x you cannot remove a single permission; otherwise an error message appears. For example, setfacl -x u:yufei:rwx /install.log is not allowed; I do not know whether I used it incorrectly or whether the command simply works this way. Alternatively, use the following method directly.

2. Remove all ACL entries with -b

[root@localhost ~]# setfacl -m u:yufei:rwx /install.log
[root@localhost ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx
group::r-x
mask::rwx
other::r--
[root@localhost ~]# setfacl -b /install.log
[root@localhost ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
group::r-x
other::r--

The -b parameter clears all ACL entries at once and restores the file's original permissions. I recommend using this parameter.

Mask settings for ACLs

Setting a group works like setting a user, so it is not demonstrated. Let's look at mask instead: mask lets a user or group keep only certain permissions on a file. The mask affects only the permissions of the additional users and groups; the permissions of the owner and of other are not affected. We keep using /install.log for the experiment.

[root@localhost ~]# ls -l /install.log
-rwxr-xr-- 1 root root 31537 Feb  9 17:03 /install.log
[root@localhost ~]# setfacl -m u:yufei:rwx /install.log
[root@localhost ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx
group::r-x
mask::rwx
other::r--

Here we see mask::rwx, the full permissions, so after switching to the yufei account, /install.log can be written to. Now let's allow the yufei user only read permission on it.

[root@localhost ~]# setfacl -m m::r /install.log
[root@localhost ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx			#effective:r--
group::r-x			#effective:r--
mask::r--
other::r--

We can see the hint #effective:r-- behind user:yufei:rwx, meaning that the user yufei now has only the r permission. If you switch to yufei and try to write to /install.log, the editor shows the "W10: Warning: Changing a readonly file" warning.

I will not repeat the -d parameter here; it is used in the same way, but it applies to directories and also takes effect on files added to the directory afterwards. -R, which we have used above, processes recursively. In many situations several parameters are used together.
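The #effective hints above are getfacl doing the mask arithmetic for you: named users, named groups and the owning group are ANDed with the mask, while the owner and other entries are left alone. The following POSIX sh script, added here as an example and not part of the original article, performs that computation itself over getfacl output and then lists which identities other than the owner end up with effective write access, which is the question an auditor asks when ls -l shows a "+" on a file (as in the user section above) or a mask has been tightened (as in this section). The three getfacl samples are constructed (two mirror the article's /install.log before and after setfacl -m m::r, one is a directory with a default ACL whose default mask is r-x), and the function names effective_acl and acl_effective_writers are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): compute the effective permission of
# every ACL entry from getfacl output and list non-owner identities with effective
# write access. Default entries (directories) are masked by their own default:mask.
# All getfacl text below is constructed for this example.

# Constructed: the article's /install.log right after "setfacl -m u:yufei:rwx" (mask rwx)
ACL_OPEN='# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx
group::r-x
mask::rwx
other::r--'

# Constructed: the same file after "setfacl -m m::r"; getfacl appends #effective hints
ACL_MASKED='# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx      #effective:r--
group::r-x          #effective:r--
mask::r--
other::r--'

# Constructed: a directory carrying a default ACL whose default mask is r-x
ACL_DIR='# file: data
# owner: root
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:user:yufei:rwx
default:group::r-x
default:mask::r-x
default:other::---'

# effective_acl GETFACL_TEXT -> one line per entry: [default:]tag:qualifier:granted:effective
effective_acl() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ || NF < 3 { next }                  # skip the "# file/owner/group" header and blanks
        {
            pre = ""; tag = $1; qual = $2; perms = $3
            if ($1 == "default") { pre = "default:"; tag = $2; qual = $3; perms = $4 }
            sub(/[ \t]*#.*/, "", perms)          # drop a trailing "#effective:..." hint if present
            n++; PRE[n] = pre; T[n] = tag; Q[n] = qual; P[n] = perms
            if (tag == "mask") M[pre] = perms    # access mask and default mask kept apart
        }
        END {
            for (i = 1; i <= n; i++) {
                eff = P[i]; m = M[PRE[i]]
                # the mask applies to named users, named groups and the owning group only
                if (m != "" && (T[i] == "group" || (T[i] == "user" && Q[i] != "")))
                    eff = and_perms(P[i], m)
                printf "%s%s:%s:%s:%s\n", PRE[i], T[i], Q[i], P[i], eff
            }
        }
        # per-position AND of two rwx strings, e.g. and_perms("rwx", "r--") = "r--"
        function and_perms(a, b,    out, j, ca, cb) {
            out = ""
            for (j = 1; j <= 3; j++) {
                ca = substr(a, j, 1); cb = substr(b, j, 1)
                if (ca != "-" && ca == cb) out = out ca; else out = out "-"
            }
            return out
        }'
}

# acl_effective_writers GETFACL_TEXT -> [default:]tag:qualifier for each entry, other than the
# owner and the mask itself, whose effective permissions include w
acl_effective_writers() {
    effective_acl "$1" | awk -F: '
        {
            if ($1 == "default") { pre = "default:"; tag = $2; qual = $3; eff = $5 }
            else                 { pre = "";         tag = $1; qual = $2; eff = $4 }
            if (tag == "mask" || (tag == "user" && qual == "")) next
            if (index(eff, "w")) print pre tag ":" qual
        }'
}

echo "--- effective entries after setfacl -m m::r ---"
effective_acl "$ACL_MASKED"
echo "--- identities with effective write while the mask was still rwx ---"
acl_effective_writers "$ACL_OPEN"        # prints "user:yufei"
```

One caveat worth keeping in mind when reading ls -l on such files: once a mask entry exists, the group column of the listing shows the mask rather than the owning group's own permissions (which is why the listing above reads -rwxrwxr--+ although group::r-x), so getfacl, not ls, is the authoritative view of who can do what.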
