Learn Linux ACL permissions on the first day

Source: Internet
Author: User

 

Introduction

In the previous article we saw that traditional permissions combine three identities (owner, group, others) with three permissions (r, w, x) plus three special bits (SUID, SGID, SBIT). As applications have become more complex, these combinations can no longer satisfy every permission requirement of a modern file system.

For example, the directory data has the permissions drwxr-x--- and its owner and group are both root. Without changing the owner or the group, user yufei must be given full access (rwx) to the directory, while other users must not get full access. Traditional permissions cannot express this requirement, so traditional permission management sometimes falls short. To solve this problem, Linux added a new file system permission mechanism, the file Access Control List (ACL). With an ACL, the requirement above can be met.

 

What is ACL?

ACL is the abbreviation of Access Control List. Its purpose is to provide finer-grained permission settings beyond the read, write and execute permissions of the traditional owner, group and others. With an ACL you can set the r, w and x permissions of a single user or group on a single file or directory, which is useful when a special permission arrangement is needed.

ACL controls permissions for users, groups and the mask.

To put it simply, an ACL lets you set the operation permissions of a specific user or group on a file or directory.

The ACLs of Windows are a different mechanism; on Unix-like operating systems, ACL is an extension of the standard permission model, so the file system must support it before you can use it. Supporting file systems include ReiserFS, ext2/ext3/ext4, JFS and XFS, among others.

 

Check whether the system supports ACL

To check whether your system supports ACL, use the following method.

[root@yufei ~]# df
Filesystem           1K-blocks    Used Available Use% Mounted on
/dev/sda1             15118728 2442140  11908588  18% /
[root@yufei ~]# dumpe2fs /dev/sda1 | grep acl
dumpe2fs 1.41.12 (17-May-2010)
Default mount options:    user_xattr acl

We can see that the default mount options already include acl. If your file system is not mounted with this option, remount it with

mount -o remount,acl /dev/sda1

You can also make the option permanent by adding it to the mount entry in /etc/fstab so it is applied at boot.
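The check above reads the superblock of one ext file system by hand. The script below is an added example, not part of the original article, that does the same check for any mount point: it reads the mount options (from a constructed /proc/mounts sample, or the live file when no text is passed) and then proves support empirically by attaching a named-user entry to a scratch file. The probe matters because modern ext4 and XFS kernels enable ACLs without listing acl in the options, so "default" usually still means supported. Mount point names and the sample devices are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: decide whether a mounted
# file system honours ACLs. First read the mount options, then prove it with
# a live probe, because modern ext4/XFS enable ACLs without showing "acl" in
# the option list. The /proc/mounts lines below are constructed sample data.

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,user_xattr,acl 0 0
/dev/sdb1 /data ext4 rw,relatime,noacl 0 0
/dev/sdc1 /srv xfs rw,relatime,attr2,inode64 0 0'

# acl_mount_state MOUNTPOINT [MOUNTS_TEXT]
# Prints "acl" when the option is present, "noacl" when ACLs were switched
# off explicitly, "default" when neither appears (the file system's built-in
# default applies), and "unknown" (exit 1) when the mount point is not listed.
# MOUNTS_TEXT defaults to the live /proc/mounts.
acl_mount_state() {
    mp=$1
    mounts=${2:-$(cat /proc/mounts)}
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4; exit }')
    [ -n "$opts" ] || { echo unknown; return 1; }
    case ",$opts," in
        *,noacl,*) echo noacl ;;
        *,acl,*)   echo acl ;;
        *)         echo default ;;
    esac
}

# acl_probe [DIR]
# Empirical check: create a scratch file in DIR (default /tmp) and try to add
# a named-user entry for the current account. Prints "supported",
# "unsupported" (the kernel refused the ACL) or "no-tools" (acl package
# not installed). Works unprivileged because we own the scratch file.
acl_probe() {
    dir=${1:-${TMPDIR:-/tmp}}
    command -v setfacl >/dev/null 2>&1 || { echo no-tools; return 0; }
    f=$(mktemp "$dir/aclprobe.XXXXXX") || { echo unsupported; return 0; }
    if setfacl -m "u:$(id -un):r" "$f" 2>/dev/null; then
        echo supported
    else
        echo unsupported
    fi
    rm -f "$f"
}

# Demonstration: the constructed table first, then a probe of the scratch dir.
for mp in / /data /srv; do
    printf '%-5s %s\n' "$mp" "$(acl_mount_state "$mp" "$SAMPLE_MOUNTS")"
done
printf 'probe %s\n' "$(acl_probe)"
```

Run it without arguments to see the three constructed cases followed by a live probe of your temporary directory; call acl_mount_state with only a mount point to read the real /proc/mounts instead of the sample.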

 

View and set ACL permissions (getfacl, setfacl)

Now that we know what an ACL is and whether the system supports it, how do we set and use one?

getfacl: view the ACL entries of a file or directory

setfacl: set the ACL entries of a file or directory

 

Parameter description

Let's take a look at the parameters of the setfacl command.

Syntax: setfacl [-bkRd] [{-m|-x} acl_entries] filename

-m: set the ACL entries that follow.

-x: delete the ACL entries that follow.

-b: delete all ACL entries.

-R: apply the ACL entries recursively.

-d: set default ACL entries (valid only for directories; files created in the directory afterwards inherit the default ACL).

-k: delete the default ACL entries.

 

The entry format is as follows:

[d[efault]:]u[ser]:uid[:perms]

[d[efault]:]g[roup]:gid[:perms]

[d[efault]:]m[ask][:][:perms]

[d[efault]:]o[ther][:][:perms]

These entries and the options above are described in the setfacl man page.

 

ACL settings for others

The following example shows how to set and view an ACL. We work in the /root directory. First, check the ACL entries of the install.log file:

[root@yufei ~]# getfacl install.log
# file: install.log
# owner: root
# group: yufei
user::rwx
group::r--
other::r--
[root@yufei ~]# ls -l install.log
-rwxr--r--. 1 root yufei 31537 Jan 20 install.log

Compare the two listings: getfacl shows the same owner, group and other permissions that ls -l shows. Now let's set an ACL entry on this file and see the effect.

[root@yufei ~]# setfacl -m o:rwx install.log
[root@yufei ~]# getfacl install.log
# file: install.log
# owner: root
# group: yufei
user::rwx
group::r--
other::rwx
[root@yufei ~]# ls -l install.log
-rwxr--rwx. 1 root yufei 31537 Jan 20 install.log

Now other has the rwx permission. Switch to another user and the file can be written. You may also notice that the other permission set through setfacl is the same as the one set through chmod. That is right.

 

ACL settings for users

Copy install.log to the root directory:

[root@yufei ~]# cp install.log /
[root@yufei ~]# ls -l /install.log
-rwxr-xr-- 1 root root 31537 Feb 9 16:27 /install.log

Now use an ACL entry to grant user yufei the rwx permissions on it:

[root@yufei ~]# setfacl -m u:yufei:rwx /install.log
[root@yufei ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx
group::r-x
mask::rwx
other::r--
[root@yufei ~]# ls -l /install.log
-rwxrwxr--+ 1 root root 31537 Feb 9 16:27 /install.log

The mode shown by ls -l now ends with a "+", which indicates that the file carries ACL entries. Switch to yufei and the file can be edited without any problem. We won't demonstrate that here; try it yourself.

 

Note:

1. Several users can be set in one command by giving several entries separated by ",".

2. ACL entries for a group are set in the same way as for a user; this is not demonstrated here.

 

Delete ACL settings

How do we delete the ACL entries we set? There are two methods.

1. Use -x to delete the ACL entries that follow it

[root@yufei ~]# setfacl -x u:yufei /install.log
[root@yufei ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
group::r-x
mask::r-x
other::r--

At this point we find that the mask entry has not been removed, so remove it as well:

[root@yufei ~]# setfacl -x m: /install.log
[root@yufei ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
group::r-x
other::r--

 

After these operations the original permissions are restored, but it takes two steps, which is inconvenient. Also, you cannot specify permissions when deleting with -x; otherwise an error message is displayed. For example, the command setfacl -x u:yufei:rwx /install.log is not accepted. I don't know whether I used it wrongly or whether the command simply works this way. We recommend the following method instead.

 

2. Use -b to delete all ACL entries.

[root@yufei ~]# setfacl -m u:yufei:rwx /install.log
[root@yufei ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx
group::r-x
mask::rwx
other::r--

[root@yufei ~]# setfacl -b /install.log
[root@yufei ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
group::r-x
other::r--

The -b option clears all ACL entries at once and restores the file's original permissions. I recommend using this option.
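The two sections above (granting a named user an entry, then removing it with -x or -b) are interactive. The script below is an added example, not the article's own code, that runs the same cycle on a scratch file and verifies each step from getfacl and ls output: it grants rwx to a named user with -m, confirms the "+" flag, removes that one entry with -x, reports whether the mask entry is left behind, and finally wipes everything with -b. It uses the current account as the named user so it runs unprivileged; the scratch file name and the output strings are this example's own choices, and it prints "skipped" rather than failing where ACLs are unavailable.

```shell
#!/bin/sh
# Added example, not from the original article: the grant / inspect / remove
# cycle from the sections above, run on a scratch file and verified from
# getfacl and ls output at every step. The named user is the current
# account; where ACLs cannot be exercised it prints "skipped".

# acl_entry FILE NAME -> prints the named-user line for NAME without the
# "#effective:" annotation, e.g. "user:yufei:rwx"; empty when absent.
# -p keeps absolute paths, which silences the "Removing leading '/'" warning.
acl_entry() {
    getfacl -p "$1" 2>/dev/null | grep "^user:$2:" | cut -d'#' -f1 | tr -d '[:space:]'
}

# has_mask FILE -> succeeds when a mask entry (extended ACL) is present
has_mask() {
    getfacl -p "$1" 2>/dev/null | grep -q '^mask::'
}

# has_acl_flag FILE -> succeeds when the mode column of ls -l ends in "+"
has_acl_flag() {
    case "$(ls -l "$1" | awk '{ print $1 }')" in *+) return 0 ;; *) return 1 ;; esac
}

# acl_roundtrip [DIR] -> prints "ok (...)" on success, "skipped" when ACLs
# cannot be exercised here, and "fail: ..." if a step did not behave as the
# article describes.
acl_roundtrip() {
    dir=${1:-${TMPDIR:-/tmp}}
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 \
        || { echo skipped; return 0; }
    f=$(mktemp "$dir/aclshow.XXXXXX") || { echo skipped; return 0; }
    me=$(id -un)
    chmod 644 "$f"

    # Step 1: grant rwx to a named user (setfacl -m u:NAME:rwx FILE).
    if ! setfacl -m "u:$me:rwx" "$f" 2>/dev/null; then
        rm -f "$f"; echo skipped; return 0      # e.g. mounted with noacl
    fi
    [ "$(acl_entry "$f" "$me")" = "user:$me:rwx" ] \
        || { rm -f "$f"; echo "fail: entry not set"; return 1; }
    has_acl_flag "$f" || { rm -f "$f"; echo "fail: ls shows no +"; return 1; }

    # Step 2: -x removes just that entry; note the spec carries no permissions.
    setfacl -x "u:$me" "$f"
    [ -z "$(acl_entry "$f" "$me")" ] \
        || { rm -f "$f"; echo "fail: entry survived -x"; return 1; }
    if has_mask "$f"; then mask_note="mask kept after -x"; else mask_note="mask dropped after -x"; fi

    # Step 3: -b clears every extended entry, mask included, and the + flag.
    setfacl -b "$f"
    if has_mask "$f" || has_acl_flag "$f"; then
        rm -f "$f"; echo "fail: -b left entries behind"; return 1
    fi
    rm -f "$f"
    echo "ok ($mask_note)"
}

acl_roundtrip
```

The mask note in the output shows the behaviour the article points out: after -x removes the last named entry, the mask entry can remain and the file still counts as having an extended ACL, which is why -b is the simpler way back to plain permissions.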

 

Set the ACL's mask

Setting entries for a group is similar to setting them for a user, so it is not demonstrated here. Let's look at the mask. Its role is to limit the permissions that users and groups can actually have on a file: the mask caps the named users, the named groups and the owning group, but it does not affect the owner or other. Take /install.log as an example.

[root@yufei ~]# ls -l /install.log
-rwxr-xr-- 1 root root 31537 Feb 9 :03 /install.log
[root@yufei ~]# setfacl -m u:yufei:rwx /install.log
[root@yufei ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx
group::r-x
mask::rwx
other::r--

We can see that mask::rwx allows all permissions, so after switching to the yufei account the /install.log file can be written. Next, let's give yufei only the read permission.

[root@yufei ~]# setfacl -m m:r /install.log
[root@yufei ~]# getfacl /install.log
getfacl: Removing leading '/' from absolute path names
# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx          #effective:r--
group::r-x              #effective:r--
mask::r--
other::r--

We can see that user:yufei:rwx is now followed by the note #effective:r--, meaning that yufei effectively has only the r permission. Switch to yufei and try to write to /install.log: a message such as "-- INSERT -- W10: Warning: Changing a readonly file" is displayed.
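The #effective: note is getfacl applying the mask rule for you. The script below is an added example, not from the original article, that implements the same rule on getfacl output so you can audit what a user can really do: owner (user::) and other:: are never masked, while named users, named groups and the owning group (group::) are ANDed bit by bit with mask::. The two SAMPLE_ACL listings are constructed to match the mask::rwx and mask::r-- outputs above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: parse getfacl output and
# compute each entry's effective permissions by applying the mask rule.
# The sample listings are constructed to match the article's two outputs.

SAMPLE_ACL_OPEN='# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx
group::r-x
mask::rwx
other::r--'

SAMPLE_ACL='# file: install.log
# owner: root
# group: root
user::rwx
user:yufei:rwx          #effective:r--
group::r-x              #effective:r--
mask::r--
other::r--'

# effective_acl  (reads getfacl output on stdin)
# Prints one line per entry: TAG:QUALIFIER:PERMS effective=PERMS
effective_acl() {
    awk -F: '
        /^getfacl:/ { next }                 # path warning, not an entry
        { sub(/[ \t]*#.*$/, ""); sub(/[ \t]+$/, "") }   # drop comments and notes
        /^$/ { next }
        $1 == "mask" { mask = $3 }
        { tag[NR] = $1; qual[NR] = $2; perm[NR] = $3 }
        END {
            for (i = 1; i <= NR; i++) {
                if (!(i in tag)) continue
                p = perm[i]; e = p
                # owner and other are never masked; the owning group, named
                # groups and named users are ANDed with the mask
                masked = (tag[i] == "group") || (tag[i] == "user" && qual[i] != "")
                if (mask != "" && masked) {
                    e = ""
                    for (k = 1; k <= 3; k++) {
                        c = substr(p, k, 1)
                        e = e ((c != "-" && substr(mask, k, 1) == c) ? c : "-")
                    }
                }
                printf "%s:%s:%s effective=%s\n", tag[i], qual[i], p, e
            }
        }'
}

# named_effective ACL_TEXT NAME -> effective perms of the named-user entry
named_effective() {
    printf '%s\n' "$1" | effective_acl \
        | awk -F'[: =]' -v n="$2" '$1 == "user" && $2 == n { print $NF }'
}

# can_write ACL_TEXT NAME -> succeeds when NAME's effective perms include w
can_write() {
    case "$(named_effective "$1" "$2")" in *w*) return 0 ;; *) return 1 ;; esac
}

# Demonstration on the restricted listing: yufei's rwx collapses to r--.
printf '%s\n' "$SAMPLE_ACL" | effective_acl
if can_write "$SAMPLE_ACL" yufei; then
    echo "yufei can write"
else
    echo "yufei is read-only because of the mask"
fi
```

To audit a real file, pipe getfacl into the parser: getfacl /install.log | effective_acl. Note that the mask applies to the owning group as well, which is why group::r-x also reports effective=r-- in the listing above.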

 

I won't go into detail on the -d option here. Its usage is the same, but it applies only to directories, and the default entries it sets also take effect for files created in the directory afterwards. -R is the familiar recursive option found on many commands: it applies the setting to a directory and everything beneath it.

From yufei blog
