Linux ACL permission File Access

Article Title: ACL permission file access on Linux. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

In Unix/Linux systems, the permission mechanism has been used for many years. Due to lack of flexibility, it is far behind and not suitable for applications in today's information systems. However, a new permission mechanism standard has been developed.
This article will introduce the operating methods of this new mechanism on Linux.
---------------------------------------------------------
Typical File Permissions
Typical file permissions are as follows:
#> Ls-l
-Rwxrw-r -- 1 adam mis 272401 May 10 2003 test.doc
Indicates that the file belongs to the user adam, and the permission can be read and written and can be run; the permission of the group mis can be read and written; the permission of others can be read-only.
Traditional permissions can only be set for owners, groups, and others.
More complex permissions are dependent on ACL.
This posix acl function is officially supported on Linux kernel 2.6, and then back-port to 2.4 kernel. Commonly used file systems, such as ext3, xfs, jfs, and
ReiserFS can all use ACL. Of course, you need to start the ACL when compiling the kernel.
---------------------------------------------------------
Start ACL
Although posix acl support has been added to the kernel, It is not automatically enabled. You must specify the ACL when mounting the file system. For example:

Mount-t ext3-o acl/dev/sda1/home
The "-o acl" parameter indicates the option to enable ACL on/dev/sda1. You can also add the following options to/etc/fstab:

/Dev/sda1/home ext3 acl 1 2
---------------------------------------------------------
View the ACL information of a file
#> Getfacl test.doc
# File: test.doc
# Owner: adam
# Group: mis
User: rw-
Group: rw-
Other: r --
---------------------------------------------------------
ACL settings
Change ACL

The setfacl command can change the ACL of a file or directory. The usage is as follows:

Setfacl option rules files

Option:
-M is used to add or modify rules in the ACL.
-X is used to remove the ACL rules.

Rules:
User :( uid/name) :( perms) specifies the permissions of a user
Group :( gid/name) :( perms) specifies the permissions of a group.
Other: :( perms) Specify the permissions of other users
Mask: :( perms) set valid Permission Blocking
If you want to enable users in the hr group to read "javastest.doc", other users cannot read it. We can use the following command to achieve this:

Setfacl-m group: hr: r, other:-test.doc
View the new ACL with getfacl:
[Adam @ www adam] $ getfacl test.doc
# File: test.doc
# Owner: adam
# Group: mis
User: rw-
Group: rw-
Group: hr: r --
Mask: rw-
Other ::---
To enable users adam and eva to read and write data, group mis and hr can only read data, while others cannot read or write data. We only need to add two more rules to achieve this:

Setfacl-m group: r, user: eva: rw report.doc
[Adam @ www adam] $ getfacl report.doc
# File: report.doc
# Owner: adam
# Group: mis
User: rw-
User: eva: rw-
Group: r --
Group: hr: r --
Mask: rw-
Other ::---
---------------------------------------------------------
Preset ACL
The preset ACL can only be used for a directory. It determines the ACL of the newly created file or directory under the directory. To set a preset ACL, use "setfacl ". The difference is that before each rule, add"
Default: ", for example:
Setfacl-m default: user: rw/home/adam
If you think the command is too long, you can use the simple characters:
Long write abbreviation
User: u:
Group: g:
Other: o:
Mask: m:
Default: d:
Setfacl-m d: u: rw, d: u: eva: rw, d: g: r, d: o:-/home/adam

[Adam @ www adam] $ getfacl/home/adam
Getfacl: Removing leading '/' from absolute path names
# File: home/adam
# Owner: adam
# Group: adam
User: rwx
Group ::---
Other ::---
Default: user: rw-
Default: user: eva: rw-
Default: group: r --
Default: mask: rw-
Default: other ::---

Create a new file and view its access-type ACL:

[Adam @ www adam] $ touch newfile

[Adam @ www adam] $ getfacl newfile
# File: newfile
# Owner: adam
# Group: mis
User: rw-
User: eva: rw-
Group: r --
Mask: rw-
Other ::---