Linux ACL permission settings
1. ACL (Access Control List) lets you grant r, w and x permissions to a single user or a single group on a single file or directory, beyond what the owner/group/other bits allow. ACL controls permissions in the following ways:
1) user: permissions are set with a specific user as the object.
2) group: permissions are set with a specific group as the object.
3) default ACL: on a directory, sets the ACL entries that new files and subdirectories created inside it inherit.
(A POSIX ACL also carries a mask entry, which caps what named users, named groups and the owning group can effectively receive; keep it in mind when an entry seems not to take effect.)
2. ACL is an add-on to the traditional Unix-like permission model, so the file system must support it. Most Linux file systems do, including ReiserFS, ext2/ext3 (and ext4), JFS and XFS.
3. How to enable ACL:
1) mount -o remount,acl /: takes effect only for the current boot (the author notes this did not take effect in a virtual machine test).
2) Edit /etc/fstab directly and append ",acl" to the defaults field of the record for / (the first record); this applies on every boot. On current distributions ext4 and XFS usually have ACL support on already; check the mount options shown by mount or findmnt before changing anything.
4. setfacl [-bkRd] [{-m|-x} acl_entry] target_file: sets (not gets) the ACL entries of a file or directory.
1) -m: modify; adds or changes the ACL entry that follows. Cannot be combined with -x.
2) -x: removes the ACL entry that follows. Cannot be combined with -m.
3) -b: removes all ACL entries.
4) -k: removes the default ACL entries.
5) -R: applies the change recursively, to the directory and everything under it.
6) -d: operates on the default ACL; only meaningful for directories. Files and subdirectories created in that directory inherit these entries.
7) entry format for a specific user: u:username:rwx (for a group: g:groupname:rwx); -m accepts a comma-separated list of such entries.
5. getfacl filename: shows the ACL of a file or directory; its options largely mirror setfacl's (for example -R for recursion). An entry that is narrower in practice than what was written is printed with a #effective: annotation, because the mask entry caps named users, named groups and the owning group; a setfacl -m that is silently capped this way is a common reason an ACL "does not work".
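The check a practitioner wants after setfacl is whether each entry really grants what was written. The following added example (not code from the original post) parses getfacl output and applies the mask the way POSIX ACLs do: named users, named groups and the owning group are capped by the mask; the owner, other and mask entries are not. The getfacl text is constructed sample data, including the #effective: annotations getfacl prints, and the names (project, alice, devs) are assumptions.

```python
"""Parse getfacl output and report the effective rights of each ACL entry.

Added example; the sample below is constructed, not captured from a real host.
"""

# Constructed getfacl output for a directory "project" (assumed name).
SAMPLE_GETFACL = """\
# file: project
# owner: root
# group: devs
user::rwx
user:alice:rwx                  #effective:r-x
group::r-x
group:devs:rw-                  #effective:r--
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::---
"""


def parse_getfacl(text):
    """Return (header, access_entries, default_entries).

    Each entry is a (tag, qualifier, perms) tuple, e.g. ("user", "alice", "rwx");
    the owner and "other" entries have an empty qualifier.
    """
    header, entries, defaults = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                      # "# file:", "# owner:", "# group:"
            key, _, value = line[1:].strip().partition(":")
            header[key.strip()] = value.strip()
            continue
        line = line.split("#", 1)[0].strip()          # drop "#effective:..." annotation
        target = entries
        if line.startswith("default:"):
            line, target = line[len("default:"):], defaults
        tag, qualifier, perms = line.split(":")
        target.append((tag, qualifier, perms))
    return header, entries, defaults


def _and(a, b):
    """Bitwise AND of two rwx strings, returned in canonical rwx order."""
    return "".join(c if c in a and c in b else "-" for c in "rwx")


def effective_perms(entries):
    """Map 'tag:qualifier' -> the rights the kernel will actually enforce.

    The mask caps named users (user:NAME), named groups (group:NAME) and the
    owning group (group:), exactly the entries getfacl flags with #effective:.
    """
    mask = next((perms for tag, _, perms in entries if tag == "mask"), None)
    result = {}
    for tag, qualifier, perms in entries:
        capped = mask is not None and (tag == "group" or (tag == "user" and qualifier))
        result[f"{tag}:{qualifier}"] = _and(perms, mask) if capped else perms
    return result


def masked_entries(entries):
    """Entries whose effective rights are narrower than what was written with setfacl -m."""
    eff = effective_perms(entries)
    return [f"{t}:{q}" for t, q, p in entries if eff[f"{t}:{q}"] != p]


if __name__ == "__main__":
    header, access, defaults = parse_getfacl(SAMPLE_GETFACL)
    print(f"{header['file']}: owner={header['owner']} group={header['group']}")
    for key, perms in effective_perms(access).items():
        print(f"  {key:<14} effective {perms}")
    print("capped by mask:", masked_entries(access))
    print("default entries inherited by new files:", len(defaults))
```

Run it against real output with `getfacl /path | python3 this_script.py` after swapping SAMPLE_GETFACL for `sys.stdin.read()`; if masked_entries() is non-empty, either widen the mask (`setfacl -m m::rwx`) or accept that the entry grants less than written.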
6. su [-lm] [-c command] [username]: switch user. su asks for the target user's password, so every administrator who uses it to become root has to know root's password.
1) -: a bare "-" (for example su -) starts a login shell, which reads the target user's login configuration files and replaces the current environment variables. Without a username, the switch is to root.
2) -l: same as -, but the username is given explicitly (su -l username).
3) -m: same as -p; keeps the current environment settings instead of reading the new user's configuration files.
4) -c: executes a single command as the target user and returns; the command follows -c.
7. sudo [-b] [-u username] command: runs a command as another user without needing that user's password; you authenticate with your own password instead, so root's password never has to be shared. This is the safer method.
1) -b: runs the command in the background so it does not block the current shell.
2) -u: the user to run the command as. Without -u the command runs as root. The command follows directly.
By default only root is listed in /etc/sudoers, so other accounts are refused; to let an account use sudo, /etc/sudoers must be edited, and the tool for that is visudo (it locks the file and checks the syntax before saving, so a typo cannot lock everyone out of sudo).
8. visudo: edit /etc/sudoers. To let an account run sudo, find the root line, add a new line under it, and replace root with the account name. The root line reads root ALL=(ALL) ALL, and its four fields mean:
1) which account may use sudo; by default root.
2) from which host the account may be logged in when it runs sudo; this can be restricted to particular client machines (trusted hosts). By default root may come from any host.
3) which identities this account may switch to for the subsequent command; by default root may become anyone.
4) which commands may be run with that identity; commands must be written as absolute paths. By default root may become any identity and run any command.
User_Alias and Cmnd_Alias define named lists of users and commands, so one rule can cover a batch of them.
If a second sudo command is run within 5 minutes of the first, the password is not asked again (the timestamp_timeout setting in sudoers controls this interval).
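To make the four fields, the absolute-path rule and the two alias types concrete, here is an added example (not code from the original post, and not sudo's own parser) that reads a simplified sudoers policy and answers "may this user run this command as that identity on this host?". It handles only the constructs the text describes: user specs with an optional (runas) list, %group names, ALL, User_Alias and Cmnd_Alias; Defaults lines are skipped, and tags such as NOPASSWD, command arguments and wildcards are not supported. The sample policy and the user, host and command names in it are constructed.

```python
"""Evaluate a simplified /etc/sudoers policy (added example, constructed sample)."""
import re
from dataclasses import dataclass, field

# Constructed sample; the names are assumptions, not from a real host.
SAMPLE_SUDOERS = """\
# Aliases must be defined before the rules that use them.
User_Alias  ADMINS = alice, bob
Cmnd_Alias  SERVICES = /usr/bin/systemctl, /usr/sbin/service
Defaults    env_reset
root    ALL=(ALL) ALL
ADMINS  ALL=(root) SERVICES
%wheel  ALL=(ALL) ALL
carol   build01=(root) /usr/bin/apt
"""

# who  host=(runas) commands   -- the four fields described in the text
_SPEC = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
_ALIAS = re.compile(r"^(User_Alias|Cmnd_Alias)\s+([A-Z][A-Z0-9_]*)\s*=\s*(.+)$")


@dataclass
class Policy:
    user_aliases: dict = field(default_factory=dict)
    cmnd_aliases: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)       # (who, host, runas, [commands])


def _split(s):
    return [x.strip() for x in s.split(",") if x.strip()]


def parse_sudoers(text):
    """Parse the subset of sudoers syntax covered by the text; reject relative command paths."""
    policy = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = _ALIAS.match(line)
        if m:
            kind, name, members = m.groups()
            table = policy.user_aliases if kind == "User_Alias" else policy.cmnd_aliases
            table[name] = _split(members)
            continue
        m = _SPEC.match(line)
        if not m:
            raise ValueError(f"unparsable sudoers line: {raw!r}")
        who, host, runas, cmds = m.groups()
        runas = (runas or "root").split(":")[0]     # "(user:group)" -> user; no list -> root
        cmds = _split(cmds)
        for c in cmds:                               # the absolute-path rule from the text
            if not (c == "ALL" or c in policy.cmnd_aliases or c.startswith("/")):
                raise ValueError(f"command must be ALL, a Cmnd_Alias or an absolute path: {c!r}")
        policy.rules.append((who, host, runas, cmds))
    return policy


def _user_matches(policy, who, user, groups):
    if who in ("ALL", user):
        return True
    if who.startswith("%"):                          # %name means a Unix group
        return who[1:] in groups
    return user in policy.user_aliases.get(who, ())


def _expand_cmds(policy, cmds):
    out = []
    for c in cmds:
        out.extend(_expand_cmds(policy, policy.cmnd_aliases[c]) if c in policy.cmnd_aliases else [c])
    return out


def may_run(policy, user, groups, host, runas, command):
    """True if some rule lets `user` (a member of `groups`) run `command` as `runas` on `host`."""
    for who, rhost, rrunas, cmds in policy.rules:
        if not _user_matches(policy, who, user, groups):
            continue
        if rhost not in ("ALL", host) or rrunas not in ("ALL", runas):
            continue
        if any(c in ("ALL", command) for c in _expand_cmds(policy, cmds)):
            return True
    return False


if __name__ == "__main__":
    p = parse_sudoers(SAMPLE_SUDOERS)
    for user, groups, host, runas, cmd in [
        ("alice", set(), "web01", "root", "/usr/bin/systemctl"),
        ("alice", set(), "web01", "root", "/usr/bin/apt"),
        ("carol", set(), "web01", "root", "/usr/bin/apt"),
    ]:
        print(f"{user}@{host} as {runas}: {cmd} -> {may_run(p, user, groups, host, runas, cmd)}")
```

Reading the result the other way round is the useful audit: a rule whose command field expands to ALL for a runas of ALL is equivalent to handing out root, whatever the first two fields say.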
9. w, who: show the users currently logged in. w is more detailed: besides the users it shows the system load averages, idle time and what each user is running. who shows only the user name, terminal and login time.
10. lastlog: shows each account's most recent login by reading /var/log/lastlog. (The original says only root can run it; on most distributions the file is world-readable, so any user can.)
11. write user [terminal]: chat with an account currently logged in; type the message after the command and finish with Ctrl-D.
12. mesg [y|n]: accept (y) or refuse (n) messages other users send with write; messages from root cannot be refused.
13. wall message: sends a message to every account logged in to the system.