ACL permissions for files in Linux systems

Source: Internet
Author: User

An important part of an administrator's job is managing accounts: the whole system is under your management, and every account request from ordinary users goes through you. The two previous posts covered the basic file permissions and the special permission bits, and stressed how much can be done with them, but the traditional model only knows three identities (owner, group, others) and three permissions (read, write, execute: r, w, x). When a particular user or group needs access that does not fit that model, you use ACLs (access control lists) to grant it to exactly that user or group.

I. What is an ACL

ACL is short for Access Control List. Its purpose is to provide additional, specific permission settings on top of the basic owner, group and others permissions: an ACL can grant r, w, x to an individual user or group on a given file or directory, which is exactly what is needed when someone outside the owner and the owning group must get access. ACLs are used for the following:

    • User: set permissions for a specific (named) user;

    • User group: set permissions for a specific (named) group;

    • Default ACL and mask: on a directory, the default ACL is the ACL that new files and subdirectories created in it inherit; the mask caps the effective permissions of named users, named groups and the owning group (covered in part III).

II. Enabling ACL

Now that we know what an ACL can describe and when it is used, the next question is how to make sure the file system your files live on supports ACLs.

Because ACLs are an extension of the traditional Unix-like permission model, the file system must support them. Most current file systems do. XFS, the default on CentOS 7, always has ACL support enabled, and ext4 file systems created with recent e2fsprogs record acl among their default mount options, as the tune2fs output below shows. On older systems such as CentOS 6, a partition you create and format later may not carry that default, and the acl mount option then has to be added by hand.

    • Viewing the ACL attribute

To see whether an ext2/3/4 file system has acl among its default mount options, use the tune2fs command. It reads the superblock directly from the block device, so the partition does not have to be mounted for this check:

[root@host /]# mount /dev/sdb3 /mnt     # mount the partition for use; tune2fs -l itself does not require this
[root@host /]# tune2fs -l /dev/sdb3
tune2fs 1.42.9 (28-Dec-2013)
Filesystem volume name:   <none>
Last mounted on:          <not available>
Filesystem UUID:          9a9bac28-da60-4351-a21f-c6529385e944   # UUID of the partition, its unique identifier
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal ext_attr resize_inode ...   # file system features (rest omitted)
Filesystem flags:         signed_directory_hash
Default mount options:    user_xattr acl     # acl is a default mount option: ACLs are enabled
... middle omitted ...
Journal backup:           inode blocks
[root@host /]#

tune2fs shows whether acl is recorded in the file system's superblock as a default mount option. For a partition that does not carry it, how do we add the option and check that it is in effect? That is done with mount:

# --------- mount: view the options a file system is mounted with ---------
[root@host /]# mount
... omitted ...
/dev/sdc1 on /app type xfs (rw)     # acl is not shown: mounted without the acl option
... omitted ...
# --------- mount: add the acl option temporarily ---------
[root@host /]# mount -o remount,acl /dev/sdc1     # remount the new partition with acl added
[root@host /]# mount
... omitted ...
/dev/sdc1 on /app type xfs (rw,acl)     # acl added; this lasts only until the next reboot
... omitted ...
# --------- make the acl option permanent ---------
[root@host /]# vim /etc/fstab
Append the following entry at the end of the file, then save and exit (acl must be listed in the options field; "defaults" alone does not add it):
UUID=939ea6b9-9aa5-421c-908f-73691670ab75  /mnt/sdc1  ext4  defaults,acl  0 0
[root@host /]# mount -a     # mount every /etc/fstab entry that is not mounted yet; the entry is applied again at every boot
[root@host /]#              # for a partition that is already mounted, use mount -o remount /mnt/sdc1 to pick up the new options

Description

  • The option list printed by mount is not the whole story: newer distributions and kernels switch on some features without listing them (ACLs are always on for XFS, and on by default for ext4 with recent kernels), so the absence of acl in the output does not prove that ACLs are off. The reliable test is to run setfacl on a file: "Operation not supported" means the file system or mount really lacks ACLs.

  • mount -o remount,<options> (acl, rw, ro, nodev ...): remounts an already mounted file system with the given options added; mount options are covered in a later post on disk management.

  • /etc/fstab is the configuration file for mount entries. The meaning of its fields, from left to right, is:

    device (UUID=..., /dev/sd*, or LABEL=...), mount point, file system type, mount options, dump backup frequency, fsck check order

  • When a partition is formatted it is assigned a UUID that uniquely identifies it. The blkid command lists the UUID of every block device, and UUID= entries in /etc/fstab keep working even if device names such as /dev/sdc1 change between boots.
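The quickest way to settle whether a given directory really accepts ACLs is to try one. The following script is an added example and is not part of the original article: acl_supported creates a temporary file in the directory you name, attempts to add a named-user entry for uid 65534 (given numerically so it does not depend on a "nobody" account), and reports supported, unsupported (the kernel answered "Operation not supported"), or no-setfacl when the acl package is missing. mount_line_for prints the /proc/mounts line for the file system that holds the directory, so you can see the options it was actually mounted with (for example noacl). Both names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): probe a directory for ACL
# support instead of trusting the option list printed by mount.

mount_line_for() {
    # Print the /proc/mounts entry for the file system holding DIR
    # (longest mount-point prefix wins), so options such as "noacl" are visible.
    dir=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    [ -r /proc/mounts ] || return 1
    awk -v d="$dir" '
        {
            mp = $2
            if (mp == "/" || d == mp || index(d, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; line = $0 }
            }
        }
        END { if (line != "") print line }' /proc/mounts
}

acl_supported() {
    # Try to add a named-user ACL entry to a scratch file in DIR.
    # Prints one of: supported | unsupported | no-setfacl | no-write-access
    dir=${1:-.}
    command -v setfacl >/dev/null 2>&1 || { echo no-setfacl; return 2; }
    probe=$(mktemp "$dir/.aclprobe.XXXXXX" 2>/dev/null) || { echo no-write-access; return 2; }
    # uid 65534 is used numerically so the probe does not depend on a "nobody" account
    if err=$(setfacl -m u:65534:r "$probe" 2>&1); then rc=0; else rc=$?; fi
    rm -f "$probe"
    if [ "$rc" -eq 0 ]; then
        echo supported
        return 0
    fi
    case $err in
        *"not supported"*) echo unsupported; return 1 ;;   # kernel: Operation not supported
        *) echo "unsupported ($err)"; return 1 ;;           # some other refusal; show the reason
    esac
}

# Typical use: check the directory you are about to hand out ACLs on
mount_line_for "${1:-.}"
acl_supported "${1:-.}"
```

Run it as `sh aclprobe.sh /app` before promising anyone an ACL on that tree; a result of unsupported with a mount line containing noacl means the mount options are the problem, while unsupported on a plain mount points at the file system itself.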

III. Setting ACLs

After confirming that the file system has ACL support enabled, the next step is to work with the ACLs themselves: adding entries, reading them back, and backing them up and restoring them.

1. Set ACL

Setting an ACL means adding or changing ACL entries, which is done with the setfacl command. Its usage is:

[root@host /]# setfacl [-bkndRLPvh] { -m|-M|-x|-X ... } file ...

Options:

  • -m: modify the ACL: add the entries given in the argument, or change them if they already exist

  • -b: remove all extended ACL entries (the base entries for owner, group and others are kept)

  • -x: remove the entries given in the argument

  • -k: remove the default ACL

  • -d: apply the operation to the default ACL; only directories have one, and files and subdirectories created inside inherit it

  • -R: recurse into subdirectories, applying the operation to every file and directory beneath

ACLs can be set for several kinds of object: a single named user, a named group, and the owner entry itself. The examples below show each in turn:

# --------- set an ACL for a single user ---------
[root@host ~]# cd /app
[root@host app]# touch 1.txt                     # create the file 1.txt
[root@host app]# ll 1.txt
-rw-r--r--. 1 root root 0 Aug 10 14:41 1.txt    # only the basic permissions so far
[root@host app]# setfacl -m u:harry:rx 1.txt     # give user harry r-x on the file
[root@host app]# ll 1.txt
-rw-r-xr--+ 1 root root 0 Aug 10 14:41 1.txt    # a + now follows the permissions, and the group triplet has changed
# --------- set the owner entry through the ACL ---------
[root@host app]# setfacl -m u::rwx 1.txt         # u:: with an empty name is the owner's own entry
[root@host app]# ll 1.txt
-rwxr-xr--+ 1 root root 0 Aug 10 14:41 1.txt
# --------- set an ACL for a group ---------
[root@host app]# setfacl -m g:t1:r 1.txt         # give group t1 read-only access to the file
[root@host app]# ll 1.txt
-rwxr-xr--+ 1 root root 0 Aug 10 14:41 1.txt    # nothing visible changed: r-- already fits inside the group triplet shown
[root@host app]#

Description: after setting the ACL, ls only shows the coarse picture. The permission string gains a trailing + and the group triplet has changed, but the individual ACL entries are not visible there. (From now on the group triplet shows the mask rather than the owning group's permissions; see part 3 below.)

2. Read ACL

To read a file's ACL we use the getfacl command, which prints every entry in detail. Its option syntax is very close to that of setfacl; an example makes it clear:

[root@host app]# getfacl 1.txt     # read the ACL of 1.txt
# file: 1.txt          # file name
# owner: root          # owner
# group: root          # owning group
user::rwx              # empty user name: the owner's own permissions
user:harry:r-x         # named user harry, set above
group::r--             # empty group name: the owning group's permissions
group:t1:r--           # named group t1, set above
mask::r-x              # the mask: upper limit of the effective permissions of named users, named groups and the owning group
other::r--             # everyone else
[root@host app]#

Description: the ACL shown by getfacl is much more detailed than ls. Lines starting with # are comments describing the file: its name, owner and owning group. The remaining lines are the ACL entries, each in the form type:qualifier:permissions; an empty qualifier (user::, group::) stands for the owner or the owning group, and a named qualifier is a specific user or group.

3. Mask value Meaning and function

The mask entry is an upper bound on the permissions that named users, named groups and the owning group can actually exercise: each of those entries is ANDed with the mask to give its effective permissions (the owner and other entries are not affected by it). The mask is also what ls shows in the group position once a file has an ACL, so changing the mask changes the group triplet, and conversely a chmod on the group bits changes the mask, not the owning group's entry. Note too that setfacl recalculates the mask automatically whenever an entry is modified (unless -n is given), so a mask set by hand is replaced by the next setfacl -m.

[root@host app]# setfacl -m mask:r 1.txt        # set the mask to r
[root@host app]# getfacl 1.txt                  # view the ACL again
# file: 1.txt
# owner: root
# group: root
user::rwx
user:harry:r-x              #effective:r--     # harry's entry says r-x, but only r-- is effective
group::r--
mask::r--
other::r--
[root@host app]# setfacl -m mask:- 1.txt        # set the mask to no permissions at all
[root@host app]# getfacl 1.txt
# file: 1.txt
# owner: root
# group: root
user::rwx
user:harry:r-x              #effective:---     # the mask is empty, so the effective permissions are empty too
group::r--                  #effective:---
mask::---
other::r--
[root@host app]# ll 1.txt
-rwx---r--+ 1 root root 0 Aug 10 14:41 1.txt    # the group triplet follows the mask
[root@host app]#

Description

    • harry's entry r-x ANDed with the mask r-- gives r--, so harry can only read the file

    • The mask is a ceiling on effective permissions; it guards against accidentally granting more to some user or group than intended, and lets you restrict every ACL entry at once without editing each of them

    • My personal advice is to set the mask to rwx, so that only the entries set for each user or group decide what they can do
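Working out by eye what a user actually gets once the mask is applied is easy to get wrong, so here is the evaluation rule as code. This script is an added example and is not from the original article: acl_effective reads getfacl output on standard input and applies the POSIX ACL algorithm for a given user and group list, printing the effective permission string. SAMPLE is constructed text in getfacl format, adapted from the 1.txt example above (harry r-x, group t1 given rw- and other set to --- so every branch is distinguishable), and with_mask rewrites its mask line so the same ACL can be evaluated under different masks. All three names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): compute the effective
# permissions a process gets on a file from the text that getfacl prints.
# usage: acl_effective USER "GROUP ..." < getfacl-output      -> prints e.g. r--

acl_effective() {
    awk -v who="$1" -v groups="$2" '
    # perm_and("r-x","r--") = "r--": AND of two rwx strings (the mask operation)
    function perm_and(a, b,    out, i, c) {
        out = ""
        for (i = 1; i <= 3; i++) { c = substr("rwx", i, 1); out = out ((index(a, c) && index(b, c)) ? c : "-") }
        return out
    }
    # perm_or: union of two rwx strings (used when several group entries match)
    function perm_or(a, b,    out, i, c) {
        out = ""
        for (i = 1; i <= 3; i++) { c = substr("rwx", i, 1); out = out ((index(a, c) || index(b, c)) ? c : "-") }
        return out
    }
    BEGIN {
        n = split(groups, g, " ")
        for (i = 1; i <= n; i++) ingroup[g[i]] = 1
        mask = "rwx"                       # no mask entry means nothing is masked
    }
    /^# owner:/ { owner = $3; next }
    /^# group:/ { ogroup = $3; next }
    /^#/ || NF == 0 { next }               # other comment lines and blank lines
    {
        split($1, f, ":")                  # "type:qualifier:perms"; $1 drops any "#effective:" tail
        t = f[1]; q = f[2]; p = f[3]
        if (t == "user"  && q == "")       user_obj = p
        else if (t == "user")              named_user[q] = p
        else if (t == "group" && q == "")  group_obj = p
        else if (t == "group")             named_group[q] = p
        else if (t == "mask")              mask = p
        else if (t == "other")             other = p
        # "default:" entries are skipped: they apply to files created later, not to this one
    }
    END {
        # 1. the owner uses user:: and is never masked
        if (who == owner)      { print user_obj; exit }
        # 2. a named user entry, ANDed with the mask
        if (who in named_user) { print perm_and(named_user[who], mask); exit }
        # 3. the owning group and every matching named group, each ANDed with the mask; the union counts
        eff = "---"; matched = 0
        if (ogroup in ingroup) { eff = perm_or(eff, perm_and(group_obj, mask)); matched = 1 }
        for (q in named_group) if (q in ingroup) { eff = perm_or(eff, perm_and(named_group[q], mask)); matched = 1 }
        if (matched)           { print eff; exit }
        # 4. everyone else
        print other
    }'
}

# Constructed sample in getfacl format, adapted from the 1.txt example in the article
SAMPLE='# file: 1.txt
# owner: root
# group: root
user::rwx
user:harry:r-x
group::r--
group:t1:rw-
mask::r-x
other::---'

# Same ACL with the mask line replaced, e.g. with_mask r-- or with_mask ---
with_mask() { printf '%s\n' "$SAMPLE" | sed "s/^mask::.*/mask::$1/"; }

with_mask r-x | acl_effective harry users    # r-x : harry's entry fits inside the mask
with_mask r-- | acl_effective harry users    # r-- : the mask strips x
with_mask --- | acl_effective harry users    # --- : an empty mask blocks every named entry
with_mask --- | acl_effective root  root     # rwx : the owner is never masked
with_mask r-x | acl_effective alice t1       # r-- : t1's rw- ANDed with mask r-x
```

Feed it a real listing with `getfacl 1.txt | acl_effective harry "$(id -Gn harry)"` to check a grant before telling the user it works; the mask branch is the one people trip over, and the owner branch shows why chmod g-r on an ACL'd file does not touch the owning group's entry.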

4. Backup and recovery of ACLs

ACL backup and restore is done mainly by copying, moving, or redirecting getfacl output. Note that cp and mv both support ACLs, but cp preserves them only with -p (or -a); a plain cp drops them. A plain tar drops them as well: GNU tar needs --acls (available from tar 1.27 on) to store and restore them, and rsync needs -A.

# --------- back up the ACL ---------
[root@host app]# getfacl 1.txt > acl.bak           # redirect the ACL of 1.txt into acl.bak (use getfacl -R for a directory tree)
[root@host app]# cat acl.bak                       # same content as getfacl 1.txt prints: the backup succeeded
# file: 1.txt
# owner: root
# group: root
user::rwx
user:harry:r-x              #effective:---
group::r--                  #effective:---
mask::---
other::r--
# --------- restore the ACL ---------
[root@host app]# setfacl -b 1.txt                  # strip all extended ACL entries, as if the ACL had been lost
[root@host app]# getfacl 1.txt                     # only the base entries remain
# file: 1.txt
# owner: root
# group: root
user::rwx
group::---
other::r--
[root@host app]# setfacl --set-file=acl.bak 1.txt  # restore the ACL of 1.txt from acl.bak
[root@host app]# getfacl 1.txt                     # the entries are back
# file: 1.txt
# owner: root
# group: root
user::rwx
user:harry:r-x              #effective:---
group::r--                  #effective:---
mask::---
other::r--
[root@host app]#

Description: the ACL can be put back in more than one way. Besides --set-file, the backup written by getfacl can be replayed with --restore, which takes the file names from the # file: comments and therefore also works for a whole tree saved with getfacl -R (run it from the directory the backup was taken in, or take the backup with getfacl -p to keep absolute paths):

setfacl --restore=acl.bak
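A backup is only worth having if a restore has been shown to bring back exactly what was saved. The script below is an added example and not part of the original article: acl_backup saves a directory tree with getfacl -R -p, acl_restore_verify replays it with setfacl --restore and compares a fresh getfacl dump against the backup, and acl_roundtrip_demo builds a throwaway tree (numeric ids 65534 stand in for harry and t1, plus a default ACL on the directory), deliberately strips its ACLs the way a plain cp or tar would, and checks that the restore repairs the loss. It needs the acl package and an ACL-capable file system and prints skipped otherwise. All function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): back up the ACLs of a
# directory tree and prove that a restore brings back exactly what was saved.

acl_backup() {   # acl_backup DIR BACKUPFILE
    # -R walks the tree, -p keeps absolute paths, so the backup can be
    # restored from any working directory
    getfacl -R -p "$1" > "$2" 2>/dev/null
}

acl_restore_verify() {   # acl_restore_verify DIR BACKUPFILE -> ok | mismatch | restore-failed
    setfacl --restore="$2" 2>/dev/null || { echo restore-failed; return 1; }
    after=$(mktemp) || return 1
    getfacl -R -p "$1" > "$after" 2>/dev/null
    if cmp -s "$2" "$after"; then r=ok; else r=mismatch; fi
    rm -f "$after"
    echo "$r"
    [ "$r" = ok ]
}

acl_roundtrip_demo() {   # prints ok | skipped | strip-failed | mismatch | restore-failed
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d "${TMPDIR:-/tmp}/acldemo.XXXXXX") || { echo skipped; return 0; }
    mkdir "$work/app" && : > "$work/app/1.txt"
    # Re-create the article's setup (uid/gid 65534 stand in for harry and t1)
    # plus a default ACL on the directory, which -R -p captures as well.
    if ! { setfacl -m u:65534:rx "$work/app/1.txt" &&
           setfacl -m g:65534:r  "$work/app/1.txt" &&
           setfacl -d -m u:65534:rx "$work/app"; } 2>/dev/null; then
        rm -rf "$work"; echo skipped; return 0
    fi
    acl_backup "$work/app" "$work/acl.bak"
    # Simulate the ACLs being lost, and make sure the loss is real before
    # claiming that the restore fixed anything.
    setfacl -R -b "$work/app" && setfacl -k "$work/app"
    getfacl -R -p "$work/app" > "$work/stripped" 2>/dev/null
    if cmp -s "$work/acl.bak" "$work/stripped"; then
        rm -rf "$work"; echo strip-failed; return 1
    fi
    result=$(acl_restore_verify "$work/app" "$work/acl.bak")
    rm -rf "$work"
    echo "$result"
    [ "$result" = ok ]
}

acl_roundtrip_demo
```

Two things to keep in mind when using --restore on real data: it also restores the owner and group named in the # owner: and # group: comments, so restoring files that belong to other users needs root; and in current acl releases it sets the setuid, setgid and sticky bits from a # flags: comment and clears them when no such comment is present, so inspect the backup for # flags: lines before replaying it over binaries.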

Thank you for reading!


This article is from the "vinsent" blog, make sure to keep this source http://vinsent.blog.51cto.com/13116656/1955166
