ACL Permission Control
Set ACL permissions: setfacl
View ACL permissions: getfacl
ACL permission control provides finer-grained permission settings beyond the traditional read, write, and execute permissions of owner, group, and other. With ACL, specific permissions can be set for a single user or a single group.
For example, the permissions of a directory are
drwx------ 2 root root 4096 03-10 13:51 ./acldir
A user named users has no permission on this directory and therefore cannot access it. With ACL, permissions on this directory can be set for the user users individually, so that this user can operate on the directory.
ACL Startup
To use ACL, the file system must support it. Most current file systems do; the ext3 file system enables ACL by default.
Check whether the file system supports ACL
[root@localhost tmp]# dumpe2fs -h /dev/sda2
dumpe2fs 1.39 (29-May-2006)
……
sparse_super large_file
Default mount options:    user_xattr acl
Mounting with ACL
If the UNIX-like system supports ACL but the file system does not enable it by default, you can enable it yourself at mount time.
[root@localhost tmp]# mount -o remount,acl /
[root@localhost tmp]# mount
/dev/sda2 on / type ext3 (rw,acl)
You can also modify the disk mounting configuration file to set the default boot loading.
[root@localhost tmp]# vi /etc/fstab
LABEL=/    /    ext3    defaults,acl    1 1
View ACL Permissions
Syntax: getfacl filename
Set ACL Permissions
Syntax: setfacl [-bkRd] [-m|-x acl_parameter] target_filename
Options and parameters:
-m: sets the ACL parameter that follows; cannot be used together with -x.
-x: removes the ACL parameter that follows; cannot be used together with -m.
-b: removes all ACL parameters.
-k: removes the default ACL parameters.
-R: sets ACL parameters recursively.
-d: sets a default ACL parameter; only valid for directories.
For specific users
Format: u:user_account_list:permission
Permission: a combination of r, w, and x
If the user list is empty, the permission of the current file owner is set.
Example:
[root@localhost tmp]# mkdir -m 700 ./acldir; ll -d ./acldir
drwx------ 2 root root 4096 03-10 ./acldir
[root@localhost tmp]# su tkf
[tkf@localhost tmp]$ cd ./acldir/
bash: cd: ./acldir/: insufficient permissions    => the user does not have the x permission
[tkf@localhost tmp]$ exit
exit
[root@localhost tmp]# setfacl -m u:tkf:x ./acldir/    => give the user tkf the x permission on the acldir directory
[root@localhost tmp]# ll -d ./acldir/
drwx--x---+ 2 root root 4096 03-10 ./acldir/    => adding permissions via ACL appends a "+" to the end of the permission string, and the original permission bits of the file also change
=> you can use getfacl to view the original directory permissions
[root@localhost tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x    => records that the user tkf has ACL permissions on this directory
group::---
mask::--x
other::---    => note: apart from the user tkf, who has the x permission, other users still have no permission
[root@localhost tmp]# su tkf
[tkf@localhost tmp]$ cd ./acldir/
[tkf@localhost acldir]$    => the user tkf now has the x permission and can enter the directory
For specific user groups
Format: g:user_group_list:permission
Permission: a combination of r, w, and x
If the user group list is empty, the permission of the current file's owning group is set.
Example:
[root@localhost tmp]# setfa<Tab>
setfacl  setfattr
[root@localhost tmp]# setfacl -m g:users:rx ./acldir/
[root@localhost tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x
group::---    => permission of the file's own group (not an ACL setting)
group:users:r-x    => records that the group users has ACL permissions on this directory
mask::r-x
other::---
Set Effective Permissions
The effective permission (mask) is the upper bound of the ACL permission settings: every ACL permission you set must be a subset of the mask. Any permission that exceeds the mask is removed from the effective permission.
Format: m:permission
Permission: a combination of r, w, and x
Example:
[root@localhost tmp]# setfacl -m m:x ./acldir/
[root@localhost tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x
group::r-x              #effective:--x
group:users:r-x         #effective:--x
mask::--x
other::---
Set Default Permissions
We previously set specific permissions for a user (or group) on a directory, but files newly created inside that directory do not carry those specific permissions for that user. To solve this, set the default ACL permission so that files newly created under the directory inherit the same ACL-specific permissions as the directory.
Format: d:[u|g]:user_(group)_list:permission
Example:
[root@localhost tmp]# mkdir -m 711 ./defdir
[root@localhost tmp]# setfacl -m u:tkf:rxw ./defdir
[root@localhost tmp]# ll -d ./defdir/
drwxrwx--x+ 2 root root 4096 03-10 ./defdir/    => the directory has ACL-specific permissions (followed by +)
[root@localhost tmp]# touch ./defdir/a.file; ll ./defdir/
-rw-r--r-- 1 root root 0 03-10 15:25 a.file    => the newly created file has no ACL-specific permissions (not followed by +)
[root@localhost tmp]# setfacl -m d:u:tkf:rxw ./defdir    => set the default permission
[root@localhost tmp]# getfacl ./defdir/
# file: defdir
# owner: root
# group: root
user::rwx
user:tkf:rwx
group::--x
mask::rwx
other::--x
default:user::rwx
default:user:tkf:rwx
default:group::--x
default:mask::rwx
default:other::--x
[root@localhost tmp]# touch ./defdir/b.file; ll ./defdir/
-rw-r--r-- 1 root root 0 03-10 15:25 a.file
-rw-rw----+ 1 root root 0 03-10 15:26 b.file    => with the default ACL in place, newly created files carry ACL-specific permissions
[root@localhost tmp]# getfacl ./defdir/b.file
# file: defdir/b.file
# owner: root
# group: root
user::rw-
user:tkf:rwx        #effective:rw-
group::--x          #effective:---
mask::rw-
other::---
=> I have a question about this. Why is the mask value rw-? I guess it is related to the maximum file permission? => For files, the maximum permission is 666 by default, that is, with a umask of 0000. For executable files, if there is no x, do you still need to use chmod to set it? Question!!
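As an added example (not code from the original page), the shell functions below apply the two mask rules this page runs into: the "#effective:" value getfacl prints is the entry ANDed with the mask, and an object created under a directory that has a default ACL gets the default mask ANDed with the group bits of the mode the creating call requests (touch requests 0666, so b.file above ends up with mask::rw-; umask is not applied, per acl(5)). The getfacl listing is constructed inline from the page's acldir example.

```shell
#!/bin/sh
# Added example, not from the original page: mask rules from acl(5) applied
# to the page's acldir/defdir ACLs. Permissions are rwx triplets as getfacl
# prints them; the sample ACL text at the bottom is constructed.

# perm_and A B: character-wise intersection of two rwx triplets (rwx r-x -> r-x)
perm_and() {
    out=""; i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c"$i"); b=$(printf '%s' "$2" | cut -c"$i")
        if [ "$a" = "$b" ] && [ "$a" != "-" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# acl_effective ACLTEXT: print each entry the mask limits (named users, the
# owning group, named groups) with its effective permission, like getfacl does
acl_effective() {
    mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\(...\)$/\1/p')
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            user:?*:???|group:*:???)
                printf '%s\t#effective:%s\n' "$line" "$(perm_and "${line##*:}" "$mask")" ;;
        esac
    done
}

# new_file_mask DEFAULT_MASK MODE: mask a new object gets under a directory
# with a default ACL. MODE is the three-digit octal mode the creating call
# requests (666 for touch, 777 for mkdir); its group digit is ANDed with the
# default mask and umask is not applied.
new_file_mask() {
    case $(printf '%s' "$2" | cut -c2) in
        7) g=rwx ;; 6) g=rw- ;; 5) g=r-x ;; 4) g=r-- ;;
        3) g=-wx ;; 2) g=-w- ;; 1) g=--x ;; *) g=--- ;;
    esac
    perm_and "$1" "$g"
}

# Constructed sample: acldir after the page's "setfacl -m m:x ./acldir/"
ACLDIR_ACL='user::rwx
user:tkf:--x
group::r-x
group:users:r-x
mask::--x
other::---'

acl_effective "$ACLDIR_ACL"
printf 'mask of a file touched under defdir: %s\n' "$(new_file_mask rwx 666)"
```

Running it prints the three masked acldir entries with effective --x and the mask rw- that b.file receives, matching the listings above.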