Analyzing the Linux file system access control list

Source: Internet
Author: User

1. What is FACL?

FACL stands for filesystem access control list. Based on what we already know about the Linux permission model, it looks roughly like this:

[Figure: Facl]

Consider the following scenario:

The user tom has created a file and wants the user lucy to be able to access and edit it.

Analysis:

First, can tom temporarily change the file's owner to lucy to achieve this?

Obviously, this is not feasible, because an ordinary user does not have permission to run chown at all.

Second, can lucy be added to the file's group with the group permissions set to rw, or can the file's other permissions be set to rw?

This is achievable, but it has obvious drawbacks. Lucy is not the only user in the group. What we need is fine-grained access control.

Third, can the SUID special permission be used?

Indeed, once SUID is set on the file, both lucy and other users can access and edit it. The drawback is the same as above and just as obvious.

In other words, we want to share a resource between individual users, and Linux provides FACL to help us do that.


2. How to use FACL?

# Get the access control list of file

getfacl file


# Set an entry

setfacl -m u:username:permission file

setfacl -m g:groupname:permission file


# Remove an entry

setfacl -x u:username file

setfacl -x g:groupname file


3. Some FACL examples

[[email protected] backup]# cp /etc/inittab inittab
[[email protected] backup]# ls -l
total 8
-rw-r--r-- 1 root root 1666 Jun 15 22:28 inittab
[[email protected] backup]$ echo "hello facl" >> inittab
-bash: inittab: Permission denied
[[email protected] backup]# setfacl -m u:tom:rw inittab
[[email protected] backup]# getfacl inittab
# file: inittab
# owner: root
# group: root
user::rw-
user:tom:rw-
group::r--
mask::rw-
other::r--
[[email protected] backup]$ echo "hello facl" >> inittab
[[email protected] backup]$ tail -2 inittab
x:5:respawn:/etc/X11/prefdm -nodaemon
hello facl


4. Analysis and summary

A. Note that once an access control list has been set on a file:

[[email protected] backup]# ls -l inittab

-rw-rw-r--+ 1 root root 1677 Jun 15 22:30 inittab

That is, an extra + appears after the permission bits. In fact, FACL stores its permission information in the file's extended attributes.

B. What happens when a file with a FACL is copied?

"The FACL may be lost; certain options or commands are needed to avoid this. More on that later."


C. If we set a FACL on a directory, the files under that directory inherit it.

"Not widely used; it is enough to be aware of it."

To set a FACL on a directory, use the following format:

setfacl -m d:u:username:permission directory


D. How a user's access to a file is checked is illustrated as follows:

[Figure: Facl]
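The access check for item D can also be written out as code. The following is an added example, not part of the original article: it follows the order documented in acl(5) (owner, named user, group class, other, with the mask limiting named-user and group entries) and evaluates the getfacl listing from section 3. The group memberships and the group name "staff" are constructed for illustration, and root's capability override is not modelled.

```python
# Added example (not from the original article): the access check from
# acl(5), applied to getfacl text. Capability overrides (root) are not modelled.
GETFACL = """\
# file: inittab
# owner: root
# group: root
user::rw-
user:tom:rw-
group::r--
mask::rw-
other::r--
"""

def parse(text):
    """Return (owner, owning_group, [(tag, qualifier, perm_set), ...])."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            meta[key.strip()] = val.strip()
        elif line and not line.startswith("default:"):
            tag, qual, perms = line.split(":")[:3]
            entries.append((tag, qual, set(perms[:3]) - {"-"}))
    return meta["owner"], meta["group"], entries

def allowed(text, user, groups, want):
    """True if `user` (member of `groups`) is granted every bit in `want`."""
    owner, ogroup, entries = parse(text)
    want = set(want)
    pick = lambda tag, qual="": [p for t, q, p in entries if (t, q) == (tag, qual)]
    mask = (pick("mask") or [set("rwx")])[0]   # no mask entry: nothing to filter
    if user == owner:                          # 1. owner: user:: entry, never masked
        return want <= pick("user")[0]
    if pick("user", user):                     # 2. named user: entry AND mask
        return want <= (pick("user", user)[0] & mask)
    hits = [p for t, q, p in entries if t == "group"
            and (q in groups or (q == "" and ogroup in groups))]
    if hits:                                   # 3. group class: any one entry AND mask
        return any(want <= (p & mask) for p in hits)
    return want <= pick("other")[0]            # 4. everyone else

if __name__ == "__main__":
    # lucy and her group "staff" are constructed; tom comes from the listing above.
    for who, grps in (("tom", {"tom"}), ("lucy", {"staff"})):
        print(who, "rw:", allowed(GETFACL, who, grps, "rw"))
```

Lowering the mask entry (for example to r--) removes write access from tom's named entry without touching that entry, which is why the mask line is worth checking when auditing a file that shows the + marker.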


This article is from the "I want to surpass myself" blog, please be sure to keep this source http://zhangfengzhe.blog.51cto.com/8855103/1427116
