Configure the access control list (ACL) in Linux

Source: Internet
Author: User

In Linux, the traditional permission model is simple: there are only three identities (owner, group, others) and three permissions (read, write, execute), set with commands such as chmod and chown. For finer-grained requirements, such as opening a directory to one specific user who is not its owner and cannot be put into its group, that model is not enough.

For example, take the /home/project directory, owned by user student and group users, with mode 770. Now user natasha, who belongs to group natasha, needs read and write access to /home/project, and user instructor, who belongs to group instructor, needs read and execute access to it.

chmod and chown cannot express this: the mode has a single group slot and a single "others" class, so there is no way to give two unrelated users two different sets of rights. For this kind of detailed permission setting Linux provides Access Control Lists (ACLs).

1. Set ACL

The setfacl command is used to set the ACL. The command format is as follows:

setfacl [options] entry file

where an entry looks like u:user:perms or g:group:perms.

Common options:

  • -m: set (add or modify) an ACL entry.

  • -x: remove an ACL entry.

  • -b: remove all ACL entries.

    For example, give natasha rwx on the /home/project directory. Execute permission is needed to enter a directory, so read and write access to a directory means rwx, not rw-:

    [root@localhost ~]# setfacl -m u:natasha:rwx /home/project/

    [root@localhost ~]# ll -d /home/project/

    drwxrwxrwx+ 2 student users 4096 16:43 /home/project/

     

     

    After the ACL is set, a "+" is appended to the permission field when you list the file, indicating that the file carries an ACL. Two things are worth noticing in this listing. First, once an ACL exists the group triplet (rwx here) shows the ACL mask, not the owning group's own permissions. Second, the others triplet is rwx, so in this session the directory is actually mode 777 rather than the 770 of the scenario: every user already has full access and the named entries change nothing. With others set to ---, as intended, the ACL entries are what grant natasha and instructor access, and nobody else gets in.

     

    Next, give the instructor user r-x permission on the /home/project directory:

    [root@localhost ~]# setfacl -m u:instructor:r-x /home/project/

     

     2. Manage ACL

    You can use the getfacl command to view ACL permissions.

     

    [root@localhost ~]# getfacl /home/project/

    getfacl: Removing leading '/' from absolute path names

    # file: home/project/

    # owner: student

    # group: users

    user::rwx

    user:instructor:r-x

    user:natasha:rwx

    group::rwx

    mask::rwx

    other::rwx

     

     

    The mask entry (mask::rwx above) is the upper bound on what named users, named groups and the owning group can actually get; when the mask cuts an entry down, getfacl annotates that entry with an "#effective:" comment. Because chmod rewrites the mask when an ACL is present, a later chmod g=rx on the directory would also cap natasha at r-x even though her entry still says rwx.

    To modify an existing entry, run "setfacl -m" again with the new permissions.

    For example, change the instructor user's permissions to rwx:

    [root@localhost ~]# setfacl -m u:instructor:rwx /home/project/

     

    To remove a user from the ACL, use "setfacl -x"; it takes the entry without a permission part.

    For example, remove the instructor user from the ACL:

    [root@localhost ~]# setfacl -x u:instructor /home/project/
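    Working out who effectively gets what from such a listing is easy to get wrong because of the mask entry. The following Python script is an added example, not part of the original article: it implements the access-check order from acl(5) (owner, named user, owning and named groups, other; only the two middle classes are filtered through the mask) and runs it over the getfacl output above, embedded as constructed sample text, together with a constructed variant of the same ACL on the 770 directory the scenario describes. The user name mallory stands for any user with no entry of their own, and chmod_group models what a later chmod of the group bits does to the mask.

```python
"""Evaluate who effectively gets what from a POSIX ACL, following the access
check algorithm in acl(5).  Added example, not from the original article: it
parses getfacl(1) text such as the listing of /home/project above (embedded
below as constructed sample input) and shows the effect of the mask entry."""
import re

R, W, X = 4, 2, 1

# Constructed sample: the article's getfacl listing of /home/project, written
# in getfacl's real tag:qualifier:perms syntax.  Note other::rwx (mode 777).
SAMPLE_777 = """\
# file: home/project/
# owner: student
# group: users
user::rwx
user:instructor:r-x
user:natasha:rwx
group::rwx
mask::rwx
other::rwx
"""

# Constructed sample: the same ACL on the 770 directory the scenario describes.
SAMPLE_770 = SAMPLE_777.replace("other::rwx", "other::---")


def perm_bits(s):
    """'r-x' -> 5 (rwx as the usual 4/2/1 bits)."""
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)


def perm_str(bits):
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")


def parse_getfacl(text):
    """Parse one getfacl listing into a dict of entries."""
    acl = {"owner": None, "group": None, "user_obj": 0, "group_obj": 0,
           "other": 0, "mask": None, "users": {}, "groups": {}}
    for raw in text.splitlines():
        m = re.match(r"# (owner|group): (\S+)", raw)
        if m:
            acl[m.group(1)] = m.group(2)
            continue
        line = raw.split("#", 1)[0].strip()  # drops "# file:" and "#effective:" notes
        if not line or line.startswith("getfacl:"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        bits = perm_bits(perms)
        if tag == "user":
            if qualifier:
                acl["users"][qualifier] = bits
            else:
                acl["user_obj"] = bits
        elif tag == "group":
            if qualifier:
                acl["groups"][qualifier] = bits
            else:
                acl["group_obj"] = bits
        elif tag == "mask":
            acl["mask"] = bits
        elif tag == "other":
            acl["other"] = bits
    return acl


def _masked(bits, mask):
    return bits if mask is None else bits & mask


def effective_perms(acl, user, groups=()):
    """Effective rwx for `user` whose group memberships are `groups`.
    Order follows acl(5): owner, named user, owning/named groups, other;
    only the middle two classes are filtered through the mask."""
    if user == acl["owner"]:
        return perm_str(acl["user_obj"])
    if user in acl["users"]:
        return perm_str(_masked(acl["users"][user], acl["mask"]))
    matching = [acl["group_obj"]] if acl["group"] in groups else []
    matching += [b for g, b in acl["groups"].items() if g in groups]
    if matching:
        bits = 0
        for b in matching:
            bits |= _masked(b, acl["mask"])  # a bit is granted if any matching entry has it
        return perm_str(bits)
    return perm_str(acl["other"])


def chmod_group(acl, perms):
    """Model `chmod g=<perms>`: with an extended ACL the group triplet of the
    mode is the mask, so chmod rewrites the mask rather than group::."""
    new = dict(acl)
    new["mask" if acl["mask"] is not None else "group_obj"] = perm_bits(perms)
    return new


if __name__ == "__main__":
    for label, text in (("777", SAMPLE_777), ("770", SAMPLE_770)):
        acl = parse_getfacl(text)
        print("mode", label, "natasha", effective_perms(acl, "natasha", ("natasha",)),
              "instructor", effective_perms(acl, "instructor", ("instructor",)),
              "mallory", effective_perms(acl, "mallory", ("mallory",)))
    capped = chmod_group(parse_getfacl(SAMPLE_770), "r-x")
    print("after chmod g=rx: natasha", effective_perms(capped, "natasha", ("natasha",)))
```

    On the 777 listing every user, including mallory, ends up with rwx; on the 770 variant mallory gets nothing and only the named entries open the directory. After chmod g=rx the mask drops to r-x and natasha's effective permissions fall with it, which is exactly the interaction that makes ACL-heavy trees hard to reason about.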

     

     

     

     3. Enable ACL support

    ACL entries can be set for users or for groups. To use ACLs, the file system must support them; the standard ext2/ext3/ext4 file systems do. On RHEL 6 the file systems created by the installer are mounted with ACL support by default, but a partition you format and mount yourself is not necessarily mounted with it, so check the active mount options before relying on ACLs there. You can enable ACL support with the "-o acl" option when mounting the file system.

    For example, mount the /dev/sdb1 partition on the /home directory with ACL support enabled. After the file system is mounted, run mount to verify that the acl option is active:

     

    [root@localhost ~]# mount -o acl /dev/sdb1 /home

    [root@localhost ~]# mount | grep home

    /dev/sdb1 on /home type ext4 (rw,acl)

     

    To have ACL support enabled automatically at boot, add the acl option to the partition's line in /etc/fstab:

     

    [root@localhost ~]# vim /etc/fstab

    /dev/sdb1 /home ext4 defaults,acl 0 0

     

     

     4. Notes on configuring ACL

    ACLs add permissions on top of the mode bits and are meant for fine-tuning, not for expressing the bulk of a system's access policy. Set the base permissions with chmod and chown and use ACLs only for the exceptions; a tree where most access lives in ACL entries is hard to maintain and audit, because ls shows nothing but a trailing "+" and every file has to be inspected with getfacl.

    Therefore, when you set permissions in a production environment, first set the overall permissions with chmod and chown, then add detailed ACL entries as needed. Keep in mind that a later chmod of the group bits rewrites the mask and with it the effective permissions of every named entry, so re-check with getfacl after any chmod on a file that carries an ACL.
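    Since ls only shows the trailing "+" and getfacl has to be run per file, finding where ACLs have crept in is a real maintenance task. The Python script below is an added example, not from the original article: it reads the raw system.posix_acl_access and system.posix_acl_default extended attributes with os.getxattr and decodes them using the on-disk layout from the kernel's posix_acl_xattr.h (a little-endian u32 version 2 followed by 8-byte entries of u16 tag, u16 perm, u32 id), so it needs no acl package. The sample blob, assuming uid 1001 for natasha and 1002 for instructor, is constructed here; the scan of a freshly created temporary tree is expected to find nothing.

```python
"""Find files and directories carrying an extended POSIX ACL by reading the
raw system.posix_acl_access / system.posix_acl_default xattrs with os.getxattr.
Added example, not from the original article; it needs no acl package.
Wire format assumed from <linux/posix_acl_xattr.h>: a little-endian u32
version (2) followed by 8-byte entries (u16 tag, u16 perm, u32 id)."""
import errno
import os
import shutil
import struct
import tempfile

ACL_VERSION = 0x0002
UNDEFINED_ID = 0xFFFFFFFF
# Tag values from <linux/posix_acl.h>
TAG_NAMES = {0x01: "user", 0x02: "user", 0x04: "group", 0x08: "group",
             0x10: "mask", 0x20: "other"}
NAMED_TAGS = {0x02, 0x08}  # ACL_USER / ACL_GROUP: the id field is meaningful
# "no such ACL" and "file system without ACL support" are not errors for an audit
SKIP_ERRNOS = {getattr(errno, n, None) for n in ("ENODATA", "ENOTSUP", "EOPNOTSUPP")}


def perm_str(bits):
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def parse_acl_xattr(blob):
    """Decode an ACL xattr blob into (tag, uid/gid or None, 'rwx') tuples."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError("malformed ACL xattr (%d bytes)" % len(blob))
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != ACL_VERSION:
        raise ValueError("unsupported ACL xattr version %#x" % version)
    entries = []
    for off in range(4, len(blob), 8):
        tag, perm, ident = struct.unpack_from("<HHI", blob, off)
        entries.append((TAG_NAMES[tag], ident if tag in NAMED_TAGS else None, perm_str(perm)))
    return entries


def is_extended(entries):
    """A minimal ACL (user::, group::, other::) only mirrors the mode bits;
    named entries or a mask make it an extended ACL, the kind ls marks '+'."""
    return any(tag == "mask" or ident is not None for tag, ident, _ in entries)


def read_acl(path, kind="access"):
    """Parsed entries of the access or default ACL, or None if there is none
    (ENODATA) or the file system has no ACL support (ENOTSUP)."""
    getxattr = getattr(os, "getxattr", None)  # Linux only
    if getxattr is None:
        return None
    try:
        blob = getxattr(path, "system.posix_acl_" + kind, follow_symlinks=False)
    except OSError as exc:
        if exc.errno in SKIP_ERRNOS:
            return None
        raise
    return parse_acl_xattr(blob)


def find_acl_files(root):
    """Walk root; report extended access ACLs and every default ACL (default
    ACLs are inherited by new files, so even a minimal one is worth knowing)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            acc = read_acl(path, "access")
            if acc and is_extended(acc):
                hits.append((path, "access", acc))
            if os.path.isdir(path):
                dflt = read_acl(path, "default")
                if dflt:
                    hits.append((path, "default", dflt))
    return hits


# Constructed sample: the article's ACL on /home/project as the kernel would
# store it, assuming uid 1001 for natasha and 1002 for instructor.
SAMPLE_BLOB = struct.pack("<I", ACL_VERSION) + b"".join(
    struct.pack("<HHI", tag, perm, ident) for tag, perm, ident in (
        (0x01, 7, UNDEFINED_ID),  # user::rwx
        (0x02, 7, 1001),          # user:natasha:rwx
        (0x02, 5, 1002),          # user:instructor:r-x
        (0x04, 7, UNDEFINED_ID),  # group::rwx
        (0x10, 7, UNDEFINED_ID),  # mask::rwx
        (0x20, 7, UNDEFINED_ID),  # other::rwx
    ))
# Constructed sample: a plain mode 750 file, i.e. a minimal ACL with no '+'.
MINIMAL_BLOB = struct.pack("<I", ACL_VERSION) + b"".join(
    struct.pack("<HHI", tag, perm, UNDEFINED_ID) for tag, perm in
    ((0x01, 7), (0x04, 5), (0x20, 0)))


def scan_fresh_tempdir():
    """Create a small tree under the temp dir and scan it; with no default ACL
    on the temp dir this returns []."""
    root = tempfile.mkdtemp(prefix="aclscan-")
    try:
        os.mkdir(os.path.join(root, "sub"))
        open(os.path.join(root, "sub", "file"), "w").close()
        return find_acl_files(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for entry in parse_acl_xattr(SAMPLE_BLOB):
        print(entry)
    print("extended:", is_extended(parse_acl_xattr(SAMPLE_BLOB)))
    for path, kind, entries in find_acl_files("."):
        print(kind, path, entries)
```

    Run it against /home (or any tree you hand out with ACLs) as a periodic check; each hit lists the numeric uids and gids, which can be resolved with pwd.getpwuid and grp.getgrgid if names are wanted.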

     
