Home > Developer > Linux

ACL for Advanced file permissions in Linux

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

ACL (Access Control List) is the Access Control List. The rwx permission is set in detail for a single user, a single file or directory. Users, groups, and default attribute masks can be set. ACL is an additional function supported by Linux system permissions and must be supported by the file system, such as ReiserFS, EXT2, EXT3, EXT4, JFS, and XFS. * ACL:

  1. [Root @ rhel6 ~] # Mount-o acl/dev/iscsi/sharedisk/data/
  2. [Root @ rhel6 ~] # Mount | grep sharedisk
  3. /Dev/mapper/iscsi-sharedisk on/data type ext4 (rw, acl)
  5. Note: If you use the tune2fs command to enable the partition ACL function, you cannot use the mount command.
  6. [Root @ rhel6 ~] # Tune2fs-o acl/dev/iscsi/sharedisk
  7. [Root @ rhel6 ~] # Tune2fs-l/dev/iscsi/sharedisk | grep-I "default mount option"
  8. Default mount options: acl
  9. [Root @ rhel6 ~] # Umount/data/
  10. [Root @ rhel6 ~] # Mount/dev/iscsi/sharedisk/data/
  11. [Root @ rhel6 ~] # Mount | grep sharedisk
  12. /Dev/mapper/iscsi-sharedisk on/data type ext4 (rw)
ACL-related setting command getfacl: obtains the ACL settings of a file or directory. setfac: sets ACL settings for files or directories. chacl: Same as setfacl. It is also used to set ACL settings (not commonly used ).
  1. [Root @ rhel6 data] # setfacl -- help
  2. Setfacl 2.2.49 -- set file access control lists
  3. Usage: setfacl [-bkndRLP] {-m |-M |-x |-X...} file...
  4. -M, -- modify = acl: changes the ACL rules of files or directories.
  5. -M, -- modify-file = file: Read ACL settings from a file and modify the ACL rules of the current file or directory as a template.
  6. -X, -- remove = acl: delete a specified ACL rule for a file or directory.
  7. -X, -- remove-file = file Read ACL settings from a file and delete the ACL rules of the current file or directory as a template
  8. -B, -- remove-all Delete all ACL rules of a file or directory
  9. -K, -- remove-default delete default ACL rules for files or directories
  10. -- Set = acl: sets the ACL rules for the current file.
  11. -- Set-file = file: Read ACL rules from a file to set ACL rules for the current file or directory
  12. -- The mask recalculates valid permissions, even if the ACL mask is explicitly specified
  13. -N, -- no-mask do not recalculate valid permissions. By default, setfacl recalculates the ACL mask, unless the mask is explicitly formulated.
  14. -D, -- default: Set the default ACL rules for the directory (only valid for the Directory)
  15. -R, -- recursive Processing
  16. -L, -- logical walk, follow symbolic links
  17. -P, -- physical walk, do not follow symbolic links
  18. -- Restore = file restore ACLs (inverse of 'getfacl-R ')
  19. -- Test mode (ACLs are not modified)

Note: If the ACL is set for a directory or file, a "+" number will appear at the last digit of the attribute. To view the exact permissions of the file or directory group, use the getfacl command.

 
  1. Directory:
  2. [Root @ rhel6 data] # mkdir acl_dir
  3. [Root @ rhel6 data] # ll-d acl_dir
  4. Drwxr-xr-x. 2 root 1024 Mar 24 :29 acl_dir/
  5. [Root @ rhel6 data] # getfacl acl_dir/
  6. # File: acl_dir
  7. # Owner: root "Basic Rules"
  8. # Group: root
  9. User: rwx
  10. Group: r-x "Default rule"
  11. Other: r-x
  13. [Root @ rhel6 data] # su-user1
  14. [User1 @ rhel6 ~] $ Touch/data/acl_dir/acl_user1
  15. Touch: cannot touch '/data/acl_dir/acl_user1': Permission denied // The user of user1 has no write Permission on the acl_dir directory and cannot create files
  16. [User1 @ rhel6 ~] $ Exit
  17. [Root @ rhel6 data] # setfacl-m u: user1: rwx acl_dir // grant user1 the permission to read and write the acl_dir directory.
  18. [Root @ rhel6 data] # getfacl -- all-valid tive acl_dir/
  19. # File: acl_dir
  20. # Owner: root
  21. # Group: root
  22. User: rwx
  23. User: user1: rwx # valid tive: rwx
  24. Group: r-x # valid tive: r-x
  25. Mask: rwx
  26. Other: r-x
  27. [Root @ rhel6 data] # su-user1
  28. [User1 @ rhel6 ~] $ Touch/data/acl_dir/acl_user1 // the file can be created successfully.
  29. [User1 @ rhel6 ~] $ Ll-d/data/acl_dir // a "+" is added to the directory attribute of acl_dir"
  30. Drwxr-xr-x + 2 root 1024 Mar 24/data/acl_dir/
  31. Note: The executable permission must be granted to the directory; otherwise, the directory cannot be cd-ed.
  33. File:
  34. [Root @ rhel6 data] # touch acl_file
  35. [Root @ rhel6 data] # getfacl acl_file
  36. # File: acl_file
  37. # Owner: root
  38. # Group: root
  39. User: rw-
  40. Group: r --
  41. Other: r --
  42. [Root @ rhel6 data] # su-user1
  43. [User1 @ rhel6 ~] $ Echo "access test">/data/acl_file
  44. -Bash:/data/acl_file: Permission denied // user1 the user does not have the write Permission on the acl_file file.
  46. [Root @ rhel6 data] # setfacl-m u: user1: rw acl_file // grant user1 the read and write permissions on the acl_file file.
  47. [Root @ rhel6 data] # getfacl -- all-valid tive acl_file
  48. # File: acl_file
  49. # Owner: root
  50. # Group: root
  51. User: rw-
  52. User: user1: rw-# valid tive: rw-
  53. Group: r -- # valid tive: r --
  54. Mask: rw-
  55. Other: r --
  57. [Root @ rhel6 data] # su-user1
  58. [User1 @ rhel6 ~] $ Echo "access test">/data/acl_file // The acl_file file can be successfully written.
  59. [User1 @ rhel6 data] $ cat acl_file
  60. Access test
  62. [User1 @ rhel6 ~] $ Ll/data/
  63. Total 16
  64. Drwxrwxr-x + 2 root 1024 Mar 24 10:33 acl_dir
  65. -Rw-r -- + 1 root 12 Mar 24 10:39 acl_file
  66. Drwx ------. 2 root 12288 Mar 24 10:24 lost + found
  68. Mask:
  69. [Root @ rhel6 data] # setfacl-m: r acl_dir/
  70. [Root @ rhel6 data] # getfacl acl_dir/
  71. # File: acl_dir
  72. # Owner: root
  73. # Group: root
  74. User: rwx
  75. User: user1: rwx # valid tive: r --
  76. Group: r-x
  77. Mask: r --
  78. Other: r-x
  80. [Root @ rhel6 data] # su-user1
  81. [User1 @ rhel6 data] $ cd acl_dir/
  82. -Bash: cd: acl_dir/: Permission denied
  84. Because the user1 user does not have the x permission on this directory, this directory cannot be accessed even though we have granted the ACL settings of user1 user rwx.
  85. The final permission is controlled by the mask and must be within the mask. Otherwise, the permissions assigned to the mask are invalid.
 
  1. [Root @ rhel6 data] # mkdir dir
  2. [Root @ rhel6 data] # setfacl-d-m u: user1: rwx dir // make all files and directories under the dir/directory inherit the ACL settings of the dir/directory
  3. [Root @ rhel6 data] # getfacl dir/
  4. # File: dir/
  5. # Owner: root
  6. # Group: root
  7. User: rwx
  8. Group: r-x
  9. Other: r-x
  10. Default: user: rwx
  11. Default: user: user1: rwx
  12. Default: group: r-x
  13. Default: mask: rwx
  14. Default: other: r-x
  16. [Root @ rhel6 data] # touch dir/test
  17. [Root @ rhel6 data] # The user1 file created in the getfacl dir/test // dir directory also has the rwx permission.
  18. # File: dir/test
  19. # Owner: root
  20. # Group: root
  21. User: rw-
  22. User: user1: rwx # valid tive: rw-
  23. Group: r-x # valid tive: r --
  24. Mask: rw-
  25. Other: r --
  27. [Root @ rhel6 data] # setfacl-x u: user1 acl_file // remove the ACL settings of user1 in acl_file
  28. [Root @ rhel6 data] # getfacl acl_file
  29. # File: acl_file
  30. # Owner: root
  31. # Group: root
  32. User: rw-
  33. Group: r --
  34. Mask: r --
  35. Other: r --
  36. [Root @ rhel6 data] # ll acl_file
  37. -Rw-r -- + 1 root 12 Mar 24 acl_file // The "+" of the file attribute still exists.
  40. [Root @ rhel6 data] # setfacl-B acl_file // remove all ACL settings in acl_file
  41. [Root @ rhel6 data] # getfacl acl_file
  42. # File: acl_file
  43. # Owner: root
  44. # Group: root
  45. User: rw-
  46. Group: r --
  47. Other: r --
  48. [Root @ rhel6 data] # ll acl_file
  49. -Rw-r --. 1 root 12 Mar 24 acl_file // The "+" of the file attribute has been restored "."
  51. [Root @ rhel6 data] # getfacl dir/> acl. bak // export the ACL settings of the dir directory
  52. [Root @ rhel6 data] # setfacl -- set-file = acl. bak acl_dir // import ACL settings to the acl_dir directory
  53. [Root @ rhel6 data] # getfacl acl_dir/
  54. # File: acl_dir/
  55. # Owner: root
  56. # Group: root
  57. User: rwx
  58. Group: r-x
  59. Other: r-x
  60. Default: user: rwx
  61. Default: user: user1: rwx
  62. Default: group: r-x
  63. Default: mask: rwx
  64. Default: other: r-x

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
ftp file permissions linux linux file permissions chmod linux get file permissions change permissions file linux edit file permissions linux display file permissions linux file permissions linux 777
Related Article
Linux Kernel Coding Style
Linux error--->export ' = ' not a valid identifier for gen...

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More