In the previous two posts, Linux user management (the configuration files behind users and groups: the user information file /etc/passwd, the user password file /etc/shadow, the group information file /etc/group and the group password file /etc/gshadow, plus the user's home directory and the user template directory) and Linux user and group management commands (creating, modifying and viewing users and groups, and the switch-user command su), we finished user management. We now move on to Linux rights management, and this post covers ACL permissions.
1. What are ACL permissions?
Consider the following scenario:
A Linux expert, Daniel, gives a live lesson on Linux rights management in a QQ group. Afterwards he creates a /project directory on a shared Linux system to hold the after-class reference material. Daniel is the owner of /project and has read, write and execute (rwx) permission; all users in the QQ group are placed in one group, which also gets rwx; anyone outside the QQ group gets no access to /project at all. So the owner and the owning group of /project have rwx, and others have no permissions.
Now the problem: someone who watched the live session but is not in the QQ group wants to visit /project afterwards to read the material, but must not be able to modify it, i.e. he should have r-x. How do we arrange that? A file can belong to only one group. If we put this visitor into the QQ group's group, he gets write permission, which is not allowed. If we treat him as "others" on /project and change the others permission to r-x, then everyone who is not a member, not just this visitor, can access /project, which is also not allowed. How do we solve this?
Think of how permissions are assigned to a file on a Windows system:
If we want a particular user to lack a particular permission, we simply do not grant that user that permission on the directory. Linux works the same way: we grant a specified user specified permissions on a specified directory, and that is ACL permission assignment.
2. Check whether ACL permissions are enabled on the partition: dumpe2fs
To check whether a file (in Linux a directory is also a file; everything is a file) supports ACL permissions, first check whether the partition holding the file supports them.
① See which partitions the system has:
df -h
② View the detailed information of a specified partition:
dumpe2fs -h partition-path
Here is the detailed information of the root partition /.
3. Turn on ACL permissions for the partition
① Temporarily turn on partition ACL permissions
mount -o remount,acl /
This remounts the root partition with the acl mount option added. Note that this only lasts until the next reboot: after the system restarts, the root partition returns to its original mount options.
② Permanently turn on partition ACL permissions
First, modify the configuration file /etc/fstab.
The following /etc/fstab line gives the root partition ACL permissions:
UUID=490ed737-f8cf-46a6-ac4b-b7735b79fc63 / ext4 defaults,acl 1 1
Second, remount the file system or restart the system so that the change takes effect:
mount -o remount /
4. Set ACL permissions: setfacl [options] filename
① Set ACL permissions for a user:
setfacl -m u:username:permissions filename
② Set ACL permissions for a user group:
setfacl -m g:groupname:permissions filename
Note: the ACL permissions we set for a user or group are not that user's actual permissions. The actual permissions are the permissions we set ANDed with the mask permissions. By default the mask is rwx, so the effective permissions equal the permissions we set. The mask is explained in detail below.
Example: the owner root creates the directory /project under the root directory, creates a group for the QQ group members, and creates two users in that group, zhangsan and lisi. The permissions of /project for owner, group and others are set to 770.
Next we create an audit user pt and give it ACL permission r-x on /project.
To verify that pt has no write permission on /project, switch to pt with su, enter /project and try to create a file there:
The "Permission denied" message shows that the ACL permission was applied successfully. Note that a directory or file whose permission string ends with a + flag in ls -l has ACL permissions.
5. View ACL permissions: getfacl filename
6. Maximum effective permissions: mask
As mentioned in section 4, the ACL permissions we give a user or group are not their true permissions: the true permissions are the permissions we set ANDed with the mask permissions. By default the mask is rwx, so the effective permissions equal the permissions we set.
The mask permissions can also be seen with getfacl filename. To set the mask:
setfacl -m m:permissions filename
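The rule from sections 4 and 6 (true permissions = set permissions AND mask) can be checked with a few lines of bash. This is an added example, not code from the post: it works on a constructed getfacl listing embedded in the script, never calls getfacl itself, and the names perm_and and effective_perms are chosen here. It also shows the part the note leaves out: the mask caps the owning-group entry (group::) as well as named users and groups, while the owner (user::) and other:: entries are never masked.

```shell
#!/bin/bash
# Added example (not from the original post): apply the ACL mask to each entry
# of a getfacl listing and print "entry effective". Runs offline on the
# constructed sample below; perm_and and effective_perms are names chosen here.
set -eu

# Constructed sample of what `getfacl /project` prints after
#   setfacl -m u:pt:rx /project
#   setfacl -m m:r   /project
SAMPLE_ACL='# file: project
# owner: root
# group: qqgroup
user::rwx
user:pt:r-x
group::rwx
mask::r--
other::---'

# perm_and r-x r-- -> r--  : keep a bit only if it is set in both strings
perm_and() {
    local a="$1" b="$2" out="" i
    for i in 0 1 2; do
        if [ "${a:$i:1}" != "-" ] && [ "${a:$i:1}" = "${b:$i:1}" ]; then
            out+="${a:$i:1}"
        else
            out+="-"
        fi
    done
    printf '%s\n' "$out"
}

# Print "<entry> <effective>" for every entry in a getfacl listing ($1).
# Named users, named groups and the owning group are ANDed with the mask;
# owner (user::), other:: and the mask line itself are passed through unchanged.
effective_perms() {
    local acl="$1" mask kind name perms
    mask="$(printf '%s\n' "$acl" | awk -F: '$1 == "mask" {print $3}')"
    printf '%s\n' "$acl" | grep -v '^#' | while IFS=: read -r kind name perms; do
        case "$kind:$name" in
            user:|other:|mask:)
                printf '%s:%s:%s %s\n' "$kind" "$name" "$perms" "$perms" ;;
            *)
                printf '%s:%s:%s %s\n' "$kind" "$name" "$perms" "$(perm_and "$perms" "$mask")" ;;
        esac
    done
}

effective_perms "$SAMPLE_ACL"
```

With the sample above, user:pt:r-x and group::rwx both come out as r--, which is exactly the "#effective:r--" annotation getfacl prints next to a masked entry; setting the mask back to rwx (setfacl -m m:rwx) restores the permissions that were set.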
7. Remove ACL permissions
① Remove the ACL permissions of a specified user:
setfacl -x u:username filename
② Remove the ACL permissions of a specified user group:
setfacl -x g:groupname filename
③ Remove all ACL permissions of a file:
setfacl -b filename
8. Recursive ACL permissions
Adding the -R option sets ACL permissions recursively on a directory: all subdirectories and files inside it receive the same ACL permissions.
setfacl -m u:username:permissions -R filename
9. Default ACL permissions
If default ACL permissions are set on a parent directory, every new file created inside it inherits the parent's ACL permissions.
setfacl -m d:u:username:permissions filename
10. Summary
This post introduced ACL permissions in rights management. With ACL permissions we can give a particular user specific permissions on a particular file, which is used quite often in real-world rights management.
Linux Series Tutorials (16): ACL permissions for Linux rights management