Introduction to ACL (access control list) in CentOS

Source: Internet
Author: User
In Linux, traditional permission management combines three identities (owner, owning group and others), three permissions (read, write and execute) and three special permission bits (SUID, SGID, SBIT) to protect the system. As businesses and requirements grow, this single model can no longer meet the permission-control needs of today's more complex environments.

For example: suppose there is a /data directory. Members of group A must be able to write to it, members of group B may only read it, and members of group C need read, write and execute permission. How can this be configured?

These requirements cannot be met with the traditional permission model alone. To solve this class of problem, Linux added a file system permission mechanism called the ACL (Access Control List). With ACLs, requirements like the one above can be met precisely.

So what is the access control list?

 

What is ACL?

ACL is the abbreviation of Access Control List. Its purpose is to provide finer-grained permission settings on top of the traditional three identities and three permissions. According to the official manual, it mainly controls permissions for individual users, user groups and the mask.
In simple terms, an ACL lets you set permissions for a single user or a single user group.
ACL is an add-on to the Unix-like permission model rather than part of its core, so the file system must support it before it can be used. File systems with ACL support include ReiserFS, EXT2/EXT3/EXT4, JFS and XFS.

 

Does the file system support ACL?

Note that because ACL depends on the file system, not every file system supports it. On Windows, for example, NTFS supports ACLs while FAT32 does not. On Linux, the common file systems with ACL support are EXT2/EXT3/EXT4, JFS and XFS.

So, how can we check whether your system supports ACL?

You can perform the following operations:

  [root@lh ~]# tune2fs -l /dev/vda1 | grep options
  Default mount options:    user_xattr acl
  [root@lh ~]# dumpe2fs /dev/vda1 | grep options
  dumpe2fs 1.41.12 (17-May-2010)
  Default mount options:    user_xattr acl

Either of the two commands above will do.

If the default mount options in the output contain acl, your file system supports ACL.

If your file system does not support acl yet, or supports it but does not show it in the default mount options, what then? In that case you can add it with tune2fs, or enable it with the acl mount option when mounting.

  [root@lh ~]# tune2fs -o acl /dev/vda1
  tune2fs 1.41.12 (17-May-2010)

 

Detailed description of ACL commands

The sections above explained what ACL is and how to make the file system support it. This section covers the ACL commands.

The ACL-related commands are getfacl, setfacl and chacl; getfacl and setfacl are the ones commonly used.

  getfacl views the ACL of a file or directory; setfacl sets the ACL of a file or directory; chacl can both view and change the ACL of a file or directory. Because setfacl is the command in common use and chacl is hardly ever used, this article does not cover chacl.

Generally, getfacl is simply followed by the path of the file or directory you want to inspect:

  [root@lh ~]# getfacl /tmp
  getfacl: Removing leading '/' from absolute path names
  # file: tmp
  # owner: root
  # group: root
  # flags: --t
  user::rwx
  group::rwx
  other::rwx
  [root@lh ~]# getfacl /etc/passwd
  getfacl: Removing leading '/' from absolute path names
  # file: etc/passwd
  # owner: root
  # group: root
  user::rw-
  group::r--
  other::r--

 

setfacl is the most commonly used command and does the actual ACL setting, so it has a number of options. First, the setfacl syntax:

  setfacl [-bkRd] [{-m|-x} acl_entry] file_or_directory
  Options:
    -b : remove all ACL entries
    -k : remove the default ACL entries
    -R : apply the ACL settings recursively
    -d : set default ACL entries (directories only; files created in the directory inherit them)
    -m : set (modify) the ACL entries that follow
    -x : remove the ACL entries that follow

 

The ACL parameter consists of three parts. The structure is as follows:

  [identity]:[identity name]:[permissions]
  [u|g|o]:[user name|group name]:[rwx]
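The following is an added example, not code from the original article or from the acl package. It models how setfacl -m, -x and -b edit an ACL and, in particular, the rule the later exercises rely on: after -m or -x, unless a mask entry is given explicitly, setfacl recalculates the mask as the union of the owning-group entry and every named user or group entry. Default (d:) entries are not modelled. ACLs are plain dicts keyed the way getfacl prints them ('user:' is the owner, 'user:sunsky' a named user, 'group:' the owning group, then 'mask:' and 'other:'); the user and group names are the ones used in the article.

```python
"""Model of setfacl -m / -x / -b entry editing and mask recalculation.

Added example (not the acl package's code). Mirrors setfacl's documented
behaviour: after -m or -x the mask is recomputed as the union of the
owning-group entry and all named entries unless a mask was set explicitly.
"""

PERM_ORDER = "rwx"
TAGS = {"u": "user", "g": "group", "o": "other", "m": "mask"}


def normalize_perms(spec: str) -> str:
    """'rw' -> 'rw-', 'r' -> 'r--', '---' -> '---'."""
    wanted = set(spec.replace("-", ""))
    if not wanted <= set(PERM_ORDER):
        raise ValueError(f"bad permission spec: {spec!r}")
    return "".join(c if c in wanted else "-" for c in PERM_ORDER)

def union_perms(*perms: str) -> str:
    """Bitwise OR of 'rwx'-style strings."""
    return "".join(c if any(p[i] == c for p in perms) else "-"
                   for i, c in enumerate(PERM_ORDER))

def triple(bits: int) -> str:
    """Octal digit -> 'rwx' string, e.g. 6 -> 'rw-'."""
    return "".join(c if bits & (4 >> i) else "-" for i, c in enumerate(PERM_ORDER))

def acl_from_mode(mode: int) -> dict:
    """Minimal ACL equivalent to traditional mode bits (chmod 600 -> rw-, ---, ---)."""
    return {"user:": triple(mode >> 6 & 7), "group:": triple(mode >> 3 & 7),
            "other:": triple(mode & 7)}

def parse_entry(spec: str) -> tuple:
    """Parse a setfacl entry ('u:sunsky:rw', 'g:sun:r', 'm:rwx', 'o::---')
    into (getfacl-style key, normalized perms)."""
    parts = spec.split(":")
    if len(parts) == 2:                     # 'm:rwx' / 'o:---' shorthand
        parts = [parts[0], "", parts[1]]
    if len(parts) != 3 or parts[0] not in TAGS:
        raise ValueError(f"bad ACL entry: {spec!r}")
    tag, name, perms = parts
    if tag in ("o", "m") and name:
        raise ValueError(f"{TAGS[tag]} entries take no name: {spec!r}")
    return f"{TAGS[tag]}:{name}", normalize_perms(perms)

def recalc_mask(acl: dict, mask_given: bool) -> dict:
    """Keep a mask only while named entries exist; recompute it unless set explicitly."""
    named = [v for k, v in acl.items() if k.split(":", 1)[1]]
    if not named:
        acl.pop("mask:", None)              # back to a minimal ACL: no mask line
    elif not mask_given:
        acl["mask:"] = union_perms(acl["group:"], *named)
    return acl

def setfacl_modify(acl: dict, *specs: str) -> dict:
    """setfacl -m entry[,entry...]: add or replace entries, then recalculate the mask."""
    acl = dict(acl)
    mask_given = False
    for spec in specs:
        key, perms = parse_entry(spec)
        acl[key] = perms
        mask_given = mask_given or key == "mask:"
    return recalc_mask(acl, mask_given)

def setfacl_remove(acl: dict, *specs: str) -> dict:
    """setfacl -x u:name / g:name: drop named entries, then recalculate the mask."""
    acl = dict(acl)
    for spec in specs:
        tag, name = (spec.split(":") + [""])[:2]
        acl.pop(f"{TAGS[tag]}:{name}", None)
    return recalc_mask(acl, False)

def setfacl_remove_all(acl: dict) -> dict:
    """setfacl -b: keep only the owner, owning-group and other entries."""
    return {k: v for k, v in acl.items() if k in ("user:", "group:", "other:")}

def render(acl: dict) -> str:
    """Entries in getfacl order: user::, named users, group::, named groups, mask::, other::."""
    named_users = sorted(k for k in acl if k.startswith("user:") and k != "user:")
    named_groups = sorted(k for k in acl if k.startswith("group:") and k != "group:")
    order = ["user:", *named_users, "group:", *named_groups]
    if "mask:" in acl:
        order.append("mask:")
    order.append("other:")
    return "\n".join(f"{k}:{acl[k]}" for k in order)


if __name__ == "__main__":
    acl = acl_from_mode(0o600)                  # chmod 600 test
    acl = setfacl_modify(acl, "u:sunsky:rw")    # exercise 1 below: mask becomes rw-
    acl = setfacl_modify(acl, "g:sun:r")        # exercise 2 below: mask stays rw-
    print(render(acl))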

 

 

Worked exercises

Let's work through several exercises to learn the ACL operations.

In the /mnt directory there are a file test and a directory dir. Both have mode 600, and their owner and owning group are root.

  [root@lh mnt]# touch test
  [root@lh mnt]# mkdir dir
  [root@lh mnt]# chmod 600 test
  [root@lh mnt]# chmod 600 dir
  [root@lh mnt]# ll
  total 4
  drw-------. 2 root root 4096 Jul  4 dir
  -rw-------. 1 root root    0 Jul  4 :56 test

 

The following requirements must be met:

1. Add an ACL entry to the file test so that user sunsky can read and write it

  [root@lh mnt]# setfacl -m u:sunsky:rw test
  [root@lh mnt]# getfacl test
  # file: test
  # owner: root
  # group: root
  user::rw-
  user:sunsky:rw-
  group::---
  mask::rw-
  other::---
  [root@lh mnt]# su - sunsky        # switch to the sunsky user and test
  Wellcome to Linux World
  [sunsky@lh ~]$ echo 1 > /mnt/test  # the write clearly succeeds
  [sunsky@lh ~]$ cat /mnt/test
  1

 

2. Add an ACL entry to the file test so that all users in group sun can read it

  [root@lh mnt]# setfacl -m g:sun:r test
  [root@lh mnt]# getfacl test
  # file: test
  # owner: root
  # group: root
  user::rw-
  user:sunsky:rw-
  group::---
  group:sun:r--
  mask::rw-
  other::---
  [root@lh mnt]# su - sun
  Wellcome to Linux World
  [sun@lh ~]$ cat /mnt/test         # the content of test is clearly readable
  1
  [sun@lh ~]$ echo 2 > /mnt/test    # group sun was given no write permission, so it cannot modify the file
  -bash: /mnt/test: Permission denied

 

3. Add an ACL entry to the directory dir so that all users in group sun can read, write and execute (enter) it

  [root@lh mnt]# setfacl -m g:sun:rwx dir
  [root@lh mnt]# getfacl dir
  # file: dir
  # owner: root
  # group: root
  user::rw-
  group::---
  group:sun:rwx
  mask::rwx
  other::---
  [root@lh mnt]# su - sun           # switch to the sun user and test
  [sun@lh ~]$ echo "date" > /mnt/dir/date.sh
  [sun@lh ~]$ bash /mnt/dir/date.sh
  Fri Jul  4 18:01:48 CST 2014

 

4. Remove the ACL entry for group sun from the file test

  [root@lh mnt]# setfacl -x g:sun test
  [root@lh mnt]# getfacl test
  # file: test
  # owner: root
  # group: root
  user::rw-
  user:sunsky:rw-
  group::---
  mask::rw-
  other::---

 

5. Remove all ACL entries from the directory dir

  [root@lh mnt]# setfacl -b dir
  [root@lh mnt]# getfacl dir
  # file: dir
  # owner: root
  # group: root
  user::rw-
  group::---
  other::---

 

6. Add a default ACL to the directory dir so that every file or directory newly created under dir can, by default, be read and written by user sunsky

  [root@lh mnt]# setfacl -m d:u:sunsky:rwx dir
  [root@lh mnt]# getfacl dir
  # file: dir
  # owner: root
  # group: root
  user::rw-
  group::---
  other::---
  default:user::rw-
  default:user:sunsky:rwx
  default:group::---
  default:mask::rwx
  default:other::---
  [root@lh mnt]# touch /mnt/dir/sunsky
  [root@lh mnt]# getfacl /mnt/dir/sunsky
  getfacl: Removing leading '/' from absolute path names
  # file: mnt/dir/sunsky
  # owner: root
  # group: root
  user::rw-
  user:sunsky:rwx          #effective:rw-
  group::---
  mask::rw-
  other::---

In the sixth exercise we find an extra annotation, #effective:rw-, after the entry user:sunsky:rwx. Why? Switch to user sunsky and see whether it can execute the file.

  [root@lh mnt]# su - sunsky
  Wellcome to Linux World
  [sunsky@lh ~]$ bash /mnt/dir/sunsky
  bash: /mnt/dir/sunsky: Permission denied

Clearly, although setfacl granted sunsky read, write and execute permission by default on new files in the dir directory, sunsky still has no execute permission. Why?

The output contains an extra item, #effective:rw-. Where does it come from?

The effective permission is rw-, and it is determined by the mask shown in the output. But we never set a mask, so why does it default to rw-? This is the point at which to introduce the mask.

The mask limits the permissions of every entry other than the owner and others, that is, named users, named groups and the owning group; it is the highest permission those entries can actually have.
If an entry's configured permission conflicts with the mask, the permission the entry actually gets is the intersection of the two, which getfacl reports as #effective.
Once an object has an ACL, the group permission shown by the traditional mode bits becomes the mask permission rather than the original owning-group permission. If the file's owning-group permission was originally empty, then after you set a mask the group permission displayed is likewise the mask's permission.
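The following is an added example, not code from the original article or from the acl package. It models the three things the sixth exercise turns on: how a file created in a directory with a default ACL gets its initial entries (the default ACL is copied and its owner, mask and other entries are intersected with the mode bits the creating call requested, 0666 for touch, which is why the file ends up with mask::rw- although nobody set one), how the mask produces the #effective permission, and how the POSIX ACL access check decides whether sunsky may execute the file. The default ACL dict is constructed from the getfacl output of the sixth exercise; the fix modelled at the end, setting the mask on the file itself, is an assumption about what the later recursive repair does.

```python
"""Model of POSIX ACL evaluation: default-ACL inheritance at file creation,
the mask, getfacl's '#effective:' annotation and the access-check algorithm.

Added example (not the acl package's code). ACL dicts use getfacl's keys:
'user:' owner, 'user:sunsky' named user, 'group:' owning group, 'mask:', 'other:'.
"""

PERM_ORDER = "rwx"


def and_perms(a: str, b: str) -> str:
    """Intersection of two 'rwx'-style strings."""
    return "".join(c if a[i] == c and b[i] == c else "-" for i, c in enumerate(PERM_ORDER))

def triple(bits: int) -> str:
    """Octal digit -> 'rwx' string, e.g. 6 -> 'rw-'."""
    return "".join(c if bits & (4 >> i) else "-" for i, c in enumerate(PERM_ORDER))

def grants(perms: str, want: str) -> bool:
    """True if every requested bit (a subset of 'rwx') is present in perms."""
    return all(c in perms for c in want)

def inherit_default(default_acl: dict, create_mode: int) -> dict:
    """ACL of a new object created in a directory that carries a default ACL.

    The default ACL is copied; owner, other and mask (or owning group when no
    mask exists) are intersected with the mode the creating call requested
    (0666 for touch/open, 0777 for mkdir). Named entries are copied unchanged
    and the umask is not applied, so the mask becomes that mode's group bits.
    """
    acl = dict(default_acl)
    acl["user:"] = and_perms(acl["user:"], triple(create_mode >> 6 & 7))
    acl["other:"] = and_perms(acl["other:"], triple(create_mode & 7))
    if "mask:" in acl:
        acl["mask:"] = and_perms(acl["mask:"], triple(create_mode >> 3 & 7))
    else:
        acl["group:"] = and_perms(acl["group:"], triple(create_mode >> 3 & 7))
    return acl

def effective(acl: dict, key: str) -> str:
    """Owner and other are never masked; every other entry is limited by the mask."""
    if key in ("user:", "other:", "mask:") or "mask:" not in acl:
        return acl[key]
    return and_perms(acl[key], acl["mask:"])

def render(acl: dict) -> str:
    """getfacl-style listing, adding '#effective:' where the mask cuts an entry down."""
    named_users = sorted(k for k in acl if k.startswith("user:") and k != "user:")
    named_groups = sorted(k for k in acl if k.startswith("group:") and k != "group:")
    order = ["user:", *named_users, "group:", *named_groups]
    order += ["mask:"] if "mask:" in acl else []
    order.append("other:")
    lines = []
    for k in order:
        line = f"{k}:{acl[k]}"
        if effective(acl, k) != acl[k]:
            line += f"\t\t#effective:{effective(acl, k)}"
        lines.append(line)
    return "\n".join(lines)

def check_access(acl: dict, owner: str, group: str, user: str, groups: list, want: str) -> bool:
    """POSIX 1003.1e algorithm: owner entry for the owner; else a matching named
    user; else every owning/named group entry the process belongs to, where any
    one that grants wins but a match that grants nothing denies without falling
    through to other; other only when no group entry matched at all."""
    if user == owner:
        return grants(acl["user:"], want)
    if f"user:{user}" in acl:
        return grants(effective(acl, f"user:{user}"), want)
    matched = [effective(acl, "group:")] if group in groups else []
    matched += [effective(acl, f"group:{g}") for g in groups if f"group:{g}" in acl]
    if matched:
        return any(grants(p, want) for p in matched)
    return grants(acl["other:"], want)


# Constructed from the article's sixth exercise: default ACL of /mnt/dir
# after `setfacl -m d:u:sunsky:rwx dir`.
DIR_DEFAULT_ACL = {"user:": "rw-", "user:sunsky": "rwx", "group:": "---",
                   "mask:": "rwx", "other:": "---"}

def sixth_exercise() -> dict:
    """Replay the sixth exercise on the model and return the findings."""
    new_file = inherit_default(DIR_DEFAULT_ACL, 0o666)      # touch /mnt/dir/sunsky
    # Changing the directory's own mask later edits a different object; the file
    # keeps the mask it received at creation. Assumed fix: set the mask on the
    # file itself (setfacl -m m:rwx on the file, or -R on the directory).
    fixed_file = dict(new_file, **{"mask:": "rwx"})
    return {
        "file_acl": new_file,
        "sunsky_effective": effective(new_file, "user:sunsky"),
        "exec_before": check_access(new_file, "root", "root", "sunsky", ["sunsky"], "x"),
        "exec_after": check_access(fixed_file, "root", "root", "sunsky", ["sunsky"], "x"),
    }


if __name__ == "__main__":
    result = sixth_exercise()
    print(render(result["file_acl"]))
    print("sunsky can execute before the fix:", result["exec_before"])
    print("sunsky can execute after the fix: ", result["exec_after"])
```

Running it reproduces the listing from the sixth exercise, including the user:sunsky:rwx line annotated with #effective:rw-, and shows that the access check denies execution until the file's own mask is raised to rwx.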

Now let's continue with the sixth exercise.

  [root@lh mnt]# setfacl -m m:rwx /mnt/dir/
  [root@lh mnt]# getfacl /mnt/dir/
  getfacl: Removing leading '/' from absolute path names
  # file: mnt/dir/
  # owner: root
  # group: root
  user::rw-
  group::---
  mask::rwx
  other::---
  default:user::rw-
  default:user:sunsky:rwx
  default:group::---
  default:mask::rwx
  default:other::---
  [root@lh mnt]# su - sunsky
  Wellcome to Linux World
  [sunsky@lh ~]$ bash /mnt/dir/sunsky
  bash: /mnt/dir/sunsky: Permission denied

 

Strange: the mask has been changed to rwx and no #effective annotation appears any more, yet sunsky still cannot execute the file. Why?

Now let's take a look at the ACL permission of the/mnt/dir/sunsky file.

  [root@lh mnt]# getfacl /mnt/dir/sunsky
  getfacl: Removing leading '/' from absolute path names
  # file: mnt/dir/sunsky
  # owner: root
  # group: root
  user::rw-
  user:sunsky:rwx          #effective:rw-
  group::---
  mask::rw-
  other::---

On inspection we find that in the file /mnt/dir/sunsky the entry for sunsky still shows #effective:rw-. Why?

It turns out that the mask we changed on /mnt/dir applies to the directory itself and to files created in it afterwards. /mnt/dir/sunsky already existed, and its own mask had already been fixed at creation time by the traditional permission (umask) mechanism, so it already carried its own group-class permission and the directory's new mask does not reach it. We can therefore use the -R recursive option mentioned above to change the mask of every file under /mnt/dir as well.

  [root@lh mnt]# su - sunsky
  Wellcome to Linux World
  [sunsky@lh ~]$ echo date > /mnt/dir/sunsky
  [sunsky@lh ~]$ bash /mnt/dir/sunsky
  Fri Jul  4 18:32:11 CST 2014

The above covers the routine administration operations of setfacl. Once you have mastered them, you should have no trouble using ACLs in future.
