ACLs (Access Control Lists) extend the traditional owner/group/others read, write and execute permission model: an ACL entry can grant r, w or x to a single user or group on a specific file or directory. This is useful in situations that call for special permissions, for example a file that one particular user must not be able to access.
ACLs are managed with two commands:
getfacl: get the ACL settings of a file or directory
setfacl: set the ACL settings of a file or directory
setfacl parameters:
-m: set (modify) the ACL entries that follow
-x: remove the ACL entries that follow
-b: remove all ACL entries
-k: remove the default ACL entries
-R: apply recursively, including subdirectories
-d: set the default ACL
Example: create a file /test, change its permissions to 777, and view its default ACL settings.
[root@host ~]# touch /test
[root@host ~]# chmod 777 /test
[root@host ~]# getfacl /test          // get the ACL permissions of a file
getfacl: Removing leading '/' from absolute path names
# file: test                          // file name
# owner: root                         // who owns the file
# group: root                         // group the file belongs to
user::rwx                             // file owner permissions
group::rwx                            // permissions of users in the same group
other::rwx                            // permissions of everyone else
You can see that others also have read, write and execute permission (try it yourself). Now we change the ACL policy so that the user code has read permission only:
[root@host ~]# setfacl -m u:code:r /test
[root@host ~]# ll /test
-rwxrwxrwx+ 1 root root ... /test     // note the "+" at the end of the permission field
Now look at the ACL properties of this file again:
[root@host ~]# getfacl /test
getfacl: Removing leading '/' from absolute path names
# file: test
# owner: root
# group: root
user::rwx
user:code:r--                         // you can see the separate r-- entry for code
group::rwx
mask::rwx
other::rwx
Note: the permissions code actually gets are not determined by the ACL entry alone; the entry is ANDed with the mask entry (mask::rwx above, which here matches the basic other::rwx bits because the file was chmod 777), i.e. rwx AND code:r-- = code:r--.
Now use the code user to test whether the file is writable.
When you try to write to the file in vim, the hint -- INSERT -- W10: Warning: Changing a readonly file appears.
Besides single users, you can also set entries for groups and the effective permission (mask). For a group the syntax is g:[group]:[rwx].
Note: the effective permission (mask) bounds the other entries: a permission granted to a user or group entry only takes effect if it lies within the permissions set in the mask.
The /test file above already gives code read permission. If we change its effective permission to write-only, the ACL permission we set no longer lies within the effective permissions, so the user code can no longer see the contents of /test.
[root@host ~]# setfacl -m m:w /test   // set the effective permissions (mask) to write-only
View the ACL properties of /test:
[root@host ~]# getfacl /test
getfacl: Removing leading '/' from absolute path names
# file: test
# owner: root
# group: root
user::rwx
user:code:r--           #effective:---
group::rwx              #effective:-w-
mask::-w-                             // you can see the effective permissions have been changed
other::rwx
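The mask rule above, worked through as an added example that is not part of the original post: it parses getfacl output, applies mask:: to the entries the way the kernel does, and resolves which permissions a given user ends up with. The getfacl text is constructed to match /test after the mask was set to write-only.

```python
# Constructed getfacl output for /test after `setfacl -m m:w /test`, as shown in the post.
SAMPLE_GETFACL = """# file: test
# owner: root
# group: root
user::rwx
user:code:r--
group::rwx
mask::-w-
other::rwx
"""

def parse_perms(s):  # 'r--' -> frozenset({'r'})
    return frozenset(c for c in s if c in "rwx")

def fmt_perms(p):  # {'r'} -> 'r--'
    return "".join(c if c in p else "-" for c in "rwx")

def parse_getfacl(text):
    # header: file/owner/group lines; entries: 'tag:qualifier:' (e.g. 'user:code:') -> perms as written
    header, entries = {}, {}
    for line in text.splitlines():
        if line.startswith("#"):                             # '# owner: root'
            k, v = line[1:].split(":", 1)
            header[k.strip()] = v.strip()
        elif ":" in line:                                    # ACL entry; drop any '#effective:' note
            tag, qual, perms = line.split("#")[0].split(":", 2)
            entries[f"{tag}:{qual}:"] = parse_perms(perms)
    return header, entries

def effective_perms(entries):
    # Mask rule: named users, named groups and the owning group are ANDed with mask::; owner and other:: are not.
    mask, out = entries.get("mask::"), {}
    for key, perms in entries.items():
        tag, qual, _ = key.split(":")
        if mask is not None and (qual or tag == "group"):
            perms &= mask
        out[key] = fmt_perms(perms)
    return out

def access_for(text, user, groups):
    # POSIX ACL check order: owner, then named user, then owning/named groups, then other.
    header, entries = parse_getfacl(text)
    eff = effective_perms(entries)
    if user == header["owner"]:
        return eff["user::"]
    if f"user:{user}:" in eff:
        return eff[f"user:{user}:"]                          # the named entry decides, not other::
    keys = [f"group:{g}:" for g in groups] + (["group::"] if header["group"] in groups else [])
    hits = [parse_perms(eff[k]) for k in keys if k in eff]
    return fmt_perms(set().union(*hits)) if hits else eff["other::"]
```

Calling access_for(SAMPLE_GETFACL, "code", ["code"]) yields "---", matching the #effective:--- line, while putting the mask back to rwx yields "r--".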
Now view the file's contents as the code user. First write some content as root, which makes the test more intuitive:
[root@host ~]# echo "..." > /test       // write some content as root
[code@host ~]$ vim /test
"/test" [Permission Denied]           // the bottom line reports that access is denied, and no content is shown
Removing ACL permissions
[root@host ~]# setfacl -x u:code /test   // remove the entry for user code from /test
[root@host ~]# setfacl -x m /test        // remove the mask entry, restoring the effective permissions
[root@host ~]# getfacl /test
getfacl: Removing leading '/' from absolute path names
# file: test
# owner: root
# group: root
user::rwx
group::rwx
other::rwx
[root@host ~]# ll /test
-rwxrwxrwx 1 root root ... /test        // the "+" is gone; the file is back to normal
As for the other parameters, try them yourself!
Linux ACL permission planning: using getfacl and setfacl