Disadvantages of the traditional permissions model:
In the traditional UGO (user, group, other) model a file has exactly one owner and one group, and everyone else falls into "other". That is enough to give one group access to a file and to control that group's permissions, but it breaks down as soon as several different users or groups need different permissions on the same file: there is no place to put a second group, and the only way to admit it is to open the file to everyone.
ACL permission management:
An ACL (Access Control List) is an advanced permission mechanism that lets us set flexible, fine-grained permissions on a file or folder.
ACL support must be enabled on the filesystem when it is mounted; if it is not, mount it with the acl option:
mount -o acl /dev/sda5 /mnt
On current systems this step is rarely needed: ext4 filesystems created with the default mke2fs settings carry acl in their default mount options (tune2fs -l /dev/sda5 shows it under "Default mount options"), and XFS always supports ACLs. It matters mainly on older systems or on filesystems mounted with noacl.
With ACLs we can grant permissions on a file or folder to additional users and groups, independently of the single owner and group of the UGO model.
View the ACL entries of a file or folder (ls -l marks files that carry an ACL with a + after the permission bits):
getfacl linuxcast.net
Set an ACL entry on a file for one user:
setfacl -m u:nash_su:rwx linuxcast.net
-m means modify, u: selects a user, nash_su is the user name, and rwx are the permissions that nash_su gets on the file linuxcast.net.
Set an ACL entry on a file for a group:
setfacl -m g:training:rw linuxcast.net
Here g: selects a group, training is the group name, and rw are the permissions the training group gets on linuxcast.net.
Remove an ACL entry:
setfacl -x u:nash_su linuxcast.net
When removing, no permissions are written after the user name; the entry is simply deleted. (setfacl -b removes all extended entries of a file at once.)
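One thing the commands above do not make visible is the mask:: line that setfacl adds to every extended ACL: named users, named groups and the owning group only get the bits that are set in both their entry and the mask, and a plain chmod rewrites the mask rather than the entries. The following script is an added example, not code from linuxcast.net; it parses getfacl output with a small awk filter and shows the effect on two hand-constructed listings for the linuxcast.net file (the file, user nash_su and the 0644/0640 modes are assumptions for the illustration).

```shell
#!/bin/sh
# Added example (not from the original page): what the mask:: line in getfacl
# output does to the entries above it. Named users, named groups and the owning
# group (group::) only get the bits set in BOTH their entry and the mask; the
# owner (user::) and other:: are never masked. The two listings below are
# constructed by hand for the linuxcast.net file mentioned in the text.

# explain_acl reads getfacl(1) output on stdin and prints every masked entry
# together with its effective permissions, mirroring the "#effective:" column
# getfacl itself prints. Header lines (#...) and default: entries are skipped.
explain_acl() {
    awk -F: '
        /^#/ || $1 == "default" { next }
        { sub(/[ \t]+#.*/, "") }          # drop a trailing "#effective:" comment
        $1 == "mask" { mask = $3; next }
        ($1 == "user" && $2 != "") || $1 == "group" { entries[n++] = $1 ":" $2 ":" $3 }
        END {
            for (i = 0; i < n; i++) {
                split(entries[i], f, ":")
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(f[3], j, 1)
                    eff = eff ((c != "-" && c == substr(mask, j, 1)) ? c : "-")
                }
                print entries[i] " effective:" eff
            }
        }'
}

# Listing right after "setfacl -m u:nash_su:rwx linuxcast.net" on a 0644 file:
# setfacl recalculated the mask as the union of group:: and the named entries.
ACL_AFTER_SETFACL='# file: linuxcast.net
# owner: root
# group: root
user::rw-
user:nash_su:rwx
group::r--
mask::rwx
other::r--'

# Listing after a later "chmod 640 linuxcast.net": chmod changed the mask, not
# group::, so nash_su silently drops from rwx to r-- although the entry still
# says rwx. This is the trap to watch for when mixing chmod with ACLs.
ACL_AFTER_CHMOD='# file: linuxcast.net
# owner: root
# group: root
user::rw-
user:nash_su:rwx          #effective:r--
group::r--
mask::r--
other::---'

printf '%s\n' "$ACL_AFTER_SETFACL" | explain_acl
echo ---
printf '%s\n' "$ACL_AFTER_CHMOD" | explain_acl
```

To use it on a real file, pipe live output through it: getfacl linuxcast.net | explain_acl. If an entry's effective column is smaller than the entry itself, either raise the mask (setfacl -m m::rwx file) or stop using chmod on files that carry an ACL.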
The first step is to create the top-level folder:
mkdir linuxcast.net
Then create three sub-folders underneath it, named training, market and manage:
mkdir training market manage
The default permissions at this point (ls -l) are:
drwxr-xr-x 2 root root 4096 manage
drwxr-xr-x 2 root root 4096 market
drwxr-xr-x 2 root root 4096 training
Now change the group of the training folder to the training group with the following command, and do the same for the other two folders with their groups:
chgrp training training
The permissions are now:
drwxr-xr-x 2 root manage 4096 manage
drwxr-xr-x 2 root market 4096 market
drwxr-xr-x 2 root training 4096 training
Because users of other groups must not be able to access this group's files, remove all permissions for "others" from each department folder:
chmod o-rwx training
With the other bits cleared on each folder, members of the other groups can no longer enter or list it.
New user directories created inside a department folder should inherit the department's group rather than the creator's primary group, so set the setgid bit on the folder:
chmod g+s training
g selects the group bits and s is the setgid bit: everything created under training is group-owned by training no matter who creates it. The listing now shows:
drwxr-x--- 2 root manage 4096 manage
drwxr-x--- 2 root market 4096 market
drwxr-s--- 2 root training 4096 training
The per-user folders bob and nash_su created inside training get the training group automatically thanks to the setgid bit, but their owner is still root:
drwxr-xr-x 2 root training 4096 bob
drwxr-xr-x 2 root training 4096 nash_su
So change the owner of each folder from root to the user (chown, not chmod, changes ownership); for nash_su:
chown nash_su nash_su
and likewise for bob. The listing then shows:
drwxr-xr-x 2 bob training 4096 bob
drwxr-xr-x 2 nash_su training 4096 nash_su
Finally, the boss needs read and execute permission on training, which the traditional UGO model cannot grant: the folder already has its one owner and one group, and the other bits were removed on purpose. This is where setfacl comes in:
setfacl -m g:boss:rx training
-m means modify, g: is followed by the group name and then the permissions, so the boss group can now list and enter the training folder.
Use getfacl training to view the permissions on the folder:
# file: training
# owner: root
# group: training
# flags: -s-
user::rwx
group::r-x
group:boss:r-x
mask::r-x
other::---
The group:boss:r-x line is the added entry: the boss group can now view and enter training. Two caveats. First, the mask::r-x line caps every named user and group entry and the owning group; if you later chmod the group bits of the folder, chmod rewrites the mask rather than the group:: entry, and entries above the mask are silently reduced (getfacl shows #effective: next to them). Second, this entry applies to the training folder itself only; the bob and nash_su folders inside it need their own entries (setfacl -R -m g:boss:rx training for existing ones, or a default ACL set with setfacl -d -m g:boss:rx training so that folders created later inherit it) if the boss is to read their contents too.
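The whole procedure above, from the department folders to the boss's ACL, as one script. This is an added example and not code from linuxcast.net: the folder, group and user names (linuxcast.net, training/market/manage, boss, bob, nash_su) are the page's, the function names are this script's own, the groups and users are assumed to exist already, and the default ACL (-d) for folders created later is an addition beyond what the page sets. Everything except chgrp, chown and the --run section works as an unprivileged user on a folder you own.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds the department
# layout from the text: one folder per department, others locked out, setgid
# so new files take the department group, and an ACL for the boss group.
set -u

# build_dept_dir BASE DEPT: create BASE/DEPT and bring it to drwxr-s--- with
# the same chmod steps as the text. Prints the path. Needs no privileges
# beyond owning BASE.
build_dept_dir() {
    base=$1; dept=$2; dir="$base/$dept"
    mkdir -p "$dir"
    chmod 755 "$dir"        # the default listing shown in the text (umask 022)
    chmod o-rwx "$dir"      # other groups can no longer enter or list it
    chmod g+s "$dir"        # setgid: files created inside take the group of "$dir"
    printf '%s\n' "$dir"
}

# assign_dept_group DIR GROUP: the chgrp step. Needs root, or membership in
# GROUP; fails early if the group does not exist.
assign_dept_group() {
    getent group "$2" >/dev/null || { echo "group $2 does not exist" >&2; return 1; }
    chgrp "$2" "$1"
}

# grant_boss_acl DIR GROUP: the setfacl step from the text, plus a default ACL
# (-d) so folders and files created later under DIR carry the same entry.
# Returns non-zero if the filesystem has no ACL support.
grant_boss_acl() {
    setfacl -m "g:$2:rx" "$1" && setfacl -d -m "g:$2:rx" "$1"
}

# add_dept_user DIR USER: the per-user folder under the department folder,
# owned by USER. The group comes from the setgid bit on DIR, so no chgrp.
# Needs root for chown.
add_dept_user() {
    mkdir -p "$1/$2"
    chmod o-rwx "$1/$2"
    chown "$2" "$1/$2"
}

# Usage, as root and after the groups and users exist: sh acl_dept.sh --run
if [ "${1:-}" = "--run" ]; then
    base=linuxcast.net
    mkdir -p "$base"
    for dept in training market manage; do
        dir=$(build_dept_dir "$base" "$dept")
        assign_dept_group "$dir" "$dept"
    done
    for u in bob nash_su; do add_dept_user "$base/training" "$u"; done
    grant_boss_acl "$base/training" boss
    ls -l "$base"
    getfacl "$base/training"
fi
```

Check the result with ls -l linuxcast.net (training should read drwxr-s---+, the + marking the ACL) and getfacl linuxcast.net/training, which lists both the access entry group:boss:r-x and the default:group:boss:r-x entry that new folders will inherit.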
Linux Advanced Permission Management: ACLs