Linux ACL and linuxacl
What is an ACL?
ACL stands for Access Control List, an access control list for files and directories. It adds a second, more flexible layer of permission management on top of the classic UGO (user/group/other) permission bits and was designed as a supplement to UNIX file permissions. With an ACL you can grant access permissions on any file or directory to any individual user or group, not only to the owner, the owning group and everyone else.
What is the use of ACL?
As a supplement to UGO permission management, ACLs naturally cover the cases that the UGO model cannot express at all or can only express awkwardly. For example:
Check whether ACL is supported
ACLs need support from both the Linux kernel and the file system. Most Linux distributions you will meet today enable ACL support by default, but it is better to check first:

sudo tune2fs -l /dev/sda1 | grep "Default mount options:"
Default mount options: user_xattr acl

We can see that the default mount options already include acl, so ACL support is enabled on this file system.
How to Set ACL
You can use the setfacl and getfacl commands to set or observe the acl permissions of the file/directory.
Setfacl
There are not many parameters, so they are listed directly:

setfacl [-bkRd] [{-m|-x} acl_entry] file/directory

-m: add or modify the given ACL entry on the file/directory; cannot be combined with -x
-x: delete the given ACL entry; cannot be combined with -m
-b: remove all extended ACL entries (named users, named groups and the mask)
-k: remove the default ACL entries
-R: apply the change recursively
-d: operate on the "default ACL" entries, which are only valid for directories; files and subdirectories created inside the directory inherit them
Getfacl
getfacl file/directory
Example: setting permissions for a user
First create a test file and view its default permissions:
touch test
ll test
-rw-r--r-- 1 root root 0 May 28 09:04 test
getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::r--
other::r--
Give the apache user read, write and execute (rwx) permission on the test file:

setfacl -m u:apache:rwx test
View the property changes of the test file:
ll test
-rw-rwxr--+ 1 root root 0 May 28 09:04 test

The mode string now ends with a "+", which marks a file that carries an ACL, and the group field shows rwx instead of the r-- of the original 644: for a file with an ACL, ls displays the mask entry in the group position rather than the owning group's own permissions.
View changes in ACL permissions:
getfacl test
...
user:apache:rwx
...
mask::rwx
...

Since both user:apache:rwx and mask::rwx are present, the effective permission of apache on the test file is rwx, so apache can read and write it. The mask caps every named-user and group entry: a permission only takes effect if it appears both in the entry and in the mask.
Set permissions for user groups
The procedure is almost the same as for users. You just need to replace the lower-case u with a lower-case g, for example setfacl -m g:apache:rwx test.
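The following script is an added example and not code from the original page: it wraps the setfacl/getfacl calls described in the sections above in small shell functions and walks a scratch file through granting a named user, granting a named group, revoking one entry with -x and clearing everything with -b. It assumes the acl package (setfacl and getfacl) is installed and that the file system holding the scratch directory is mounted with ACL support; acl_supported probes both before anything is changed. Numeric IDs (1000 and 1001) stand in for the apache user and group so the example does not depend on which accounts exist on the host.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the acl package is
# installed and the scratch file system supports ACLs; acl_supported checks.

# Return 0 if ACL entries can be set on files inside directory $1.
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    command -v getfacl >/dev/null 2>&1 || return 1
    probe="$1/.acl_probe.$$"
    : > "$probe" || return 1
    setfacl -m u:0:r-- "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    return $rc
}

# setfacl -m u:UID:PERMS FILE   (add/modify a named-user entry)
grant_user()  { setfacl -m "u:$2:$3" "$1"; }
# setfacl -m g:GID:PERMS FILE   (add/modify a named-group entry)
grant_group() { setfacl -m "g:$2:$3" "$1"; }
# setfacl -x u:UID FILE         (delete one named-user entry)
revoke_user() { setfacl -x "u:$2" "$1"; }
# setfacl -b FILE               (remove all extended entries, mask included)
clear_acl()   { setfacl -b "$1"; }

# List the ACL entries of $1 one per line, with numeric IDs (-n) and without
# the "# file:/# owner:/# group:" header (-c), e.g. "user:1000:rwx".
acl_entries() {
    getfacl -c -n "$1" 2>/dev/null | grep -E '^(user|group|mask|other):'
}

# Return 0 when $1 carries extended entries (a named user/group or a mask),
# which is exactly when "ls -l" shows the trailing "+" in the mode field.
has_extended_acl() {
    acl_entries "$1" | grep -Eq '^(user|group):[^:]|^mask:'
}

# Walk through the page's steps on a scratch file and print each state.
acl_demo() {
    dir=$(mktemp -d)
    f="$dir/test"
    : > "$f"
    if ! acl_supported "$dir"; then
        echo "ACLs not available here (acl package missing or no acl mount option)"
        rm -rf "$dir"
        return 0
    fi
    grant_user "$f" 1000 rwx;  echo "--- after -m u:1000:rwx"; acl_entries "$f"; ls -l "$f"
    grant_group "$f" 1001 r--; echo "--- after -m g:1001:r--"; acl_entries "$f"
    revoke_user "$f" 1000;     echo "--- after -x u:1000";     acl_entries "$f"
    clear_acl "$f";            echo "--- after -b";            acl_entries "$f"; ls -l "$f"
    rm -rf "$dir"
}

acl_demo
```

After the first grant, acl_entries shows user:1000:rwx together with an automatically computed mask::rwx, and ls -l prints the "+" marker; after clear_acl only the three base entries remain and the marker disappears.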
Sub-files/directories inherit the permissions of parent Directories
This is a very useful feature: it lets every file or subdirectory created later inherit the permission settings of the parent directory.

mkdir mydir
ll -d mydir
drwxr-xr-x 2 root root 4096 May 28 09:35 mydir
setfacl -m d:u:apache:rwx mydir

Note that the d: prefix is what makes this a default ACL entry rather than an ordinary one.
View the attribute changes:
getfacl mydir
...
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

A whole set of entries starting with "default" has appeared. Now create a new file under mydir:

touch mydir/abc
getfacl mydir/abc
...
user:apache:rwx        #effective:rw-
group::r-x             #effective:r--
mask::rw-
...
OK, this is what we wanted: by default, the apache user can read and write this file. Note the "#effective" annotations: the new file's mask is rw- rather than the inherited rwx, because at creation time the default mask is intersected with the group bits of the mode requested by the creating program (touch asks for 0666, whose group bits are rw-). The rwx granted to apache and the r-x of the owning group are therefore capped to rw- and r-- respectively.
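The mask rule used in the two examples above (the access ACL on test and the inherited ACL on mydir/abc) can be checked without touching a file system. The following is an added example, not from the original page: a pure shell/awk filter that reads getfacl-style text, applies the mask to the entries it governs (named users, named groups and the owning group; the owner and "other" entries are never masked) and reproduces the "#effective:" annotations getfacl prints. It handles both access entries and "default:" entries, each against its own mask. The sample input is constructed to mirror the mydir/abc output shown above.

```shell
#!/bin/sh
# Added example (not from the original page): recompute getfacl's
# "#effective:" annotations from the entries and the mask. Pure POSIX sh + awk.

# Read ACL entries on stdin, print them with "#effective:" where the mask
# reduces the entry's permissions. Header lines ("# file: ...") and existing
# "#effective" notes are ignored, so raw getfacl output can be piped in.
acl_effective() {
    awk '
    # Keep a permission character only if it is also present in the mask.
    function mask_perm(p, m,    i, out, c) {
        out = ""
        for (i = 1; i <= 3; i++) {
            c = substr(p, i, 1)
            out = out ((c != "-" && substr(m, i, 1) == c) ? c : "-")
        }
        return out
    }
    {
        line = $0
        sub(/[ \t]*#.*$/, "", line)            # drop "# file:" headers and "#effective" notes
        if (line == "") next
        split(line, f, ":")
        if (f[1] == "default") {               # default:TAG:QUALIFIER:PERMS
            pre[++cnt] = "default:"; tag[cnt] = f[2]; qual[cnt] = f[3]; perm[cnt] = f[4]
        } else {                               # TAG:QUALIFIER:PERMS
            pre[++cnt] = "";         tag[cnt] = f[1]; qual[cnt] = f[2]; perm[cnt] = f[3]
        }
        if (tag[cnt] == "mask") mask[pre[cnt]] = perm[cnt]   # one mask per ACL kind
    }
    END {
        for (i = 1; i <= cnt; i++) {
            out = pre[i] tag[i] ":" qual[i] ":" perm[i]
            # named users (non-empty qualifier) and every group entry are capped;
            # the owner (user::) and other:: are not
            capped = (tag[i] == "group") || (tag[i] == "user" && qual[i] != "")
            if (capped && (pre[i] in mask)) {
                eff = mask_perm(perm[i], mask[pre[i]])
                if (eff != perm[i]) out = out "\t#effective:" eff
            }
            print out
        }
    }'
}

# Constructed sample: the ACL the page shows for mydir/abc after inheritance.
SAMPLE_ABC='# file: mydir/abc
# owner: root
# group: root
user::rw-
user:apache:rwx
group::r-x
mask::rw-
other::r--'

# Print the annotated view of the constructed sample.
acl_effective_demo() {
    printf '%s\n' "$SAMPLE_ABC" | acl_effective
}

acl_effective_demo
```

Running it prints user:apache:rwx and group::r-x with #effective:rw- and #effective:r-- respectively, exactly the annotations getfacl showed for mydir/abc, while user::rw-, mask::rw- and other::r-- pass through unchanged. Piping real getfacl output through acl_effective gives the same result as getfacl itself, which makes it a convenient way to reason about what a given mask will do before changing it.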
This article only introduces the concept of ACLs and a few typical uses. For the remaining options, see the setfacl and getfacl man pages.