Linux ACL concepts and some typical usage

Source: Internet
Author: User

What is an ACL?

ACL stands for Access Control List, an access control list for files and directories. It provides an additional, more flexible permission management mechanism on top of the file system's UGO (user/group/other) permissions, and is designed as a supplement to the classic UNIX file permission model. With an ACL you can grant access to any file or directory for any individual user or group, not just the owner, the owning group and everyone else.

What is the use of ACL?

As a supplement to UGO permission management, ACLs naturally cover the cases that UGO cannot handle, or can handle only with difficulty. For example:

  1. You can set permissions for users.
  2. You can set permissions for user groups.
  3. Sub-files/directories inherit the permissions of the parent directory.

Check whether ACL is supported

ACLs only work if both the Linux kernel and the file system support them. Most current Linux distributions enable ACL support by default, but it is better to check first:

sudo tune2fs -l /dev/sda1 | grep "Default mount options:"
Default mount options:    user_xattr acl

We can see that the default mount options already include acl, so ACL support is enabled for this file system.

How to Set ACL

You can use the setfacl and getfacl commands to set or inspect the ACL permissions of a file or directory.

setfacl

There are not many parameters, so they are listed directly:

setfacl [-bkRd] [{-m|-x} acl_entry] file/directory

-m: add or modify the given ACL entry on the file/directory; cannot be used together with -x
-x: remove the given ACL entry; cannot be used together with -m
-b: remove all ACL entries
-k: remove the default ACL entries
-R: apply the ACL recursively
-d: operate on the "default ACL", which is only valid for directories; files and directories created inside the directory inherit it

getfacl

getfacl file/directory

Example: setting permissions for a user

First create a test file and view its default permissions:

touch test
ll test
-rw-r--r--  1 root root        0 May 28 09:04 test
getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::r--
other::r--

Grant the apache user read, write and execute permission (rwx) on the test file:

setfacl -m u:apache:rwx test

View the property changes of the test file:

ll test
-rw-rwxr--+ 1 root root 0 May 28 09:04 test

The permission string now ends with a "+" (marking that an extended ACL is present), and the bits differ from the original 644: once an ACL is set, the group field shown by ls displays the ACL mask rather than the owning group's permission.

View changes in ACL permissions:

getfacl test
...
user:apache:rwx
...
mask::rwx
...

Reading user:apache:rwx together with mask::rwx, the apache user now has read and write permission on the test file.

Set permissions for user groups

The settings are almost the same as those for users. You just need to replace the lower-case u with the lower-case g.

Sub-files/directories inherit the permissions of parent Directories

This is a very useful feature: newly created sub-files and sub-directories inherit the permission settings of the parent directory.

mkdir mydir
ll -d mydir
drwxr-xr-x 2 root root 4096 May 28 09:35 mydir
setfacl -m d:u:apache:rwx mydir

Note that the d: prefix, which marks the entry as a default ACL entry, is what makes the inheritance work.

View the attribute changes:

getfacl mydir
...
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

There are now several entries starting with "default". Create a new file under mydir:

touch mydir/abc
getfacl mydir/abc
...
user:apache:rwx                 #effective:rw-
group::r-x                      #effective:r--
mask::rw-
...

OK, this looks right. By default the apache user can read and write this file. Note the #effective column: the named user entry inherited rwx, but the new file's mask is rw- (touch creates files without execute permission), and the mask caps every named user, named group and owning group entry, so the permission that actually applies is rw-.
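The way getfacl derives the #effective column above, as an added example that is not part of the original article: each named user, named group and owning group entry is ANDed with the mask, while the owner and other entries are never limited by it. The input is a constructed getfacl dump modelled on the mydir/abc output; for a real file, substitute "$(getfacl -c FILE)".

```bash
#!/bin/bash
# Added example (not from the original article): compute the effective
# permission of each ACL entry by applying the mask, as getfacl reports it.

# Constructed sample, modelled on the "getfacl mydir/abc" output above.
SAMPLE_ACL='user::rw-
user:apache:rwx
group::r-x
mask::rw-
other::r--'

# apply_mask PERMS MASK -> PERMS with every bit absent from MASK cleared
apply_mask() {
  local perms=$1 mask=$2 out="" i p m
  for i in 0 1 2; do
    p=${perms:$i:1}; m=${mask:$i:1}
    if [ "$p" != "-" ] && [ "$p" = "$m" ]; then out="$out$p"; else out="$out-"; fi
  done
  printf '%s' "$out"
}

# effective_acl ACL_TEXT -> one "entry effective" line per ACL entry.
# Owner (user::) and other:: are never limited by the mask; a file with
# no mask entry has no extended ACL, so nothing is limited either.
effective_acl() {
  local acl=$1 mask line tag perms
  mask=$(printf '%s\n' "$acl" | awk -F: '$1=="mask"{print $3}')
  [ -n "$mask" ] || mask=rwx
  printf '%s\n' "$acl" | while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    tag=${line%:*}; perms=${line##*:}
    case $tag in
      user:|other:|mask:) printf '%s %s\n' "$line" "$perms" ;;
      *) printf '%s %s\n' "$line" "$(apply_mask "$perms" "$mask")" ;;
    esac
  done
}

# effective_for ACL_TEXT ENTRY -> effective permission of that one entry
effective_for() { effective_acl "$1" | awk -v e="$2" '$1==e{print $2}'; }

effective_acl "$SAMPLE_ACL"
```

Running it prints "user:apache:rwx rw-" and "group::r-x r--", matching the #effective values getfacl showed for mydir/abc.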

This article only introduces the concept of ACLs and some typical usage. For further options, see the setfacl and getfacl help documentation.
