Transferred from: http://linuxguest.blog.51cto.com/195664/124107
1. Why ACLs are used
Let's start with a quick review of Linux file permissions.
Under Linux, the subjects that can operate on a file (or resource) fall into three categories: the file owner, the group (which is not necessarily the group the file owner belongs to), and other (everyone else).
Read, write and execute/search permissions are defined separately for each category (the suid, sgid and sticky bit settings are not discussed here).
With the ls -l command we can list the permissions of a file.
Code:
$ ls -l
-rw-rw---- 1 leonard admin 0 Jul 3 20:12 test.txt
This shows that for the file test.txt, the user leonard (as the file owner) has read and write permission, all users belonging to the admin group have read and write permission, and any other user (other) has no permission on the file at all.
If we now want john to be able to read and write test.txt, we might think of the following options (assuming john is not a member of the admin group):
1. Add read and write permission to the file's other category. Because john falls into other, he will then have read and write permission.
2. Add john to the admin group. john will then fall into group and have read and write permission.
3. Configure sudo so that john can manipulate test.txt as leonard and thereby gain read and write permission.
The problem with the first approach is that every user gains read and write access to test.txt, which is obviously undesirable.
The problem with the second approach is that john is given far too much: he gets the group's permissions on every file that belongs to the admin group.
The third approach can be restricted so that only john gains read and write access to test.txt. However, the sudoers file has a strict format that must be maintained, and when there are many files and users this method is quite inflexible.
It seems there is no good solution. In fact the problem lies in the Linux permission model itself: the definition of other is too broad, which makes it hard to grant permission to a single user who is neither the file owner nor a member of the file's group. This is the problem the access control list (ACL) solves for us.
Put simply, an ACL lets us set permissions on a file for a particular user or group. Only three commands need to be mastered: getfacl, setfacl and chacl.
Before continuing, install the ACL RPM packages:
Code:
# rpm -ivh libacl-2.2.39-1.1 acl-2.2.39-1.1.i386.rpm
2. ACL terminology
First let's look at the definition of each term used with ACLs. Most of these I took from the man page; it is a bit tedious, but it helps in understanding what follows.
An ACL is made up of a series of access entries. Each access entry defines the permissions that a particular category has on the file. An access entry has three components: the entry tag type, the qualifier (optional) and the permissions.
Let's first look at the most important part, the entry tag type, which has the following types:
ACL_USER_OBJ: equivalent to the file owner's permission in Linux
ACL_USER: defines the permission that additional (named) users have on this file
ACL_GROUP_OBJ: equivalent to the group permission in Linux
ACL_GROUP: defines the permission that additional (named) groups have on this file
ACL_MASK: defines the maximum permission of the ACL_USER, ACL_GROUP_OBJ and ACL_GROUP entries (discussed below)
ACL_OTHER: equivalent to the other permission in Linux
Let's look at an example. We use the getfacl command to view a file that has an ACL defined.
Code:
$ getfacl ./test.txt
# file: test.txt
# owner: leonard
# group: admin
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--
The first three lines, beginning with #, give the file name, file owner and group. This information is not very useful, so from now on we use --omit-header to leave it out.
user::rw- defines ACL_USER_OBJ: the file owner has read and write permission.
user:john:rw- defines ACL_USER: the user john has read and write permission on the file, which is exactly what we set out to achieve.
group::rw- defines ACL_GROUP_OBJ: the file's group has read and write permission.
group:dev:r-- defines ACL_GROUP: the dev group has read permission on the file.
mask::rw- defines ACL_MASK as read and write.
other::r-- defines ACL_OTHER as read.
From this we can see that ACLs give us the ability to define permissions for specific users and groups. Now let's look at how to set the ACL of a file.
3. How to set a file's ACL
First let's talk about the format of an ACL entry. From the example above we can see that each access entry consists of three fields separated by a colon (:). The first is the entry tag type:
user corresponds to ACL_USER_OBJ and ACL_USER
group corresponds to ACL_GROUP_OBJ and ACL_GROUP
mask corresponds to ACL_MASK
other corresponds to ACL_OTHER
The second field is called the qualifier. In the example above this is john and the dev group; it names the specific user or group the entry applies to. Notice that only user and group entries have a qualifier; for the others it is empty.
The third field is the permissions we are already familiar with. They are defined the same way as Linux permissions, so there is not much to say.
Let's see how to set the ACL on test.txt so that it meets the requirements above.
Initially the file has no extra ACL attributes.
Code:
$ ls -l
-rw-rw-r-- 1 leonard admin 0 Jul 3 22:06 test.txt
$ getfacl --omit-header ./test.txt
user::rw-
group::rw-
other::r--
First let's give the user john read and write access to test.txt.
Code:
$ setfacl -m user:john:rw- ./test.txt
$ getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
mask::rw-
other::r--
Now we can see in the ACL that the user john has read and write access to the file. If we look at the Linux permissions at this point, we find something different.
Code:
$ ls -l ./test.txt
-rw-rw-r--+ 1 leonard admin 0 Jul 3 22:06 ./test.txt
There is a + sign at the end of the file permissions. Whenever a file has an ACL_USER or ACL_GROUP entry we can call it an ACL file, and the + sign is there to remind us of that.
We can also see that ACL_MASK is defined automatically once a file has an ACL_USER or ACL_GROUP entry.
Next we give the dev group read permission.
Code:
$ setfacl -m group:dev:r-- ./test.txt
$ getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--
With that we have met the requirements set out above. Isn't it simple?
4. ACL_MASK and effective permissions
Here we need to focus on ACL_MASK, because it is the other key to mastering ACLs.
In Linux file permissions everyone knows that in, for example, rw-rw-r--, the middle rw- is the permission of the file's group. With ACLs this is only true when no ACL_MASK entry exists. If the file has an ACL_MASK value, the middle rw- shows the mask value and is no longer the group permission.
Let's look at the following example.
Code:
$ ls -l
-rwxrw-r-- 1 leonard admin 0 Jul 3 23:10 test.sh
This shows that for test.sh only the file owner leonard has read, write and execute/search permission; the admin group has only read and write permission.
Now we want the user john to have the same permission on test.sh as leonard.
Code:
$ setfacl -m user:john:rwx ./test.sh
$ getfacl --omit-header ./test.sh
user::rwx
user:john:rwx
group::rw-
mask::rwx
other::r--
Here we see that john has rwx permission, and the mask value is also set to rwx, because the mask is set to the maximum of the ACL_USER, ACL_GROUP and ACL_GROUP_OBJ values.
Now let's look at the Linux permissions of test.sh, which have become:
Code:
$ ls -l
-rwxrwxr--+ 1 leonard admin 0 Jul 3 23:10 test.sh
So what happens if a member of the admin group now tries to execute test.sh? Permission denied. The reason is that members of the admin group actually have only read and write permission; the rwx shown here is the ACL_MASK value, not the group permission.
From this we learn that whenever a file is marked with a + sign, we should use getfacl to confirm its permissions rather than rely on ls -l, so as not to be misled.
Let's continue with another example.
If we now set the mask of test.sh to read only, will members of the admin group still have write permission?
Code:
$ setfacl -m mask::r-- ./test.sh
$ getfacl --omit-header ./test.sh
user::rwx
user:john:rwx   #effective:r--
group::rw-      #effective:r--
mask::r--
other::r--
Now we see #effective:r-- next to the ACL_USER and ACL_GROUP_OBJ entries. What does that mean?
Let's go back to the definition of ACL_MASK: it specifies the maximum permission of ACL_USER, ACL_GROUP_OBJ and ACL_GROUP. So in our case their maximum permission is read only. Although we set other permissions for ACL_USER and ACL_GROUP_OBJ, in effect they only have read permission.
If we look at the Linux file permissions of test.sh, the group permission also shows the mask value (i.e. r--).
Code:
$ ls -l
-rwxr--r--+ 1 leonard admin 0 Jul 3 23:10 test.sh
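As an added example that is not part of the original post, the following Python reproduces the permission check the test.sh ACL above implies: the owner first, then a named user entry, then the owning group and named groups (all limited by the mask), and finally other. The ACL text is the getfacl output from this section, and the file owner leonard, group admin and the users alice and bob are constructed sample input.

```python
# Added example, not from the original post: evaluate a POSIX ACL the way the
# kernel does, applying ACL_MASK to named users, owning group and named groups.
# Constructed sample: test.sh's ACL from section 4 after "setfacl -m mask::r--".
SAMPLE_ACL = """\
user::rwx
user:john:rwx   #effective:r--
group::rw-      #effective:r--
mask::r--
other::r--
"""

def parse_acl(text):
    """Return [(tag, qualifier, perms)] from getfacl --omit-header output.
    '#effective:' notes are dropped; effective() recomputes them."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, {c for c in perms if c != "-"}))
    return entries

def effective(entries):
    """Map (tag, qualifier) -> permission set after applying the mask.
    The mask never limits user:: (ACL_USER_OBJ) or other:: (ACL_OTHER)."""
    mask = next((p for t, q, p in entries if t == "mask"), None)
    eff = {}
    for tag, qualifier, perms in entries:
        if mask is not None and (tag == "group" or (tag == "user" and qualifier)):
            perms = perms & mask
        eff[(tag, qualifier)] = perms
    return eff

def check_access(entries, owner, owning_group, uid, groups, want):
    """True if user `uid` (member of `groups`) is granted `want`: 'r', 'w' or 'x'."""
    eff = effective(entries)
    if uid == owner:                    # 1. file owner: only the user:: entry counts
        return want in eff[("user", "")]
    if ("user", uid) in eff:            # 2. named user entry (already masked)
        return want in eff[("user", uid)]
    matched = False                     # 3. owning group and named groups (masked):
    for (tag, qualifier), perms in eff.items():   # any matching entry that grants wins
        if tag == "group" and (qualifier or owning_group) in groups:
            matched = True
            if want in perms:
                return True
    if matched:                         # some group matched but none granted: deny
        return False
    return want in eff[("other", "")]   # 4. nothing matched: the other:: entry
```

Calling check_access(parse_acl(SAMPLE_ACL), "leonard", "admin", "alice", {"admin"}, "x") returns False, which is the "permission denied" the admin member gets even though ls -l showed rwx in the group position.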
5. Default ACL
Everything so far has been about the access ACL, i.e. the ACL of a file. Let me briefly explain the default ACL. A default ACL is set on a directory, and files created in that directory inherit it.
Let's do a test here as well.
Say the user leonard has created a directory dir.
Code:
$ mkdir dir
He wants every file created in this directory to be accessible by the user john, so we set a default ACL on dir.
Code:
$ setfacl -d -m user:john:rw ./dir
$ getfacl --omit-header ./dir
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
Here we can see that the ACL now has default entries, and the user john has default read, write and execute/search permission. Any default entry that is not defined explicitly is copied from the directory's own permissions.
Now the user leonard creates a file test.txt under dir.
Code:
$ touch ./dir/test.txt
$ ls -l ./dir/test.txt
-rw-rw-r--+ 1 leonard leonard 0 Jul 3 23:46 ./dir/test.txt
$ getfacl --omit-header ./dir/test.txt
user::rw-
user:john:rw-
group::rwx      #effective:rw-
mask::rw-
other::r--
Here we see that for a file created under dir, the user john automatically has read and write permission.
6. ACL-related commands
In the examples above we have seen that getfacl reads a file's ACL and setfacl sets a file's access ACL. There is also chacl, which changes the access ACL and default ACL of files and directories; see its man page for the parameters. I only want to mention chacl -B, which completely removes the ACL attributes of a file or directory (including the default ACL). If you instead use setfacl -x to remove all of the file's ACL entries, the + sign still appears at the end of the file's permissions, so the correct way to remove everything is chacl -B.
When copying files with cp we can add the -p option, which also copies the file's ACL attributes along with the file, and warns about ACL attributes that cannot be copied.
The mv command moves a file's ACL attributes by default, and also warns if that is not possible.
7. Points to note
If your filesystem does not support ACLs, you may need to remount it:
mount -o remount,acl [mount point]
If you change the Linux file permissions with chmod, the corresponding ACL values change too. Conversely, if you change the ACL, the corresponding file permissions change.