ACL: the conventional permission model (chmod/chown) can only set permissions for three identities, the file's owner, its group and everyone else. When you need finer-grained control, for example a different set of rights for each of several users on the same file, that model is not enough, and you need an Access Control List (ACL).
I. What is an ACL
An ACL is a flexible access control list: it lets you grant permissions to additional users and groups beyond the file's owner, owning group and others.
Under Linux a user has three kinds of rights to a file: r (read), w (write) and x (execute). For identity, the classic model distinguishes only the owner, the owning group and other users, and a file has exactly one owner and one group. So when you hand out rights to a file, you can only assign rwx bits to those three identities.
Linux is used mainly on multi-user servers, and in practice three identities are often not enough to express who may do what with a resource. ACLs exist to solve exactly this: they add per-user and per-group entries that the three classic identities cannot express.
II. How to enable ACL support
On CentOS 6, ACL support had to be enabled by hand on a new partition (the getfacl and setfacl commands themselves come from the acl package):
① Create the partition
fdisk /dev/sda
n          (new partition; accept the defaults with Enter)
+2G        (partition size)
w          (write the partition table and exit)
② Re-read the partition table
partx -a /dev/sda
③ Create a file system
mkfs.ext4 /dev/sda6
④ Enable ACL support as a default mount option
tune2fs -o acl /dev/sda6
⑤ Check that acl now appears in the default mount options
tune2fs -l /dev/sda6 | grep "mount options"
The tune2fs setting takes effect the next time the file system is mounted. For a file system that is already mounted, mount -o remount,acl /mountpoint (or adding acl to its options in /etc/fstab) achieves the same without reformatting.
CentOS 7 mounts its file systems with ACL support enabled by default.
III. Usage and role of ACLs
Command formats:
getfacl file|directory                      show the ACL entries on a file or directory
setfacl -m u:wang:rwx file|directory        give user wang rwx on the file or directory
setfacl -R -m g:sales:rwx directory         recursively give group sales rwx on the directory and everything under it
setfacl -M file.acl file|directory          set several ACL entries at once, read from file.acl
Example: contents of file.acl (one entry per line, same syntax as on the command line)
vim file.acl
u:lisi:rwx
u:wang:r-x
g:shuguo:---
:wq
setfacl -M file.acl test                    apply all entries in file.acl to the file test in one go
setfacl -m g:salesgroup:rw file|directory   give group salesgroup rw on the file or directory
setfacl -d -m u:wang:rx directory           set a default ACL: files and subdirectories created inside this directory inherit an entry for wang
setfacl -k file|directory                   remove the default ACL
setfacl -x u:wang file|directory            remove the ACL entry for user wang
setfacl -X file.acl directory               remove the entries listed in file.acl (for removal, entries are written without the permission field, e.g. u:wang)
setfacl -b file                             remove all extended ACL entries, including the mask, leaving only the base owner/group/other bits
Note the flag letters: lower-case -m/-x take an entry on the command line, upper-case -M/-X read entries from a file, and -R makes any of them recursive.
********************************************************************************************************
Walk through a case to see what an ACL does:
① As root, create /app/testdir and check it with ls -ld /app/testdir: the mode is 755 (drwxr-xr-x), so other users can enter the directory but cannot create files in it.
② Add a user: useradd lisi
③ Log in as lisi (su - lisi), go to /app/testdir/ and try to create a file (touch f1).
Result: Permission denied
④ Back as root, run setfacl -m u:lisi:rwx /app/testdir/ and check again with ls -ld: the mode now ends with a + (drwxrwxr-x+), which marks a file or directory that carries an extended ACL. The group field shows rwx because ls displays the mask there once an ACL exists (see section V).
⑤ Try to create the file again as lisi: this time it succeeds.
IV. Order of precedence
Continue with a small experiment:
chown lisi testdir
chmod 555 testdir
setfacl -m u:lisi:rwx testdir
Now the owner bits say r-x while the ACL entry for the same user lisi says rwx, which looks like a conflict. In practice lisi still cannot create a file under testdir: the owner entry applies and the named-user entry is never consulted. Permission checks follow a fixed order of precedence.
Without an ACL, the identity is matched in the order owner > group > other, and the first match decides.
With an ACL there are five classes: owner, named ACL users, owning group, named ACL groups and other. Their precedence is:
owner > named ACL user > owning group and named ACL groups (every matching group entry is tried, and access is granted if any of them allows it) > other
The first matching class decides even when it denies: an owner with r-x is not rescued by a more generous named-user entry for the same account.
Summary: when managing access with ACLs, it is common to leave the file's group as root and hand out all the fine-grained rights through ACL entries.
V. The mask entry in detail
Definition: the mask caps the effective permissions of everyone except the owner and other, that is, of the three classes named ACL users, the owning group and named ACL groups.
Format:
setfacl -m m::rw- testdir/         set the mask of testdir/ to rw-
Once an ACL with a mask exists, the group triplet shown by ls -l no longer reflects the owning group's own entry but the mask, and chmod g=... changes the mask rather than the group entry. The group:: entry itself keeps its value; what changes is its effective permission (group:: AND mask), which getfacl reports as #effective: when the two differ.
The mask is recalculated on every setfacl -m unless you set the mask explicitly in that call or pass -n: it becomes the union of the owning group entry and all named user and group entries. A named user's or group's effective permission is its entry ANDed with the mask, so a bit only takes effect if it is also set in the mask. Consequently, set all the named entries first and adjust the mask last if you want it to act as a cap.
Case:
The directory's group permission bits are r-x
getfacl testdir
setfacl -m u:liubei:r-- testdir     mask is recalculated to r-x (r-x union r--)
setfacl -m g:guanyu:-w- testdir     mask becomes rwx
setfacl -m m::--- testdir           mask is now ---, and the effective permissions of the entries just added drop to --- (getfacl shows them with #effective:---)
setfacl -m u:zhangfei:--x testdir   mask is recalculated again and goes back to rwx
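The following is an added example, not code from the original page: a small Python model of the rules described in sections IV and V, namely the acl(5) permission-check order and setfacl's automatic mask recalculation. It works on an in-memory ACL rather than a real file system; the getfacl dump it parses is constructed for the example, and user and group names stand in for uids and gids. It reproduces both experiments: lisi as owner with r-x plus a named-user entry of rwx is still denied write, and the mask takes the values r-x, rwx, ---, rwx after the liubei, guanyu, mask and zhangfei commands.

```python
"""Model of POSIX ACL evaluation (acl(5)) and setfacl's mask recalculation.
Added example: in-memory only; user and group names stand in for uids/gids."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

PERM_BITS = "rwx"
KINDS = {"u": "user", "g": "group", "m": "mask", "o": "other"}


def perms(s: str) -> FrozenSet[str]:
    """'r-x' or 'rx' -> frozenset({'r', 'x'})."""
    return frozenset(c for c in s if c in PERM_BITS)


def fmt(p: FrozenSet[str]) -> str:
    """frozenset({'r', 'x'}) -> 'r-x'."""
    return "".join(c if c in p else "-" for c in PERM_BITS)


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: FrozenSet[str]   # user::  (owner bits)
    group_obj: FrozenSet[str]  # group:: (owning-group bits)
    other: FrozenSet[str]      # other::
    users: Dict[str, FrozenSet[str]] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # group:NAME:
    mask: Optional[FrozenSet[str]] = None                            # mask::


def _set(acl: Acl, spec: str) -> str:
    """Store one entry ('user:lisi:rwx', 'g::r-x', 'm::---', 'o::r-x'); return its kind."""
    parts = spec.strip().split(":")
    kind = KINDS.get(parts[0], parts[0])
    name = parts[1] if len(parts) == 3 else ""
    p = perms(parts[-1])
    if kind in ("user", "group") and name:
        getattr(acl, kind + "s")[name] = p          # named user / named group
    elif kind in ("user", "group"):
        setattr(acl, kind + "_obj", p)              # owner / owning group
    elif kind in ("mask", "other"):
        setattr(acl, kind, p)
    else:
        raise ValueError(f"unrecognised ACL entry: {spec!r}")
    return kind


def parse_getfacl(text: str) -> Acl:
    """Parse getfacl output (long 'user:' or short 'u:' entry form) into an Acl."""
    acl = Acl("", "", perms(""), perms(""), perms(""))
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("# owner:") or line.startswith("# group:"):
            setattr(acl, line[2:7], line.split(":", 1)[1].strip())   # 'owner' / 'group'
        elif not line.startswith("#"):
            _set(acl, line.split("#", 1)[0])        # drop any trailing '#effective:' note
    return acl


def recompute_mask(acl: Acl) -> None:
    """setfacl's default: mask = owning group | all named users | all named groups."""
    acl.mask = frozenset(set(acl.group_obj).union(*acl.users.values(), *acl.groups.values()))


def setfacl_m(acl: Acl, spec: str) -> Acl:
    """Model `setfacl -m SPEC` without -n: an explicit mask is stored as given;
    any other change to an ACL with named entries makes setfacl recalculate the mask."""
    if _set(acl, spec) != "mask" and (acl.users or acl.groups):
        recompute_mask(acl)
    return acl


def effective(acl: Acl, p: FrozenSet[str]) -> FrozenSet[str]:
    """Named users, the owning group and named groups are all capped by the mask."""
    return p & acl.mask if acl.mask is not None else p


def check_access(acl: Acl, user: str, user_groups, requested: str) -> bool:
    """acl(5) order: owner, then named user, then matching group entries, then other.
    The first matching class decides even when it denies; only among the group
    entries is access granted if any matching entry allows the request."""
    want = perms(requested)
    if user == acl.owner:                                 # 1. owner: mask not applied
        return want <= acl.user_obj
    if user in acl.users:                                 # 2. named user, masked
        return want <= effective(acl, acl.users[user])
    group_entries = [(acl.group, acl.group_obj)] + list(acl.groups.items())
    matched = [p for g, p in group_entries if g in user_groups]
    if matched:                                           # 3. owning/named groups, masked
        return any(want <= effective(acl, p) for p in matched)
    return want <= acl.other                              # 4. other


def ls_group_field(acl: Acl) -> str:
    """What `ls -l` shows as the group triplet: the mask once one exists, else group::."""
    return fmt(acl.mask if acl.mask is not None else acl.group_obj)


# Constructed sample: getfacl output for the page's testdir after
# `chown lisi testdir; chmod 555 testdir; setfacl -m u:lisi:rwx testdir`.
SAMPLE_GETFACL = """\
# file: testdir
# owner: lisi
# group: root
user::r-x
user:lisi:rwx
group::r-x
mask::rwx
other::r-x
"""
```

check_access(parse_getfacl(SAMPLE_GETFACL), "lisi", {"lisi"}, "w") returns False, matching the experiment in section IV; feeding the four setfacl_m specs from the case above to an Acl whose group bits are r-x yields the mask sequence r-x, rwx, ---, rwx. Use -n with the real setfacl if you ever need to stop the recalculation that setfacl_m models.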
VI. Backing up and restoring ACLs
cp and mv both handle ACLs, but cp only preserves them with -p (or -a, which implies -p); mv keeps them when moving within the same file system. Archiving tools are less reliable: only newer GNU tar releases can store ACLs, and only when run with --acls, so a plain tar archive silently drops them. Back up the ACLs separately so they can be restored:
getfacl -R directory > acl.txt          backup (-R descends into the directory; add -p to keep absolute path names)
setfacl --restore=acl.txt               restore
getfacl writes path names relative to the current directory by default, so run the restore from the same directory in which the backup was taken.