ACL permission control
Set ACL permissions: setfacl
View ACL permissions: getfacl
The main purpose of ACL permission control is to go beyond the traditional owner/group/other read, write and execute permissions and set specific permissions for a single user or group.
For example, a directory has the permissions
drwx------ 2 root root 4096 03-10 13:51 ./acldir
An ordinary user has no permissions on this directory and therefore cannot enter it. With an ACL, permissions on this directory can be granted to that one user so that they can work in it.
Enabling ACLs
To use ACLs the file system must support them. Most current file systems do, and ext3 enables ACLs by default.
To check whether the file system supports ACLs:
[root@localhost tmp]# dumpe2fs -h /dev/sda2
dumpe2fs 1.39 (29-May-2006)
......
... sparse_super large_file
Default mount options: user_xattr acl
Loading the ACL feature
If the system supports ACLs but the file system does not load the feature by default, you can enable it yourself:
[root@localhost tmp]# mount -o remount,acl /
[root@localhost tmp]# mount
/dev/sda2 on / type ext3 (rw,acl)
You can also edit the mount settings in /etc/fstab so that the option is loaded by default at boot:
[root@localhost tmp]# vi /etc/fstab
LABEL=/    /    ext3    defaults,acl    1 1
Viewing ACL permissions
Syntax: getfacl filename
Setting ACL permissions
Syntax: setfacl [-bkRd] [-m|-x ACL entry] target filename
Options and parameters:
-m: set the ACL entry that follows; cannot be used together with -x
-x: remove the ACL entry that follows; cannot be used together with -m
-b: remove all ACL entries
-k: remove the default ACL entries
-R: apply recursively
-d: set default ACL entries; only valid for directories
For a specific user
Format: u:user list:permissions
Permissions: a combination of r, w and x
If the user list is empty, the permission of the file's owner is set.
Example:
[root@localhost tmp]# mkdir -m 700 ./acldir; ll -d ./acldir
drwx------ 2 root root 4096 03-10 13:51 ./acldir
[root@localhost tmp]# su tkf
[tkf@localhost tmp]$ cd ./acldir/
bash: cd: ./acldir/: Permission denied => the user has no x permission
[tkf@localhost tmp]$ exit
exit
[root@localhost tmp]# setfacl -m u:tkf:x ./acldir/
=> user tkf now has x permission on the acldir directory
[root@localhost tmp]# ll -d ./acldir/
drwx--x---+ 2 root root 4096 03-10 13:51 ./acldir/
=> after ACL entries are added, a "+" appears at the end of the permission string and the permissions shown for the file change (with an ACL present, ls shows the mask in place of the group permissions)
=> the original permissions of the directory can be seen with getfacl
[root@localhost tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x => records that user tkf has ACL permissions on this directory
group::---
mask::--x
other::---
=> note in particular that only the user tkf has x permission; other users still have no permissions
[root@localhost tmp]# su tkf
[tkf@localhost tmp]$ cd ./acldir/
[tkf@localhost acldir]$
=> user tkf has x permission and can enter the directory
For a specific group
Format: g:group list:permissions
Permissions: a combination of r, w and x
If the group list is empty, the permission of the file's owning group is set.
Example:
[root@localhost tmp]# setfacl -m g:users:rx ./acldir/
[root@localhost tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x
group::--- => permission of the owning group (not an ACL setting)
group:users:r-x => records that the users group has ACL permissions on this directory
mask::r-x
other::---
Setting the effective permissions (mask)
The effective permission mask is the upper limit of the ACL entries: permissions granted to named users, named groups and the owning group are only effective if they are also in the mask, and any bit outside the mask is dropped.
Format: m:permissions
Permissions: a combination of r, w and x
Example:
[root@localhost tmp]# setfacl -m m:x ./acldir/
[root@localhost tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x
group::r-x                      #effective:--x
group:users:r-x                 #effective:--x
mask::--x
other::---
Setting default permissions
Earlier we set specific permissions on a directory for a user (or group), but files newly created in that directory do not get those permissions for that user. To solve this, set default ACL permissions so that files newly created in the directory receive the same ACL entries as the directory.
Format: d:[u|g]:user (group) list:permissions
Example:
[root@localhost tmp]# mkdir -m 711 ./defdir
[root@localhost tmp]# setfacl -m u:tkf:rwx ./defdir
[root@localhost tmp]# ll -d ./defdir/
drwxrwx--x+ 2 root root 4096 03-10 15:23 ./defdir/
=> the directory permissions include ACL entries (trailing +)
[root@localhost tmp]# touch ./defdir/a.file; ll ./defdir/
-rw-r--r-- 1 root root 0 03-10 15:25 a.file
=> the newly created file has no ACL entries (no trailing +)
[root@localhost tmp]# setfacl -m d:u:tkf:rwx ./defdir
=> set the default permissions
[root@localhost tmp]# getfacl ./defdir/
# file: defdir
# owner: root
# group: root
user::rwx
user:tkf:rwx
group::--x
mask::rwx
other::--x
default:user::rwx
default:user:tkf:rwx
default:group::--x
default:mask::rwx
default:other::--x
[root@localhost tmp]# touch ./defdir/b.file; ll ./defdir/
-rw-r--r-- 1 root root 0 03-10 15:25 a.file
-rw-rw----+ 1 root root 0 03-10 15:26 b.file
=> the newly created file gets the ACL entries by default
[root@localhost tmp]# getfacl ./defdir/b.file
# file: defdir/b.file
# owner: root
# group: root
user::rw-
user:tkf:rwx                    #effective:rw-
group::--x                      #effective:---
mask::rw-
other::---
=> Here I have a question: why is the mask value rw-? I guess it is related to the maximum permissions of a file:
=> the default maximum permission for a file is 666, i.e. umask 0000. Then for an executable file,
=> which doesn't have x, do you need to set it with chmod? Questions!!
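As an added example (not the page's commands or the acl package's own code), the following Python models the two rules the sessions above show, working from getfacl's text output: the mask caps the named-user, named-group and owning-group entries, and a file created under a default ACL inherits it with the user::, mask:: and other:: entries ANDed with the creation mode (0666 for touch), which is the POSIX.1e inheritance rule and is why b.file ends up with mask::rw-. The sample getfacl text is constructed from the ./defdir listing above.

```python
# Added model of POSIX ACL evaluation (not the acl package's or the kernel's code).
PERMS = {"r": 4, "w": 2, "x": 1}

def parse_perms(s):
    """'rwx #effective: rw-' -> 7; getfacl's #effective annotation is ignored."""
    return sum(PERMS[c] for c in s.split("#")[0] if c in PERMS)

def fmt(bits):
    """7 -> 'rwx', 6 -> 'rw-', 0 -> '---'."""
    return "".join(c if bits & v else "-" for c, v in PERMS.items())

def parse_getfacl(text):
    """Return (access, default): dicts of (tag, qualifier) -> permission bits."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                     # skip '# file:', '# owner:', '# group:'
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qual, perms = line.split(":", 2)
        target[(tag, qual)] = parse_perms(perms)
    return access, default

def effective(acl):
    """Apply mask:: to named users, named groups and group::; user:: and other:: are exempt."""
    mask = acl.get(("mask", ""), 7)
    return {(t, q): bits & mask if t == "group" or (t == "user" and q) else bits
            for (t, q), bits in acl.items()}

def inherit(default_acl, mode):
    """Access ACL of a file created under default_acl: user::, mask:: (group:: if there
    is no mask) and other:: are ANDed with the owner/group/other bits of the creation mode."""
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    acl[("mask", "") if ("mask", "") in acl else ("group", "")] &= (mode >> 3) & 7
    acl[("other", "")] &= mode & 7
    return acl

# Constructed sample: the getfacl output for ./defdir from the session above.
DEFDIR = "\n".join(["user::rwx", "user:tkf:rwx", "group::--x", "mask::rwx", "other::--x",
                    "default:user::rwx", "default:user:tkf:rwx", "default:group::--x",
                    "default:mask::rwx", "default:other::--x"])

def new_file_acl(mode=0o666):
    """Effective ACL of a file created by touch (mode 0666) under ./defdir."""
    _, default = parse_getfacl(DEFDIR)
    return {(t, q): fmt(b) for (t, q), b in effective(inherit(default, mode)).items()}
```

Calling new_file_acl() reproduces the b.file listing (mask::rw-, user:tkf effective rw-, group:: effective ---); new_file_acl(0o777) shows that a file created with x in its mode keeps x in the inherited mask.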