Use of the file control list commands setfacl and getfacl
Last Update: 2014-05-15
Source: Internet
Author: User
The following exercise uses the file access control list commands setfacl and getfacl. Requirement: with setfacl, give one group of users read, write and execute access to a directory, a second group write and execute only, and a third group read only:

    linux    rwx
    oracle   -wx
    uplook   r--

Step 1: Add six users: linux01, linux02, oracle01, oracle02, uplook01, uplook02

    [root@serv01 learning]# useradd linux01
    [root@serv01 learning]# useradd linux02
    [root@serv01 learning]# useradd oracle01
    [root@serv01 learning]# useradd oracle02
    [root@serv01 learning]# useradd uplook01
    [root@serv01 learning]# useradd uplook02

Step 2: Set the passwords

    [root@serv01 learning]# passwd linux01
    [root@serv01 learning]# passwd linux02
    [root@serv01 learning]# passwd oracle01
    [root@serv01 learning]# passwd oracle02
    [root@serv01 learning]# passwd uplook01
    [root@serv01 learning]# passwd uplook02

Step 3: Create the three groups oracle, linux and uplook

    [root@serv01 learning]# groupadd oracle
    [root@serv01 learning]# groupadd linux
    [root@serv01 learning]# groupadd uplook

Step 4: View the permissions of the data directory

    [root@serv01 learning]# ll data -d
    drwxr-xr-x. 2 root 4096 Sep 20 23:31 data

Step 5: Implement the requirement with named-user ACL entries

    [root@serv01 learning]# setfacl -m u:linux01:rwx data/
    [root@serv01 learning]# setfacl -m u:linux02:rwx data/
    [root@serv01 learning]# setfacl -m u:oracle01:rwx data/
    [root@serv01 learning]# setfacl -m u:oracle02:rwx data/
    [root@serv01 learning]# setfacl -m u:oracle01:wx data/
    [root@serv01 learning]# setfacl -m u:oracle02:wx data/
    [root@serv01 learning]# setfacl -m u:uplook01:r data/
    [root@serv01 learning]# setfacl -m u:uplook02:r data/
    # view the ACL of the data directory
    [root@serv01 learning]# getfacl data
    # file: data
    # owner: root
    # group: root
    user::rwx
    user:linux01:rwx
    user:linux02:rwx
    user:oracle01:-wx
    user:oracle02:-wx
    user:uplook01:r--
    user:uplook02:r--
    group::r-x
    mask::rwx
    other::r-x
    # view the permissions of the data directory again: the trailing + marks an extended ACL,
    # and the group field now shows the mask (rwx), not the owning group's r-x
    [root@serv01 learning]# ll data/ -d
    drwxrwxr-x+ 2 root 4096 Sep 20 data/

Step 6: Verification

    # log on as linux01: the data directory is readable, writable and executable
    [root@larrywen /]# ssh linux01@192.168.1.11
    linux01@192.168.1.11's password:
    Welcome to zhink learn
    [linux01@serv01 learning]$ cd data
    [linux01@serv01 data]$ ll
    total 0
    [linux01@serv01 data]$ touch file
    [linux01@serv01 data]$ ls
    file
    # log on as oracle01: the data directory can be written and entered, but not read (listed)
    [root@larrywen /]# ssh oracle01@192.168.1.11
    [oracle01@serv01 ~]$ cd /home/learning/data/
    [oracle01@serv01 data]$ ll
    ls: cannot open directory .: Permission denied
    [oracle01@serv01 data]$ touch file2
    [oracle01@serv01 data]$ rm -f file2
    # log on as uplook01: only read permission on the data directory, so file names can be
    # listed, but the directory cannot be entered and its files cannot be read
    [root@larrywen /]# ssh uplook01@192.168.1.11
    uplook01@192.168.1.11's password:
    Welcome to zhink learn
    [uplook01@serv01 ~]$ cd /home/learning/data
    -bash: cd: /home/learning/data: Permission denied
    [uplook01@serv01 ~]$ cat /home/learning/data/test.txt
    cat: /home/learning/data/test.txt: Permission denied
    [uplook01@serv01 ~]$ ls /home/learning/data/
    ls: cannot access /home/learning/data/file: Permission denied
    ls: cannot access /home/learning/data/test.txt: Permission denied
    file  test.txt

Step 7: Assign permissions by group

    # move the six users into their groups (linux01 and linux02 into linux, and so on)
    [root@serv01 learning]# usermod -g linux linux01
    [root@serv01 learning]# usermod -g linux linux02
    [root@serv01 learning]# usermod -g oracle oracle01
    [root@serv01 learning]# usermod -g oracle oracle02
    [root@serv01 learning]# usermod -g uplook uplook01
    [root@serv01 learning]# usermod -g uplook uplook02
    # assign permissions by group
    [root@serv01 learning]# setfacl -m g:linux:rwx data/
    [root@serv01 learning]# setfacl -m g:oracle:wx data/
    [root@serv01 learning]# setfacl -m g:uplook:r data/
    [root@serv01 learning]# getfacl data
    # file: data
    # owner: root
    # group: root
    user::rwx
    user:linux01:rwx
    user:linux02:rwx
    user:oracle01:-wx
    user:oracle02:-wx
    user:uplook01:r--
    user:uplook02:r--
    group::r-x
    group:oracle:-wx
    group:linux:rwx
    group:uplook:r--
    mask::rwx
    other::r-x

3. Other uses of setfacl

    # obtain the ACL of a file or directory
    [root@serv01 learning]# getfacl data
    # file: data
    # owner: root
    # group: root
    user::rwx
    user:linux01:rwx
    user:linux02:rwx
    user:oracle01:-wx
    user:oracle02:-wx
    user:uplook01:r--
    user:uplook02:r--
    group::r-x
    group:oracle:-wx
    group:linux:rwx
    group:uplook:r--
    mask::rwx
    other::r-x
    # lower the mask (m entry) to r--: the mask caps every named user, named group and the
    # owning group, and getfacl shows the resulting rights as #effective
    [root@serv01 learning]# setfacl -m m::r data/
    [root@serv01 learning]# getfacl data
    # file: data
    # owner: root
    # group: root
    user::rwx
    user:linux01:rwx                #effective:r--
    user:linux02:rwx                #effective:r--
    user:oracle01:-wx               #effective:---
    user:oracle02:-wx               #effective:---
    user:uplook01:r--
    user:uplook02:r--
    group::r-x                      #effective:r--
    group:oracle:-wx                #effective:---
    group:linux:rwx                 #effective:r--
    group:uplook:r--
    mask::r--
    other::r-x
    # set the mask back to rwx
    [root@serv01 learning]# setfacl -m m::rwx data/
    [root@serv01 learning]# getfacl data/
    # file: data/
    # owner: root
    # group: root
    user::rwx
    user:linux01:rwx
    user:linux02:rwx
    user:oracle01:-wx
    user:oracle02:-wx
    user:uplook01:r--
    user:uplook02:r--
    group::r-x
    group:oracle:-wx
    group:linux:rwx
    group:uplook:r--
    mask::rwx
    other::r-x
    # remove a single entry: -x
    [root@serv01 learning]# setfacl -x g:linux data/
    [root@serv01 learning]# getfacl data/
    # file: data/
    # owner: root
    # group: root
    user::rwx
    user:linux01:rwx
    user:linux02:rwx
    user:oracle01:-wx
    user:oracle02:-wx
    user:uplook01:r--
    user:uplook02:r--
    group::r-x
    group:oracle:-wx
    group:uplook:r--
    mask::rwx
    other::r-x
    # remove all extended ACL entries: -b
    [root@serv01 learning]# setfacl -b data/
    [root@serv01 learning]# getfacl data/
    # file: data/
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x

Summary of the forms used above:

    setfacl -m u:user:rwx data/      setfacl -m g:group:rwx data/
    setfacl -m m::rwx data/
    setfacl -x u:user data/          setfacl -x g:group data/
    setfacl -b data/
    getfacl data/

The ACL of one file can be copied to another by combining getfacl and setfacl:

    [root@larrywen soft]# setfacl --help
    setfacl 2.2.49 -- set file access control lists
    Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
      -m, --modify=acl        modify the current ACL(s) of file(s)
      -M, --modify-file=file  read ACL entries to modify from file
      -x, --remove=acl        remove entries from the ACL(s) of file(s)
      -X, --remove-file=file  read ACL entries to remove from file
      -b, --remove-all        remove all extended ACL entries
      -k, --remove-default    remove the default ACL
          --set=acl           set the ACL of file(s), replacing the current ACL
          --set-file=file     read ACL entries to set from file
          --mask              do recalculate the effective rights mask
      -n, --no-mask           don't recalculate the effective rights mask
      -d, --default           operations apply to the default ACL
      -R, --recursive         recurse into subdirectories
      -L, --logical           logical walk, follow symbolic links
      -P, --physical          physical walk, do not follow symbolic links
          --restore=file      restore ACLs (inverse of `getfacl -R')
          --test              test mode (ACLs are not modified)
      -v, --version           print version and exit
      -h, --help              this help text
    [root@serv01 test]# touch aa01.txt
    [root@serv01 test]# getfacl aa01.txt
    # file: aa01.txt
    # owner: root
    # group: root
    user::rw-
    group::r--
    other::r--
    [root@serv01 test]# setfacl -m g:linux:rwx aa01.txt
    [root@serv01 test]# getfacl aa01.txt
    # file: aa01.txt
    # owner: root
    # group: root
    user::rw-
    group::r--
    group:linux:rwx
    mask::rwx
    other::r--
    [root@serv01 test]# touch bb01.txt
    [root@serv01 test]# getfacl bb01.txt
    # file: bb01.txt
    # owner: root
    # group: root
    user::rw-
    group::r--
    other::r--
    [root@serv01 test]# getfacl aa01.txt | setfacl --set-file=- bb01.txt
    [root@serv01 test]# getfacl bb01.txt
    # file: bb01.txt
    # owner: root
    # group: root
    user::rw-
    group::r--
    group:linux:rwx
    mask::rwx
    other::r--
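The mask behaviour shown in section 3 is easy to misread from `ls -l` alone, so here is an added Python example (not part of the original page) that parses getfacl text, applies the mask the way the kernel does, reproduces getfacl's `#effective:` annotations, and shows why the group field of `ls -l` is the mask rather than the owning group's rights. The sample ACL text is constructed from the walkthrough's data/ directory after `setfacl -m m::r data/`.

```python
# Constructed sample: the walkthrough's data/ directory after `setfacl -m m::r data/`.
SAMPLE_GETFACL = """\
# file: data
user::rwx
user:linux01:rwx
user:oracle01:-wx
group::r-x
group:linux:rwx
group:uplook:r--
mask::r--
other::r-x
"""

def parse_acl(text):
    """getfacl text -> list of (tag, qualifier, perms); '# file:' headers and
    '#effective:' comments are dropped. An empty qualifier means owner/owning group."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return entries

def effective_rights(entries):
    """Return {'tag:qualifier': effective perms}. The mask is ANDed into named users,
    named groups and the owning group; owner (user::), other:: and the mask are not capped."""
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    result = {}
    for tag, qualifier, perms in entries:
        masked = (tag == "user" and qualifier != "") or tag == "group"
        eff = "".join(p if p == m else "-" for p, m in zip(perms, mask)) if masked else perms
        result[f"{tag}:{qualifier}"] = eff
    return result

def annotate(text):
    """Re-emit the ACL lines with getfacl-style '#effective:' notes where the mask bites."""
    entries = parse_acl(text)
    eff = effective_rights(entries)
    lines = []
    for tag, qualifier, perms in entries:
        line, e = f"{tag}:{qualifier}:{perms}", eff[f"{tag}:{qualifier}"]
        lines.append(line if e == perms else f"{line}\t\t#effective:{e}")
    return lines

def ls_mode(entries):
    """Mode string as `ls -l` prints it: the group field is the MASK when one exists and a
    trailing '+' flags extended entries, so ls alone does not tell you who can write."""
    perms = {f"{t}:{q}": p for t, q, p in entries}
    extended = any(q for t, q, _ in entries if t in ("user", "group"))
    return perms["user:"] + perms.get("mask:", perms["group:"]) + perms["other:"] + ("+" if extended else "")
```

Run `annotate(SAMPLE_GETFACL)` to see the same `#effective:` lines the walkthrough's getfacl printed, and `ls_mode(parse_acl(SAMPLE_GETFACL))` to see the misleading `rwxr--r-x+` that `ls -l` would show for it.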