Source: cnlinux.net
ACL (Access Control Lists)
Traditional UNIX-like file systems can only set permissions for the file's owner, its owning group and everyone else (not for additional individual users or groups). An ACL (Access Control List) lets you grant permissions to each additional user or group independently.
Step 0: Check whether your kernel supports ACLs
Not every kernel version supports ACLs; the easiest way to find out is to look at the kernel configuration.
# cat /boot/config-<kernel-version> | grep -i ext3
CONFIG_EXT3_FS=m
CONFIG_EXT3_INDEX=y
CONFIG_EXT3_FS_XATTR_SHARING=y
CONFIG_EXT3_FS_XATTR_USER=y
CONFIG_EXT3_FS_XATTR_TRUSTED=y
CONFIG_EXT3_FS_ACL=y
If you can see that the options above have been compiled into the kernel (here ext3 itself is built as a module, =m), then your ext3 file system already supports ACLs.
If your kernel was not built with these options, rebuild it: they are found under "File systems" in the kernel configuration menu.
If you cannot find these options at all when configuring the kernel, install the kernel patch from the ACL project's official website first.
Step 1: Mounting the partition
Mount the partition with the acl option in the following way:
# mount -t ext3 -o acl /dev/sda1 /fs1
You can also put the option directly in /etc/fstab, so that ACLs are enabled after every boot.
# vi /etc/fstab
-----------------------------------------------------------------------
..........(omitted)...................
LABEL=/fs1   /fs1   ext3   acl   1 2
-----------------------------------------------------------------------
Step 2: Setting ACL permissions
An ACL can hold the following four kinds of permission entries:
1. Individual user
2. Individual group
3. Effective mask
4. Other users
Here are some examples.
1. Individual user
Assume the users user1, user2 and user3 already exist, or create them as follows.
Log in as root:
[root@unsvr root]# adduser user1
[root@unsvr root]# adduser user2
[root@unsvr root]# adduser user3
[root@unsvr root]# passwd user1
[root@unsvr root]# passwd user2
[root@unsvr root]# passwd user3
Mount an ext3 file system on the directory /fs1:
[root@unsvr root]# mount -t ext3 -o acl /dev/sda1 /fs1
Example: user1 gives user2 read and write permission on a file user1 created.
[root@unsvr root]# chmod -R 777 /fs1
This lets every user enter the directory and create files in it (done here only for the demonstration; a world-writable directory lets any user create and remove files in it).
Log in as user1:
[user1@unsvr user1]$ cd /fs1
[user1@unsvr fs1]$ echo "create by user1" > user1.txt
[user1@unsvr fs1]$ chmod go-r user1.txt
[user1@unsvr fs1]$ ll user1.txt
-rw------- 1 user1 user1 17 Jul 14 22:11 user1.txt
At this point nobody except user1 (and root) has read or write permission on user1.txt.
Log in as user2:
[user2@unsvr user2]$ cd /fs1
[user2@unsvr fs1]$ cat user1.txt
cat: user1.txt: Permission denied
Log in as user1:
[user1@unsvr fs1]$ setfacl -m u:user2:rw user1.txt
This modifies the permissions so that user2 has read and write permission on this file.
Look at how the file attributes changed:
[user1@unsvr fs1]$ ll
-rw-rw-r--+ 1 user1 user1 10 Feb 16 13:52 user1.txt
You will see a "+" after the mode bits, which indicates that this file has an ACL set.
Use the getfacl command to see the ACL entries of the file:
[user1@unsvr fs1]$ getfacl user1.txt
# file: user1.txt
# owner: user1
# group: user1
user::rw-
user:user2:rw-
group::rw-
mask::rw-
other::r--
You can see that user2 has read and write permission on this file.
Log in as user2:
[user2@unsvr user2]$ cd /fs1
[user2@unsvr fs1]$ cat user1.txt
create by user1
user2 can read the file user1.txt.
[user2@unsvr fs1]$ echo "modify by user2" >> user1.txt
[user2@unsvr fs1]$ cat user1.txt
create by user1
modify by user2
user2 can also modify the file user1.txt.
Log in as user3:
[user3@unsvr user3]$ cd /fs1
[user3@unsvr fs1]$ cat user1.txt
cat: user1.txt: Permission denied
Apart from user1 and user2, nobody else (except root) has read or write permission on user1.txt.
2. Individual group
Setting ACL permissions for an individual group works like the individual-user method above, but the group must first exist in /etc/group, so we need a little preparation.
Assume the users user1, user2 and user3 and the groups group1 and group2 already exist, or create them as follows.
Log in as root:
[root@unsvr root]# adduser user1
[root@unsvr root]# adduser user2
[root@unsvr root]# adduser user3
[root@unsvr root]# passwd user1
[root@unsvr root]# passwd user2
[root@unsvr root]# passwd user3
Set up the groups:
[root@unsvr root]# groupadd group1
[root@unsvr root]# groupadd group2
[root@unsvr root]# vi /etc/group
-----------------------------------------------------------------------
..................
group1:x:503:user1,user2
group2:x:504:user3
-----------------------------------------------------------------------
user1 and user2 belong to group group1.
user3 belongs to group group2.
Mount an ext3 file system on the directory /fs1:
[root@unsvr root]# mount -t ext3 -o acl /dev/sda1 /fs1
Example: user1 wants to share one of his files with the group group1.
Log in as user1:
[user1@unsvr user1]$ cd /fs1
[user1@unsvr fs1]$ echo "create by group1's user1" > group1.txt
[user1@unsvr fs1]$ chmod go-r group1.txt
[user1@unsvr fs1]$ ll group1.txt
-rw------- 1 user1 user1 17 Jul 14 22:11 group1.txt
At this point nobody except user1 (and root) has read or write permission on group1.txt.
Log in as user2:
[user2@unsvr user2]$ cd /fs1
[user2@unsvr fs1]$ cat group1.txt
cat: group1.txt: Permission denied
Log in as user1:
[user1@unsvr fs1]$ setfacl -m g:group1:rw group1.txt
This gives the group group1 read and write permission on this file.
Look at how the file attributes changed:
[user1@unsvr fs1]$ ll
-rw-rw-r--+ 1 user1 user1 10 Feb 16 13:52 group1.txt
You will see a "+" after the mode bits, which indicates that this file has an ACL set.
Use the getfacl command to see the ACL entries of the file:
[user1@unsvr fs1]$ getfacl group1.txt
# file: group1.txt
# owner: user1
# group: user1
user::rw-
group::rw-
group:group1:rw-
mask::rw-
other::---
You can see that the group group1 has read and write permission on this file.
Log in as user2:
[user2@unsvr user2]$ cd /fs1
[user2@unsvr fs1]$ cat group1.txt
create by group1's user1
user2 (that is, any member of group1, here user1 and user2) can read the file group1.txt.
[user2@unsvr fs1]$ echo "modify by group1's user2" >> group1.txt
[user2@unsvr fs1]$ cat group1.txt
create by group1's user1
modify by group1's user2
user2 (a member of group1) can also modify the file group1.txt.
Log in as user3:
[user3@unsvr user3]$ cd /fs1
[user3@unsvr fs1]$ cat group1.txt
cat: group1.txt: Permission denied
Apart from user1 and the members of group1 (user1 and user2), nobody else (except root) has read or write permission on group1.txt.
3. Effective mask
If user1 now wants to temporarily take back the permissions just granted, this can be done with the mask entry as follows:
[user1@unsvr fs1]$ setfacl -m m::--- user1.txt
[user1@unsvr fs1]$ getfacl user1.txt
# file: user1.txt
# owner: user1
# group: user1
user::rw-
user:user2:rw-              #effective:---
group::rw-                  #effective:---
mask::---
other::---
[user1@unsvr fs1]$ setfacl -m m::--- group1.txt
[user1@unsvr fs1]$ getfacl group1.txt
# file: group1.txt
# owner: user1
# group: user1
user::rw-
group::rw-                  #effective:---
group:group1:rw-            #effective:---
mask::---
other::---
The effective mask limits the permissions of named users, the owning group and named groups (the entries now marked #effective:---); it does not limit the file owner or the "other" entry. The entries themselves stay in the ACL, so restoring the mask restores their effect.
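The access decision that the user1/user2/user3, group1 and mask sessions above walk through, written out as an added example in Python (not code from the original page; Python rather than a shell session so it runs without root or extra accounts). It parses getfacl output as shown on this page and applies the POSIX.1e check order: owner, named user, owning group or named groups (with the mask applied), then other.

```python
# Added example (Python, not from the page): the POSIX.1e access check that the
# user1/user2/user3 and group1 sessions above exercise. The mask caps named users,
# the owning group and named groups, never the owner or "other". root
# (CAP_DAC_OVERRIDE) bypasses the check and is not modelled here.
def parse_acl(text):
    """getfacl(1) text -> list of (tag, qualifier, set-of-perms); '# ...' header
    lines and trailing '#effective:' annotations are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return entries

def check_access(entries, owner, owning_group, user, user_groups, wanted):
    """True if `user` (in `user_groups`, primary group included) has every perm in
    `wanted`; owner/owning_group are the '# owner:'/'# group:' header values."""
    wanted, acl = set(wanted), {(t, q): p for t, q, p in entries}
    mask = acl.get(("mask", ""))                    # None if no mask entry
    masked = lambda p: p if mask is None else p & mask
    if user == owner:                               # 1. owner: mask not applied
        return wanted <= acl[("user", "")]
    if ("user", user) in acl:                       # 2. named user, masked
        return wanted <= masked(acl[("user", user)])
    matches = [p for (t, q), p in acl.items() if t == "group" and   # 3. groups
               (q in user_groups or (q == "" and owning_group in user_groups))]
    if matches:                                     # any matching group decides
        return any(wanted <= masked(p) for p in matches)
    return wanted <= acl[("other", "")]             # 4. other: mask not applied

# Constructed sample: getfacl group1.txt as shown above, after the group share
GROUP1_TXT = """\
# file: group1.txt
# owner: user1
# group: user1
user::rw-
group::rw-
group:group1:rw-
mask::rw-
other::---
"""
def demo():
    """The page's scenario, before and after `setfacl -m m::--- group1.txt`."""
    acl = parse_acl(GROUP1_TXT)
    masked = parse_acl(GROUP1_TXT.replace("mask::rw-", "mask::---"))
    return {
        "user2_rw": check_access(acl, "user1", "user1", "user2", {"user2", "group1"}, "rw"),
        "user3_r": check_access(acl, "user1", "user1", "user3", {"user3", "group2"}, "r"),
        "owner_masked": check_access(masked, "user1", "user1", "user1", {"user1"}, "rw"),
        "user2_masked": check_access(masked, "user1", "user1", "user2", {"user2", "group1"}, "r"),
    }
```

demo() returns True for user2 and False for user3 on the shared file, and after the mask is set to --- only the owner still passes.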
4. Other users
[user1@unsvr fs1]$ setfacl -m o::rw user1.txt
This is equivalent to setting the ordinary permission bits for others:
[user1@unsvr fs1]$ chmod o+rw user1.txt
Setting directory permissions
For a directory:
Read (r): on its own this is not enough; together with x it lets you list the directory contents with ls.
Write (w): on its own this is not enough; together with x it lets you cp, mv and touch files in the directory.
Execute (x): lets you cd (change directory) into it.
So r and w on a directory must be combined with x to be usable.
Log in as root:
[root@unsvr root]# adduser user1
[root@unsvr root]# adduser user2
[root@unsvr root]# passwd user1
[root@unsvr root]# passwd user2
Mount an ext3 file system on the directory /fs1:
[root@unsvr root]# mkdir /fs1
[root@unsvr root]# mount -t ext3 -o acl /dev/sda1 /fs1
[root@unsvr root]# chmod o-rwx /fs1
We do not want arbitrary users to enter the directory, create files in it, and so on.
Example: open the /fs1 directory to user1 with read and write access.
Log in as root:
[root@unsvr root]# setfacl -m u:user1:rwx /fs1
[root@unsvr root]# getfacl /fs1
# file: fs1
# owner: root
# group: root
user::rwx
user:user1:rwx
group::---
mask::rwx
other::---
Log in as user1:
[user1@unsvr user1]$ cd /fs1
[user1@unsvr fs1]$ echo "create by user1" > user1.txt
[user1@unsvr fs1]$ ll user1.txt
-rw------- 1 user1 user1 17 Jul 14 22:11 user1.txt
At this point, apart from user1, nobody else can enter the directory or read and write the file.
Log in as user2:
[user2@unsvr user2]$ cd /fs1
-bash: cd: /fs1: Permission denied
Only user1 has access to the directory and can read and write files in it.
Step 3: Default ACL permissions
Normally the default permissions of newly created files are decided by umask (defined in /etc/bashrc): root's umask is 022 and an unprivileged user's is 002, and it applies to everything that user creates, so it cannot be set per directory. An ACL, on the other hand, can set default permissions on a directory.
Example: set the default permissions of the directory /fs1 so that only the file owner gets read, write and execute (rwx).
[root@unsvr fs1]# setfacl -d -m u::rwx /fs1
[root@unsvr fs1]# setfacl -d -m g::0 /fs1
[root@unsvr fs1]# setfacl -d -m o::0 /fs1
[root@unsvr fs1]# getfacl /fs1
# file: fs1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::---
default:other::---
You can see that the default entries have changed. Now create a file:
[root@unsvr fs1]# echo "default perms" > default.txt
[root@unsvr fs1]# ll
-rw------- 1 root root 15 Jul 27 10:53 root.default
You can see that only the owner has rw permission. There is no x because root.default is not an executable file: the shell creates it with mode 0666, and the x bit of the default ACL is dropped for any bit the creating program does not request.
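How the access ACL of a new file is derived from its parent's default ACL, the mechanism behind the missing x above, as an added example in Python (not code from the original page). The constructed default ACL naming user1 is an assumption added to show that named entries and the mask are inherited too.

```python
# Added example (Python, not from the page): how a file created under a default
# ACL gets its access ACL (Step 3). The kernel copies the parent's default ACL
# and ANDs it with the mode the creating program requests (0666 for
# `echo ... > file`, 0777 for mkdir): owner bits onto user::, other bits onto
# other::, group bits onto mask:: if present, else onto group::. umask is not
# applied when a default ACL exists. Hence root.default shows rw------- and no x.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perms_to_int(p):
    return sum(b for c, b in PERM_BITS.items() if c in p)

def int_to_perms(n):
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())

def inherit(default_acl, create_mode):
    """default_acl keys are getfacl prefixes ('user::', 'user:user1:', 'group::',
    'mask::', 'other::') mapped to 'rwx' strings. Returns (access ACL of the new
    object, the mode string ls -l would print for it)."""
    bits = {"user::": (create_mode >> 6) & 7, "other::": create_mode & 7}
    bits["mask::" if "mask::" in default_acl else "group::"] = (create_mode >> 3) & 7
    acl = {key: int_to_perms(perms_to_int(perms) & bits[key]) if key in bits else perms
           for key, perms in default_acl.items()}
    group_shown = acl["mask::"] if "mask::" in acl else acl["group::"]  # ls shows the mask
    return acl, acl["user::"] + group_shown + acl["other::"]

def demo():
    """The page's /fs1 default ACL (user::rwx, group::---, other::---) for a
    file and for a directory, plus a constructed default ACL that names user1."""
    page_default = {"user::": "rwx", "group::": "---", "other::": "---"}
    _, file_mode = inherit(page_default, 0o666)     # echo "default perms" > root.default
    _, dir_mode = inherit(page_default, 0o777)      # mkdir somedir inside /fs1
    named = {"user::": "rwx", "user:user1:": "rwx", "group::": "---",
             "mask::": "rwx", "other::": "---"}     # constructed, not on the page
    named_acl, named_mode = inherit(named, 0o666)
    return file_mode, dir_mode, named_mode, named_acl["user:user1:"], named_acl["mask::"]
```

Note that the named user1 entry keeps rwx but its effective permission is rw-, because only the mask was cut down by the 0666 creation mode.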
Step 4: Removing ACL permissions
If you want to remove the ACL permissions granted above, use the following command:
[user1@unsvr fs1]$ getfacl user1.txt
# file: user1.txt
# owner: user1
# group: user1
user::rw-
user:user2:rw-
group::rw-
mask::rw-
other::r--
You can see that user2 has read and write permission on this file.
[user1@unsvr fs1]$ setfacl -x u:user2 user1.txt
[user1@unsvr fs1]$ getfacl user1.txt
# file: user1.txt
# owner: user1
# group: user1
user::rw-
group::rw-
mask::rw-
other::r--
You can see that user2's entry has been removed.
Step 5: Other examples
1. Copying the ACL of one file to another:
# getfacl file1 | setfacl --set-file=- file2
2. Copying the access ACL into the default ACL:
# getfacl -a dir | setfacl -d -M - dir
Step 6: Usage of the setfacl parameters
# setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
{ -m|-M|-x|-X ... }
# setfacl -m (rules) (files)
-m means modify: add or change the given ACL entries.
# setfacl -x (rules) (files)
-x means remove: delete the given ACL entries.
Rules take one of the following forms:
u:(uid):(perms)
Set permissions for a named user.
g:(gid):(perms)
Set permissions for a named group.
m:(perms)
Set the effective rights mask.
o:(perms)
Set permissions for others.
[-bkndRLP ...] option usage
-b, --remove-all
Remove all extended ACL entries.
-k, --remove-default
Remove the default ACL.
-n, --no-mask
Do not recalculate the effective rights mask.
--mask
Do recalculate the effective rights mask.
-d, --default
All operations apply to the default ACL.
--restore=file
Restore a permission backup created by 'getfacl -R' or similar.
--test
Test mode.
-R, --recursive
Apply operations to all files and directories recursively.
-L, --logical
Logical walk, follow symbolic links.
-P, --physical
Physical walk, skip all symbolic links.