Before I knew about setfacl, this problem had long plagued me on the Linux file system.
Using Samba to build a file server on Linux is a powerful option. Everyone who runs an MS Windows network knows that the core of a Windows network is SMB/CIFS, and Samba is a software suite for Unix-based systems that implements the SMB/CIFS protocol. As a Unix clone, Linux can run it as well. Compared with NT, Samba's file service is no less capable and is more efficient, and combined with Linux itself it can enforce per-user disk space limits, something NT 4.0 still cannot do. But you have to realize that Samba cannot be mastered in a day or two. Samba is developed by the Samba Group (http://samba.org) and is updated very quickly; the current highest version is 3.0.7, and each release adds features and fixes known bugs. To make use of Samba's powerful features, it takes a period of exploring, understanding and practicing before you can really enjoy Samba.
Now I face the problem of building a file server for a company of more than 100 people. The management of the company's employees is very strict: the sharing of documents, what employees may use, employee permissions and so on are all controlled. A document server holds more than everyday shared documents; some shared material is confidential to certain people, and some documents ordinary employees are not allowed to see at all... Clearly, the subdivision of file server rights is very important. In addition, the company needs far too many shared directories; if each of them were configured as its own Samba share, it would be a vast engineering effort.
OK, now to the topic. The system I use is Red Hat Enterprise Linux 3.0 Update 3; its price/performance ratio needs no explanation, I think everyone knows it. Before starting, I had also considered using Samba itself to subdivide the share permissions, but with time pressing I found setfacl instead.
Before using setfacl, first check whether the system's kernel supports ACLs, and edit the /etc/fstab file so that ACL support is enabled on the partition that needs setfacl. There are two types of ACL: access ACLs and default ACLs. An access ACL is the access control list for a specific file or directory. A default ACL can only be associated with a directory: if a file in the directory has no access ACL, it uses the rules of the directory's default ACL. Default ACLs are optional.
ACLs can be configured per user, per group, via the effective rights mask, and for users who are not in the file's group.
In practice, when a user opens the file server he sees only two shared directories. Both are shared by Samba, and in the share configuration all users (the Everyone group) are given write permission (rwx). Because the file system permissions are applied before the Samba permissions, on the system side I gave all users (the Everyone group) only r-x permission, so every user can enter this directory.
The setfacl utility sets ACLs for files and directories. Use -m to add or modify the ACL of a file or directory:
setfacl -m rules files
Rules (rules) take one of the following forms:
u:uid:perms
Sets the access ACL for a user. The user name or UID must be specified. The user may be any valid user on the system.
g:gid:perms
Sets the access ACL for a group. The group name or GID must be specified. The group may be any valid group on the system.
m:perms
Sets the effective rights mask. The mask is the union of all permissions of the owning group and all of the user and group entries.
o:perms
Sets the access ACL for users other than the ones in the group for the file.
White space is ignored. Permissions (perms) are a combination of the characters r, w and x for read, write and execute.
If a file or directory already has an ACL and the setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified.
For example, to give user tfox read and write permission:
setfacl -m u:tfox:rw /project/somefile
To remove all permissions for a user, group, or others, use the -x option and do not specify any permissions:
setfacl -x rules files
For example, to remove all permissions from the user with UID 500:
setfacl -x u:500 /project/somefile
The following is a fragment of the permission assignments for the directories inside the share exported by Samba, taking two directories under the shared directory Share1 as the example:
//samba/Share1/AAA
//samba/Share1/BBB
User1 and the group DOC can read and write directory AAA but only read BBB; User2 and the group ENG can only read BBB and cannot read AAA at all.
First, all users are added to the Everyone group; then the permissions can be implemented with the following commands:
setfacl -R -m g:Everyone:r-x Share1
setfacl -R -m g:DOC:rwx,d:g:DOC:rwx,g:Everyone:--- /Share1/AAA
setfacl -R -m g:DOC:r-x,d:g:DOC:r-x /Share1/BBB
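Before running commands like these on a live share it is worth knowing exactly what they will grant. The following is an added example, not code from the article and not a wrapper around setfacl: a small Python model of the -m and -x rule syntax described above (u:, g:, m:, o: and d: prefixes, comma-separated) and of the POSIX ACL access check, applied to the Share1 layout. The names User1, User2, DOC, ENG, Everyone, Share1 and tfox come from the page; the group memberships of the two users, the root owner and the rwxr-x--- base mode of the directories are constructed assumptions for the demo.

```python
"""Dry-run model of the setfacl -m / -x rules used on this page and of the
POSIX ACL access check. Added example, not code from the article; it does
not call setfacl. User1, User2, DOC, ENG, Everyone, Share1 and tfox are the
page's names; the group memberships, the root owner and the rwxr-x--- base
mode of the directories are constructed assumptions for the demo."""
from dataclasses import dataclass, field
from typing import Optional

PERM = {"r": 4, "w": 2, "x": 1}

def perms_to_bits(perms):               # 'rwx' -> 7, 'r-x' -> 5, 'rw' -> 6
    return sum(PERM[c] for c in perms if c != "-")

@dataclass
class Acl:   # a file or directory with its access ACL (.default: directories only)
    owner_name: str = "root"
    group_name: str = "root"
    owner: int = 7                               # user::
    group: int = 5                               # group::
    other: int = 0                               # other::
    users: dict = field(default_factory=dict)    # user:NAME:
    groups: dict = field(default_factory=dict)   # group:NAME:
    mask: Optional[int] = None                   # mask::, only with named entries
    default: Optional["Acl"] = None              # owner/group names unused there

    def recalc_mask(self):
        """Union of owning group and named entries (as setfacl -m does); None without named entries."""
        named = (*self.users.values(), *self.groups.values())
        m = self.group
        for b in named:
            m |= b
        self.mask = m if named else None

TAG = {"u": "user", "g": "group", "o": "other", "m": "mask"}

def parse_rule(rule):
    """'d:g:DOC:rwx' -> (True, 'group', 'DOC', 'rwx'); 'u:500' -> (False, 'user', '500', None)."""
    f = rule.strip().split(":")
    is_default = f[0] in ("d", "default")
    f = f[1:] if is_default else f
    tag = TAG.get(f[0], f[0])
    if tag in ("user", "group"):
        return is_default, tag, f[1], (f[2] if len(f) > 2 else None)
    return is_default, tag, "", (f[1] if len(f) > 1 else None)

def modify(node, rules):
    """setfacl -m: add/replace comma-separated entries. A default ACL is created
    from the access base entries on first use; masks are then recalculated
    unless this command set them explicitly."""
    explicit = []
    for rule in rules.split(","):
        is_default, tag, qual, perms = parse_rule(rule)
        if is_default and node.default is None:
            node.default = Acl(owner=node.owner, group=node.group, other=node.other)
        acl, bits = (node.default if is_default else node), perms_to_bits(perms)
        if tag == "mask":
            acl.mask = bits
            explicit.append(acl)
        elif tag == "other":
            acl.other = bits
        elif qual == "":
            setattr(acl, tag, bits)                # user:: or group::
        else:
            getattr(acl, tag + "s")[qual] = bits   # named user or group
    for acl in (node, node.default):
        if acl is not None and all(acl is not e for e in explicit):
            acl.recalc_mask()

def remove(node, rules):
    """setfacl -x: drop named entries; any permissions in the rule are ignored."""
    for rule in rules.split(","):
        is_default, tag, qual, _ = parse_rule(rule)
        if tag not in ("user", "group") or qual == "":
            raise ValueError("owner, owning group and other entries cannot be removed")
        acl = node.default if is_default else node
        if acl is not None:
            getattr(acl, tag + "s").pop(qual, None)
            acl.recalc_mask()

def can(a, user, groups, wanted):
    """POSIX ACL decision: owner, then named user, then the owning/named groups
    the caller is in (mask applied), else other. Once any group entry matches,
    other is never consulted, so g:Everyone:--- really locks its members out."""
    want, mask = perms_to_bits(wanted), (7 if a.mask is None else a.mask)
    if user == a.owner_name:
        return a.owner & want == want
    if user in a.users:
        return a.users[user] & mask & want == want
    hits = [a.group if g == a.group_name else a.groups[g]
            for g in groups if g == a.group_name or g in a.groups]
    if hits:
        return any(b & mask & want == want for b in hits)
    return a.other & want == want

def build_share1():
    """The article's three commands applied to Share1 and its two subdirectories."""
    tree = {p: Acl() for p in ("Share1", "Share1/AAA", "Share1/BBB")}
    for n in tree.values():                      # -R on Share1 reaches all three
        modify(n, "g:Everyone:r-x")
    modify(tree["Share1/AAA"], "g:DOC:rwx,d:g:DOC:rwx,g:Everyone:---")
    modify(tree["Share1/BBB"], "g:DOC:r-x,d:g:DOC:r-x")
    return tree

GROUPS = {"User1": {"DOC", "Everyone"}, "User2": {"ENG", "Everyone"}}  # constructed

if __name__ == "__main__":
    for path, node in build_share1().items():
        print(path, {u: "".join(w for w in "rwx" if can(node, u, GROUPS[u], w)) for u in GROUPS})
```

Two things the model makes visible that the commands alone do not: User2 is denied on AAA because the g:Everyone:--- entry matches him and a matched group entry is final (the other entry is never consulted), and the mask is recomputed after every -m exactly as setfacl does, so a mask set with m: in the same command is the only way to keep the effective permissions narrower than the union of the named entries. The d:g:DOC entries show up in the directories' default ACLs, which is what new files created inside AAA and BBB will inherit.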
There is in fact one very real requirement that has to be handled specially: some directory trees are very deep. Setting the permissions may be a little laborious, but they can be made very fine-grained, down to each individual directory.
For the usage of setfacl, refer to the following. Note that this reference is the Solaris setfacl(1) manual page, and its option letters are not the same as those of the Linux setfacl used above: on Linux, -d selects the default ACL rather than deleting entries, and entries are removed with -x as shown earlier.
NAME
     setfacl - modify the Access Control List (ACL) for a file or files

SYNOPSIS
     setfacl [-r] -s acl_entries file
     setfacl [-r] -m|-d acl_entries file
     setfacl [-r] -f acl_file file

DESCRIPTION
     For each file specified, setfacl will either replace its entire ACL,
     including the default ACL on a directory, or it will add, modify, or
     delete one or more ACL entries, including default entries on
     directories.

     Setting an ACL on a file also modifies the file's permission bits. The
     user entry modifies the file owner permission bits. If you do not
     specify a mask entry, the group entry modifies the file group owner
     permission bits. If you specify a mask entry, the file group owner
     permission bits are modified based on the intersection (bitwise AND)
     of the group and mask entries. The other entry modifies the other
     permission bits.

     If you use the chmod(1) command to change the file group owner
     permissions on a file with ACL entries, both the file group owner
     permissions and the ACL mask are changed to the new permissions. Be
     aware that the new ACL mask permissions may change the effective
     permissions for additional users and groups who have ACL entries on
     the file.

     A directory may contain default ACL entries. If a file or directory is
     created in a directory that contains default ACL entries, the newly
     created file will have permissions generated according to the
     intersection of the default ACL entries and the permissions requested
     at creation time. The umask(1) will not be applied if the directory
     contains default ACL entries. If a default ACL is specified for a
     specific user (or users), the file will have a regular ACL created;
     otherwise, only the mode bits will be initialized according to the
     intersection described above. The default ACL should be thought of as
     the maximum discretionary access permissions that may be granted.
ACL_ENTRIES SYNTAX
     For the -m and -s options, acl_entries are one or more comma-separated
     ACL entries.

     An ACL entry consists of the following fields separated by colons:

     entry_type   Type of ACL entry on which to set file permissions. For
                  example, entry_type can be user (the owner of a file) or
                  mask (the ACL mask).

     uid or gid   User name or user identification number. Or, group name
                  or group identification number.

     perms        Represents the permissions that are set on entry_type.
                  perms can be indicated by the symbolic characters rwx or
                  a number (the same permissions numbers used with the
                  chmod command).

     The following table shows the valid ACL entries (default entries may
     only be specified for directories):

     ACL Entry                      Description
     u[ser]::perms                  File owner permissions.
     g[roup]::perms                 File group owner permissions.
     o[ther]:perms                  Permissions for users other than the
                                    file owner or members of the file
                                    group owner.
     m[ask]:perms                   The ACL mask. The mask entry indicates
                                    the maximum permissions allowed for
                                    users (other than the owner) and for
                                    groups. The mask is a quick way to
                                    change permissions on all the users
                                    and groups.
     u[ser]:uid:perms               Permissions for a specific user. For
                                    uid, you can specify either a user
                                    name or a numeric UID.
     g[roup]:gid:perms              Permissions for a specific group. For
                                    gid, you can specify either a group
                                    name or a numeric GID.
     d[efault]:u[ser]::perms        Default file owner permissions.
     d[efault]:g[roup]::perms       Default file group owner permissions.
     d[efault]:o[ther]:perms        Default permissions for users other
                                    than the file owner or members of the
                                    file group owner.
     d[efault]:m[ask]:perms         Default ACL mask.
     d[efault]:u[ser]:uid:perms     Default permissions for a specific
                                    user. For uid, you can specify either
                                    a user name or a numeric UID.
     d[efault]:g[roup]:gid:perms    Default permissions for a specific
                                    group. For gid, you can specify either
                                    a group name or a numeric GID.

     For the -d option, acl_entries are one or more comma-separated ACL
     entries without permissions. Note that the entries for file owner,
     file group owner, ACL mask, and others may not be deleted.
OPTIONS
     The options have the following meaning:

     -s acl_entries
          Set a file's ACL. All old ACL entries are removed and replaced
          with the newly specified ACL. The entries need not be in any
          specific order. They will be sorted by the command before being
          applied to the file.

          Required entries:
          o  exactly one user entry specified for the file owner.
          o  exactly one group entry for the file group owner.
          o  exactly one other entry specified.

          If there are additional user and group entries:
          o  exactly one mask entry specified for the ACL mask that
             indicates the maximum permissions allowed for users (other
             than the owner) and groups.
          o  must not be duplicate user entries with the same uid.
          o  must not be duplicate group entries with the same gid.

          If file is a directory, the following default ACL entries may be
          specified:
          o  exactly one default user entry for the file owner.
          o  exactly one default group entry for the file group owner.
          o  exactly one default mask entry for the ACL mask.
          o  exactly one default other entry.

          There may be additional default user entries and additional
          default group entries specified, but there may not be duplicate
          additional default user entries with the same uid, or duplicate
          default group entries with the same gid.

     -m acl_entries
          Add one or more new ACL entries to the file, and/or modify one or
          more existing ACL entries on the file. If an entry already exists
          for a specified uid or gid, the specified permissions will
          replace the current permissions. If an entry does not exist for
          the specified uid or gid, an entry will be created.

     -d acl_entries
          Delete one or more entries from the file. The entries for the
          file owner, the file group owner, and others may not be deleted
          from the ACL. Note that deleting an entry does not necessarily
          have the same effect as removing all permissions from the entry.

     -f acl_file
          Set a file's ACL with the ACL entries contained in the file named
          acl_file. The same constraints on specified entries hold as with
          the -s option. The entries are not required to be in any
          specific order in the file. Also, if you specify a dash '-' for
          acl_file, standard input is used to set the file's ACL.

          The character "#" in acl_file may be used to indicate a comment.
          All characters, starting with the "#" until the end of the line,
          will be ignored. Note that if the acl_file has been created as
          the output of the getfacl(1) command, any effective permissions,
          which will follow a "#", will be ignored.

     -r   Recalculate the permissions for the ACL mask entry. The
          permissions specified in the ACL mask entry are ignored and
          replaced by the maximum permissions necessary to grant the
          access to all additional users, file group owner, and additional
          group entries in the ACL. The permissions in the additional
          user, file group owner, and additional group entries are left
          unchanged.
EXAMPLES
     Example 1: Adding read permission only
     The following example adds one ACL entry to file abc, which gives user
     shea read permission only.

          setfacl -m user:shea:r-- abc

     Example 2: Replacing a file's entire ACL
     The following example replaces the entire ACL for the file abc, which
     gives shea read access, the file owner all access, the file group
     owner read access only, the ACL mask read/write access, and others no
     access.

          setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc

     Note that after this command, the file permission bits are rwxr-----.
     Even though the file group owner was set with read/write permissions,
     the ACL mask entry limits it to have only read permissions. The mask
     entry also specifies the maximum permissions available to all
     additional user and group ACL entries. Once again, even though the
     user shea was set with all access, the mask limited it to have only
     read permissions. The ACL mask entry is a quick way to limit or open
     access to all the user and group entries in an ACL. For example, by
     changing the mask entry to read/write, both the file group owner and
     user shea would be given read/write access.

     Example 3: Setting the same ACL on two files
     The following example sets the same ACL on file abc as the file xyz.

          getfacl xyz | setfacl -f - abc
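The interaction between the mask and the other entries in Example 2 is the part of the manual people most often get wrong, so here it is worked through in Python as an added example (not part of the manual page or of the article, and it does not run setfacl): the code parses a -s entry list, applies the constraints the manual lists for -s, reports each entry's effective permission under the mask, derives the resulting permission bits, and recomputes the mask the way -r does. Only the names shea and abc are the manual's; the function names are mine.

```python
"""The arithmetic behind Example 2 of the manual page above, as an added
example (not from the manual or the article; it does not run setfacl):
parse a -s entry list, check the -s constraints, show each entry's
effective permission under the mask, derive the resulting mode bits, and
recompute the mask the way -r does. 'shea' and 'abc' are the manual's names."""
PERM = {"r": 4, "w": 2, "x": 1}

def bits(perms):                        # 'rw-' -> 6
    return sum(PERM[c] for c in perms if c != "-")

def rwx(b):                             # 6 -> 'rw-'
    return "".join(c if b & v else "-" for c, v in PERM.items())

def parse_entries(spec):
    """'user:shea:rwx,user::rwx,group::rw-,mask:r--,other:---' ->
    [(tag, qualifier, bits), ...]; base entries have an empty qualifier."""
    out = []
    for entry in spec.split(","):
        f = entry.strip().split(":")
        tag = {"u": "user", "g": "group", "o": "other", "m": "mask"}.get(f[0], f[0])
        if tag in ("user", "group"):
            out.append((tag, f[1], bits(f[2])))
        else:
            out.append((tag, "", bits(f[1])))
    return out

def validate_set(entries):
    """The constraints the manual lists for -s; returns the problems found
    (an empty list means the entry list would be accepted)."""
    problems = []
    for t in ("user", "group", "other"):
        n = sum(1 for tag, q, _ in entries if tag == t and q == "")
        if n != 1:
            problems.append(f"need exactly one {t} base entry, found {n}")
    named = [(t, q) for t, q, _ in entries if t in ("user", "group") and q]
    if named and sum(1 for t, _, _ in entries if t == "mask") != 1:
        problems.append("named user/group entries require exactly one mask entry")
    for key in sorted(set(named)):
        if named.count(key) > 1:
            problems.append(f"duplicate {key[0]} entry for {key[1]}")
    return problems

def effective(entries):
    """Effective permission of every entry as an rwx string: named users,
    named groups and the owning group are limited by the mask; the owner
    and other entries are not."""
    mask = next((b for t, _, b in entries if t == "mask"), 7)
    out = {}
    for t, q, b in entries:
        limited = t == "group" or (t == "user" and q != "")
        key = f"{t}:{q}:" if t in ("user", "group") else f"{t}:"
        out[key] = rwx(b & mask if limited else b)
    return out

def mode_bits(entries):
    """Mode the file ends up with: owner bits, then the mask (or the owning
    group when there is no mask), then other, e.g. 'rwxr-----'."""
    def base(tag):
        return next((b for t, q, b in entries if t == tag and q == ""), None)
    group_class = base("group") if base("mask") is None else base("mask")
    return rwx(base("user")) + rwx(group_class) + rwx(base("other"))

def recalc_mask(entries):
    """setfacl -r: the mask becomes the union of the owning group and all
    named entries; every other entry is left unchanged."""
    union = 0
    for t, q, b in entries:
        if t == "group" or (t == "user" and q != ""):
            union |= b
    return [("mask", "", union) if t == "mask" else (t, q, b) for t, q, b in entries]

EXAMPLE2 = "user:shea:rwx,user::rwx,group::rw-,mask:r--,other:---"   # from the manual

if __name__ == "__main__":
    e = parse_entries(EXAMPLE2)
    print(validate_set(e), mode_bits(e), effective(e))   # [] rwxr----- and r-- for shea
    print(mode_bits(recalc_mask(e)))                     # rwxrwx---
```

Running it reproduces the manual's rwxr----- and shows shea and the owning group both cut down to r-- by the mask, while the owner and other entries are untouched; after recalc_mask the mask opens to rwx and the mode becomes rwxrwx---, which is the "quick way to limit or open access" the text describes. The validation function is the check to run on an entry list before feeding it to -s or -f, since the manual's rules (one base entry of each kind, a mask whenever named entries exist, no duplicates) are easy to violate when the list is generated by a script.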
In fact there are many features in Linux that I have never used, simply because there was no need for them, heh heh.