RHCE7 Administration II-6: Using ACLs

ACLs allow fine-grained permissions to be assigned to files. Beyond the standard permissions for the file owner, the group owner and others, permissions can also be granted to additional named users or groups, identified by name or by UID/GID.

Commands:

·setfacl  set ACL entries

·getfacl  view ACL entries

[root@server ~]# setfacl --help
setfacl 2.2.51 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
  -m, --modify=acl        modify the current ACL(s) of file(s)                         #set ACL entries on a file or directory
  -M, --modify-file=file  read ACL entries to modify from file                         #read ACL entries from a file
  -x, --remove=acl        remove entries from the ACL(s) of file(s)                    #remove ACL entries
  -X, --remove-file=file  read ACL entries to remove from file                         #read ACL entries from a file and remove them
  -b, --remove-all        remove all extended ACL entries                              #remove all extended ACL entries; the base entries are kept
  -k, --remove-default    remove the default ACL                                       #remove the default ACL; no message if there is none
      --set=acl           set the ACL of file(s), replacing the current ACL
      --set-file=file     read ACL entries to set from file
      --mask              do recalculate the effective rights mask                     #recalculate the effective rights mask even when the ACL mask was given explicitly
  -n, --no-mask           don't recalculate the effective rights mask                  #do not recalculate the effective rights mask
  -d, --default           operations apply to the default ACL                          #set default ACL entries; applies to directories only
  -R, --recursive         recurse into subdirectories                                  #set ACL entries recursively
  -L, --logical           logical walk, follow symbolic links
  -P, --physical          physical walk, do not follow symbolic links
      --restore=file      restore ACLs (inverse of `getfacl -R')
      --test              test mode (ACLs are not modified)
  -v, --version           print version and exit
  -h, --help              this help text
[root@server ~]# mkdir /sharedata
[root@server ~]# cp /etc/passwd /sharedata/
[root@server ~]# useradd usera
[root@server ~]# useradd userb
[root@server ~]# useradd userc
[root@server ~]# echo 'userabc' |passwd --stdin usera
Changing password for user usera.
passwd: all authentication tokens updated successfully.
[root@server ~]# echo 'userabc' |passwd --stdin userb
Changing password for user userb.
passwd: all authentication tokens updated successfully.
[root@server ~]# echo 'userabc' |passwd --stdin userc
Changing password for user userc.
passwd: all authentication tokens updated successfully.
[root@server ~]# cd /sharedata/
[root@server sharedata]# ll
total 4
-rw-r--r-- 1 root root 2044 Oct  8 22:26 passwd
[root@server sharedata]# setfacl -m u:usera:r passwd
[root@server sharedata]# setfacl -m u:userb:rw passwd
[root@server sharedata]# setfacl -m u:userc:rwx passwd
[root@server sharedata]# getfacl passwd
# file: passwd
# owner: root
# group: root
user::rw-
user:usera:r--
user:userb:rw-
user:userc:rwx
group::r--
mask::rwx
other::r--

If the ACL should be inherited by everything created under a directory, a default ACL is usually set on that directory.

The file owner can set ACLs on individual files or directories. New files and subdirectories automatically inherit their ACL settings from the parent directory's default ACL. As with regular file access rules, the parent directory hierarchy needs at least the execute permission for others, so that the access granted to named users and named groups actually takes effect.

[root@server ~]# mkdir /sharedata
[root@server sharedata]# setfacl -m d:u:usera:rwx /sharedata/
[root@server sharedata]# su - usera
Last login: Thu Oct  8 22:33:57 CST 2015 on pts/0
[usera@server ~]$ cd /sharedata/
[usera@server sharedata]$ touche usera
bash: touche: command not found...
Similar command is: 'touch'
[usera@server sharedata]$ touch usera
touch: cannot touch ‘usera’: Permission denied
[usera@server sharedata]$ exit
logout
[root@server sharedata]# mkdir -p /sharedata/pub
[root@server sharedata]# su - usera
Last login: Thu Oct  8 22:44:04 CST 2015 on pts/0
[usera@server ~]$ cd /sharedata/pub/
[usera@server pub]$ touch usera
[usera@server pub]$ cd ..
[usera@server sharedata]$ touch usera
touch: cannot touch ‘usera’: Permission denied

ACL mask
The mask defines the maximum permissions that can be granted to named users, the group owner and named groups. It does not limit the permissions of the file owner or of others.
When a mask is set, each of those entries is compared against the mask, and the effective permission is the smaller of the two (only the permissions present in both apply).

[root@server /]# cd sharedata/
[root@server sharedata]# cp /etc/passwd .
[root@server sharedata]# setfacl -m u:usera:r passwd
[root@server sharedata]# setfacl -m u:userb:rw passwd
[root@server sharedata]# setfacl -m u:userc:rwx passwd
[root@server sharedata]# getfacl passwd
# file: passwd
# owner: root
# group: root
user::rw-
user:usera:r--
user:userb:rw-
user:userc:rwx
group::r--
mask::rwx
other::r--

[root@server sharedata]# setfacl -m m:r passwd
[root@server sharedata]# getfacl passwd
# file: passwd
# owner: root
# group: root
user::rw-
user:usera:r--
user:userb:rw-                  #effective:r--
user:userc:rwx                  #effective:r--
group::r--
mask::r--
other::r--

[root@server sharedata]# setfacl -m m:rwx passwd
[root@server sharedata]# getfacl passwd
# file: passwd
# owner: root
# group: root
user::rw-
user:usera:r--
user:userb:rw-
user:userc:rwx
group::r--
mask::rwx
other::r--
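As an added example (not code from the original post), the following Python models the two rules the sessions above demonstrate: the mask caps named users and group entries exactly as the #effective: column reports, and a directory's default ACL is what a newly created child receives, which is why usera could create a file in /sharedata/pub but not in /sharedata itself (the default entries were added after the directory existed and do not change the directory's own access ACL). The getfacl outputs embedded in it are constructed samples matching the page's session; the inheritance rule it implements (default entries copied, then the owner, mask and other entries ANDed with the requested creation mode, umask ignored) is the POSIX ACL rule Linux applies and is an assumption not stated on the page.

```python
# Added example, not from the original post: a small model of the POSIX ACL rules
# shown on this page (mask cap, default-ACL inheritance, access check), so they can
# be reasoned about offline without root, setfacl or an ACL-enabled filesystem.

PERM_ORDER = "rwx"

def perm_bits(s):  # 'rw-' -> 6 (r=4, w=2, x=1)
    return sum(1 << (2 - i) for i, c in enumerate(s) if c != "-")

def perm_str(bits):  # 6 -> 'rw-'
    return "".join(c if bits & (1 << (2 - i)) else "-" for i, c in enumerate(PERM_ORDER))

def parse_getfacl(text):
    """getfacl output -> (access, default) dicts keyed (tag, qualifier) -> bits."""
    access, default = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops header lines and '#effective:' notes
        if not line:
            continue
        is_default = line.startswith("default:")
        tag, qual, perms = (line[len("default:"):] if is_default else line).split(":")
        (default if is_default else access)[(tag, qual)] = perm_bits(perms)
    return access, default

def effective_rights(acl):
    """(tag, qualifier) -> effective perms, as getfacl's '#effective:' column shows them:
    named users and all group entries are ANDed with the mask; owner, other and mask are not."""
    mask = acl.get(("mask", ""))
    out = {}
    for (tag, qual), bits in acl.items():
        capped = tag == "group" or (tag == "user" and qual != "")
        out[(tag, qual)] = perm_str(bits & mask if capped and mask is not None else bits)
    return out

def inherit_access_acl(default, create_mode):
    """Access ACL a new child gets from its parent's default ACL (assumed POSIX rule): the
    entries are copied, then owner, mask (or owning group if there is no mask) and other are
    ANDed with the matching bits of the requested creation mode (0o666 touch, 0o777 mkdir)."""
    if not default:
        return None  # no default ACL: the classic mode & ~umask rule applies instead
    child = dict(default)
    child[("user", "")] &= (create_mode >> 6) & 7
    child[("other", "")] &= create_mode & 7
    child[("mask", "") if ("mask", "") in child else ("group", "")] &= (create_mode >> 3) & 7
    return child

def allowed(acl, need, user, groups, owner, owning_group):
    """POSIX ACL check: does `user` (member of `groups`) get every bit of `need` ('-w-') on
    an object owned by owner:owning_group? Order: owner, named user, every matching
    owning/named group entry, then other. Group and named-user entries are masked."""
    want, mask = perm_bits(need), acl.get(("mask", ""))
    def cap(bits):
        return bits & mask if mask is not None else bits
    if user == owner:
        return (acl[("user", "")] & want) == want
    if ("user", user) in acl:
        return (cap(acl[("user", user)]) & want) == want
    hits = [cap(b) for (tag, qual), b in acl.items() if tag == "group"
            and (owning_group in groups if qual == "" else qual in groups)]
    if hits:
        return any((b & want) == want for b in hits)
    return (acl[("other", "")] & want) == want

# Constructed sample: /sharedata after the page's `setfacl -m d:u:usera:rwx /sharedata/`.
SHAREDATA_ACL = """\
# file: sharedata
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:usera:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

# Constructed sample: /sharedata/passwd after the page's `setfacl -m m:r passwd`.
PASSWD_ACL = """\
user::rw-
user:usera:r--
user:userb:rw-
user:userc:rwx
group::r--
mask::r--
other::r--
"""

if __name__ == "__main__":
    share_access, share_default = parse_getfacl(SHAREDATA_ACL)
    print("usera may write in /sharedata:", allowed(share_access, "-w-", "usera", ["usera"], "root", "root"))
    pub = inherit_access_acl(share_default, 0o777)  # what mkdir /sharedata/pub received
    print("usera may write in /sharedata/pub:", allowed(pub, "-w-", "usera", ["usera"], "root", "root"))
    print({f"{t}:{q}": p for (t, q), p in effective_rights(parse_getfacl(PASSWD_ACL)[0]).items()})
```

One caveat that follows from the help text above: `setfacl -m` recalculates the mask unless `-n` is given, so adding another named entry after `setfacl -m m:r` can widen the mask again. Re-run getfacl after every change rather than assuming a tightened mask sticks.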
Original article: https://www.cnblogs.com/abclife/p/4863312.html