Details of ACL permission control under CentOS

Time:2020-2-26

ACL permission control

Set ACL permissions: setfacl

View ACL permissions: getfacl

The main purpose of ACL permission control is to provide specific permission settings beyond the read, write and execute permissions of the traditional owner, group and other classes. Specific permissions can be set for a single user or a single group.

For example, the permissions of a directory are:

drwx------ 2 root root 4096 03-10 13:51 ./acldir

The user "user" has no permission at all on this directory, so it cannot enter it. With ACL, permissions on this directory can be granted to "user" so that it can operate on the directory.

Enabling ACL

To use ACL, the file system must support it. Most current file systems support it, and ext3 enables ACL by default.

Check whether the file system supports ACL:

[root@<host> tmp]# dumpe2fs -h /dev/sda2
dumpe2fs 1.39 (29-May-2006)
......
sparse_super large_file
Default mount options: user_xattr acl

Loading the ACL function

If the UNIX-like system supports ACL but the file system does not enable it by default, you can add it yourself:

[root@<host> tmp]# mount -o remount,acl /
[root@<host> tmp]# mount
/dev/sda2 on / type ext3 (rw,acl)

You can also edit the mount entry in the configuration file so that ACL is loaded by default at boot:

[root@<host> tmp]# vi /etc/fstab
LABEL=/ / ext3 defaults,acl 1 1

Viewing ACL permissions

Syntax: getfacl filename

Setting ACL permissions

Syntax: setfacl [-bkRd] [{-m|-x} ACL_parameter] target_filename

Options and parameters:

-m: set the ACL parameters that follow; cannot be combined with -x

-x: delete the ACL parameters that follow; cannot be combined with -m

-b: delete all ACL parameters

-k: delete the default ACL parameters

-R: set ACL parameters recursively

-d: set default ACL parameters; only valid for directories

For a specific user

Format: u:user_list:permissions

Permissions: a combination of r, w and x

If the user list is empty, the permissions of the file's owner are set.

Give an example:

[root@<host> tmp]# mkdir -m 700 ./acldir; ll -d ./acldir
drwx------ 2 root root 4096 03-10 13:51 ./acldir
[root@<host> tmp]# su tkf
[tkf@<host> tmp]$ cd ./acldir/
bash: cd: ./acldir/: Permission denied
=> user tkf does not have x permission
[tkf@<host> tmp]$ exit
exit
[root@<host> tmp]# setfacl -m u:tkf:x ./acldir/
=> grant user tkf the x permission on the acldir directory
[root@<host> tmp]# ll -d ./acldir/
drwx--x---+ 2 root root 4096 03-10 13:51 ./acldir/

=> Permissions added via ACL cause a "+" to be appended to the permission string, and the permission bits shown for the file also change.

=> You can view the directory's full permissions with getfacl:

[root@<host> tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x  => records that user tkf has ACL permission on this directory
group::---
mask::--x
other::---

=> Note: only tkf has x permission here; all other users have no permission.

[root@<host> tmp]# su tkf
[tkf@<host> tmp]$ cd ./acldir/
[tkf@<host> acldir]$

=> User tkf has x permission and can enter the directory.

For a specific group

Format: g:group_list:permissions

Permissions: a combination of r, w and x

If the group list is empty, the permissions of the file's owning group are set.

Example:

[root@<host> tmp]# setfa
setfacl setfattr
[root@<host> tmp]# setfacl -m g:users:rx ./acldir/
[root@<host> tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x
group::---  => permissions of the file's owning group (not an ACL setting)
group:users:r-x  => records that group users has ACL permission on this directory
mask::r-x
other::---

Setting the effective permissions (mask)

The effective permission (mask) is the upper limit of the ACL permissions you set: an ACL permission only takes effect if it is a subset of the mask, and any permission outside the mask is not effective (getfacl shows the result as "#effective:").

Format: m:permissions

Permissions: a combination of r, w and x

Example:

[root@<host> tmp]# setfacl -m m:x ./acldir/
[root@<host> tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x
group::r-x #effective:--x
group:users:r-x #effective:--x
mask::--x
other::---

Default permission settings

Earlier we set specific permissions for a user (group) on a directory, but files newly created in that directory do not get these specific permissions for that user. To solve this, set a default ACL so that files newly created in the directory receive the same ACL-specific permissions as the directory.

Format: d:[u|g]:user(group)_list:permissions

Example:

[root@<host> tmp]# mkdir -m 711 ./defdir
[root@<host> tmp]# setfacl -m u:tkf:rxw ./defdir
[root@<host> tmp]# ll -d ./defdir/
drwxrwx--x+ 2 root root 4096 03-10 15:23 ./defdir/

=> The directory has ACL-specific permissions (the trailing +).

[root@<host> tmp]# touch ./defdir/a.file;ll ./defdir/
-rw-r--r-- 1 root root 0 03-10 15:25 a.file

=> The newly created file has no ACL-specific permissions (no +).

[root@<host> tmp]# setfacl -m d:u:tkf:rxw ./defdir

=> Set the default permissions.

[root@<host> tmp]# getfacl ./defdir/
# file: defdir
# owner: root
# group: root
user::rwx
user:tkf:rwx
group::--x
mask::rwx
other::--x
default:user::rwx
default:user:tkf:rwx
default:group::--x
default:mask::rwx
default:other::--x
[root@<host> tmp]# touch ./defdir/b.file;ll ./defdir/
-rw-r--r-- 1 root root 0 03-10 15:25 a.file
-rw-rw----+ 1 root root 0 03-10 15:26 b.file

=> Newly created files now have ACL-specific permissions by default.

[root@<host> tmp]# getfacl ./defdir/b.file
# file: defdir/b.file
# owner: root
# group: root
user::rw-
user:tkf:rwx #effective:rw-
group::--x #effective:---
mask::rw-
other::---

=> Now I have a question: why is the mask value rw-? I guess it's related to the maximum permission of the file.

=> When a file is created, the default maximum permission is 666, that is, with a umask of 0000.

=> Without x, do I still need to use chmod? Doubt!!
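The following is an added example, not code from the article: a small Python parser for getfacl output that applies the mask:: entry to reproduce the "#effective:" values from the mask section, and simulates how a file created under ./defdir inherits the default ACL (the b.file listing above). It assumes the POSIX ACL rule documented in acl(5): when the parent has a default ACL, umask is not applied; instead user::, mask:: and other:: are ANDed with the owner/group/other bits of the mode the creating program asks for (0666 for touch, 0777 for mkdir), which is why b.file ends up with mask::rw-.

```python
# Added example, not the article's own code: parse getfacl output like the
# listings above, apply mask:: to get the "#effective:" values, and simulate
# default-ACL inheritance. Per acl(5): named user, owning group and named group
# entries are limited by mask::; user:: and other:: are not. With a default ACL
# on the parent, umask is NOT applied; user::, mask:: (group:: when no mask)
# and other:: are ANDed with the owner/group/other bits of the creation mode.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
def perms_to_int(s):  # 'r-x' -> 5
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)

def int_to_perms(n):  # 5 -> 'r-x'
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())

def parse_getfacl(text):  # -> [(tag, qualifier, perms_int, is_default)]
    entries = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()  # drop '# file:' and '#effective:'
        if not line:
            continue
        is_default = line.startswith("default:")
        tag, qual, perms = (line[8:] if is_default else line).split(":")
        entries.append((tag, qual, perms_to_int(perms), is_default))
    return entries

def effective(entries, default=False):  # 'tag:qualifier' -> masked perms
    acl = [e for e in entries if e[3] == default]
    mask = next((p for t, _, p, _ in acl if t == "mask"), 7)  # no mask: rwx
    out = {}
    for tag, qual, perms, _ in acl:
        masked = tag == "group" or (tag == "user" and qual != "")
        out[f"{tag}:{qual}"] = int_to_perms(perms & mask if masked else perms)
    return out

def inherit(parent_entries, mode):  # access ACL of a new child object
    defaults = [e for e in parent_entries if e[3]]
    has_mask = any(t == "mask" for t, _, _, _ in defaults)
    limit = {"user:": (mode >> 6) & 7, "other:": mode & 7,
             ("mask:" if has_mask else "group:"): (mode >> 3) & 7}
    return [(t, q, p & limit.get(f"{t}:{q}", 7), False) for t, q, p, _ in defaults]

# Constructed sample: the default entries of "getfacl ./defdir/" above.
DEFDIR_ACL = """# file: defdir
default:user::rwx
default:user:tkf:rwx
default:group::--x
default:mask::rwx
default:other::--x
"""
def new_file_acl(mode=0o666):  # what 'touch ./defdir/b.file' gets
    return effective(inherit(parse_getfacl(DEFDIR_ACL), mode))
```

Calling new_file_acl() yields user::rw-, user:tkf effective rw-, group:: effective ---, mask::rw- and other::---, exactly the b.file listing; new_file_acl(0o777) shows that a subdirectory (mkdir asks for 0777) keeps mask::rwx, so only regular files lose x this way.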