目录
设置权限umask
设置默认权限
umask永久生效
访问控制列表(acl)
查看用户acl权限:getfacl 文件路径
设置用户acl权限:setfacl -m u:用户名:权限 文件路径 (组用 g:组名:权限)
删除acl权限(文件上所有acl权限):setfacl -b 文件路径
删除acl权限(某一用户的acl权限):setfacl -x u:用户名 文件路径
收窄/修改现有acl条目的权限:setfacl -m u:用户名:新权限 文件路径 (-m 是覆盖该条目而不是删除;注意 -m 默认会重新计算mask,除非加 -n)
练习
精确匹配权限 find 路径 -perm 权限数值 (完全相等) / -perm -权限数值 (指定的位全部置位) / -perm /权限数值 (任一指定位置位)
[root@localhost bin]# umask
0022
//创建目录A 文件123
[root@localhost bin]# mkdir A
[root@localhost bin]# touch 123.txt
[root@localhost bin]# ll
total 7692
-rw-r--r--. 1 root root 0 Mar 29 10:32 123.txt
drwxr-xr-x. 2 root root 6 Mar 29 10:31 A
-rwxr-xr-x. 1 root root 7874985 Mar 24 11:39 strong
//临时设置umask的值为023 (只对当前shell及其子进程生效,退出shell或新开终端就没了)
[root@localhost bin]# umask 023
[root@localhost bin]# umask
0023
//创建目录B 文件111
[root@localhost bin]# mkdir B
[root@localhost bin]# touch 111.txt
[root@localhost bin]# ll
total 7692
-rw-r--r--. 1 root root 0 Mar 29 10:35 111.txt
-rw-r--r--. 1 root root 0 Mar 29 10:32 123.txt
drwxr-xr-x. 2 root root 6 Mar 29 10:31 A
drwxr-xr--. 2 root root 6 Mar 29 10:35 B
-rwxr-xr-x. 1 root root 7874985 Mar 24 11:39 strong
//更改umask的值为021 (注意:021 没有清掉 other 的写位(2),新建文件是 rw-r--rw-、目录是 rwxr-xrw-,对所有用户可写;生产环境至少用 022,敏感目录用 027)
[root@localhost bin]# umask 021
[root@localhost bin]# mkdir C
[root@localhost bin]# touch 122.txt
[root@localhost bin]# ll
total 7692
-rw-r--r--. 1 root root 0 Mar 29 10:35 111.txt
-rw-r--rw-. 1 root root 0 Mar 29 10:37 122.txt
-rw-r--r--. 1 root root 0 Mar 29 10:32 123.txt
drwxr-xr-x. 2 root root 6 Mar 29 10:31 A
drwxr-xr--. 2 root root 6 Mar 29 10:35 B
drwxr-xrw-. 2 root root 6 Mar 29 10:37 C
-rwxr-xr-x. 1 root root 7874985 Mar 24 11:39 strong
[root@localhost bin]# cat /etc/bashrc
…………………………(略)…………………………
if [ $UID -gt 199 ] && [ "`/usr/bin/id -gn`" = "`/usr/bin/id -un`" ]; then
umask 002
else
umask 022
fi
//umask权限数值默认为022;UID 大于199且主组与用户同名(用户私有组)的普通用户默认是002
…………………………(略)…………………………
单独给具体某个用户/组来设置权限
[root@localhost bin]# getfacl strong
# file: strong
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
//切换目录
[root@localhost bin]# cd ~
//查看root权限
[root@localhost ~]# ls -ld /root
dr-xr-x-wx. 11 root root 4096 Mar 24 11:39 /root
//去除其他用户关于/root目录的所有权限 (等价于 chmod o-rwx /root)
[root@localhost ~]# chmod o=--- /root
//此时切换到qq用户后无法进入/root (other 没有 x 权限)
//查看root权限 其他用户权限为---
[root@localhost ~]# ls -ld /root
dr-xr-x---. 11 root root 4096 Mar 24 11:39 /root
//增加qq用户关于root的权限
[root@localhost ~]# setfacl -m u:qq:rwx /root
//查看root权限 其他用户权限为---,末尾多了一个+表示存在扩展acl;注意有acl时 ls 显示的组权限位(这里的rwx)其实是mask,不再是 group 条目本身
[root@localhost ~]# ls -ld /root
dr-xrwx---+ 11 root root 4096 Mar 24 11:39 /root
//查看root目录现有权限
[root@localhost ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:qq:rwx
group::r-x
mask::rwx
other::---
//切换到qq 发现可以执行删除操作:对目录有 wx 权限就能删除其中任意文件,与文件本身的属主/权限无关(除非目录设了sticky位)
[root@localhost ~]# su - qq
Last login: Tue Mar 22 11:35:20 CST 2022 on pts/0
[qq@localhost ~]$ cd /root
[qq@localhost root]$ rm -rf 1.txt
[qq@localhost root]$ exit
logout
//查看root目录现有权限
[root@localhost ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:qq:rwx
group::r-x
mask::rwx
other::---
//删除文件上所有acl权限的设置
//qq用户acl权限消失 mask权限消失
[root@localhost ~]# setfacl -b /root
[root@localhost ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
group::r-x
other::---
//设置用户qq的acl权限为rwx
[root@localhost ~]# setfacl -m u:qq:rwx /root
//查看权限 qq用户acl权限出现 mask也出现
//(事实上这几步是恢复操作)
[root@localhost ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:qq:rwx
group::r-x
mask::rwx
other::---
//把mask设置为r-x:mask是命名用户、命名组和 group 条目的权限上限,超出mask的位无效(getfacl 用 #effective 标出)
//查看权限
[root@localhost ~]# setfacl -m m:r-x /root
[root@localhost ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:qq:rwx #effective:r-x
group::r-x
mask::r-x
other::---
//切换用户为qq
[root@localhost ~]# su - qq
Last login: Tue Mar 29 10:46:09 CST 2022 on pts/0
//尝试删除111.txt:mask为r-x,qq对/root的有效权限只有r-x,所以删不了
//但注意:su - 之后工作目录是/home/qq,这里的 rm -rf 111.txt 删的是/home/qq/111.txt(不存在,-f 又吞掉了报错),根本没有碰到/root/111.txt
[qq@localhost ~]$ rm -rf 111.txt
[qq@localhost ~]$ ll /root/111.txt
-rw-rw-r--. 1 qq qq 0 Mar 17 11:13 /root/111.txt
[qq@localhost ~]$ exit
logout
//重新设置mask为rwx 切换回qq再做删除操作
//这里本应可以删除;"删不了"是因为 rm -rf 111.txt 仍然在/home/qq下执行,应写成 rm -f /root/111.txt(或先 cd /root)。111.txt 属主虽是qq,但能否删除取决于/root目录的 wx 权限,而不是文件属主
[root@localhost ~]# setfacl -m m:rwx /root
[root@localhost ~]# su - qq
Last login: Tue Mar 29 10:51:01 CST 2022 on pts/0
[qq@localhost ~]$ rm -rf 111.txt
[qq@localhost ~]$ ll /root/111.txt
-rw-rw-r--. 1 qq qq 0 Mar 17 11:13 /root/111.txt
//设置qq的acl权限为r-x(setfacl 里的 - 只是占位,写成 r-x 更清楚) 查看权限:mask 被自动重算为 r-x
[root@localhost ~]# setfacl -m u:qq:rx- /root
[root@localhost ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:qq:r-x
group::r-x
mask::r-x
other::---
//设置用户tt的acl权限为rwx。注意下面 mask 自动变回了rwx:setfacl -m 默认会重算mask(除非加 -n),之前用 m:r-x 收紧的限制被悄悄放开了,改完acl后要重新检查mask
[root@localhost ~]# setfacl -m u:tt:rwx /root
[root@localhost ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:qq:r-x
user:tt:rwx
group::r-x
mask::rwx
other::---
//删除用户qq的acl权限
[root@localhost ~]# setfacl -x u:qq /root
[root@localhost ~]# getfacl /root
getfacl: Removing leading '/' from absolute path names
# file: root
# owner: root
# group: root
user::r-x
user:tt:rwx
group::r-x
mask::rwx
other::---
[root@localhost ~]#
[root@localhost ~]# mkdir dirA
[root@localhost ~]# ls -ld dirA
drwxr-xrw-. 2 root root 6 Mar 29 11:18 dirA
//修改所属组为student1 (dirA此时是 rwxr-xrw-,仍受前面 umask 021 影响,other 可写)
[root@localhost ~]# chown :student1 dirA
[root@localhost ~]# ls -ld dirA
drwxr-xrw-. 2 root student1 6 Mar 29 11:18 dirA
//数值法修改权限:开头的2是setgid位,组权限位上的 s 表示 setgid + 组可执行(不是"可执行权限")
[root@localhost ~]# chmod 2750 dirA
[root@localhost ~]# ls -ld dirA
drwxr-s---. 2 root student1 6 Mar 29 11:18 dirA
//在dirA中新建1.txt,属组自动变为student1(setgid目录下新建的文件/子目录继承目录的属组)。注意1.txt是 rw-r--rw-:umask仍是021,other有写权限
[root@localhost ~]# cd dirA/
[root@localhost dirA]# touch 1.txt
[root@localhost dirA]# ll
total 0
-rw-r--rw-. 1 root student1 0 Mar 29 11:21 1.txt
[root@localhost dirA]#
//建立用户student2
[root@localhost dirA]# cd ~
[root@localhost ~]# useradd student2
//查看dirA初始权限
[root@localhost ~]# getfacl dirA
# file: dirA
# owner: root
# group: student1
# flags: -s-
user::rwx
group::r-x
other::---
//修改student2的acl权限 使其他用户没有权限但是student2拥有rwx权限
[root@localhost ~]# setfacl -m u:student2:rwx dirA
[root@localhost ~]# getfacl dirA
# file: dirA
# owner: root
# group: student1
# flags: -s-
user::rwx
user:student2:rwx
group::r-x
mask::rwx
other::---
//精确匹配权限
[root@localhost ~]# ll
total 24016
-rw-rw-r--. 1 qq qq 0 Mar 17 11:13 111.txt
-rw-r--r--. 1 root tt 111 Mar 8 10:18 123
-rw-r--r--. 1 root root 7 Mar 8 10:35 3.txt
-rw-r--r--. 1 root root 0 Mar 8 10:17 4.txt
-rw-r--r--. 1 root root 21 Mar 1 11:30 6.txt
drwxr-xr-x. 4 root root 105 Mar 22 11:29 A
-rw-------. 1 root root 2793 Feb 24 12:13 anaconda-ks.cfg
-rw-r--r--. 1 root root 24544178 Mar 24 11:00 backup.tar.bz2
drwxr-xr-x. 3 root root 15 Mar 1 10:53 C
drwxr-x---. 2 root root 6 Mar 22 11:08 D
drwxrws---+ 2 root student1 19 Mar 29 11:21 dirA
drwxr-xr-x. 6 root root 107 Mar 17 11:16 E
-rw-r--r--. 1 root root 105 Mar 1 11:27 e.gzip
drwxr-xr-x. 4 root root 40 Mar 15 10:48 F
-rw-r--r--. 1 root root 131 Mar 1 11:26 f.bz2
-rw-r-----. 1 root root 376 Mar 24 11:08 findfiles
-rw-------. 1 root root 2057 Feb 24 12:13 original-ks.cfg
-rw-r--r--. 1 root root 2631 Mar 8 11:22 passwd
-rw-r--r--. 1 root root 77 Mar 16 11:47 root.txt
drwxr-xr-x. 3 root root 39 Mar 3 10:46 student
lrwxrwxrwx. 1 root root 5 Mar 8 11:25 test2.txt -> 1.txt
-rw-r--r--. 1 root root 697 Mar 3 11:41 test.txt
//查找权限755(rwx r-x r-x)
[root@localhost ~]# find /root -perm 755
/root/A
/root/A/B
/root/A/C
/root/C
/root/C/A
/root/C/A/B
/root/E
/root/E/A
/root/E/B
/root/E/C
/root/E/D
/root/F
/root/F/E
/root/F/dirA
/root/student
/root/student/8967
/root/student/8967/task
/root/student/8967/task/8967
/root/.vim
//-perm -数值:数值里为1的位必须全部置位,为0的位不关心(有额外的位也匹配)
//-perm 数值(无前缀):权限必须完全相等;-perm /数值:任一指定位置位即匹配
[root@localhost ~]# cd A
[root@localhost A]# ll
total 4
-rw-r--r--. 1 root root 697 Mar 3 11:42 11.txt
-rw-r--r--. 1 root root 0 Mar 22 11:25 1.txt
-rw-r--r--. 1 root root 0 Mar 22 11:28 2.txt
-rw-r--r--. 1 root root 0 Mar 22 11:29 3.txt
-rw-r--r--. 1 root root 0 Mar 1 10:44 444.txt
-rw-r--r--. 1 root root 0 Mar 1 10:42 5.txt
drwxr-xr-x. 2 root root 6 Mar 1 10:48 B
drwxr-xr-x. 2 root root 6 Mar 22 11:25 C
//查找 -perm -7777 没有查到:要求 suid、sgid、sticky 和 rwxrwxrwx 全部置位
[root@localhost A]# find /root/A -perm -7777
//设置B权限
[root@localhost A]# chmod g+s B
[root@localhost A]# ll
total 4
-rw-r--r--. 1 root root 697 Mar 3 11:42 11.txt
-rw-r--r--. 1 root root 0 Mar 22 11:25 1.txt
-rw-r--r--. 1 root root 0 Mar 22 11:28 2.txt
-rw-r--r--. 1 root root 0 Mar 22 11:29 3.txt
-rw-r--r--. 1 root root 0 Mar 1 10:44 444.txt
-rw-r--r--. 1 root root 0 Mar 1 10:42 5.txt
drwxr-sr-x. 2 root root 6 Mar 1 10:48 B
drwxr-sr-x. 2 root root 6 Mar 22 11:25 C
//查找设置了setgid位的项(-perm -2000)
[root@localhost A]# find /root/A -perm -2000
/root/A/B
/root/A/C
[root@localhost A]# chmod u+s 1.txt
[root@localhost A]# ll
total 4
-rw-r--r--. 1 root root 697 Mar 3 11:42 11.txt
-rwSr--r--. 1 root root 0 Mar 22 11:25 1.txt
-rw-r--r--. 1 root root 0 Mar 22 11:28 2.txt
-rw-r--r--. 1 root root 0 Mar 22 11:29 3.txt
-rw-r--r--. 1 root root 0 Mar 1 10:44 444.txt
-rw-r--r--. 1 root root 0 Mar 1 10:42 5.txt
drwxr-sr-x. 2 root root 6 Mar 1 10:48 B
drwxr-sr-x. 2 root root 6 Mar 22 11:25 C
[root@localhost A]# find /root/A -perm -2000
/root/A/B
/root/A/C
[root@localhost A]# find /root/A -perm -4000
/root/A/1.txt
//匹配只需要读的 (r为4) 需要匹配哪一位在哪一位上写数字:-perm -0004 即 other 可读。另外上面 1.txt 的 rwS 中大写S表示设了setuid但没有执行位;find / -perm -4000 -type f 是排查setuid文件(提权常见入口)的常用审计命令
[root@localhost A]# find /root/A -perm -0004
/root/A
/root/A/B
/root/A/2.txt
/root/A/5.txt
/root/A/444.txt
/root/A/11.txt
/root/A/1.txt
/root/A/C
/root/A/3.txt
[root@localhost A]#