文件控制列表命令setfacl和getfacl的使用

一 需求

有以下需求,通过setfacl命令实现

一组用户可写可读可执行,一组用户可写可执行,另一组用户只可读

linux rwx

oracle wx

uplook r

 

二 解决

 

第一步 添加六个用户linux01、linux02、oracle01、oracle02、uplook01、uplook02

 

[root@serv01 learning]# useradd linux01

[root@serv01 learning]# useradd linux02

[root@serv01 learning]# useradd oracle01

[root@serv01 learning]# useradd oracle02

[root@serv01 learning]# useradd uplook01

[root@serv01 learning]# useradd uplook02

 


第二步 分别设置密码

 

[root@serv01 learning]# passwd linux01

[root@serv01 learning]# passwd linux02

[root@serv01 learning]# passwd oracle01

[root@serv01 learning]# passwd oracle02

[root@serv01 learning]# passwd uplook01

[root@serv01 learning]# passwd uplook02

 

 

第三步 添加三个组oracle、linux、uplook

 

[root@serv01 learning]# groupadd oracle

[root@serv01 learning]# groupadd linux

[root@serv01 learning]# groupadd uplook

 

 

第四步 查看data目录的权限

 

[root@serv01 learning]# ll data -d

drwxr-xr-x. 2 root root 4096 Sep 20 23:31 data

 

 

第五步 实现功能(注意:下面对 oracle01、oracle02 先设置了 rwx,随后又设置了 wx;`setfacl -m` 对同一条目会覆盖,最终生效的是后面的 wx,与 getfacl 输出中的 `-wx` 一致)

 

[root@serv01 learning]# setfacl -m u:linux01:rwx data/

[root@serv01 learning]# setfacl -m u:linux02:rwx data/

[root@serv01 learning]# setfacl -m u:oracle01:rwx data/

[root@serv01 learning]# setfacl -m u:oracle02:rwx data/

[root@serv01 learning]# setfacl -m u:oracle01:wx data/

[root@serv01 learning]# setfacl -m u:oracle02:wx data/

[root@serv01 learning]# setfacl -m u:uplook01:r data/

[root@serv01 learning]# setfacl -m u:uplook02:r data/



#查看data目录的权限

[root@serv01 learning]# getfacl data

# file: data

# owner: root

# group: root

user::rwx

user:linux01:rwx

user:linux02:rwx

user:oracle01:-wx

user:oracle02:-wx

user:uplook01:r--

user:uplook02:r--

group::r-x

mask::rwx

other::r-x



#再次查看data目录的权限(权限位末尾的 + 表示存在扩展ACL;此时 ls 显示的组权限位是 mask 的值,而不是属组 group:: 的实际权限)

[root@serv01 learning]# ll data/ -d

drwxrwxr-x+ 2 root root 4096 Sep 20 23:31 data/

 

 

第六步 验证

 

#以linux01用户登录,发现对data目录可写、可读、可执行

[root@larrywen /]# ssh [email protected]

[email protected]'s password:

Welcome to zhink learn

 

[linux01@serv01 learning]$ cd data

[linux01@serv01 data]$ ll

total 0

[linux01@serv01 data]$ touch file

[linux01@serv01 data]$ ls

file

 

#以oracle01用户登录,发现对data目录可写、可执行,没有读的权限

[root@larrywen /]# [email protected]

[oracle01@serv01 ~]$ cd /home/learning/data/

[oracle01@serv01 data]$ ll

ls: cannot open directory .: Permission denied

[oracle01@serv01 data]$ touch file2

[oracle01@serv01 data]$ rm -f file2

 

#以uplook01用户登录,发现对data目录只具有读的权限(目录没有 x 权限,所以能列出文件名,但不能进入目录,也不能读取其中的文件)

[root@larrywen /]# [email protected]

[email protected]'s password:

Welcome to zhink learn

[uplook01@serv01 ~]$ cd /home/learning/data

-bash: cd: /home/learning/data: Permission denied

[uplook01@serv01 ~]$ cat /home/learning/data/test.txt

cat: /home/learning/data/test.txt: Permission denied

[uplook01@serv01 ~]$ ls /home/learning/data/

ls: cannot access /home/learning/data/file: Permission denied

ls: cannot access /home/learning/data/test.txt: Permission denied

file test.txt

 


第七步 以组的形式进行权限分配

 

#修改创建的六个用户到对应的组,比如linux01、linux02到linux组,以此类推

[root@serv01 learning]# usermod -g linux linux01

[root@serv01 learning]# usermod -g linux linux02

[root@serv01 learning]# usermod -g oracle oracle01

[root@serv01 learning]# usermod -g oracle oracle02

[root@serv01 learning]# usermod -g uplook uplook01

[root@serv01 learning]# usermod -g uplook uplook02

 

#以组的形式进行权限分配

[root@serv01 learning]# setfacl -m g:linux:rwx data/

[root@serv01 learning]# setfacl -m g:oracle:wx data/

[root@serv01 learning]# setfacl -m g:uplook:r data/

[root@serv01 learning]# getfacl data

# file: data

# owner: root

# group: root

user::rwx

user:linux01:rwx

user:linux02:rwx

user:oracle01:-wx

user:oracle02:-wx

user:uplook01:r--

user:uplook02:r--

group::r-x

group:oracle:-wx

group:linux:rwx

group:uplook:r--

mask::rwx

other::r-x

 

 

三 setfacl的其他使用方法

 

#获得文件权限控制

[root@serv01 learning]# getfacl data

# file: data

# owner: root

# group: root

user::rwx

user:linux01:rwx

user:linux02:rwx

user:oracle01:-wx

user:oracle02:-wx

user:uplook01:r--

user:uplook02:r--

group::r-x

group:oracle:-wx

group:linux:rwx

group:uplook:r--

mask::rwx

other::r-x

 

#修改mask m参数(mask 是所有命名用户、命名组以及属组 group:: 权限的上限,超出 mask 的部分不生效,getfacl 会在 #effective: 中显示实际有效权限)

[root@serv01 learning]# setfacl -m m:r data/

[root@serv01 learning]# getfacl data

# file: data

# owner: root

# group: root

user::rwx

user:linux01:rwx        #effective:r--

user:linux02:rwx        #effective:r--

user:oracle01:-wx             #effective:---

user:oracle02:-wx             #effective:---

user:uplook01:r--

user:uplook02:r--

group::r-x                   #effective:r--

group:oracle:-wx        #effective:---

group:linux:rwx                 #effective:r--

group:uplook:r--

mask::r--

other::r-x

 

#设置mask的值 m参数

[root@serv01 learning]# setfacl -m m:rwx data/

[root@serv01 learning]# getfacl data/

# file: data/

# owner: root

# group: root

user::rwx

user:linux01:rwx

user:linux02:rwx

user:oracle01:-wx

user:oracle02:-wx

user:uplook01:r--

user:uplook02:r--

group::r-x

group:oracle:-wx

group:linux:rwx

group:uplook:r--

mask::rwx

other::r-x

 

#取消权限 -x

[root@serv01 learning]# setfacl -x g:linux data/

[root@serv01 learning]# getfacl data/

# file: data/

# owner: root

# group: root

user::rwx

user:linux01:rwx

user:linux02:rwx

user:oracle01:-wx

user:oracle02:-wx

user:uplook01:r--

user:uplook02:r--

group::r-x

group:oracle:-wx

group:uplook:r--

mask::rwx

other::r-x

 

#移除所有的文件权限控制 -b

[root@serv01 learning]# setfacl -b data/

[root@serv01 learning]# getfacl data/

# file: data/

# owner: root

# group: root

user::rwx

group::r-x

other::r-x

 

setfacl -m u:用户名:rwx data/    或    setfacl -m g:组名:rwx data/

setfacl -m m:rwx data/

setfacl -x u:用户名 data/    或    setfacl -x g:组名 data/

setfacl -b data/

getfacl data/

 

#文件权限可以复制,通过getfacl和setfacl控制

[root@larrywen soft]# setfacl --help

setfacl 2.2.49 -- set file access control lists

Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...

  -m, --modify=acl        modify the current ACL(s) of file(s)

  -M, --modify-file=file  read ACL entries to modify from file

  -x, --remove=acl        remove entries from the ACL(s) of file(s)

  -X, --remove-file=file  read ACL entries to remove from file

  -b, --remove-all        remove all extended ACL entries

  -k, --remove-default    remove the default ACL

      --set=acl           set the ACL of file(s), replacing the current ACL

      --set-file=file     read ACL entries to set from file

      --mask              do recalculate the effective rights mask

  -n, --no-mask           don't recalculate the effective rights mask

  -d, --default           operations apply to the default ACL

  -R, --recursive         recurse into subdirectories

  -L, --logical           logical walk, follow symbolic links

  -P, --physical          physical walk, do not follow symbolic links

      --restore=file      restore ACLs (inverse of `getfacl -R')

      --test              test mode (ACLs are not modified)

  -v, --version           print version and exit

  -h, --help              this help text

 

[root@serv01 test]# touch aa01.txt

[root@serv01 test]# getfacl aa01.txt

# file: aa01.txt

# owner: root

# group: root

user::rw-

group::r--

other::r--

[root@serv01 test]# setfacl -m g:linux:rwx aa01.txt

[root@serv01 test]# getfacl aa01.txt

# file: aa01.txt

# owner: root

# group: root

user::rw-

group::r--

group:linux:rwx

mask::rwx

other::r--

 

[root@serv01 test]# touch bb01.txt

[root@serv01 test]# getfacl bb01.txt

# file: bb01.txt

# owner: root

# group: root

user::rw-

group::r--

other::r--

 

[root@serv01 test]# getfacl aa01.txt|setfacl --set-file=- bb01.txt

[root@serv01 test]# getfacl bb01.txt

# file: bb01.txt

# owner: root

# group: root

user::rw-

group::r--

group:linux:rwx

mask::rwx

other::r--

 


我的邮箱[email protected]  新浪微博@Wentasy27

  微信公众平台:JustOracle(微信号:justoracle)

  数据库技术交流群:336882565(加群时验证 From CSDN XXX)

  Oracle交流讨论组https://groups.google.com/d/forum/justoracle

  By Larry Wen

