1. Fine-grained control of file access permissions with ACLs
An ACL adds permission entries for specific named users and groups on top of the ordinary owner/group/other bits.
getfacl shows a file's ACL.
setfacl changes a named user's access to a file. The first -m that adds a named entry also creates a mask:: entry, computed as the union of the owning group's permissions and all named entries (here -w- and r-x give rwx):
[root@clz tmp]# setfacl -m u:redhat:r-x a1
[root@clz tmp]# getfacl a1
# file: a1
# owner: root
# group: root
user::-wx
user:redhat:r-x
group::-w-
mask::rwx
other::--x
Remove a named user's entry:
[root@clz tmp]# setfacl -x u:redhat a1
If the user field is left empty (u::perms), setfacl does not target a named user at all: it changes the file owner's own entry, i.e. the owner bits of the mode. The same holds for g::perms (owning group) and o::perms (other).
The mask caps the effective permissions of every named user, every named group and the owning group, but not the owner (user::) or other. Lowering the mask therefore silently cuts those entries back, and getfacl flags this with #effective:. Because setfacl -m recalculates the mask (unless -n is given) whenever it adds or changes one of those entries, simply re-setting a user's entry raises the mask again and the restriction disappears. Note also that only the file's owner (or root) may change a file's ACL, which is why tom's attempt fails:
[tom@clz tmp]$ setfacl -m m::r a1
setfacl: a1: Operation not permitted
[root@clz tmp]# setfacl -m m::r a1
[root@clz tmp]# getfacl a1
# file: a1
# owner: root
# group: root
user::-wx
group::-w-              #effective:---
mask::r--
other::--x
[root@clz tmp]# getfacl passwd
# file: passwd
# owner: root
# group: root
user::rwx
user:tom:rwx            #effective:r-x
group::r--
mask::r-x
other::r-x
[root@clz tmp]# setfacl -m u:tom:rwx passwd
[root@clz tmp]# getfacl passwd
# file: passwd
# owner: root
# group: root
user::rwx
user:tom:rwx
group::r--
mask::rwx
other::r-x
Set an entry for a named group:
[root@clz tmp]# setfacl -m g:redhat:rwx passwd
[root@clz tmp]# getfacl passwd
# file: passwd
# owner: root
# group: root
user::rw-
group::r--
group:redhat:rwx
mask::rwx
other::r--
Set the other entry:
[root@clz tmp]# setfacl -m o::r-x passwd
[root@clz tmp]# getfacl passwd
# file: passwd
# owner: root
# group: root
user::rw-
group::r--
group:redhat:rwx
mask::rwx
other::r-x
Give a directory a default ACL so that objects created inside it inherit entries (the d: prefix marks a default entry). Note that a new file's user::, mask:: and other:: entries are ANDed with the creation mode: touch creates with 0666, so the inherited mask rwx becomes rw- and redhat's rwx is reported with #effective:rw-. The umask is not applied when a default ACL is present.
[root@clz tmp]# setfacl -m d:u:redhat:rwx xx/
[root@clz tmp]# cd xx
[root@clz xx]# touch cc
[root@clz xx]# getfacl cc
# file: cc
# owner: root
# group: root
user::rw-
user:redhat:rwx         #effective:rw-
group::r-x              #effective:r--
mask::rw-
other::r--
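To make the two rules shown above checkable, the mask/#effective: behaviour from the passwd and a1 transcripts and the default-ACL inheritance from the xx/ transcript, here is an added emulator in Python. It is not code from the page or from the acl package: it parses getfacl's long output, applies the mask the way getfacl does, recalculates the mask the way setfacl -m/-x do, and derives a new file's ACL from a directory's default ACL per acl(5). The entry tuple layout, the function names and the sample getfacl text are this example's own; the rule that setfacl drops the mask entry once no named entries remain is an assumption about setfacl's behaviour and is marked as such in the code.

```python
"""Emulate the POSIX ACL rules behind the transcripts above: how the mask yields
getfacl's '#effective:' column, how `setfacl -m`/`-x` recalculate the mask, and
how a directory's default ACL is inherited by a new file.  Added example, not
code from the page or the acl package; the sample getfacl text at the bottom is
constructed to match the page's transcripts."""

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))
ORDER = {"user": 0, "group": 2, "mask": 4, "other": 5}  # getfacl print order
SHORT = {"u": "user", "g": "group", "m": "mask", "o": "other"}

def parse_perms(text):  # 'r-x' -> 5
    return sum(bit for ch, bit in PERM_BITS if ch in text)

def fmt_perms(n):  # 5 -> 'r-x'
    return "".join(ch if n & bit else "-" for ch, bit in PERM_BITS)

def parse_getfacl(text):
    """getfacl long output -> [(tag, qualifier, perms, is_default)]; comment
    lines and '#effective:' annotations are derived data and are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        is_default = line.startswith("default:")
        tag, qual, perms = (line[8:] if is_default else line).split(":")
        entries.append((tag, qual, parse_perms(perms), is_default))
    return entries

def _masked(tag, qual):  # the entries a mask applies to
    return tag == "group" or (tag == "user" and qual != "")

def _mask_of(entries, is_default):
    return next((p for t, _, p, d in entries if t == "mask" and d == is_default), None)

def effective(entries):
    """Effective rights as getfacl computes them: user:: and other:: are never
    masked; owning group, named users and named groups are ANDed with the mask."""
    out = {}
    for tag, qual, perms, d in entries:
        mask = _mask_of(entries, d)
        out[(tag, qual, d)] = perms & mask if _masked(tag, qual) and mask is not None else perms
    return out

def _recalc_mask(entries, is_default):
    """setfacl -m / -x (without -n) rebuild the mask as the union of all masked
    entries of the class.  Assumed: the mask entry is dropped once no named
    entries remain in that class."""
    kept = [e for e in entries if not (e[0] == "mask" and e[3] == is_default)]
    same = [e for e in kept if e[3] == is_default and _masked(e[0], e[1])]
    if any(e[1] for e in same):  # at least one named entry remains
        union = 0
        for e in same:
            union |= e[2]
        kept.append(("mask", "", union, is_default))
    return kept

def setfacl(entries, spec, remove=False, is_default=False):
    """Emulate `setfacl -m [d:]tag:qual:perms` or, with remove=True,
    `setfacl -x [d:]tag:qual`; the tag may be abbreviated u/g/m/o."""
    tag, qual, perms = (spec.split(":") + [""])[:3]
    tag = SHORT.get(tag, tag)
    new = [e for e in entries if (e[0], e[1], e[3]) != (tag, qual, is_default)]
    if not remove:
        new.append((tag, qual, parse_perms(perms), is_default))
        if tag == "mask":  # an explicitly set mask is kept as given
            return new
    return _recalc_mask(new, is_default)

def create_in_dir(dir_entries, mode=0o666):
    """New file in a directory with a default ACL, per acl(5): the default entries
    become its access ACL, the umask is ignored, and user::, the group class (mask
    if present, else group::) and other:: are ANDed with the creation mode's rwx
    triples.  Named entries are untouched, hence a reduced '#effective:'."""
    defaults = [e for e in dir_entries if e[3]]
    if not defaults:
        return None  # no default ACL: ordinary mode & ~umask rules, not modelled
    has_mask = _mask_of(defaults, True) is not None
    access = []
    for tag, qual, perms, _ in defaults:
        if tag == "user" and qual == "":
            perms &= (mode >> 6) & 7
        elif tag == "other":
            perms &= mode & 7
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            perms &= (mode >> 3) & 7
        access.append((tag, qual, perms, False))
    return access

def _order(e):  # default entries last; user::, named users, group::, named groups, mask, other
    return (e[3], ORDER[e[0]] + bool(e[1]), e[1])

def format_acl(entries):
    """Render like getfacl: canonical order, '#effective:' where the mask bites."""
    eff = effective(entries)
    lines = []
    for tag, qual, perms, d in sorted(entries, key=_order):
        line = ("default:" if d else "") + f"{tag}:{qual}:{fmt_perms(perms)}"
        if eff[(tag, qual, d)] != perms:
            line += f"\t\t#effective:{fmt_perms(eff[(tag, qual, d)])}"
        lines.append(line)
    return "\n".join(lines)

# Constructed inputs matching the page's transcripts (not captured output).
PASSWD_BEFORE = "user::rwx\nuser:tom:rwx\t\t#effective:r-x\ngroup::r--\nmask::r-x\nother::r-x\n"
DIR_XX = ("user::rwx\ngroup::r-x\nother::r-x\ndefault:user::rwx\ndefault:user:redhat:rwx\n"
          "default:group::r-x\ndefault:mask::rwx\ndefault:other::r-x\n")

if __name__ == "__main__":
    print(format_acl(setfacl(parse_getfacl(PASSWD_BEFORE), "u:tom:rwx")))  # mask rises to rwx
    print(format_acl(create_in_dir(parse_getfacl(DIR_XX))))               # redhat #effective:rw-
```

Running it reproduces the two transcripts: re-setting u:tom:rwx lifts the mask from r-x to rwx and the #effective: annotation vanishes, and a file created under xx/ gets mask::rw- and other::r-- from the 0666 creation mode while user:redhat:rwx survives but is capped to rw-. The same functions let you pass a directory's default ACL through setfacl(..., is_default=True) to see what a later -x d:u:redhat leaves behind.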
Remove a single default entry. The remaining default entries stay in place and the default mask is recalculated; to drop the whole default ACL use setfacl -k xx/ instead:
[root@clz tmp]# setfacl -x d:u:redhat xx/
[root@clz tmp]# getfacl xx/
# file: xx/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::r-x
Copy one file's ACL to another file (--set-file replaces the target's ACL with the entries read from the file, or from standard input when given -):
[root@clz tmp]# getfacl passwd | setfacl --set-file=- ens38
[root@clz tmp]# getfacl ens38
# file: ens38
# owner: root
# group: root
user::rw-
group::r--
group:redhat:rwx
mask::rwx
other::r-x
[root@clz tmp]# getfacl passwd
# file: passwd
# owner: root
# group: root
user::rw-
group::r--
group:redhat:rwx
mask::rwx
other::r-x
[root@clz tmp]# getfacl setuid.txt
# file: setuid.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
The -M option also reads entries from a file, or from standard input when its argument is - (written as -M- or -M -). Unlike --set-file, which replaces the ACL, -M merges the entries into the target's existing ACL:
[root@clz tmp]# getfacl passwd | setfacl -M- setuid.txt
[root@clz tmp]# getfacl setuid.txt
# file: setuid.txt
# owner: root
# group: root
user::rwx
user:tom:rwx
group::r--
mask::rwx
other::r-x
The -b option removes all extended ACL entries (named users, named groups, the mask and the default ACL), leaving only the base owner/group/other entries:
[root@clz tmp]# setfacl -b passwd
EXAMPLES (from the setfacl man page)
Granting an additional user read access
    setfacl -m u:lisa:r file
Revoking write access from all groups and all named users (using the effective rights mask)
    setfacl -m m::rx file
Removing a named group entry from a file's ACL
    setfacl -x g:staff file
Copying the ACL of one file to another
    getfacl file1 | setfacl --set-file=- file2
Copying the access ACL into the Default ACL
    getfacl --access dir | setfacl -d -M- dir