有以下需求,通过setfacl命令实现
一组用户可写可读可执行,一组用户可写可执行,另一组用户只可读
linux rwx
oracle wx
uplook r
第一步 添加六个用户linux01、linux02、oracle01、oracle02、uplook01、uplook02
[root@serv01 learning]# useradd linux01 [root@serv01 learning]# useradd linux02 [root@serv01 learning]# useradd oracle01 [root@serv01 learning]# useradd oracle02 [root@serv01 learning]# useradd uplook01 [root@serv01 learning]# useradd uplook02
第二步 分别设置密码
[root@serv01 learning]# passwd linux01 [root@serv01 learning]# passwd linux02 [root@serv01 learning]# passwd oracle01 [root@serv01 learning]# passwd oracle02 [root@serv01 learning]# passwd uplook01 [root@serv01 learning]# passwd uplook02
第三步 添加三个组oracle、linux、uplook
[root@serv01 learning]# groupadd oracle [root@serv01 learning]# groupadd linux [root@serv01 learning]# groupadd uplook
第四步 查看data目录的权限
[root@serv01 learning]# ll data -d drwxr-xr-x. 2 root root 4096 Sep 20 23:31data
第五步 实现功能‘
[root@serv01 learning]# setfacl -m u:linux01:rwx data/ [root@serv01 learning]# setfacl -m u:linux02:rwx data/ [root@serv01 learning]# setfacl -m u:oracle01:rwx data/ [root@serv01 learning]# setfacl -m u:oracle02:rwx data/ [root@serv01 learning]# setfacl -m u:oracle01:wx data/ [root@serv01 learning]# setfacl -m u:oracle02:wx data/ [root@serv01 learning]# setfacl -m u:uplook01:r data/ [root@serv01 learning]# setfacl -m u:uplook02:r data/ #查看data目录的权限 [root@serv01 learning]# getfacl data # file: data # owner: root # group: root user::rwx user:linux01:rwx user:linux02:rwx user:oracle01:-wx user:oracle02:-wx user:uplook01:r-- user:uplook02:r-- group::r-x mask::rwx other::r-x #再次查看data目录的权限 [root@serv01 learning]# ll data/ -d drwxrwxr-x+ 2 root root 4096 Sep 20 23:31 data/
第六步 验证
#以linux01用户登录,发现对data目录可写、可读、可执行 [root@larrywen /]# ssh [email protected] [email protected]'s password: Welcome to zhink learn [linux01@serv01 learning]$ cd data [linux01@serv01 data]$ ll total 0 [linux01@serv01 data]$ touch file [linux01@serv01 data]$ ls file #以oracle01用户登录,发现对data目录可写、可执行,没有读的权限 [root@larrywen /]# [email protected] [oracle01@serv01 ~]$ cd/home/learning/data/ [oracle01@serv01 data]$ ll ls: cannot open directory .: Permissiondenied [oracle01@serv01 data]$ touch file2 [oracle01@serv01 data]$ rm -f file2 #以uplook01用户登录,发现对data目录值具有读的权限 [root@larrywen /]# [email protected] [email protected]'s password: Welcome to zhink learn [uplook01@serv01 ~]$ cd /home/learning/data -bash: cd: /home/learning/data: Permissiondenied [uplook01@serv01 ~]$ cat/home/learning/data/test.txt cat: /home/learning/data/test.txt:Permission denied [uplook01@serv01 ~]$ ls/home/learning/data/ ls: cannot access /home/learning/data/file:Permission denied ls: cannot access /home/learning/data/test.txt:Permission denied file test.txt
第七步 以组的形式进行权限分配
#修改创建的六个用户到对应的组,比如linux01、linux02到linux组,以此类推 [root@serv01 learning]# usermod -g linuxlinux01 [root@serv01 learning]# usermod -g linuxlinux02 [root@serv01 learning]# usermod -g oracleoracle01 [root@serv01 learning]# usermod -g oracleoracle02 [root@serv01 learning]# usermod -g uplookuplook01 [root@serv01 learning]# usermod -g uplookuplook02 #以组的形式进行权限分配 [root@serv01 learning]# setfacl -mg:linux:rwx data/ [root@serv01 learning]# setfacl -m g:oracle:wxdata/ [root@serv01 learning]# setfacl -mg:uplook:r data/ [root@serv01 learning]# getfacl data # file: data # owner: root # group: root user::rwx user:linux01:rwx user:linux02:rwx user:oracle01:-wx user:oracle02:-wx user:uplook01:r-- user:uplook02:r-- group::r-x group:oracle:-wx group:linux:rwx group:uplook:r-- mask::rwx other::r-x
#获得文件权限控制 [root@serv01 learning]# getfacl data # file: data # owner: root # group: root user::rwx user:linux01:rwx user:linux02:rwx user:oracle01:-wx user:oracle02:-wx user:uplook01:r-- user:uplook02:r-- group::r-x group:oracle:-wx group:linux:rwx group:uplook:r-- mask::rwx other::r-x #修改mask m参数 [root@serv01 learning]# setfacl -m m:rdata/ [root@serv01 learning]# getfacl data # file: data # owner: root # group: root user::rwx user:linux01:rwx #effective:r-- user:linux02:rwx #effective:r-- user:oracle01:-wx #effective:--- user:oracle02:-wx #effective:--- user:uplook01:r-- user:uplook02:r-- group::r-x #effective:r-- group:oracle:-wx #effective:--- group:linux:rwx #effective:r-- group:uplook:r-- mask::r-- other::r-x #设置mask的值 m参数 [root@serv01 learning]# setfacl -m m:rwxdata/ [root@serv01 learning]# getfacl data/ # file: data/ # owner: root # group: root user::rwx user:linux01:rwx user:linux02:rwx user:oracle01:-wx user:oracle02:-wx user:uplook01:r-- user:uplook02:r-- group::r-x group:oracle:-wx group:linux:rwx group:uplook:r-- mask::rwx other::r-x #取消权限 -x [root@serv01 learning]# setfacl -x g:linuxdata/ [root@serv01 learning]# getfacl data/ # file: data/ # owner: root # group: root user::rwx user:linux01:rwx user:linux02:rwx user:oracle01:-wx user:oracle02:-wx user:uplook01:r-- user:uplook02:r-- group::r-x group:oracle:-wx group:uplook:r-- mask::rwx other::r-x #移除所有的文件权限控制 -b [root@serv01 learning]# setfacl -b data/ [root@serv01 learning]# getfacl data/ # file: data/ # owner: root # group: root user::rwx group::r-x other::r-x setfacl -m ug:user group:rwx data/ setfacl -m m:rwx data/ setfacl -x ug:user group data/ setfacl -b data/ getfacl data/ #文件权限可以复制,通过getfacl和setfacl控制 [root@larrywen soft]# setfacl --help setfacl 2.2.49 -- set file access controllists Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ...} file ... -m,--modify=acl modify the currentACL(s) of file(s) -M,--modify-file=file read ACL entries tomodify from file -x,--remove=acl remove entries fromthe ACL(s) of file(s) -X,--remove-file=file read ACL entries toremove from file -b,--remove-all remove all extendedACL entries -k,--remove-default remove the defaultACL --set=acl set the ACL offile(s), replacing the current ACL --set-file=file read ACLentries to set from file --mask do recalculatethe effective rights mask -n,--no-mask don't recalculate theeffective rights mask -d,--default operations apply tothe default ACL -R,--recursive recurse intosubdirectories -L,--logical logical walk, followsymbolic links -P,--physical physical walk, do notfollow symbolic links --restore=file restore ACLs(inverse of `getfacl -R') --test test mode(ACLs are not modified) -v,--version print version andexit -h,--help this help text [root@serv01 test]# touch aa01.txt [root@serv01 test]# getfacl aa01.txt # file: aa01.txt # owner: root # group: root user::rw- group::r-- other::r-- [root@serv01 test]# setfacl -m g:linux:rwxaa01.txt [root@serv01 test]# getfacl aa01.txt # file: aa01.txt # owner: root # group: root user::rw- group::r-- group:linux:rwx mask::rwx other::r-- [root@serv01 test]# touch bb01.txt [root@serv01 test]# getfacl bb01.txt # file: bb01.txt # owner: root # group: root user::rw- group::r-- other::r-- [root@serv01 test]# getfacl aa01.txt|setfacl --set-file=- bb01.txt [root@serv01 test]# getfacl bb01.txt # file: bb01.txt # owner: root # group: root user::rw- group::r-- group:linux:rwx mask::rwx other::r--
我的邮箱:[email protected] 新浪微博:@Wentasy27 微信公众平台:JustOracle(微信号:justoracle) 数据库技术交流群:336882565(加群时验证 From CSDN XXX) Oracle交流讨论组:https://groups.google.com/d/forum/justoracle By Larry Wen
@Wentasy 博文仅供参考,欢迎大家来访。如有错误之处,希望批评指正。原创博文如需转载请注明出处,谢谢 :) [CSDN博客] |