2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many newcomers are not clear on how ACL access control works. To help with that, this article explains it in detail for anyone who needs it.
Under ordinary permissions, a Linux user has one of only three identities with respect to a file: owner, group, or others. Each identity has three permissions: read, write, and execute. In practical work, however, these three identities are often not enough. Here is an example.
In figure 1, there is a /project directory in the root directory, which is the project directory of the class. Every student in the class can access and modify the directory, and the teacher also needs to access and modify it. Students in other classes, of course, must not be able to access the directory. How do you plan the permissions for this directory? It should be like this: the teacher uses the root user, which is the owner of the directory with permission rwx; all students in the class join the tgroup group, which is the group of the /project directory with permission rwx; the permission for others is set to 0. In this way, the permissions of this directory meet the requirements of our project development.
One day, an audition student, st, came to the class. She must be able to access the /project directory, so she must have r and x permissions on it. But she has not studied the previous courses, so she cannot be given w permission, for fear that she changes the contents of the directory incorrectly. The permission of student st should therefore be r-x. But which identity should she be assigned? Make her the owner? Of course not; where would root go then? Add her to the tgroup group? No, because the permission of the tgroup group is rwx, and we require that the permission of student st is r-x. What if the permissions of others are changed to r-x? Then all students in other classes could access the /project directory.
When this happens, the three identities of ordinary permissions are not enough. ACL permissions are designed to solve this problem. When ACL permissions are used to grant access to user st, st is neither the owner nor a member of the group of the /project directory; the user st is simply given r-x permission on this directory. This is similar to the way permissions are assigned in Windows systems, where a specific user is named and given specific permissions, which solves the problem of not having enough user identities.
ACL is an acronym for Access Control List. In Linux systems, ACLs are used to set user permissions on files; this is different from the feature of the same name on switches and routers, which controls data access (similar to a firewall).
Enable ACL permissions
In CentOS 6.x systems, ACL permissions are enabled by default and do not need to be turned on manually. However, if your operating system is not CentOS 6.x, how do you check to see if ACL permissions are enabled? You can view it like this:
[root@localhost ~]# mount
/dev/sda1 on /boot type ext4 (rw)
/dev/sda3 on / type ext4 (rw)
... part of the output omitted ...
# the mount command shows the partitions mounted on the system, but it does not show the ACL setting
[root@localhost ~]# dumpe2fs -h /dev/sda3
# dumpe2fs is a command that queries the file system details of a specified partition
... part of the output omitted ...
Default mount options: user_xattr acl
... part of the output omitted ...
The options of the dumpe2fs command and their meanings are as follows:
-h: displays only the information in the super block, not the details of the disk block groups
The mount command lets you see the mounted partitions on the system, while the dumpe2fs command lets you see the details of a partition's file system. As you can see, acl is among the default mount options of the /dev/sda3 partition, so there is no need to enable it manually.
But if ACL is not enabled by default on my Linux system, can I enable it manually? Of course. Execute the following command:
[root@localhost ~]# mount -o remount,acl /
# remount the root partition and add ACL permission
This uses the mount command to remount the partition with ACL permissions added. However, the effect of this command is temporary. To make it permanent, you need to modify the /etc/fstab file as follows:
[root@localhost ~]# vi /etc/fstab
UUID=c2ca6f57-b15c-43ea-bca0-f239083d8bd2 / ext4 defaults,acl 1 1
# add ACL permission
[root@localhost ~]# mount -o remount /
# remount the file system or restart the system to make the changes take effect
On the line of the partition where you need to enable ACL permissions (ACL permissions are enabled per partition), manually add ",acl" after defaults to permanently enable ACL permissions on this partition.
ACL permission Settings
(1) ACL rights management command
Now that we know what ACL permissions do and how to turn them on, let's learn how to view and set ACL permissions. The commands are as follows:
[root@localhost ~]# getfacl file name
# view ACL permissions
[root@localhost ~]# setfacl option file name
# set ACL permissions
Options:
-m: set ACL permissions. To give a user ACL permissions, use the format "u:user name:permissions"; to give a group ACL permissions, use the format "g:group name:permissions".
-x: removes the specified ACL permission
-b: remove all ACL permissions
-d: set default ACL permissions. Takes effect only for directories, which means that newly created files in the directory have this default permission
-k: delete the default ACL permission
-R: recursively set ACL permissions. Means that the set ACL permissions will take effect on all child files in the directory
(2) add ACL permissions to users and user groups
As an example, let's see how the permissions in figure 1 are assigned. We require that root is the owner of the /project directory with permission rwx; tgroup is the group of this directory, the tgroup group contains the class students zhangsan and lisi, and its permission is rwx; the permission of others is 0. Then the audition student st arrives, and her permission is r-x. Let's look at the specific commands.
[root@localhost ~]# useradd zhangsan
[root@localhost ~]# useradd lisi
[root@localhost ~]# useradd st
[root@localhost ~]# groupadd tgroup
# add the users and user group needed for the test; the process of setting passwords is omitted
[root@localhost ~]# mkdir /project # create the directory to which permissions will be assigned
[root@localhost ~]# chown root:tgroup /project/
# change the owner and group of the /project directory
[root@localhost ~]# chmod 770 /project/
# specify the permissions of the /project directory
[root@localhost ~]# ll -d /project/
drwxrwx--- 2 root tgroup 4096 January 19 04:21 /project/
# check the permissions; they already meet the requirements
# then the student st comes to audition; how do we assign permissions to her?
[root@localhost ~]# setfacl -m u:st:rx /project/
# give the user st r-x permission, using the format "u:user name:permissions"
[root@localhost /]# cd /
[root@localhost /]# ll -d project/
drwxrwx---+ 3 root tgroup 4096 January 19 05:20 project/
# when querying with ls -l, you will find that a "+" is added after the permission bits, indicating that this directory has ACL permissions
[root@localhost /]# getfacl project
# view the ACL permissions of the /project directory
# file: project
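As an added example (not part of the original article), the shell function below reads getfacl-style text and works out which permissions a given user ends up with, checking owner, then named user, then groups, then others. The listing in SAMPLE_ACL is constructed for the /project scenario and includes a mask entry, which the article does not cover; the names acl_effective and SAMPLE_ACL are assumptions of this example.

```shell
#!/bin/sh
# Constructed getfacl-style listing for the /project scenario
# (not output captured from the article's system).
SAMPLE_ACL='# file: project
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx
mask::rwx
other::---'

# acl_effective USER "GROUP1 GROUP2 ..."   (getfacl text on stdin)
# Prints the rwx string granted by the first matching class:
# owner -> named user -> owning/named groups -> other.
acl_effective() {
    awk -v who="$1" -v grps="$2" '
    # AND of two rwx strings, per bit (used to apply the mask entry).
    function band(a, b,   i, o) {
        for (i = 1; i <= 3; i++)
            o = o ((substr(a,i,1) != "-" && substr(b,i,1) != "-") ? substr(a,i,1) : "-")
        return o
    }
    # OR of two rwx strings, per bit (union over matching group entries).
    function bor(a, b,   i, o) {
        for (i = 1; i <= 3; i++)
            o = o (substr(a,i,1) != "-" ? substr(a,i,1) : substr(b,i,1))
        return o
    }
    BEGIN { n = split(grps, g, " "); for (i = 1; i <= n; i++) ing[g[i]] = 1
            mask = "rwx"; grp = "---"; FS = ":" }
    /^# owner: / { owner  = substr($0, 10); next }
    /^# group: / { ogroup = substr($0, 10); next }
    /^#/ || NF < 3 { next }
    { sub(/[ \t]+#.*/, "", $3) }               # drop trailing "#effective" notes
    $1 == "user"  && $2 == ""  { uobj = $3 }   # owner entry
    $1 == "user"  && $2 == who { named = $3; hasnamed = 1 }
    $1 == "group" && (($2 == "" && (ogroup in ing)) || ($2 != "" && ($2 in ing))) {
        grp = bor(grp, $3); ingrp = 1 }
    $1 == "mask"  { mask = $3 }
    $1 == "other" { oth = $3 }
    END {
        if (who == owner)  print uobj               # owner is never masked
        else if (hasnamed) print band(named, mask)  # named user, limited by mask
        else if (ingrp)    print band(grp, mask)    # group class, limited by mask
        else               print oth
    }'
}

printf '%s\n' "$SAMPLE_ACL" | acl_effective st "st"   # prints r-x
```

On a real system the same function can be fed from `getfacl /project`, which makes it easy to review what a "+" in the ls -l output actually grants to each account.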