How to set a user's permission to access a specified file / directory with ACL

2025-02-28 Update From: SLTechnology News&Howtos

This article explains how to use ACLs to set a user's access to a specified file or directory.

Linux has the following default permissions for files and directories.

File -> 644 -> -rw-r--r-- (the owner has read-write permission, group members have read-only permission, and others only have read permission)

Directory -> 755 -> drwxr-xr-x (owner has read, write and execute permissions, group members have read and execute permissions, others also have read and execute permissions)

For example, by default, owners can access and edit files in their own home directory, and they can access files belonging to the same group, but they cannot modify those files because group members do not have write permission. It is also unwise to give group members write permission. For the same reason, a user cannot modify other people's files. However, in some cases, what if multiple users want to modify the same file?

Suppose there is a user named magi who wants to modify the httpd.conf file. This file is owned by the root user, so how do you authorize it? The Access Control List (ACL) was created to solve this situation.

What is ACL?

ACL stands for Access Control List. It provides an additional, more flexible permission mechanism for the file system and is designed to supplement the UNIX file permissions mechanism. ACL allows you to give any user / group access to a resource. The setfacl and getfacl commands will help you manage ACL without any hassle.

What is setfacl?

setfacl is used to set the ACL of files and directories.

What is getfacl?

getfacl gets the ACL of a file. For each file, getfacl displays the file name, file owner, group, and ACL. If the directory has a default ACL, getfacl will also display this default ACL.

How do I confirm that ACL is enabled?

Run the tune2fs command to check if ACL is enabled.

# tune2fs -l /dev/sdb1 | grep options
Default mount options:    (none)

The above output clearly states that the /dev/sdb1 partition does not have ACL enabled.

If acl is not listed in the result, you need to add acl to the mount options. For it to take effect, modify the /app line in /etc/fstab to look like this:

# more /etc/fstab
UUID=f304277d-1063-40a2-b9dc-8bcf30466a03 / ext4 defaults 1 1
/dev/sdb1 /app ext4 defaults,acl 1 1

Alternatively, you can add it to the super block of the file system using the following command:

# tune2fs -o +acl /dev/sdb1

Now, dynamically modify the options by running the following command:

# mount -o remount,acl /app

Run the tune2fs command again to see if there is acl in the options:

# tune2fs -l /dev/sdb1 | grep options
Default mount options:    acl

Well, now there is an ACL option on the /dev/sdb1 partition.

How to view the default ACL value

To see the default ACL values for files and directories, you can use the getfacl command followed by a file path or directory path. Note that when you run the getfacl command against a non-ACL file / directory, the additional user and mask parameter values are not displayed.

# getfacl /etc/apache2/apache2.conf
# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
group::r--
other::r--

How to set up ACL for a file

Running the setfacl command in the following format sets the ACL for the specified file. In the following example, we will give the magi user rwx permission on the /etc/apache2/apache2.conf file.

# setfacl -m u:magi:rwx /etc/apache2/apache2.conf

Analyze it carefully:

setfacl: command

-m: modify the current ACL of the file

u: indicates the user

magi: user name

rwx: permissions to set

/etc/apache2/apache2.conf: file name

Check the new ACL value again:

# getfacl /etc/apache2/apache2.conf
# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
user:magi:rwx
group::r--
mask::rwx
other::r--

# ls -lh /etc/apache2/apache2.conf
-rw-rwxr--+ 1 root root 7.1K Sep 19 14:58 /etc/apache2/apache2.conf

How to set up ACL for a directory

Running the setfacl command in the following format recursively sets the ACL for the specified directory.

# setfacl -Rm u:magi:rwx /etc/apache2/sites-available/

Where:

-R: recurse into subdirectories

Check the new ACL value again.

# getfacl /etc/apache2/sites-available/
# file: etc/apache2/sites-available/
# owner: root
# group: root
user::rwx
user:magi:rwx
group::r-x
mask::rwx
other::r-x

Now the files and directories in /etc/apache2/sites-available/ have the ACL set.

# ls -lh /etc/apache2/sites-available/
total 20K
-rw-rwxr--+ 1 root root 1.4K Sep 19 14:56 000-default.conf
-rw-rwxr--+ 1 root root 6.2K Sep 19 14:56 default-ssl.conf
-rw-rwxr--+ 1 root root 1.4K Dec  8 02:57 mywebpage.com.conf
-rw-rwxr--+ 1 root root 1.4K Dec  7 19:07 testpage.com.conf

How to set up ACL for a group

Run the setfacl command for the specified file in the following format. In the following example, we will give the appdev group rwx permission on the /etc/apache2/apache2.conf file.

# setfacl -m g:appdev:rwx /etc/apache2/apache2.conf

Where:

g: indicates a group

For multiple user and group authorizations, you only need to separate them with commas, as shown below.

# setfacl -m u:magi:rwx,g:appdev:rwx /etc/apache2/apache2.conf

How to delete an ACL

Running the setfacl command in the following format removes the ACL entry for the specified user on the file. This only removes the user's rights and leaves the value of mask as read-only.

# setfacl -x u:magi /etc/apache2/apache2.conf

Where:

-x: delete from the ACL of the file

Check the ACL value again. In the following output, we can see that the value of mask is read.

# getfacl /etc/apache2/apache2.conf
# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--

Use -b to delete all ACL entries on the file.

# setfacl -b /etc/apache2/apache2.conf

Where:

-b: delete all ACL entries

If you look at the ACL value again after the deletion, you will find that everything is gone, including the value of mask.

# getfacl /etc/apache2/apache2.conf
# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
group::r--
other::r--
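An added example, not part of the original article: because the mask caps what named users and groups actually get, checking who can write to a file means combining each ACL entry with the mask. The function below reads getfacl output and lists named entries whose effective permissions include write; the function names and the sample dump are constructed for illustration.

```shell
# Added example. Constructed sample in "getfacl -R" output format (not from a real host):
sample_acl_dump() {
cat <<'EOF'
# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
user:magi:rwx
group::r--
group:appdev:rwx
mask::rwx
other::r--

# file: etc/apache2/sites-available/testpage.com.conf
# owner: root
# group: root
user::rw-
user:magi:rwx    #effective:r--
group::r--
mask::r--
other::r--
EOF
}
# Reads getfacl output on stdin; prints "file<TAB>entry<TAB>effective perms"
# for every named user/group whose permissions, after the mask, include "w".
acl_write_grants() {
    awk '
    function eff(p, m,    i, out) {      # per-position AND of entry and mask
        for (i = 1; i <= 3; i++)
            out = out ((substr(p, i, 1) != "-" && substr(m, i, 1) != "-") ? substr(p, i, 1) : "-")
        return out
    }
    function report(    i) {             # emit findings for the finished file
        for (i = 1; i <= n; i++)
            if (index(eff(perm[i], mask), "w")) print file "\t" who[i] "\t" eff(perm[i], mask)
        n = 0; mask = "rwx"
    }
    /^# file: /  { report(); file = substr($0, 9); next }
    /^#/ || /^$/ { next }                # skip owner/group headers and blank lines
    {
        sub(/[ \t]*#.*/, "")             # strip "#effective:" annotations
        split($0, f, ":")                # default: entries land in f[1] and are ignored
        if (f[1] == "mask") mask = f[3]
        else if ((f[1] == "user" || f[1] == "group") && f[2] != "") { n++; who[n] = f[1] ":" f[2]; perm[n] = f[3] }
    }
    END { report() }
    '
}
sample_acl_dump | acl_write_grants
```

On a real system the input would come from a command such as getfacl -R on the directory being reviewed; the second sample file is not reported because its mask reduces magi's rwx entry to r--.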

How to back up and restore ACL

The following commands back up and restore ACL values. To make a backup, change to the corresponding directory and run the commands below (suppose we want to back up the ACL values in the sites-available directory).

# cd /etc/apache2/sites-available/
# getfacl -R * > acl_backup_for_folder

To restore, run the following command:

# setfacl --restore=/etc/apache2/sites-available/acl_backup_for_folder

That is the end of how to set user access to a specified file / directory in ACL. I hope the above content can be of some help.
