2025-01-18 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article explains how to implement ACL access control under CentOS. Many people have questions about this in day-to-day operations, so the editor consulted various materials and put together a simple, easy-to-use procedure. Hopefully it answers those questions. Follow along below.
ACL privilege control
Set ACL permissions: setfacl
View ACL permissions: getfacl
The main purpose of ACL permission control is to provide specific permission settings in addition to the read, write, and execute permissions of the traditional owner, group, and other classes. Specific permissions can be set for a single user or group.
For example, the permission of a directory is
drwx------ 2 root root 4096 03-10 13:51 ./acldir
An ordinary user does not have any permission on this directory, so it cannot enter it. ACL can set permissions on this directory for that user alone, so that the user can work in it.
Enabling ACL
To use ACL, the file system must support it. At present, most file systems do. The EXT3 file system enables ACL by default.
Check whether the file system supports ACL
[root@localhost tmp]# dumpe2fs -h /dev/sda2
dumpe2fs 1.39 (29-May-2006)
……
sparse_super large_file
Default mount options: user_xattr acl
Enabling the ACL mount option
If the Unix-like system supports ACL but the file system is not mounted with this feature by default, you can enable it yourself.
[root@localhost tmp]# mount -o remount,acl /
[root@localhost tmp]# mount
/dev/sda2 on / type ext3 (rw,acl)
You can also edit the mount entry in the configuration file so that the option is applied at boot
[root@localhost tmp]# vi /etc/fstab
LABEL=/ / ext3 defaults,acl 1 1
View ACL permissions
Syntax: getfacl filename
Set ACL permissions
Syntax: setfacl [-bkRd] [-m|-x acl parameter] destination file name
Options and parameters:
-m: set the acl parameters that follow; cannot be used with -x
-x: delete the acl parameters that follow; cannot be used with -m
-b: delete all acl parameters
-k: delete the default acl parameters
-R: recursively set the acl parameters
-d: set the default acl parameters; valid only for directories
For specific users
Format: u:user account list:permissions
Permissions: a combination of rwx
If the user list is empty, the setting applies to the owner of the file.
For example:
[root@localhost tmp]# mkdir -m 700 ./acldir; ll -d ./acldir
drwx------ 2 root root 4096 03-10 13:51 ./acldir
[root@localhost tmp]# su tkf
[tkf@localhost tmp]$ cd ./acldir/
bash: cd: ./acldir/: Permission denied => the user does not have x permission
[tkf@localhost tmp]$ exit
exit
[root@localhost tmp]# setfacl -m u:tkf:x ./acldir/
=> set the permissions of the acldir directory to x for user tkf
[root@localhost tmp]# ll -d ./acldir/
drwx--x---+ 2 root root 4096 03-10 13:51 ./acldir/
=> adding permissions through ACL appends a "+" to the end of the permission string, and the permissions displayed for the file also change.
=> you can view the original directory permissions through getfacl
[root@localhost tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x => records that user tkf has acl permissions on this directory
group::---
mask::--x
other::---
Note that only user tkf has x permission here; other users still have no permission.
[root@localhost tmp]# su tkf
[tkf@localhost tmp]$ cd ./acldir/
[tkf@localhost acldir]$
=> user tkf now has x permission and can enter the directory
For specific user groups
Format: g:list of user groups:permissions
Permissions: a combination of rwx
If the list of user groups is empty, the setting applies to the group that owns the file
For example:
[root@localhost tmp]# setfa
setfacl setfattr
[root@localhost tmp]# setfacl -m g:users:rx ./acldir/
[root@localhost tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x
group::--- => permissions for other user groups (non-acl settings)
group:users:r-x => records that the users group has acl permissions on this directory
mask::r-x
other::---
Setting the effective permissions (mask)
The effective permission (mask) is the upper limit of the acl permission settings: the acl permissions you set must be a subset of the mask. If a permission goes beyond the mask, the excess is removed.
Format: m:permissions
Permissions: a combination of rwx
For example:
[root@localhost tmp]# setfacl -m m:x ./acldir/
[root@localhost tmp]# getfacl ./acldir/
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x
group::r-x #effective:--x
group:users:r-x #effective:--x
mask::--x
other::---
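The mask rule above can be checked mechanically. The following is an added example, not part of the original article: a shell function (the names acl_effective and sample_acl are made up here) that reads getfacl text output and prints each entry with the permissions left after the mask is applied. The sample input is constructed from the listing above.

```shell
#!/bin/sh
# Constructed sample: the acldir listing above, after "setfacl -m m:x ./acldir/".
sample_acl() {
cat <<'EOF'
# file: acldir
# owner: root
# group: root
user::rwx
user:tkf:--x
group::r-x    #effective:--x
group:users:r-x    #effective:--x
mask::--x
other::---
EOF
}

# Read getfacl output on stdin; print "entry effective=perms" per access entry.
# The mask limits named users, the owning group and named groups; it does not
# limit the owner (user::) or other::. Default entries are skipped.
acl_effective() {
  awk '
    # Keep a permission character only if the mask has it as well.
    function clip(p, m,   i, out) {
      out = ""
      for (i = 1; i <= 3; i++)
        out = out ((substr(p, i, 1) != "-" && substr(m, i, 1) != "-") ? substr(p, i, 1) : "-")
      return out
    }
    /^#/ || /^[ \t]*$/ || /^default:/ { next }
    {
      sub(/[ \t]*#.*$/, "")          # drop trailing "#effective:" comments
      split($0, f, ":")
      if (f[1] == "mask") { mask = f[3]; next }
      n++; tag[n] = f[1]; who[n] = f[2]; perm[n] = f[3]
    }
    END {
      for (i = 1; i <= n; i++) {
        masked = (tag[i] == "group" || (tag[i] == "user" && who[i] != ""))
        eff = (masked && mask != "") ? clip(perm[i], mask) : perm[i]
        print tag[i] ":" who[i] ":" perm[i] " effective=" eff
      }
    }'
}

# On a live system: getfacl ./acldir | acl_effective
sample_acl | acl_effective
```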
Default permission settings
So far we have set specific permissions on a directory for a user (group), but files newly created in that directory do not carry those permissions for that user. To solve this, set default acl permissions so that files newly created in the directory receive the same ACL-specific permissions as the directory.
Format: d:[u|g]:user (group) list:permissions
For example:
[root@localhost tmp]# mkdir -m 711 ./defdir
[root@localhost tmp]# setfacl -m u:tkf:rxw ./defdir
[root@localhost tmp]# ll -d ./defdir/
drwxrwx--x+ 2 root root 4096 03-10 15:23 ./defdir/
=> the directory has acl-specific permissions (followed by +)
[root@localhost tmp]# touch ./defdir/a.file; ll ./defdir/
-rw-r--r-- 1 root root 0 03-10 15:25 a.file
=> the newly created file does not have acl-specific permissions (no + at the end)
[root@localhost tmp]# setfacl -m d:u:tkf:rxw ./defdir
=> set default permissions
[root@localhost tmp]# getfacl ./defdir/
# file: defdir
# owner: root
# group: root
user::rwx
user:tkf:rwx
group::--x
mask::rwx
other::--x
default:user::rwx
default:user:tkf:rwx
default:group::--x
default:mask::rwx
default:other::--x
[root@localhost tmp]# touch ./defdir/b.file; ll ./defdir/
-rw-r--r-- 1 root root 0 03-10 15:25 a.file
-rw-rw----+ 1 root root 0 03-10 15:26 b.file
=> newly created files have acl-specific permissions by default
[root@localhost tmp]# getfacl ./defdir/b.file
# file: defdir/b.file
# owner: root
# group: root
user::rw-
user:tkf:rwx #effective:rw-
group::--x #effective:---
mask::rw-
other::---
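The b.file listing shows user:tkf:rwx with an effective rw-: a new file copies the directory's default entries, but its owner, mask and other entries are limited by the mode the creating program asks for (touch requests 666). The following is an added example, not part of the original article, that reproduces this from the defdir listing; the function names are made up here, the sample input is constructed from the page, and a default mask entry is assumed to be present, as it is above.

```shell
#!/bin/sh
# Constructed sample: the default entries of ./defdir from the listing above.
sample_defdir() {
cat <<'EOF'
# file: defdir
user::rwx
user:tkf:rwx
group::--x
mask::rwx
other::--x
default:user::rwx
default:user:tkf:rwx
default:group::--x
default:mask::rwx
default:other::--x
EOF
}

# new_file_acl MODE: read a directory's getfacl output on stdin and print the
# access ACL of a file created in it with the three-digit octal mode MODE.
# With a default ACL present the umask is not applied; instead user::, mask::
# and other:: are intersected with the owner, group and other digits of MODE.
new_file_acl() {
  awk -v mode="$1" '
    # Keep only the rwx characters of p whose bit is set in octal digit d.
    function keep(p, d,   i, out) {
      out = ""
      for (i = 1; i <= 3; i++)
        out = out ((int(d / 2 ^ (3 - i)) % 2) ? substr(p, i, 1) : "-")
      return out
    }
    /^default:/ {
      sub(/[ \t]*#.*$/, "")
      split($0, f, ":")     # f[2]=tag, f[3]=qualifier, f[4]=permissions
      p = f[4]
      if (f[2] == "user" && f[3] == "") p = keep(p, substr(mode, 1, 1))
      else if (f[2] == "mask")          p = keep(p, substr(mode, 2, 1))
      else if (f[2] == "other")         p = keep(p, substr(mode, 3, 1))
      print f[2] ":" f[3] ":" p
    }'
}

# touch creates files with mode 666, which gives the b.file ACL shown above.
sample_defdir | new_file_acl 666
```

A program that creates files with mode 600 ends up with mask::---, so the named user tkf gets no effective access to that file even though the default entry grants rwx.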
This concludes the walkthrough of how to implement ACL access control under CentOS. Combining theory with practice is the best way to learn, so go and try it.