2025-02-23 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article explains how to configure ACL permissions on Linux. Many people have questions about this in day-to-day operation, so the editor consulted various materials and sorted out simple, easy-to-use methods. I hope it helps answer those questions. Please follow along!
"A lot of people who are new to Linux have doubts like these: what is the use of permissions? Why do I need to configure and modify permissions? The vast majority of beginners use personal computers, where they mainly log in as administrator and there are not multiple users at the same time. But on a server, root and ordinary users must exist at the same time and log in to manage the server at the same time, so reasonable permission allocation is the premise for ensuring the security and stability of the server."
With ordinary permissions, a user can have only one of three identities with respect to a file: the owner, the group, or others. Each identity has three permissions: read, write, and execute. In practical work, these three identities are often not enough. Let's take an example.
There is an /item directory in the root directory, which is the class's project directory. Every student in the class can access and modify the directory, and the teacher also needs to access and modify it. Students in other classes, of course, cannot access the directory. How do you plan the permissions for this directory? It should be like this: the teacher uses the root user as the owner of the directory, with permissions rwx; all the students in the class join one group, which is made the group of the /item directory, with permissions rwx; the permissions of others are set to 0. In this way, the permissions of this directory meet the requirements of our project development.
One day an audition student, st, joins the class. She must be able to access the /item directory, so she needs r and x permissions on it; but she has not taken the earlier courses, so she cannot be given w permission, for fear that she changes the contents of the directory incorrectly. So user st's permission should be r-x. But which identity should she be assigned? Owner? Of course not; where would root go? Join the group? No, because the group's permission is rwx, and we require st's permission to be r-x. What if the permissions of others are changed to r-x? Then all students in other classes could access the /item directory.
When this happens, the three identities of ordinary permissions are not enough. ACL permissions are designed to solve this problem. When ACL permissions are used to grant access to user st, st is neither the owner nor in the group of the /item directory; user st is simply given r-x permission on this directory. This is similar to the way permissions are assigned in Windows systems, where each user is assigned permissions individually, which solves the problem of having too few user identities.
Enable ACL permissions
In CentOS 6.x systems, ACL permissions are enabled by default and do not need to be turned on manually. However, if your operating system is not CentOS 6.x, how do you check to see if ACL permissions are enabled? You can view it like this:
# mount (view mounted partitions)
/dev/sda1 on /boot type xfs
# dumpe2fs -h /dev/sda3 (query the file system details of the specified partition)
-h: displays only the information in the superblock, not the details of the disk block groups
The mount command shows the partitions mounted on the system, while the dumpe2fs command shows the details of a partition's file system. As you can see, ACL is a default mount option for the /dev/sda3 partition, so there is no need to enable it manually.
But if ACL is not enabled by default when my Linux system mounts the partition, can I enable it manually? Of course, execute the following command:
# mount -o remount,acl / (remount the root partition and add ACL permission)
This uses the mount command to remount the partition with ACL permissions added. However, the effect of this command is temporary. To make it permanent, you need to modify the /etc/fstab file as follows:
# vi /etc/fstab
UUID=c2ca6f57-b15c-43ea-bca0-f239083d8bd2 / ext4 defaults,acl 1 1 (add ACL permissions)
# mount -o remount / (remount the file system or restart the system to make it effective)
On the line of the partition where you need to enable ACL (ACL permissions are enabled per partition), manually add ",acl" after defaults to permanently enable ACL permissions on that partition.
1: ACL permission settings
1: ACL permission management commands
Now that we know what ACL permissions do and how to turn them on, let's learn how to view and set ACL permissions. The commands are as follows:
# getfacl filename (view ACL permissions)
# setfacl option filename (set ACL permissions)
Options:
-m: set ACL permissions. To give a user ACL permissions, use the format "u:username:permissions"; to give a group ACL permissions, use the format "g:groupname:permissions".
-x: remove the specified ACL permission
-b: remove all ACL permissions
-d: set default ACL permissions. Takes effect only for directories; files newly created in the directory get this default permission
-k: delete the default ACL permissions
-R: set ACL permissions recursively, so that they take effect on all files and subdirectories under the directory
2: Add ACL permissions to users and user groups
For example, take a look at how the permissions in figure 1 are assigned. We require that root is the owner of the /item directory, with permission rwx; tgroup is the group of this directory, it contains the class students zhangsan and lisi, and its permission is rwx; the permission of others is 0. Then the audition student st arrives, and her permission is r-x. Let's take a look at the specific commands.
# useradd zhangsan
# useradd lisi
# useradd st
# groupadd tgroup
# mkdir /item
# chown root:tgroup /item/
# chmod 770 /item/
# ll -d /item/
# setfacl -m u:st:rx /item/
# cd /
# ll -d item/
drwxrwx---+ 3 root tgroup 4096 January 19 05:20 item/
# getfacl item
As you can see, user st is neither the owner of the /item directory, nor in its group, nor among the others; we have assigned r-x permission to user st individually. Assigning permissions this way is convenient, because there is no need to laboriously plan user identities first.
Can I give ACL permissions to a user group as well? Of course, the commands are as follows:
# groupadd tgroup2
# setfacl -m g:tgroup2:rwx item/
# ll -d item/
# getfacl item/
3: Maximum effective permission: mask
The mask specifies the maximum effective permissions. The default value of mask is rwx. If I give user st the ACL permission r-x, it is ANDed with the rwx permission of mask to get the real permission of st; that is, r-x AND rwx gives r-x, so user st has r-x permission.
If the mask is changed to r-- and ANDed with the permission of user st, that is, r-- AND r-x, the result is r--, and the permission of user st becomes read-only. In other words, the permissions set for users and user groups take effect only within the range allowed by the mask; the mask is the maximum effective permission.
However, we generally do not change the mask. As long as the mask is given the maximum permission rwx, any permission ANDed with the mask yields the permission itself. In other words, the permissions we grant directly to users and user groups take effect as written, which is more intuitive.
Note: the operator of the logical AND operation is "and". It can be understood like the word "and" in everyday life: if both corresponding values are true, the result is true; if either value is false, the result is false. For example, for A and B, the results are shown in Table 2.

| A | B | and |
|---|---|-----|
| true | true | true |
| true | false | false |
| false | true | false |
| false | false | false |

Table 2: Logical AND operation
ANDing two permissions works the same way. Let's take the read (r) permission as an example; the result is shown in Table 3.

| A | B | and |
|---|---|-----|
| r | r | r |
| r | - | - |
| - | r | - |
| - | - | - |

Therefore, "rwx" AND "r-x" gives "r-x", and "r--" AND "r-x" gives "r--".
The commands to modify the maximum effective permissions are as follows:
# setfacl -m m:rx item/
# getfacl item/
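Added example, not from the original article: a shell function that applies the mask rule above to getfacl-style text, which is useful when auditing what a user can really do. The sample ACL is constructed and the function names are hypothetical; it also goes slightly beyond the text, since the mask limits named users, named groups and the owning group, but not the owner or others.

```bash
# Added example (not from the article). Function names are hypothetical.
# Constructed sample shaped like `getfacl item/` output after the mask
# was narrowed with `setfacl -m m:rx item/`.
sample_acl() {
cat <<'EOF'
# file: item/
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx
group:tgroup2:rwx
mask::r-x
other::---
EOF
}

# effective_acl: read getfacl text on stdin, print "entry effective-perms".
# The mask limits named users, named groups and the owning group; the
# owner (user::) and other:: entries are not filtered by it.
effective_acl() {
  awk -F: '
    /^#/ || NF < 3 || $1 == "default" { next }  # headers, blanks, defaults
    { sub(/[ \t]*#.*/, "", $3) }                # drop "#effective:" notes
    $1 == "mask" { mask = $3; next }
    { tag[++n] = $1; name[n] = $2; perm[n] = $3 }
    END {
      for (i = 1; i <= n; i++) {
        p = perm[i]
        masked = (tag[i] == "group" || (tag[i] == "user" && name[i] != ""))
        if (masked && mask != "") {
          p = ""
          for (c = 1; c <= 3; c++) {            # AND each of r, w, x
            a = substr(perm[i], c, 1); m = substr(mask, c, 1)
            p = p ((a != "-" && m != "-") ? a : "-")
          }
        }
        print tag[i] ":" name[i], p
      }
    }'
}

sample_acl | effective_acl
```

On a live system the same function can be fed real output, for example `getfacl /item/ | effective_acl`.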
4: Default ACL permissions and recursive ACL permissions
We have set ACL permissions on the /item directory. If we now create some new files and subdirectories in this directory, will they inherit the ACL permissions of the parent directory? Let's try it!
# cd /item/
# touch abc
# mkdir d1
# ll
The file abc and the subdirectory d1 do not inherit the ACL permissions of the parent directory, because they were created afterwards. Of course, we can assign ACL permissions to these two manually, but it would be too troublesome to do that by hand for every new file in the directory. This is where default ACL permissions are needed.
Default ACL permissions work as follows: if default ACL permissions are set on the parent directory, all files newly created in the parent directory inherit the ACL permissions of the parent directory. Default ACL permissions take effect only for directories. The commands are as follows:
# setfacl -m d:u:st:rx /item/
# getfacl /item/
# cd /item/
# touch bcd
# mkdir d2
# ll
The original abc and d1 still do not have ACL permissions, because default ACL permissions take effect only for newly created files.
Now let's talk about recursive ACL permissions. Recursion means that when ACL permissions are set on the parent directory, all existing files and subdirectories under it get the same ACL permissions.
# setfacl -m u:st:rx -R /item/
-R: recursive
# ll
To summarize: default ACL permissions mean that files and directories newly created in the parent directory inherit the ACL permissions of the parent directory, in the format "setfacl -m d:u:username:permissions filename"; recursive ACL permissions mean that all files and subdirectories that already exist in the parent directory get the ACL permissions of the parent directory, in the format "setfacl -m u:username:permissions -R filename".
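Added example, not from the original article: files such as abc and d1 that existed before the default ACL was set are the ones it never reaches, so this shell function lists the paths in getfacl -R style output whose access ACL has no entry for a given user. The sample text is constructed and the function names are hypothetical.

```bash
# Added example (not from the article). Function names are hypothetical.
# Constructed sample shaped like `getfacl -R /item` output, effective-rights
# comments omitted: abc predates the default ACL, bcd was created after it.
sample_tree() {
cat <<'EOF'
# file: item
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:st:r-x
default:group::rwx
default:mask::rwx
default:other::---

# file: item/abc
# owner: root
# group: root
user::rw-
group::r--
other::r--

# file: item/bcd
# owner: root
# group: root
user::rw-
user:st:r-x
group::rwx
mask::rw-
other::---
EOF
}

# missing_acl_for USER: print every path whose access ACL has no "user:USER:"
# entry; "default:user:USER:" lines only describe what new children inherit.
missing_acl_for() {
  awk -v want="user:$1:" '
    /^# file: / {
      if (path != "" && !found) print path   # report the previous file
      path = substr($0, 9); found = 0; next
    }
    index($0, want) == 1 { found = 1 }       # entry must start the line
    END { if (path != "" && !found) print path }'
}
sample_tree | missing_acl_for st
```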
5: Delete ACL permissions
Let's take a look at how to delete ACL permissions. The commands are as follows:
Delete the specified ACL permission:
# setfacl -x u:st /item/ (removes ACL permissions for specified users and user groups)
# getfacl /item/
Remove all ACL permissions:
# setfacl -b /item/ (removes all ACL permissions from the file)
# getfacl /item/ (all ACL permissions have been deleted)
At this point, the study on "how to configure the ACL permissions of Linux" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!