2025-02-26 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >
Shulou(Shulou.com)06/01 Report--
In this article the editor shares what the setfacl command in Linux is used for. Most people do not know much about it, so the article is offered for your reference; I hope you learn a lot from reading it. Let's get to know it!
setfacl is a common Linux command used to set the ACL (access control list) of files and directories from the command line. On the command line, a sequence of commands is followed by a sequence of file names.
setfacl: set file access control lists
Options
-b, --remove-all: remove all extended ACL entries; the three basic entries (owner, group, others) are kept.
-k, --remove-default: remove the default ACL. If there is no default ACL, no warning is issued.
-n, --no-mask: do not recalculate the effective rights mask. By default setfacl recalculates the ACL mask unless a mask entry is explicitly given.
--mask: recalculate the effective rights mask even if a mask entry was explicitly given.
-d, --default: operate on the default ACL.
--restore=file: restore ACLs from a backup file (such files can be generated with getfacl -R). Through this mechanism the ACLs of a whole directory tree can be restored. This option cannot be combined with any option other than --test.
--test: test mode; no file's ACL is changed, and the resulting ACLs are listed instead.
-R, --recursive: apply the operation recursively to all files and directories.
-L, --logical: follow symbolic links. By default, symbolic links to files are followed and symbolic links to directories are skipped.
-P, --physical: skip all symbolic links, including symbolic links to files.
--version: print the version of setfacl and exit.
--help: print help.
--: marks the end of the command line options; all following arguments are treated as file names.
-: if the file name is -, setfacl reads the file names from standard input.
The options -m and -x take ACL entries as arguments; multiple entries are separated by commas (,). The options -M and -X read ACL entries from a file or from standard input.
The options --set and --set-file set the ACL of a file or directory, replacing any previous entries.
The options -m (--modify) and -M (--modify-file) modify the ACL of a file or directory.
The options -x (--remove) and -X (--remove-file) remove ACL entries.
When entries are read from a file with the -M or -X option, setfacl accepts the output format of the getfacl command. There is one entry per line, and lines starting with # are treated as comments.
When setfacl is used on a file system that does not support ACLs, it modifies the file permission bits instead. If the ACL entries do not map exactly onto the file permission bits, setfacl sets the permission bits to reflect the ACL as closely as possible, writes an error message to standard error, and exits with a status greater than 0.
Permissions
The owner of a file, and processes with the CAP_FOWNER capability, may set the ACL of the file. (On current Linux systems, root is the only user with the CAP_FOWNER capability.)
ACL entries
The setfacl command recognizes the following entry formats:
[d[efault]:] [u[ser]:]uid [:perms]: permissions of a named user, or of the file owner if uid is empty.
[d[efault]:] g[roup]:gid [:perms]: permissions of a named group, or of the owning group if gid is empty.
[d[efault]:] m[ask][:] [:perms]: the effective rights mask.
[d[efault]:] o[ther][:] [:perms]: permissions of others.
These entries are used in the modify and set operations. uid and gid may be given as a number or a name. The perms field is a combination of letters standing for permissions: r (read), w (write), x (execute, or search for directories) and X (execute only for directories and files that already have execute permission for some user). The perms field may also be given in octal.
Automatically created entries
Initially, a file or directory contains only the three basic ACL entries. For an ACL to be valid, the following conditions must hold:
The three basic entries cannot be deleted.
Any ACL that contains a named user or named group entry must also contain a mask entry.
Whenever an ACL contains default entries, the three basic default entries must exist as well.
ACL terminology
Let's first look at the definition of each term used with ACLs. Most of these terms I have taken from the man page, and they are a bit dry, but they are very helpful for understanding what follows.
An ACL is made up of a series of Access Entries, each of which defines the permissions that a particular category has on a file. An Access Entry has three components: the Entry tag type, an optional qualifier, and the permissions.
Let's first look at the most important component, the Entry tag type, which has the following types:
ACL_USER_OBJ: equivalent to the permission of the file owner in Linux.
ACL_USER: defines the permission that an additional, named user has on this file.
ACL_GROUP_OBJ: equivalent to the permission of the group in Linux.
ACL_GROUP: defines the permission that an additional, named group has on this file.
ACL_MASK: defines the maximum permission for ACL_USER, ACL_GROUP_OBJ and ACL_GROUP (discussed in detail below).
ACL_OTHER: equivalent to the permission of other in Linux.
Let's give an example, using the getfacl command to view a file that has an ACL defined:
[root@localhost ~]# getfacl ./test.txt
# file: test.txt
# owner: root
# group: admin
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--
The first three lines, which begin with #, give the file name, its owner and its group. This header is not very useful, and it can be omitted with --omit-header.
user::rw- defines ACL_USER_OBJ: the file owner has read and write permission. user:john:rw- defines an ACL_USER entry, giving user john read and write access to the file, which is what we set out to achieve. group::rw- defines ACL_GROUP_OBJ: the file's group has read and write permission. group:dev:r-- defines an ACL_GROUP entry, giving the dev group read permission. mask::rw- defines ACL_MASK, with read and write permission. other::r-- defines ACL_OTHER, with read permission. From this we can see that ACLs let us define permissions for specific users and groups. So let's look at how to set the ACL of a file:
How to set up an ACL file
First, let's talk about the format of an ACL entry. From the example above, each Access Entry is made up of three fields separated by the : sign. The first field is the Entry tag type:
user corresponds to ACL_USER_OBJ and ACL_USER
group corresponds to ACL_GROUP_OBJ and ACL_GROUP
mask corresponds to ACL_MASK
other corresponds to ACL_OTHER
The second field is called the qualifier; it is john and the dev group in the example above, and it names the specific user or group the entry applies to. Here we can also see that only user and group entries have a qualifier; for the rest it is empty. The third field is the familiar permission set, defined the same way as Linux permissions, so I won't say more about it here.
Let's take a look at how to set the ACL of the test.txt file to meet our above requirements.
Initially, the file does not have the additional attributes of ACL:
[root@localhost ~]# ls -l
-rw-rw-r-- 1 root admin 0 Jul 3 22:06 test.txt
[root@localhost ~]# getfacl --omit-header ./test.txt
user::rw-
group::rw-
other::r--
Let's first give user john read and write permission on test.txt:
[root@localhost ~]# setfacl -m user:john:rw- ./test.txt
[root@localhost ~]# getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
mask::rw-
other::r--
Now we can see that user john has read and write permission on the file in the ACL. If we look at the Linux permissions at this point, we will notice something different:
[root@localhost ~]# ls -l ./test.txt
-rw-rw-r--+ 1 root admin 0 Jul 3 22:06 ./test.txt
A + sign has been added at the end of the file permissions. When a file has an ACL_USER or ACL_GROUP entry we call it an ACL file, and this + sign is there to prompt us. We can also see that ACL_MASK is defined as soon as a file has an ACL_USER or ACL_GROUP entry.
Next, let's give the dev group read permission:
[root@localhost ~]# setfacl -m group:dev:r-- ./test.txt
[root@localhost ~]# getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--
This completes the requirements we set out above. Isn't it simple?
ACL_MASK and Effective permission
Here we need to focus on ACL_MASK, because it is the other key to mastering ACLs. With Linux file permissions, we all know that in rw-rw-r--, for example, the middle rw- is the permission of the file's group. In an ACL, this is only true if there is no ACL_MASK. If the file has an ACL_MASK value, that rw- shows the mask value instead of the group permission.
Let's look at the following example:
[root@localhost ~]# ls -l
-rwxrw-r-- 1 root admin 0 Jul 3 23:10 test.sh
This says that for test.sh only the file owner, root, has read, write and execute/search permission, while the admin group has only read and write permission. Now we want user john to have the same permission on test.sh as root:
[root@localhost ~]# setfacl -m user:john:rwx ./test.sh
[root@localhost ~]# getfacl --omit-header ./test.sh
user::rwx
user:john:rwx
group::rw-
mask::rwx
other::r--
Here we see that john now has rwx permission, and the mask value has been set to rwx, because the mask holds the maximum permission of ACL_USER, ACL_GROUP and ACL_GROUP_OBJ. Now let's look at the Linux permissions of test.sh. They have become:
[root@localhost ~]# ls -l
-rwxrwxr--+ 1 root admin 0 Jul 3 23:10 test.sh
So what happens if a user in the admin group now tries to execute test.sh? Permission denied. The reason is that users in the admin group in fact only have read and write permission; the rwx shown here is the value of ACL_MASK, not the permission of the group.
So we learn from this that whenever a file's permissions are followed by a + sign, we need to use getfacl to confirm its permissions and avoid confusion.
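To make the mask rule concrete, the following added example (not code from the article) models how POSIX.1e ACL entries are evaluated. It parses getfacl-style output, computes each entry's effective permission by ANDing it with ACL_MASK, shows the mode string ls -l would print (mask in the group field, + appended), and runs the access check for a given user, so that the admin-group "permission denied" case above can be reproduced without touching a real file system. The getfacl text, the user names alice and bob, and the group memberships are constructed for the example; test.sh, root, admin and john come from the article.

```python
# Added example, not code from the article: a small model of how POSIX.1e ACLs
# are evaluated, reproducing what the article shows with getfacl/setfacl:
#   - ACL_MASK caps user:NAME, group:: and group:NAME entries (the "#effective:" notes)
#   - in `ls -l`, the group field shows the mask, not the owning group's permission
#   - a member of the owning group is judged by group:: AND mask, so "rwx" in ls
#     does not mean the group can execute the file
# The getfacl output below is constructed to match the article's test.sh examples.

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_int(s):
    """'rw-' -> 6 (short forms such as 'rw' are accepted too)."""
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)


def int_to_perms(n):
    """6 -> 'rw-'."""
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())


def parse_getfacl(text):
    """Parse getfacl output into (tag, qualifier, perms) tuples for the access ACL.
    '#' header lines and '#effective:' annotations are dropped: effective
    permissions are derived from the mask, never stored in the ACL."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("default:"):
            continue
        tag, qual, perms = line.split(":")
        entries.append((tag, qual, perms_to_int(perms)))
    return entries


def effective(entries):
    """(tag, qual, stored, effective) per entry: only user:: (owner) and other::
    escape the mask; user:NAME, group:: and group:NAME are ANDed with it."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    out = []
    for tag, qual, perms in entries:
        capped = mask is not None and (tag == "group" or (tag == "user" and qual))
        out.append((tag, qual, perms, perms & mask if capped else perms))
    return out


def check_access(entries, owner, group, user, user_groups, want):
    """POSIX.1e access check for one user: the first matching class decides.
    If some group entry matches but none grants `want`, access is denied;
    there is no fallthrough to other::."""
    need = perms_to_int(want)
    eff = {(t, q): e for t, q, _, e in effective(entries)}
    if user == owner:
        return eff[("user", "")] & need == need
    if ("user", user) in eff:
        return eff[("user", user)] & need == need
    candidates = [eff[("group", "")]] if group in user_groups else []
    candidates += [e for (t, q), e in eff.items() if t == "group" and q and q in user_groups]
    if candidates:
        return any(c & need == need for c in candidates)
    return eff[("other", "")] & need == need


def ls_mode_string(entries):
    """The mode string `ls -l` prints: the group field is the mask when one
    exists, and '+' is appended when user:NAME or group:NAME entries are present."""
    raw = {(t, q): p for t, q, p in entries}
    extended = any(q for (t, q) in raw if t in ("user", "group"))
    group_field = raw.get(("mask", ""), raw[("group", "")])
    return ("-" + int_to_perms(raw[("user", "")]) + int_to_perms(group_field)
            + int_to_perms(raw[("other", "")]) + ("+" if extended else ""))


# Constructed: test.sh after `setfacl -m user:john:rwx ./test.sh`
TEST_SH = """\
# file: test.sh
# owner: root
# group: admin
user::rwx
user:john:rwx
group::rw-
mask::rwx
other::r--
"""

# Constructed: the same file after `setfacl -m mask::r-- ./test.sh`
TEST_SH_MASKED = TEST_SH.replace("mask::rwx", "mask::r--")

if __name__ == "__main__":
    acl = parse_getfacl(TEST_SH)
    print(ls_mode_string(acl))                                          # -rwxrwxr--+
    print(check_access(acl, "root", "admin", "alice", ["admin"], "x"))  # False
    for tag, qual, stored, eff in effective(parse_getfacl(TEST_SH_MASKED)):
        note = "" if stored == eff else f"  #effective:{int_to_perms(eff)}"
        print(f"{tag}:{qual}:{int_to_perms(stored)}{note}")
```

Running it prints -rwxrwxr--+ for the first state and False for a member of admin asking for execute: the group entry is rw-, and the rwx in the ls output is the mask. With the mask lowered to r--, the listing reproduces the #effective annotations, and john, despite a stored rwx, cannot write.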
Let's look at one more example. If we now set the mask of test.sh to read only, will users in the admin group still have write permission?
[root@localhost ~]# setfacl -m mask::r-- ./test.sh
[root@localhost ~]# getfacl --omit-header ./test.sh
user::rwx
user:john:rwx    #effective:r--
group::rw-       #effective:r--
mask::r--
other::r--
This time we see a #effective:r-- next to ACL_USER and ACL_GROUP_OBJ. What does it mean? Let's review the definition of ACL_MASK: it specifies the maximum permission for ACL_USER, ACL_GROUP_OBJ and ACL_GROUP. In our case, their maximum permission is read only. Although we have set other permissions for ACL_USER and ACL_GROUP_OBJ, the only permission that actually takes effect is read.
When we look at the Linux file permissions of test.sh, its group field also shows the mask value (i.e. r--):
[root@localhost ~]# ls -l
-rwxr--r--+ 1 root admin 0 Jul 3 23:10 test.sh
Default ACL
Everything above concerns the Access ACL, that is, the ACL of files. Let me briefly talk about the Default ACL. A Default ACL is set on a directory, and all files created in that directory inherit the ACL of that directory.
Again, let's do an experiment. Suppose root has created a directory dir:
[root@localhost ~]# mkdir dir
He wants every file created in this directory to be accessible to user john, so we set a Default ACL on the dir directory:
[root@localhost ~]# setfacl -d -m user:john:rw ./dir
[root@localhost ~]# getfacl --omit-header ./dir
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
Here we can see that the ACL now has default entries, and user john has default read, write and execute/search permission. Any default entry that is not defined explicitly is copied from the file's permission bits. Now root creates a file test.txt under dir:
[root@localhost ~]# touch ./dir/test.txt
[root@localhost ~]# ls -l ./dir/test.txt
-rw-rw-r--+ 1 root root 0 Jul 3 23:46 ./dir/test.txt
[root@localhost ~]# getfacl --omit-header ./dir/test.txt
user::rw-
user:john:rw-
group::rwx    #effective:rw-
mask::rw-
other::r--
Here we see that for the file created under dir, user john automatically has read and write permission.
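The way the new file's ACL is derived from the directory's default ACL is the part that usually surprises people (the group::rwx with an effective rw-, for example). The following added example (not code from the article) implements the POSIX.1e inheritance rule: the default entries are copied into the new file's access ACL, and then the owner, mask (or owning group when there is no mask) and other entries are ANDed with the permission triples of the mode the creating call requested, 0666 for touch and 0777 for mkdir; the umask is not applied when a default ACL exists. The directory's default ACL is constructed here from the article's setfacl -d -m user:john:rw ./dir command.

```python
# Added example, not code from the article: how a new file under ./dir inherits the
# directory's default ACL (POSIX.1e). The default entries become the file's access
# ACL; then user::, mask:: (or group:: when there is no mask) and other:: are ANDed
# with the owner/group/other triples of the mode the creating call asked for. The
# umask is not applied when a default ACL exists. Entries are (tag, qualifier, perms).

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def int_to_perms(n):
    """6 -> 'rw-'."""
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())


def inherit_default_acl(default_entries, create_mode):
    """Access ACL of a file created with `create_mode` (e.g. 0o666 for touch,
    0o777 for mkdir) under a directory whose default ACL is `default_entries`."""
    has_mask = any(t == "mask" for t, _, _ in default_entries)
    owner_bits = (create_mode >> 6) & 7
    group_bits = (create_mode >> 3) & 7
    other_bits = create_mode & 7
    result = []
    for tag, qual, perms in default_entries:
        if tag == "user" and not qual:
            perms &= owner_bits
        elif tag == "mask" or (tag == "group" and not qual and not has_mask):
            perms &= group_bits
        elif tag == "other":
            perms &= other_bits
        # user:NAME and group:NAME entries are copied unchanged; the mask limits them
        result.append((tag, qual, perms))
    return result


def render(entries):
    """getfacl-style lines, adding '#effective:' where the mask cuts a stored permission."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    lines = []
    for tag, qual, perms in entries:
        line = f"{tag}:{qual}:{int_to_perms(perms)}"
        if mask is not None and (tag == "group" or (tag == "user" and qual)) and perms & mask != perms:
            line += f"  #effective:{int_to_perms(perms & mask)}"
        lines.append(line)
    return lines


# Constructed: default ACL of ./dir after `setfacl -d -m user:john:rw ./dir`
DIR_DEFAULT = [("user", "", 7), ("user", "john", 6), ("group", "", 7),
               ("mask", "", 7), ("other", "", 5)]

if __name__ == "__main__":
    print("\n".join(render(inherit_default_acl(DIR_DEFAULT, 0o666))))  # touch ./dir/test.txt
    print()
    print("\n".join(render(inherit_default_acl(DIR_DEFAULT, 0o777))))  # mkdir ./dir/sub
```

For the touch case this reproduces the article's listing exactly: user::rw-, user:john:rw-, group::rwx #effective:rw-, mask::rw-, other::r--. For a subdirectory created with mkdir the default entries pass through unchanged, which is why default ACLs propagate down a tree.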
ACL related commands
In the examples above we saw that the getfacl command reads a file's ACL and setfacl sets a file's Access ACL. There is also chacl, which changes the Access ACL and Default ACL of files and directories; see its man page for the details. I just want to mention chacl -B: it removes the ACL attributes of a file or directory completely (including the Default ACL). For example, if you use setfacl -x to delete all the extended ACL entries of a file, the + sign still appears at the end of its permissions, so the correct way to remove the ACL entirely is chacl -B. When copying files with cp we can now add the -p option; the file's ACL attributes are then copied along with the file, and a warning is printed for any ACL attribute that cannot be copied.
The mv command moves the file's ACL attributes by default, and also prints a warning if this is not permitted.
A few points to pay attention to
If your file system does not support ACLs, you may need to remount it with the acl option:
mount -o remount,acl [mount point]
If you change the Linux file permissions with chmod, the corresponding ACL entries change as well; conversely, if you change the ACL, the corresponding file permission bits also change.
That is all the content of the article "What is the use of the setfacl command in Linux". Thank you for reading! I believe you now have a certain understanding of it; I hope the content shared here helps you.