1.ACL权限简介与开启
一.ACL权限是为了解决所有者/所属组/其他人三种身份不足的问题
二.查看分区ACL权限是否开启
dumpe2fs命令是查询指定分区详细文件系统信息的命令
dumpe2fs -h /dev/sda3
-h 仅显示超级块中信息,而不显示磁盘块组的详细信息
[root@izm5e2q95pbpe1hh0kkwoiz ~]# df -h Filesystem Size Used Avail Use% Mounted on /dev/vda1 40G 14G 25G 36% / devtmpfs 911M 0 911M 0% /dev tmpfs 920M 0 920M 0% /dev/shm tmpfs 920M 548K 920M 1% /run tmpfs 920M 0 920M 0% /sys/fs/cgroup tmpfs 184M 0 184M 0% /run/user/0 tmpfs 184M 0 184M 0% /run/user/1002 [root@izm5e2q95pbpe1hh0kkwoiz ~]# dumpe2fs -h /dev/vda1 dumpe2fs 1.42.9 (28-Dec-2013) Filesystem volume name: <none> Last mounted on: / Filesystem UUID: eb448abb-3012-4d8d-bcde-94434d586a31 Filesystem magic number: 0xEF53 Filesystem revision #: 1 (dynamic) Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize Filesystem flags: signed_directory_hash Default mount options: user_xattr acl Filesystem state: clean Errors behavior: Continue Filesystem OS type: Linux Inode count: 2621440 Block count: 10485248 Reserved block count: 524262 Free blocks: 8958387 Free inodes: 2519237 First block: 0 Block size: 4096 Fragment size: 4096 Reserved GDT blocks: 1021 Blocks per group: 32768 Fragments per group: 32768 Inodes per group: 8192 Inode blocks per group: 512 RAID stride: 32639 Flex block group size: 16 Filesystem created: Sun Oct 15 23:18:59 2017 Last mount time: Tue Aug 14 10:15:43 2018 Last write time: Tue Aug 14 18:15:42 2018 Mount count: 6 Maximum mount count: -1 Last checked: Wed Jun 27 22:35:57 2018 Check interval: 0 (<none>) Lifetime writes: 30 GB Reserved blocks uid: 0 (user root) Reserved blocks gid: 0 (group root) First inode: 11 Inode size: 256 Required extra isize: 28 Desired extra isize: 28 Journal inode: 8 First orphan inode: 1050280 Default directory hash: half_md4 Directory Hash Seed: 2579899c-6862-4625-a8e6-425550384200 Journal backup: inode blocks Journal features: journal_incompat_revoke Journal size: 128M Journal length: 32768 Journal sequence: 0x006beeea Journal start: 22131
Default mount options: user_xattr acl显示支持acl
三.临时开启分区ACL权限
重新挂载根分区,并挂载加入acl权限
mount -o remount,acl /
四.永久开启分区ACL权限(一定要谨慎)
# 加入acl vim /etc/fstab UUID=eb448abb-3012-4d8d-bcde-94434d586a31 / ext4 defaults 1 1 修改为 UUID=eb448abb-3012-4d8d-bcde-94434d586a31 / ext4 defaults,acl 1 1 # 重新挂载文件系统或重新启动系统,使修改生效 mount -o remount /
2.查看和设定ACL权限
一.查看ACL命令
查看acl权限
getfacle 文件名
二.设定ACL权限的命令
setfacl 选项 文件名
选项 | 作用 |
---|---|
-m | 设定ACL权限 |
-x | 删除指定的ACL权限 |
-b | 删除所有的ACL全新啊 |
-d | 设定默认ACL权限 |
-k | 删除默认ACL权限 |
-R | 递归设定ACL权限 |
三.给用户设定ACL权限和给组设定ACL权限
# 进入tmp目录 [root@izm5e2q95pbpe1hh0kkwoiz /]# cd /tmp # 创建project目录 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# mkdir project # 查看是否创建 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# ls Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)> eternityz hsperfdata_root issue.soft Japan mysql.sock php-cgi.sock project systemd-private-9255c5ee9ec84f5987c1d9ba485e177e-ntpd.service-eKcnmD test.txt # 添加用户zhangsan [root@izm5e2q95pbpe1hh0kkwoiz tmp]# useradd zhangsan # 添加用户lisi [root@izm5e2q95pbpe1hh0kkwoiz tmp]# useradd lisi # 添加组tgroup [root@izm5e2q95pbpe1hh0kkwoiz tmp]# groupadd tgroup # 将zhangsan添加到组tgroup中 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# gpasswd -a zhangsan tgroup Adding user zhangsan to group tgroup # 将lisi添加到组tgroup中 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# gpasswd -a lisi tgroup Adding user lisi to group tgroup # 查看组内的用户(最后一行) [root@izm5e2q95pbpe1hh0kkwoiz tmp]# cat /etc/group root:x:0:eternity bin:x:1: daemon:x:2: sys:x:3: adm:x:4: tty:x:5: disk:x:6: lp:x:7: mem:x:8: kmem:x:9: wheel:x:10: cdrom:x:11: mail:x:12:postfix man:x:15: dialout:x:18: floppy:x:19: games:x:20: tape:x:30: video:x:39: ftp:x:50: lock:x:54: audio:x:63: nobody:x:99: users:x:100: utmp:x:22: utempter:x:35: ssh_keys:x:999: input:x:998: systemd-journal:x:190: systemd-network:x:192: dbus:x:81: polkitd:x:997: postdrop:x:90: postfix:x:89: chrony:x:996: sshd:x:74: ntp:x:38: tcpdump:x:72: nscd:x:28: screen:x:84: mysql:x:1000: www:x:1001: rabbitmq:x:995: eternity:x:1002: eternityz:x:1003: slocate:x:21: saslauth:x:76: mailnull:x:47: smmsp:x:51: zhangsan:x:1004: lisi:x:1005: tgroup:x:1006:zhangsan,lisi # 将project目录的所属组更改为tgroup [root@izm5e2q95pbpe1hh0kkwoiz tmp]# chown root:tgroup project # 将project目录的权限更改为770 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# chmod 770 project # 查看更改权限的project目录 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# ll -d project drwxrwx--- 2 root tgroup 4096 Dec 10 17:00 project # 增加试听学员st [root@izm5e2q95pbpe1hh0kkwoiz tmp]# useradd st # 修改试听学员st的密码 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# passwd st Changing password for user st. New password: BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: all authentication tokens updated successfully. # 给试听学员st设定ACL权限rx [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -m u:st:rx project # 查看ACL权限 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project # file: project # owner: root # group: tgroup user::rwx user:st:r-x #st用户拥有rx权限 group::rwx mask::rwx other::--- # 切换到st用户 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# su - st # 进入/tmp/project目录 [st@izm5e2q95pbpe1hh0kkwoiz ~]$ cd /tmp/project # 创建文件test.txt,提示没有权限 [st@izm5e2q95pbpe1hh0kkwoiz project]$ touch test.txt touch: cannot touch ‘test.txt’: Permission denied # 退出st用户 [st@izm5e2q95pbpe1hh0kkwoiz project]$ exit logout # 增加组tgroup2 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# groupadd tgroup2 # 给组tgroup2设定ACL权限rwx [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -m g:tgroup2:rwx project # 查看ACL权限 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project # file: project # owner: root # group: tgroup user::rwx user:st:r-x # 用户st拥有ACL权限rx group::rwx group:tgroup2:rwx # 组tgroup2拥有ACL权限rwx mask::rwx other::---
有ACL权限和没ACL权限的文件夹
# 没有ACL权限的后面没有+号 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# ll -d project drwxrwx--- 2 root tgroup 4096 Dec 10 17:00 project [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -m u:st:rx project # 有ACL权限的后面带着+号 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# ll -d project drwxrwx---+ 2 root tgroup 4096 Dec 10 17:00 project
3.最大有效权限和删除ACL权限
一.最大有效权限mask
[root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project # file: project # owner: root # group: tgroup user::rwx user:st:r-x group::rwx group:st:rwx group:tgroup2:rwx mask::rwx other::---
mask是用来指定最大有效权限的.如果我给用户赋予了ACL权限,是需要和mask的权限"相与"才能得到用户的真正权限
A | B | and |
---|---|---|
r | r | r |
r | - | - |
- | r | - |
- | - | - |
修改mask的值
setfacl -m m:rx project
# 更改mask的值 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -m m:rx project # 查询ACL权限 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project # file: project # owner: root # group: tgroup user::rwx user:st:r-x group::rwx #effective:r-x group:st:rwx #effective:r-x group:tgroup2:rwx #effective:r-x mask::r-x other::--- mask的值只影响具有ACL权限的,不影响用户的权限 用户st的权限为rx 组st的ACL权限是rwx,但是实际生效的只是rx权限 组tgroup2的ACL权限是rwx,但是实际生效的是rx权限
二.删除ACL权限
删除指定用户的ACL权限
setfacl -x u:用户名 文件/文件夹
删除指定用户组的ACL权限
setfacl -x g:组名 文件/文件夹
# 之前的有组tgroup2的ACL权限 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project # file: project # owner: root # group: tgroup user::rwx user:st:r-x group::rwx #effective:r-x group:st:rwx #effective:r-x group:tgroup2:rwx #effective:r-x mask::r-x other::--- # 移除组tgroup2的ACL权限 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -x g:tgroup2 project # 再次查询,tgroup2的ACL权限没有了 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project # file: project # owner: root # group: tgroup user::rwx user:st:r-x group::rwx group:st:rwx mask::rwx other::---
删除文件或文件假的所有的ACL权限
sefacl -b 文件/文件夹
# 之前project目录的ACL权限 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project # file: project # owner: root # group: tgroup user::rwx user:st:r-x group::rwx group:st:rwx mask::rwx other::--- # 移除所有的ACL权限 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -b project # 再次查询,ACL权限和mask都没有了 [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project # file: project # owner: root # group: tgroup user::rwx group::rwx other::---
4.默认ACL权限和递归ACL权限
一.递归ACL权限
递归是父目录在设定ACL权限时,所有的子文件和子目录也会拥有相同的ACL权限
setfacl -m u:用户名:权限 -R 文件夹
# -R必须在后面,否则报错 # 给文件夹及下面的所有文件及文件夹设置ACL权限,运行此命令后,新建的文件不具备ACL权限
二.默认ACL权限
默认ACL权限的作用是如果给父目录设定了默认ACL权限,那么父目录中所有新建的子文件都会继承父目录的ACL权限
setfacl -m d:u:用户名:权限 文件夹
# 运行上面的命令之后,以后此文件夹下新建文件或文件夹都具备ACL权限
来源:https://www.cnblogs.com/eternityz/p/12386423.html