为什么要使用ACL?
原因在于使用标准的基于用户、用户组的文件和目录权限设置,无法为两个或多个以上用户指定不同的权限。
例如,设定某文件的用户、用户组权限,但同组不同用户的权限就无法单独设置了。
而启动ACL后,可以在定义文件或目录的许可控制方面大大地增强灵活性
--新建uplooking用户
[root@localhost temp]# useradd uplooking
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
--查看uplooking是否存在
[root@localhost temp]# id uplooking
uid=502(uplooking) gid=505(uplooking) groups=505(uplooking)
--设置uplooking密码
[root@localhost temp]# passwd uplooking
Changing password for user uplooking.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
--设置workfile文件夹的acl权限
[root@localhost temp]# setfacl -m u:uplooking:rwx workfile/
[root@localhost temp]# ll workfile/
total 0
--查看workfile文件夹的权限,发现权限后面多了‘+’
--设置acl之后不要从ugo角度看
[root@localhost temp]# ll -d workfile/
drwxrwxr-x+ 2 snow snow 4096 Mar 3 09:27 workfile/
[root@localhost temp]# getfacl workfile/
# file: workfile/
# owner: snow
# group: snow
user::rwx
user:uplooking:rwx
group::rwx
mask::rwx
other::r-x
--设置acl的mask权限,
[root@localhost temp]# setfacl -m m:rw workfile/
--发现uplooking用户及属组的有效权限均为mask的权限
[root@localhost temp]# getfacl workfile/
# file: workfile/
# owner: snow
# group: snow
user::rwx
user:uplooking:rwx #effective:rw-
group::rwx #effective:rw-
mask::rw-
other::r-x
--删除uplooking用户在workfile上的acl权限
[root@localhost temp]# setfacl -x u:uplooking workfile/
--查看workfile权限,发现‘+’还是存在
[root@localhost temp]# ll -d workfile/
drwxrwxr-x+ 2 snow snow 4096 Mar 3 09:27 workfile/
--删除workfile上的mask
[root@localhost temp]# setfacl -x m workfile/
--查看workfile权限
[root@localhost temp]# ll -d workfile/
drwxrwxr-x. 2 snow snow 4096 Mar 3 09:27 workfile/
--验证设置mask权限与修改用户权限的先后顺序
--修改workfile文件夹的mask权限为rw
[root@localhost temp]# setfacl -m m:rw workfile/
--修改uplooking的权限为rwx
[root@localhost temp]# setfacl -m u:uplooking:rwx workfile/
--查看workfile的权限,发现uplooking对workfile的acl权限扩充了mask权限
[root@localhost temp]# getfacl workfile/
# file: workfile/
# owner: snow
# group: snow
user::rwx
user:uplooking:rwx
group::rwx
mask::rwx
other::r-x
后记:
MASK: 定义了额外用户, 属组和额外组的最大权限
原因在于使用标准的基于用户、用户组的文件和目录权限设置,无法为两个或多个以上用户指定不同的权限。
例如,设定某文件的用户、用户组权限,但同组不同用户的权限就无法单独设置了。
而启动ACL后,可以在定义文件或目录的许可控制方面大大地增强灵活性
--新建uplooking用户
[root@localhost temp]# useradd uplooking
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
--查看uplooking是否存在
[root@localhost temp]# id uplooking
uid=502(uplooking) gid=505(uplooking) groups=505(uplooking)
--设置uplooking密码
[root@localhost temp]# passwd uplooking
Changing password for user uplooking.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
--设置workfile文件夹的acl权限
[root@localhost temp]# setfacl -m u:uplooking:rwx workfile/
[root@localhost temp]# ll workfile/
total 0
--查看workfile文件夹的权限,发现权限后面多了‘+’
--设置acl之后不要从ugo角度看
[root@localhost temp]# ll -d workfile/
drwxrwxr-x+ 2 snow snow 4096 Mar 3 09:27 workfile/
[root@localhost temp]# getfacl workfile/
# file: workfile/
# owner: snow
# group: snow
user::rwx
user:uplooking:rwx
group::rwx
mask::rwx
other::r-x
--设置acl的mask权限,
[root@localhost temp]# setfacl -m m:rw workfile/
--发现uplooking用户及属组的有效权限均为mask的权限
[root@localhost temp]# getfacl workfile/
# file: workfile/
# owner: snow
# group: snow
user::rwx
user:uplooking:rwx #effective:rw-
group::rwx #effective:rw-
mask::rw-
other::r-x
--删除uplooking用户在workfile上的acl权限
[root@localhost temp]# setfacl -x u:uplooking workfile/
--查看workfile权限,发现‘+’还是存在
[root@localhost temp]# ll -d workfile/
drwxrwxr-x+ 2 snow snow 4096 Mar 3 09:27 workfile/
--删除workfile上的mask
[root@localhost temp]# setfacl -x m workfile/
--查看workfile权限
[root@localhost temp]# ll -d workfile/
drwxrwxr-x. 2 snow snow 4096 Mar 3 09:27 workfile/
--验证设置mask权限与修改用户权限的先后顺序
--修改workfile文件夹的mask权限为rw
[root@localhost temp]# setfacl -m m:rw workfile/
--修改uplooking的权限为rwx
[root@localhost temp]# setfacl -m u:uplooking:rwx workfile/
--查看workfile的权限,发现uplooking对workfile的acl权限扩充了mask权限
[root@localhost temp]# getfacl workfile/
# file: workfile/
# owner: snow
# group: snow
user::rwx
user:uplooking:rwx
group::rwx
mask::rwx
other::r-x
后记:
MASK: 定义了额外用户, 属组和额外组的最大权限
4160
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
