定义默认ACL控制策略
问题
- 为目录 /public/ 设置ACL策略,使用户gelin01具有rwx权限
- 在 /public/ 下创建子目录gdir1、文件gfile1,分别查看其ACL策略
- 为目录 /public/ 设置可继承权限为“用户ht02具有rwx权限”
- 在 /public/ 下创建子目录gdir2、文件gfile2,分别查看其ACL策略
- 以用户ht02登入,做以下测试:
- 对/public/目录是否有写入权限
- 对/public/下的gdir2和gfile2是否有写入权限
- 对/public/下的gdir1和gfile1是否有写入权限
方案
ACL默认策略,是一个可以继承的ACL策略。但需注意的是默认策略对目录本身是没有生效的,对于子目录子文件才开始生效。
步骤
实现此案例需要按照如下步骤进行。
步骤一:为目录 /public/ 设置ACL策略,使用户gelin01具有rwx权限
命令操作如下所示:
[root@localhost ~]# id gelin01 //测试是否有gelin01用户
uid=501(gelin01) gid=501(gelin01) 组=501(gelin01),502(tarena)
[root@localhost ~]# mkdir /public //创建目录
[root@localhost ~]# getfacl /public //查看ACL策略
getfacl: Removing leading ‘/’ from absolute path names
file: public/
owner: root
group: root
user::rwx
group::r-x
other::r-x
[root@localhost ~]# setfacl -m u:gelin01:rwx /public //设置ACL策略
[root@localhost ~]# getfacl /public //查看ACL策略
getfacl: Removing leading ‘/’ from absolute path names
file: public/
owner: root
group: root
user::rwx
user:gelin01:rwx
group::r-x
mask::rwx
other::r-x
步骤二:在 /public/ 下创建子目录gdir1、文件gfile1,分别查看其ACL策略
命令操作如下所示:
[root@localhost ~]# mkdir /public/gdir1
[root@localhost ~]# touch /public/gfile1
[root@localhost ~]# getfacl /public/gdir1/
getfacl: Removing leading ‘/’ from absolute path names
file: public/gdir1/
owner: root
group: root
user::rwx
group::r-x
other::r-x
[root@localhost ~]# getfacl /public/gfile1
getfacl: Removing leading ‘/’ from absolute path names
file: public/gfile1
owner: root
group: root
user::rw-
group::r–
other::r–
[root@localhost ~]#
步骤三:为目录 /public/ 设置可继承权限为“用户ht02具有rwx权限”
命令操作如下所示:
[root@localhost ~]# id ht02 //查看ht02用户是否存在
id: ht02:无此用户
[root@localhost ~]# useradd ht02 //创建ht02用户
[root@localhost ~]# getfacl /public/
getfacl: Removing leading ‘/’ from absolute path names
file: public/
owner: root
group: root
user::rwx
user:gelin01:rwx
group::r-x
mask::rwx
other::r-x
[root@localhost ~]# setfacl -dm u:ht02:rwx /public //设置默认可继承ACL权限
[root@localhost ~]# getfacl /public/
getfacl: Removing leading ‘/’ from absolute path names
file: public/
owner: root
group: root
user::rwx
user:gelin01:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ht02:rwx
default:group::r-x
default?:rwx
default:other::r-x
[root@localhost ~]#
步骤四:在 /public/ 下创建子目录gdir2、文件gfile2,分别查看其ACL策略
命令操作如下所示:
[root@localhost ~]# mkdir /public/gdir2
[root@localhost ~]# touch /public/gfile2
[root@localhost ~]# getfacl /public/gdir2
getfacl: Removing leading ‘/’ from absolute path names
file: public/gdir2
owner: root
group: root
user::rwx
user:ht02:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ht02:rwx
default:group::r-x
default?:rwx
default:other::r-x
[root@localhost ~]# getfacl /public/gfile2
getfacl: Removing leading ‘/’ from absolute path names
file: public/gfile2
owner: root
group: root
user::rw-
user:ht02:rwx #effective:rw-
group::r-x #effective:r–
mask::rw-
other::r–
步骤五:以用户ht02登入,测试
切换目录身份,命令操作如下所示:
[root@localhost ~]# su - ht02
[ht02@localhost ~]$
对/public/目录是否有写入权限,命令操作如下所示:
[ht02@localhost ~]$ mkdir /public/htdir
mkdir: 无法创建目录"/public/htdir": 权限不够
[ht02@localhost ~]$ getfacl /public/
getfacl: Removing leading ‘/’ from absolute path names
file: public/
owner: root
group: root
user::rwx
user:gelin01:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ht02:rwx
default:group::r-x
default?:rwx
default:other::r-x
[ht02@localhost ~]$
分析: 从这可以看出默认权限对目录本身没有生效,对子目录才开始继承生效。
对/public/下的gdir2和gfile2是否有写入权限,命令操作如下所示:
[ht02@localhost ~]$ mkdir /public/gdir2/htdir
[ht02@localhost ~]$ getfacl /public/gdir2/
getfacl: Removing leading ‘/’ from absolute path names
file: public/gdir2/
owner: root
group: root
user::rwx
user:ht02:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ht02:rwx
default:group::r-x
default?:rwx
default:other::r-x
[ht02@localhost ~]$ ls -ld /public/gdir2/htdir/ //创建成功
drwxrwxr-x+ 2 ht02 ht02 4096 2月 27 16:53 /public/gdir2/htdir/
[ht02@localhost ~]$ getfacl /public/gfile2
getfacl: Removing leading ‘/’ from absolute path names
file: public/gfile2
owner: root
group: root
user::rw-
user:ht02:rwx #effective:rw-
group::r-x #effective:r–
mask::rw-
other::r–
[ht02@localhost ~]$
[ht02@localhost ~]$ echo 123456 > /public/gfile2 //测试写入
[ht02@localhost ~]$ cat /public/gfile2
123456
对/public/下的gdir1和gfile1是否有写入权限,命令操作如下所示:
[ht02@localhost ~]$ getfacl /public/gdir1 //可以看到ht02没有呢ACL权限
getfacl: Removing leading ‘/’ from absolute path names
file: public/gdir1
owner: root
group: root
user::rwx
group::r-x
other::r-x
[ht02@localhost ~]$ mkdir /public/gdir1/htdir
mkdir: 无法创建目录"/public/gdir1/htdir": 权限不够
[ht02@localhost ~]$ getfacl /public/gfile1 //可以看到ht02没有呢ACL权限
getfacl: Removing leading ‘/’ from absolute path names
file: public/gfile1
owner: root
group: root
user::rw-
group::r–
other::r–
[ht02@localhost ~]$ echo 123456 > /public/gfile1
-bash: /public/gfile1: 权限不够
[ht02@localhost ~]$