ACL访问控制列表可以对具体的用户或组设置权限。
[root@localhost ~]# useradd tony tom
[root@localhost ~]# passwd tony
[root@localhost ~]# passwd tom
[root@localhost ~]# mkdir /ff
[root@localhost ~]# cd /ff
[root@localhost ff]# touch test1
[root@localhost ff]# getfacl test1
# file: test1
# owner: root
# group: root
user::rw-
group::r--
other::r--
[tom@localhost ~]$ cd /ff/
[tom@localhost ff]$ vi test1
~
~
~
~
"test1" [readonly] 0L, 0C ```
[tony@localhost ~]$ cd /ff/
[tony@localhost ff]$ vi test1
~
~
~
"test1" [readonly] 0L, 0C```
现在用户tom和tony都是只读权限
[root@localhost ff]# setfacl -m u:tom:rw- test1
[root@localhost ff]# getfacl test1
# file: test1
# owner: root
# group: root
user::rw-
user:tom:rw-
group::r--
mask::rw-
other::r--
[tom@localhost ff]$ vi test1
~
~
~
"test1" 0L, 0C
对用户tom设置了rw权限
[root@localhost ff]# setfacl -x u:tom test1
[root@localhost ff]# getfacl test1
# file: test1
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--
[tom@localhost ff]$ vi test1
~
~
"test1" [readonly] 0L, 0C
取消了tom的ACL设置
[root@localhost ff]# setfacl -m u:tom:--- test1
[root@localhost ff]# getfacl test1
# file: test1
# owner: root
# group: root
user::rw-
user:tom:---
group::r--
mask::r--
other::r--
[tom@localhost ff]$ vi test1
~
~
"test1" [Permission Denied]
tom属于other用户,当tom设置的ACL与other冲突,会按照设置的ACL来
[root@localhost ff]# setfacl -m g:tony:rw- test1
[root@localhost ff]# getfacl test1
# file: test1
# owner: root
# group: root
user::rw-
user:tom:---
group::r--
group:tony:rw-
mask::rw-
other::r--
对tony组设置了rw-权限
[root@localhost ~]# cd /
[root@localhost /]# mkdir aa
[root@localhost /]# setfacl -m u:tom:rw- aa/
[root@localhost /]# getfacl aa/
# file: aa/
# owner: root
# group: root
user::rwx
user:tom:rw-
group::r-x
mask::rwx
other::r-x
[tom@localhost /]$ cd aa
-bash: cd: aa: Permission denied
tom用户设置了对目录aa的ACL
[root@localhost /]# setfacl -x u:tom aa/
[root@localhost /]# getfacl aa/
# file: aa/
# owner: root
# group: root
user::rwx
group::r-x
mask::r-x
other::r-x
取消了ACL权限
[root@localhost /]# setfacl -m d:u:tom:rw- aa/
[root@localhost /]# getfacl aa/
# file: aa/
# owner: root
# group: root
user::rwx
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:user:tom:rw-
default:group::r-x
default:mask::rwx
default:other::r-x
d的意思是default,不管哪个用户在aa目录里创建文件或目录,新创建的文件或目录对tom用户都用rw-权限
[root@localhost /]# setfacl -x d:u:tom aa/
[root@localhost /]# getfacl aa/
# file: aa/
# owner: root
# group: root
user::rwx
group::r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::r-x
对已经设置权限了的不会取消ACL,对取消后新创建的才会起作用
[root@localhost ff]# touch test2
[root@localhost ff]# getfacl test2
# file: test2
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@localhost ff]# chown tom.tom test2
[root@localhost ff]# getfacl test2
# file: test2
# owner: tom
# group: tom
user::rw-
group::r--
other::r--
[root@localhost ff]# setfacl -m u:tom:--- test2
[root@localhost ff]# getfacl test2
# file: test2
# owner: tom
# group: tom
user::rw-
user:tom:---
group::r--
mask::r--
other::r--
[tom@localhost ff]$ vi test2~
~
"test2" 0L, 0C
对文件的拥有者ACL不起作用。
当对一个组设置了ACL,后加入此组的用户会跟随此组的权限。