1. Overview
The getfacl command displays the access control list (ACL) of a file or directory; setfacl changes it.
2. Built-in help
2.1. The getfacl command
getfacl 2.2.51 -- get file access control lists
Usage: getfacl [-aceEsRLPtpndvh] file ...
-a, --access display the file access control list only
-d, --default display the default access control list only
-c, --omit-header do not display the comment header
-e, --all-effective print all effective rights
-E, --no-effective print no effective rights
-s, --skip-base skip files that only have the base entries
-R, --recursive recurse into subdirectories
-L, --logical logical walk, follow symbolic links
-P, --physical physical walk, do not follow symbolic links
-t, --tabular use tabular output format
-n, --numeric print numeric user/group identifiers
-p, --absolute-names don't strip leading '/' in pathnames
-v, --version print version and exit
-h, --help this help text
2.2. The setfacl command
setfacl 2.2.51 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
-m, --modify=acl modify the ACL entries of a file or directory
-M, --modify-file=file read ACL entries from a file and apply them as modifications to the current file or directory
-x, --remove=acl remove the specified ACL entries from a file or directory
-X, --remove-file=file read ACL entries from a file and remove them from the current file or directory
-b, --remove-all remove all extended ACL entries; the base entries (owner, group, other) are kept
-k, --remove-default remove the default ACL; no message is printed if there is none
--set=acl set the ACL of the current file or directory
--set-file=file read the ACL from a file and set it on the current file or directory
--mask recalculate the effective rights mask, even if a mask entry was given explicitly
-n, --no-mask do not recalculate the effective rights mask; by default setfacl recalculates the mask unless a mask entry was given explicitly
-d, --default operate on the default ACL
-R, --recursive apply the operation recursively to all files and subdirectories
-L, --logical follow symbolic links; by default only symbolic links to files are followed and symbolic links to directories are skipped
-P, --physical skip all symbolic links, including symbolic links to files
--restore=file restore ACLs from a backup file (such a file can be produced with getfacl -R); this is the way to restore the ACLs of an entire directory tree. This option cannot be combined with any option other than --test
--test test mode: no file's ACL is changed; the ACLs that would result are listed instead
-v, --version print the setfacl version and exit
-h, --help this help text
3. Examples
3.1. View a file's access control list
[root@itbkz s]#getfacl mulu/test.txt
# file: mulu/test.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
3.2. Modify a user's permissions
[root@itbkz s]#setfacl -m u:itbkz:rw mulu/test.txt
[root@itbkz s]#getfacl mulu/test.txt
# file: mulu/test.txt
# owner: root
# group: root
user::rw-
user:itbkz:rw-
group::r--
mask::rw-
other::r--
3.3. Remove a user's permissions
[root@itbkz s]#setfacl -x u:itbkz mulu/test.txt
[root@itbkz s]#getfacl mulu/test.txt
# file: mulu/test.txt
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--
3.4. Modify a group's permissions
[root@itbkz s]#setfacl -m g:itbkz:rwx mulu/test.txt
[root@itbkz s]#getfacl mulu/test.txt
# file: mulu/test.txt
# owner: root
# group: root
user::rw-
group::r--
group:itbkz:rwx
mask::rwx
other::r--
3.5. Modify the permissions of others
[root@itbkz s]#setfacl -m o::- mulu/test.txt
[root@itbkz s]#getfacl mulu/test.txt
# file: mulu/test.txt
# owner: root
# group: root
user::rw-
group::r--
other::---
3.6. Applying permissions recursively
[root@itbkz s]#getfacl mulu mulu/test.txt
# file: mulu
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: mulu/test.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@itbkz s]#setfacl -R -m u:itbkz:rwX mulu
[root@itbkz s]#mkdir mulu/mulu1
[root@itbkz s]#touch mulu/test1.txt
[root@itbkz s]#getfacl mulu mulu/mulu1 mulu/test.txt mulu/test1.txt
# file: mulu
# owner: root
# group: root
user::rwx
user:itbkz:rwx
group::r-x
mask::rwx
other::r-x
# file: mulu/mulu1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: mulu/test.txt
# owner: root
# group: root
user::rw-
user:itbkz:rw-
group::r--
mask::rw-
other::r--
# file: mulu/test1.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
Only files and directories that already exist get the modified ACL; files or directories created afterwards are not affected.
3.7. Setting default ACL entries
[root@itbkz s]#getfacl mulu mulu/test.txt
# file: mulu
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: mulu/test.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@itbkz s]#setfacl -m d:u:itbkz:rwX mulu
[root@itbkz s]#mkdir mulu/mulu1
[root@itbkz s]#touch mulu/test1.txt
[root@itbkz s]#getfacl mulu mulu/mulu1 mulu/test.txt mulu/test1.txt
# file: mulu
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:itbkz:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
# file: mulu/mulu1
# owner: root
# group: root
user::rwx
user:itbkz:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:itbkz:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
# file: mulu/test.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: mulu/test1.txt
# owner: root
# group: root
user::rw-
user:itbkz:rwx#effective:rw-
group::r-x#effective:r--
mask::rw-
other::r--
Files and directories created afterwards inherit the default ACL entries.
3.8. Viewing only the default ACL entries
[root@itbkz s]#getfacl -d mulu/mulu1/
# file: mulu/mulu1/
# owner: root
# group: root
user::rwx
user:itbkz:rwx
group::r-x
mask::rwx
other::r-x
3.9. Clearing all ACL entries
[root@itbkz s]#setfacl -b mulu/mulu1/
[root@itbkz s]#getfacl mulu/mulu1/
# file: mulu/mulu1/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
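The steps of sections 3.2 to 3.9 replayed as one script, an added example that is not from the original page: it creates a scratch directory, performs the page's setfacl operations and checks each result with getfacl, so it also serves as a quick test of whether a filesystem honours ACLs. The numeric UID 12345 stands in for the page's user itbkz (an assumption, so no account needs to exist; setfacl accepts numeric IDs directly). It needs the acl package and returns status 2, rather than failing, when the tools or filesystem support are absent.

```shell
#!/bin/sh
# Added example, not from the original page: replays the page's setfacl steps
# (3.2, 3.3, 3.6, 3.7, 3.9 and --test) in a scratch directory and checks each
# result with getfacl. Needs the acl package and a filesystem mounted with ACL
# support. The numeric UID 12345 stands in for the page's user "itbkz" so no
# account is required (an assumption); setfacl accepts numeric IDs directly.

# Runs the steps under directory $2 for UID $1. Returns 0 on success,
# 1 if a check fails, 2 if the ACL tools or filesystem support are missing.
acl_steps() {
    uid="$1"; root="$2"; f="$root/mulu/test.txt"
    command -v setfacl >/dev/null 2>&1 || return 2
    command -v getfacl >/dev/null 2>&1 || return 2
    umask 022                                   # base entries rw-r--r-- as on the page
    mkdir "$root/mulu" && : > "$f" || return 1

    # Probe: if the very first setfacl fails, the filesystem has no ACL support.
    setfacl -m "u:$uid:rw" "$f" 2>/dev/null || return 2

    # 3.2: the named entry is present; the mask is recomputed as the union of the group class
    getfacl -c -n "$f" | grep -q "^user:$uid:rw-$" || return 1
    getfacl -c "$f"    | grep -q '^mask::rw-$'      || return 1

    # 3.3: removing the entry leaves a (recomputed) mask behind
    setfacl -x "u:$uid" "$f" || return 1
    getfacl -c -n "$f" | grep -q "^user:$uid:" && return 1
    getfacl -c "$f"    | grep -q '^mask::r--$' || return 1

    # 3.6: recursive grant; capital X yields x only where something is already executable
    setfacl -R -m "u:$uid:rwX" "$root/mulu" || return 1
    getfacl -c -n "$root/mulu" | grep -q "^user:$uid:rwx$" || return 1
    getfacl -c -n "$f"         | grep -q "^user:$uid:rw-$" || return 1

    # 3.7: default entries on the directory are inherited by files created later;
    # the new file's mask comes from its creation mode, hence "#effective:rw-"
    setfacl -m "d:u:$uid:rwX" "$root/mulu" || return 1
    : > "$root/mulu/test1.txt" || return 1
    getfacl -c -n "$root/mulu/test1.txt" | grep -q "^user:$uid:rwx" || return 1
    getfacl -c "$root/mulu/test1.txt"    | grep -q '^mask::rw-$'    || return 1

    # --test: dry run, the file's ACL must be unchanged afterwards
    setfacl --test -m "u:$uid:rwx" "$f" >/dev/null || return 1
    getfacl -c -n "$f" | grep -q "^user:$uid:rw-$" || return 1

    # 3.9: -b strips every extended entry; only owner/group/other remain
    setfacl -b "$f" || return 1
    getfacl -c "$f" | grep -q '^mask::' && return 1
    return 0
}

# Wrapper: scratch directory, run the steps, clean up, propagate the status.
acl_demo() {
    root="$(mktemp -d)" || return 1
    acl_steps "${1:-12345}" "$root"
    rc=$?
    rm -rf "$root"
    return "$rc"
}

acl_demo 12345
echo "acl_demo status: $? (0 = all checks passed, 2 = ACL tools or support missing)"
```

Run it as root or as a user who owns the scratch directory; a status of 2 means the acl package is not installed or the filesystem was mounted without ACL support, which is itself worth knowing before relying on ACL-based restrictions.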
4. Notes
Temporarily lowering user or group permissions:
setfacl -m m::rw mulu
The mask affects every entry except the owner and other.
The mask is the upper bound on the effective permissions.
The mask can be used to lower users' permissions temporarily.
Any later change to the ACL recalculates the mask and removes the restriction it imposed (unless -n/--no-mask is given).
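To make the mask rule of sections 3.7 and 4 concrete, here is an added example that is not from the original page: it reads getfacl output and computes the effective rights the way the kernel does, ANDing named users, the owning group and named groups with the mask while leaving the owner and other entries untouched. It then lists the named entries that still have write access, which is the check a defender runs when auditing a directory tree for grants that the classic mode bits do not show. Both listings are constructed input: the first copies the page's mulu/test1.txt output, the second is the same ACL with the mask lowered to r--.

```shell
#!/bin/sh
# Added example, not from the original page: compute the effective rights of
# each entry in getfacl long-format output the way the kernel applies the mask,
# then list named users/groups that still end up with write access.
# Both samples are constructed: the first is the page's mulu/test1.txt listing
# (mask rw-), the second the same entries after the mask was lowered to r--.

SAMPLE_ACL='# file: mulu/test1.txt
# owner: root
# group: root
user::rw-
user:itbkz:rwx
group::r-x
mask::rw-
other::r--'

SAMPLE_ACL_MASKED='# file: mulu/test1.txt
# owner: root
# group: root
user::rw-
user:itbkz:rwx
group::r-x
mask::r--
other::r--'

# Reads getfacl output on stdin and prints "<entry> <effective rights>" per entry.
# The mask limits named users, the owning group and named groups; the owner
# (user::) and other:: entries are never masked.
effective_acl() {
    awk '
    # bitwise AND of two rwx strings, e.g. perm_and("rwx", "rw-") == "rw-"
    function perm_and(a, b,    i, ca, out) {
        out = ""
        for (i = 1; i <= 3; i++) {
            ca = substr(a, i, 1)
            out = out ((ca != "-" && ca == substr(b, i, 1)) ? ca : "-")
        }
        return out
    }
    /^#/ || /^$/ { next }          # comment header (file/owner/group)
    /^default:/  { next }          # default entries are inherited, not enforced here
    {
        e = $1; sub(/#.*/, "", e)  # drop a "#effective:..." annotation if present
        split(e, f, ":")           # f[1]=tag  f[2]=qualifier  f[3]=rights
        cnt++; ent[cnt] = e; tag[cnt] = f[1]; qual[cnt] = f[2]; perm[cnt] = f[3]
        if (f[1] == "mask") mask = f[3]
    }
    END {
        for (i = 1; i <= cnt; i++) {
            eff = perm[i]
            if (mask != "" && ((tag[i] == "user" && qual[i] != "") || tag[i] == "group"))
                eff = perm_and(perm[i], mask)
            printf "%s %s\n", ent[i], eff
        }
    }'
}

# Named entries (user:NAME or group:NAME) whose effective rights include write:
# grants beyond the classic mode bits that an audit should review.
audit_write_grants() {
    effective_acl | awk '$2 ~ /w/ {
        split($1, f, ":")
        if (f[2] != "" && (f[1] == "user" || f[1] == "group")) print $1
    }'
}

# Stand-alone run: effective rights for both samples, then the audit result.
printf '%s\n' "$SAMPLE_ACL" | effective_acl
printf '%s\n' "$SAMPLE_ACL_MASKED" | effective_acl
printf '%s\n' "$SAMPLE_ACL" | audit_write_grants
```

On a live system the same functions take the output of getfacl -R -p directly, so a baseline snapshot can be kept and re-audited later for named entries that gained write access.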