11 ACL
ACL:Access Control List,用于定义文件和目录的更细粒度的任意访问权限。
1. 检测ACL⚓
[sink@dev 16:30:25 vitest]$ dmesg | grep ACL
[ 2.493446] systemd[1]: systemd 219 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 -SECCOMP +BLKID +ELFUTILS +KMOD +IDN)
[ 5.829942] SGI XFS with ACLs, security attributes, no debug enabled
可见XFS支持ACL。
2. 设置ACL⚓
setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...
setfacl --restore=file
OPTIONS
-b, --remove-all
-k, --remove-default
-d, --default 设置 Default AC,只对目录有效,在该目录新建时使用.
-n, --no-mask 不要重新计算有效权限掩码。
-R, --recursive 递归地操作。不能与--restore合用
-m --modify modify the ACL of a file or directory.
-M --modify-file
-x --remove remove ACL entries
-X --remove-file
-- End of command line options. All remaining parameters are interpreted as file names, even if they start with a dash.
- If the file name parameter is a single dash, setfacl reads a list of files from standard input.
ACL ENTRIES
# perms是 r、w、x 的组合,若不设置则为“-”
[d[efault]:] [u[ser]:]uid [:perms]
Permissions of a named user. Permissions of the file owner if uid is empty.
[d[efault]:] g[roup]:gid [:perms]
Permissions of a named group. Permissions of the owning group if gid is empty.
[d[efault]:] o[ther][:] [:perms]
Permissions of others.
[d[efault]:] m[ask][:] [:perms]
Effective rights mask
[sink@dev 16:51:17 vitest]$ ll
total 0
drwxrwxr-x 2 sink sink 6 Oct 14 16:50 test-dir
-rw-rw-r-- 1 sink sink 0 Oct 14 16:51 test-f
# 设置 user1 对文件没有任何权限
[sink@dev 16:54:04 vitest]$ setfacl -m u:user1:- test-f; ll test-f
-rw-rw-r--+ 1 sink sink 0 Oct 14 16:51 test-f
[sink@dev 16:54:51 vitest]$ getfacl test-f
# file: test-f
# owner: sink
# group: sink
user::rw-
user:user1:---
group::rw-
mask::rw-
other::r--
[sink@dev 16:56:28 vitest]$ su user1
Password:
[user1@dev vitest]$ cat test-f
cat: test-f: Permission denied
# 设置其它用户只有 user1 对文件夹有访问权限
[sink@dev 16:58:48 vitest]$ setfacl -m user1:rx test-dir/; ll -d test-dir/
drwxrwx---+ 2 sink sink 6 Oct 14 16:50 test-dir/
[sink@dev 16:59:51 vitest]$ su user1
Password:
[user1@dev vitest]$ cd test-dir/
[user1@dev test-dir]$
[user1@dev test-dir]$ touch user1-f
touch: cannot touch ‘user1-f’: Permission denied
# 用户列表为空,就设置拥有者的权限
[sink@dev test-dir]$ setfacl -m u::r sink-f1; ll sink-f1
-r--rw-r-- 1 sink sink 0 Oct 14 17:13 sink-f1
# 可以同时指定多个 -m 选项
[sink@dev test-dir]$ setfacl -m g:user1:r -m user2:r sink-f2
# mask表示权限范围,当它起作用时,即使有某些权限,但不在mask的范围中,那么权限也不会生效
# 收回除拥有者之外的所有人的写权限和执行权限
[sink@dev vitest]$ setfacl -m m:r test-dir/; ll -d test-dir/
drwxr-----+ 2 sink sink 21 Oct 14 17:13 test-dir
[sink@dev vitest]$ getfacl test-dir/
# file: test-dir/
# owner: sink
# group: sink
user::rwx
# 虽然这里的权限显示没改变,但还是会受到 mask 的限制,全部变为只读
user:user1:r-x #effective:r--
group::rwx #effective:r--
mask::r--
other::---
[sink@dev vitest]$ su user1
Password:
# 缺少x权限
[user1@dev vitest]$ cd test-dir/
bash: cd: test-dir/: Permission denied
# 只有r权限
[user1@dev vitest]$ ll test-dir/
ls: cannot access test-dir/sink-f1: Permission denied
total 0
-????????? ? ? ? ? ? sink-f1
# 可继承ACL
[sink@dev vitest]$ setfacl -m d:g:user1:rx test-dir/
# 这样一来,在test-dir下面新建文件或目录都会继承test-dir的ACL权限
3. 查看ACL⚓
getfacl [-aceEsRLPtpndvh] file ...
getfacl [-aceEsRLPtpndvh] -