Linux ACL permission management

What is an ACL
ACL stands for Access Control List, an access control list for a file / directory. On top of the UGO permissions (user/owner, group, others) it provides an additional, more flexible permission management mechanism for the file system. It was designed as a supplement to UNIX file permission management. An ACL lets you grant any user or group of users access to any file / directory.


What is an ACL used for
Since it is a supplement to UGO permission management, an ACL naturally provides abilities that UGO cannot, or can only with difficulty, for example:

setting permissions for a particular user
setting permissions for a particular user group
letting sub-files / directories inherit permissions from the parent directory

The main case is this: the "others" permission of a directory or file is set to ---, but some user who is neither the owner of the file or directory nor a member of its owning group needs to view its contents. That user has no rights to the file at all, and this is where we can use an ACL.

First, check whether Linux supports ACL
ACL needs support from both the Linux kernel and the file system. Most current Linux distributions enable it by default, but it is best to check first:

sudo tune2fs -l /dev/sda1 | grep "Default mount options:"
Default mount options:    user_xattr acl
We can see that by default (Default mount options:) acl support has been enabled.

Second, how to set the ACL
We use the setfacl command to set ACL permissions on a file / directory and the getfacl command to view them.

usage:

setfacl [options] file / directory name

options

-m: set (modify) the ACL entries given as the following argument on the file / directory; cannot be combined with -x;
-x: remove the ACL entries given as the following argument; cannot be combined with -m;
-b: remove all ACL entries;
-k: remove the default ACL;
-R: set ACL entries recursively;
-d: operate on the "default ACL", which is only valid for directories: entries newly created inside the directory inherit this default;

Set ACL permissions for a user:        setfacl -m u:username:permissions filename
Set ACL permissions for a user group:  setfacl -m g:groupname:permissions filename

View the ACL permissions of a file / directory

usage:

getfacl file / directory name

Third, let's demonstrate basic usage of ACL permissions through some examples.

Setting permissions for a user

1. Suppose user pi1 creates a file ii whose permissions are as follows
-----------------------------------------------
[root@CentOS7 home]# ll ii
-rw-r-----. 1 pi1 pi1 14 Jul 16 13:55 ii      # other users have no permissions
[root@CentOS7 home]#
-----------------------------------------------

2. Add read and write permissions on file ii for user pi2; ii belongs to another user (pi1)
-----------------------------------------------
[pi1@CentOS7 home]$ setfacl -m u:pi2:rw ii     # root or the file owner can add permissions with setfacl
-----------------------------------------------

3. View the permissions of ii again
-----------------------------------------------
[root@CentOS7 home]# ll ii
-rw-rw----+ 1 pi1 pi1 14 Jul 16 13:55 ii      # a + is appended to the permission field
[root@CentOS7 home]#
-----------------------------------------------

4. View the ACL permissions of file ii
-----------------------------------------------
[root@CentOS7 home]# getfacl ii
# file: ii          # file name
# owner: pi1        # owner of ii
# group: pi1        # owning group of ii
user::rw-           # empty user field: the permissions of the file owner
user:pi2:rw-        # permissions of user pi2, distinct from the owner
group::r--          # the owning group has only r
mask::rw-           # the effective permission mask for this file
other::---          # others have no permissions

[root@CentOS7 home]#
-----------------------------------------------

5. Add read and write permissions on file ii for the user group pi2; ii belongs to another user (pi1)
-----------------------------------------------
[root@CentOS7 home]# setfacl -m g:pi2:rw ii
-----------------------------------------------

6. View the ACL permissions of file ii
-----------------------------------------------
[root@CentOS7 home]# getfacl ii
# file: ii
# owner: pi1
# group: pi1
user::rw-
user:pi2:rw-
group::r--
group:pi2:rw-       # an entry for group pi2 has been added
mask::rw-
other::---

[root@CentOS7 home]#
-----------------------------------------------


Fourth, the mask: the maximum effective permissions

The permissions we set in an ACL entry for a user or group are not necessarily the permissions that user actually gets. The real permissions are the result of ANDing the entry's permissions with the mask. What does this mean? When user pi1 is given rwx in its entry but the mask is r--, pi1 actually receives only r. Normally the mask is recalculated when you add an entry so that it covers the permissions you add, which is why the permissions you set for a user are the permissions it gets.

Example: change the mask
-----------------------------------------------
[root@CentOS7 home]# setfacl -m m:r ii         # set the mask to r only
[root@CentOS7 home]# getfacl ii
# file: ii
# owner: pi1
# group: pi1
user::rw-
user:pi2:rw-            #effective:r--          # getfacl shows that the effective permission is only r
group::r--
group:pi2:rw-           #effective:r--
mask::r--
other::---
-----------------------------------------------
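The mask rule above, modelled in code: the following is an added example written for this page, not code from the original post or from the acl package. It parses getfacl-style output (the sample below is constructed from the mask example above), recomputes the effective permissions the way getfacl's #effective: annotations report them, and shows why the mask became rw- after the earlier `setfacl -m u:pi2:rw ii`.

```python
# Constructed sample: the getfacl output after `setfacl -m m:r ii`.
SAMPLE_GETFACL = """\
# file: ii
# owner: pi1
# group: pi1
user::rw-
user:pi2:rw-
group::r--
group:pi2:rw-
mask::r--
other::---
"""

def parse_acl(text):
    """Return (tag, qualifier, perms) tuples, skipping '#' headers and #effective: notes."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return entries

def perm_and(a, b):
    """Bitwise AND of two rwx strings: a bit survives only if set in both."""
    return "".join(x if x == y and x != "-" else "-" for x, y in zip(a, b))

def perm_or(a, b):
    """Bitwise OR of two rwx strings."""
    return "".join(x if x != "-" else y for x, y in zip(a, b))

def effective(entries):
    """Named users, named groups and the owning group are ANDed with the mask;
    the owner (user::) and other:: are never masked."""
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    result = {}
    for tag, qual, perms in entries:
        masked = tag == "group" or (tag == "user" and qual != "")
        result[f"{tag}:{qual}"] = perm_and(perms, mask) if masked else perms
    return result

def recomputed_mask(entries):
    """Mask that setfacl -m derives when no mask is given explicitly:
    the union of the owning group and every named user/group entry."""
    mask = "---"
    for tag, qual, perms in entries:
        if tag == "group" or (tag == "user" and qual != ""):
            mask = perm_or(mask, perms)
    return mask

if __name__ == "__main__":
    for key, perms in effective(parse_acl(SAMPLE_GETFACL)).items():
        print(f"{key:<12} effective {perms}")
```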

Fifth, setting ACL permissions recursively

With the -R option the ACL entry is applied recursively: all files and subdirectories under the directory receive the same ACL permissions.

setfacl -R -m u:username:permissions directoryname

Sixth, default ACL permissions

If a default ACL is set on a parent directory, every new file or subdirectory created inside it inherits that ACL from the parent directory.

setfacl -m d:u:username:permissions directoryname


Seventh, deleting ACL permissions

1. Delete the ACL permissions of a specified user

setfacl -x u:username filename

2. Delete the ACL permissions of a specified user group

setfacl -x g:groupname filename

3. Delete all ACL permissions on a file

setfacl -b filename


Origin blog.csdn.net/Pipcie/article/details/104959827