File access control (ACL list)
(1) ACL definition
ACL = access control list
Grants specified users or groups specified permissions on a specific file or directory, beyond what the owner/group/other mode bits can express
drwxrwx---+ 2 root root 17 Jul 18 01:39 /westos/
          ^
The trailing + means the /westos directory has an ACL attached
getfacl /westos/
# file: westos/       ##file name
# owner: root         ##file owner
# group: root         ##owning group
user::rwx             ##owner permissions
user:student:rwx      ##named user permissions
group::---            ##owning group permissions
mask::rwx             ##permission mask
other::---            ##permissions for everyone else
Note: once a file carries an ACL, the group field that ls -l shows is the mask entry, not the owning group's permissions, so ls -l no longer tells you who actually has access; use getfacl
##Check
getfacl file
##The output looks like this:
# file: file        #file name
# owner: root       #file owner
# group: root       #owning group
user::rwx           #owner permissions
group::rwx          #owning group permissions
mask::rwx           #mask: the most that named users, named groups and the owning group can effectively get
other::rwx          #permissions for everyone else
##Setting
Set an ACL entry:
setfacl -m <u|g>:<username|groupname>:<perms> file|directory
-m #modify: add or change an entry
u #user entry
g #group entry
d: #default entry prefix (e.g. d:u:student:rwx); only applies to files and directories created inside that directory afterwards, not to the directory itself or to anything already in it
As shown in the figure below, after setfacl has set an ACL, ls -l shows a + after the permission bits. At that point use getfacl <file> to see the complete permissions, because the permissions ls -l shows are incomplete.
Delete a user or group from the list
setfacl -x <u|g>:<username|groupname> file|directory
The -x form takes no permission field. After the entry is deleted, getfacl no longer lists the user that was added earlier. As shown in the figure.
Remove the whole list
setfacl -b file|directory
-b strips every extended entry (named users, named groups, mask and default entries), leaving only the owner/group/other base entries, and the + disappears from ls -l. As shown below
6. ACL mask value
(1) mask permission mask
The mask is the upper bound on what a named user, named group or the owning group can effectively get: effective permissions = entry permissions AND mask. The owner and other entries are not affected by it.
Because the group bits of the file mode are mapped onto the mask, changing the normal permissions with chmod (for example chmod 600) overwrites the mask and can silently cut the effective access of every named user
Repair
setfacl -m m:rwx /mnt/file #set the mask back explicitly (setfacl -m on any other entry also recalculates the mask unless -n is given)
Example: user westos has rwx, the mask is set to rw-, and getfacl annotates the entry with #effective:rw-, the permissions westos actually gets. As shown below
####Default permissions of the ACL list#####
#Default entries are only meaningful on directories
#An ordinary ACL entry on a directory does not guarantee that a given user will have the intended permissions on files created inside it later
#To have permissions added to new files automatically, set default entries on the directory
setfacl -m d:u:student:rwx /mnt/westos ##set a default entry on the westos directory
Note:
Default entries apply only to files and directories created in the directory afterwards; they do not affect files that already exist, nor the directory itself
As shown in the figure below, after default entries are set on the directory linux, switching to user hello and deleting the files that already existed in linux fails with "Permission denied": deleting needs write permission on the directory itself, which a default entry does not grant
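The following Python helper is an added example, not part of these notes, and ties the mask section and the default-ACL section together: it parses getfacl output (a constructed sample, not a real capture), computes each entry's effective permissions under the mask, reconstructs the mode string ls -l would display (with the mask as the middle triplet), and applies the acl(5) inheritance rule to show what a new file created by touch inside the directory would receive. The function names, the SAMPLE text and the /mnt/westos path are assumptions made for this example.

```python
"""POSIX ACL audit helpers working from getfacl output (added example).
Parses what getfacl prints, computes effective permissions under the mask,
rebuilds the ls -l mode string, and applies the acl(5) default-entry
inheritance rule.  Names and the sample input are constructed."""

from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, roughly `getfacl /mnt/westos` after
#   setfacl -m u:westos:rwx -m m:rw- -m d:u:student:rwx /mnt/westos
SAMPLE = """\
# file: mnt/westos
user::rwx
user:westos:rwx\t\t#effective:rw-
group::r-x\t\t#effective:r--
mask::rw-
other::---
default:user::rwx
default:user:student:rwx
default:group::---
default:mask::rwx
default:other::---
"""

@dataclass
class Entry:
    tag: str        # "user", "group", "mask" or "other"
    qualifier: str  # name for named entries, "" for owner / owning group
    perms: int      # rwx as 3 bits: r=4 w=2 x=1
    default: bool   # True for "default:" entries (directories only)

def bits(s: str) -> int:            # "rw-" -> 6
    return (4 if "r" in s else 0) | (2 if "w" in s else 0) | (1 if "x" in s else 0)

def rwx(b: int) -> str:             # 6 -> "rw-"
    return ("r" if b & 4 else "-") + ("w" if b & 2 else "-") + ("x" if b & 1 else "-")

def parse_getfacl(text: str) -> List[Entry]:
    """Header lines and '#effective:' notes are comments and are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        entries.append(Entry(tag, qualifier, bits(perms), default))
    return entries

def effective(entries: List[Entry], default: bool = False) -> List[Tuple[Entry, int]]:
    """(entry, effective bits): the mask caps named users, named groups and
    the owning group; owner and other are never masked."""
    acl = [e for e in entries if e.default == default]
    mask = next((e.perms for e in acl if e.tag == "mask"), 7)
    masked = lambda e: e.tag == "group" or (e.tag == "user" and e.qualifier != "")
    return [(e, e.perms & mask if masked(e) else e.perms) for e in acl]

def ls_mode(entries: List[Entry], is_dir: bool) -> str:
    """Mode string as ls -l shows it: with an ACL the middle triplet is the
    MASK, not group::, and '+' marks the extended ACL."""
    acl = [e for e in entries if not e.default]
    get = lambda tag, q="": next(e.perms for e in acl if e.tag == tag and e.qualifier == q)
    mask = next((e.perms for e in acl if e.tag == "mask"), None)
    extended = mask is not None or any(e.default for e in entries)
    middle = get("group") if mask is None else mask
    return ("d" if is_dir else "-") + rwx(get("user")) + rwx(middle) + rwx(get("other")) + ("+" if extended else "")

def inherit(entries: List[Entry], create_mode: int) -> List[Entry]:
    """Access ACL a new object gets from the default ACL (acl(5)): owner, mask
    (or owning group when there is no mask) and other are ANDed with the matching
    bits of the mode passed to open()/mkdir(); named entries are copied as-is."""
    defaults = [e for e in entries if e.default]
    has_mask = any(e.tag == "mask" for e in defaults)
    new_acl = []
    for e in defaults:
        perms = e.perms
        if e.tag == "user" and e.qualifier == "":
            perms &= (create_mode >> 6) & 7
        elif e.tag == "mask" or (e.tag == "group" and e.qualifier == "" and not has_mask):
            perms &= (create_mode >> 3) & 7
        elif e.tag == "other":
            perms &= create_mode & 7
        new_acl.append(Entry(e.tag, e.qualifier, perms, False))
    return new_acl

def report(text: str, is_dir: bool) -> List[str]:
    """ls -l view, then each access entry annotated the way getfacl does when the mask cuts it."""
    entries = parse_getfacl(text)
    lines = [f"ls -l would show: {ls_mode(entries, is_dir)}"]
    for e, eff in effective(entries):
        line = f"{e.tag}:{e.qualifier}:{rwx(e.perms)}"
        if eff != e.perms:
            line += f"\t#effective:{rwx(eff)}"
        lines.append(line)
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE, is_dir=True)))
    for e in inherit(parse_getfacl(SAMPLE), 0o666):   # file made by touch: open(..., 0666)
        print(f"new file -> {e.tag}:{e.qualifier}:{rwx(e.perms)}")
```

Run it as-is to see the sample, or feed it the text of getfacl -R over a tree you are auditing: the "#effective:" annotations are the entries whose stated permissions are not what the user really gets, and the reconstructed mode string shows why ls -l alone is not enough. Note that when a default ACL exists, the umask is not applied to new files; only the mode the creating program passes (0666 for touch, 0777 for mkdir) is ANDed in, which is why a new file under the sample directory gets owner rw- and mask rw- while the student entry keeps rwx and is capped to rw- by that mask.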