ACL permissions command setfacl command and getfacl


setfacl is the command-line tool for setting ACLs (Access Control Lists). On the command line it is followed by a series of options and then a series of file names.

Options

| Parameter | Description |
| - | - |
| -b | Remove all extended ACL entries; the base entries (owner, group, other) are kept. |
| -k | Remove the default ACL. If there is no default ACL, no message is printed. |
| -n | Do not recalculate the effective rights mask. By default setfacl recalculates the ACL mask unless a mask entry is given explicitly. |
| --mask | Recalculate the effective rights mask even when a mask entry was given explicitly. |
| -d | Operate on the default ACL. |
| --restore=file | Restore ACLs from a backup file (produced by getfacl -R). This can restore the ACLs of a whole directory tree. It cannot be combined with any option other than --test. |
| --set=acl | Set the ACL of the current file, replacing the existing one. |
| --set-file=file | Read ACL entries from a file and set them as the ACL of the current file or directory. |
| --test | Test mode: no file's ACL is changed; the resulting ACLs are listed instead. |
| -R | Operate recursively on all files and directories. |
| -L | Follow symbolic links to directories. By default only symbolic links given as arguments are followed, and symbolic links to directories met while walking are skipped. |
| -P | Skip all symbolic links, including symbolic links given as arguments. |
| --version | Print the version of setfacl and exit. |
| --help | Print help information. |
| -- | Marks the end of command-line options; everything after it is treated as a file name. If a file name is -, setfacl reads the file names from standard input. |
| -m | Modify the ACL of a file or directory with the entries given on the command line. |
| -M | Read ACL entries from a file and use them to modify the ACL of the current file or directory. |
| -x | Remove the specified ACL entries from a file or directory. |
| -X | Read ACL entries from a file and use them as the list of entries to remove from the ACL of the current file or directory. |

- Options -m and -x take ACL entries on the command line, separated by commas. Options -M and -X read ACL entries from a file or from standard input.
- Options --set and --set-file set the ACL of a file or directory; the previous ACL is overwritten.
- Options -m (--modify) and -M (--modify-file) modify the ACL of a file or directory.
- Options -x (--remove) and -X (--remove-file) remove ACL entries.

When entries are read from a file with -M or -X, setfacl accepts the output format of getfacl. Each line holds at least one entry; lines beginning with # are treated as comments.

When setfacl is used on a file system that does not support ACLs, it modifies the file permission bits instead. If the ACL entries do not fit exactly into the permission bits, setfacl changes the bits to reflect the ACL as closely as possible, writes an error message to standard error, and returns an exit status greater than 0.

Permissions

The file owner, and any process with the CAP_FOWNER capability, may set the ACL of a file. (On current Linux systems, root is the only user with the CAP_FOWNER capability.)

ACL entries

setfacl recognizes entries in the following formats:

- [d[efault]:] [u[ser]:]uid [:perms] - permissions of a named user, or of the file owner if uid is omitted.
- [d[efault]:] g[roup]:gid [:perms] - permissions of a named group, or of the file's group if gid is omitted.
- [d[efault]:] m[ask][:] [:perms] - the effective rights mask.
- [d[efault]:] o[ther][:] [:perms] - permissions of others.

These entries are used with the modify and set operations. uid and gid may be given either as a number or as a name. The perms field is a combination of the letters for the individual permissions: read (r), write (w) and execute (x); execute only makes sense for executable files and directories. The perms field may also be given as an octal digit.

Automatically created entries

Initially a file or directory has only the three base ACL entries. For the ACL to be valid, the following rules must hold:

- The three base entries cannot be removed.
- Whenever an ACL contains a named user or named group entry, it must also contain a valid mask entry.
- Whenever an ACL contains any default entries, the default base entries must also exist.

The ACL Definitions

An ACL is a series of Access Entries; each Access Entry defines the permissions that a particular class of subjects has on the file. An Access Entry has three parts:
- the entry tag type
- the qualifier (optional)
- the permissions

The entry tag type is one of the following:

| Type | Explanation |
| - | - |
| ACL_USER_OBJ | Equivalent to the file owner's permission in Linux |
| ACL_USER | Defines the permission an additional user has on this file |
| ACL_GROUP_OBJ | Equivalent to the group's permission in Linux |
| ACL_GROUP | Defines the permission an additional group has on this file |
| ACL_MASK | Defines the maximum permission of ACL_USER, ACL_GROUP_OBJ and ACL_GROUP |
| ACL_OTHER | Equivalent to the "other" permission in Linux |

Example

Here we use getfacl to view a file whose ACL is already defined:

[root@localhost ~]getfacl ./test.txt
# file: test.txt
# owner: root
# group: admin
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--

The first three lines, which start with #, give the file name, owner and group. This information is not of much use here, so we can omit it with --omit-header.

| Entry | Explanation |
| - | - |
| user::rw- | Defines ACL_USER_OBJ: the file owner has read and write permission |
| user:john:rw- | Defines ACL_USER: user john has read and write permission on the file, which is the goal we set out to achieve |
| group::rw- | Defines ACL_GROUP_OBJ: the file's group has read and write permission |
| group:dev:r-- | Defines ACL_GROUP: the dev group has read permission on the file |
| mask::rw- | Defines ACL_MASK: a mask of read and write |
| other::r-- | Defines ACL_OTHER: others have read permission |

So an ACL lets us grant permissions to specific users and groups. Next, let's look at how to set the ACL of a file:

How to set a file's ACL

First, the format. From the example above, every Access Entry consists of three colon-separated fields; the first is the entry tag type:

- user corresponds to ACL_USER_OBJ and ACL_USER
- group corresponds to ACL_GROUP_OBJ and ACL_GROUP
- mask corresponds to ACL_MASK
- other corresponds to ACL_OTHER

The second field is the qualifier; in the example above it is john and the group dev, naming the specific user or group the entry applies to. Only user and group entries have a qualifier; for the others it is empty. The third field is the familiar permission set, defined in the same way as Linux permissions, so there is little more to say about it.

Example one:

Set the ACL of test.txt to meet the requirements above.

At the start the file has no extra ACL attributes:

[root@localhost ~]ls -l
-rw-rw-r-- 1 root admin 0 Jul 3 22:06 test.txt
[root@localhost ~]getfacl --omit-header ./test.txt
user::rw-
group::rw-
other::r--

Now give user john read and write permission on test.txt:

[root@localhost ~]setfacl -m user:john:rw- ./test.txt
[root@localhost ~]getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
mask::rw-
other::r--

The ACL now shows that john has read and write access to the file.

If we look at the Linux permissions at this point, we find a difference:

[root@localhost ~]ls -l ./test.txt
-rw-rw-r--+ 1 root admin 0 Jul 3 22:06 ./test.txt

A + sign has appeared after the permission bits. Once a file has any ACL_USER or ACL_GROUP entry we can call it an ACL file, and the + sign is there to remind us of that.

We can also see that as soon as a file has an ACL_USER or ACL_GROUP entry, an ACL_MASK value is defined as well.

Next, give the dev group read permission:

[root@localhost ~]setfacl -m group:dev:r-- ./test.txt
[root@localhost ~]getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--

That completes the requirements set out above; it is really quite simple.
 

ACL_MASK and effective permissions

ACL_MASK deserves a closer look, because it is the other key to mastering ACLs. In a Linux permission string such as the familiar rw-rw-r--, the middle rw- is normally the permission of the file's group. That only holds when the file's ACL has no ACL_MASK. If the file has an ACL_MASK value, the middle rw- shows the mask value, not the group permission.

Let's look at the following example:

[root@localhost ~]ls -l
-rwxrw-r-- 1 root admin 0 Jul 3 23:10 test.sh

The listing says that for test.sh only the owner, root, has read, write and execute/search permission, and the admin group has only read and write permission.

Now give user john the same permissions as root on test.sh:

[root@localhost ~]setfacl -m user:john:rwx ./test.sh
[root@localhost ~]getfacl --omit-header ./test.sh
user::rwx
user:john:rwx
group::rw-
mask::rwx
other::r--

john now has rwx, and the mask has also been set to rwx, because the mask is the upper bound of ACL_USER, ACL_GROUP and ACL_GROUP_OBJ. Look at the Linux permissions of test.sh now; they have become:

[root@localhost ~]ls -l
-rwxrwxr--+ 1 root admin 0 Jul 3 23:10 test.sh

What happens if a user in the admin group now tries to execute test.sh? Permission denied. The reason is that the admin group really has only read and write permission; the rwx displayed here is the ACL_MASK value, not the group permission.

So whenever a file carries the + mark, we need getfacl to confirm its permissions and avoid confusion.

Let's continue with another example. If we now set the mask of test.sh to read-only, will the admin group still have write permission?

[root@localhost ~]setfacl -m mask::r-- ./test.sh
[root@localhost ~]getfacl --omit-header ./test.sh
user::rwx
user:john:rwx #effective:r--
group::rw- #effective:r--
mask::r--
other::r--

An #effective:r-- note now follows the ACL_USER and ACL_GROUP_OBJ entries. What does it mean? Recall the definition of ACL_MASK: it sets the maximum permission of ACL_USER, ACL_GROUP_OBJ and ACL_GROUP. In our case that maximum is read-only, so although we gave ACL_USER and ACL_GROUP_OBJ more than that, they effectively have only read permission.
Look at the Linux permissions of test.sh again: the group permission shows the mask value (r--):

[root@localhost ~]ls -l
-rwxr--r--+ 1 root admin 0 Jul 3 23:10 test.sh
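To make the mask arithmetic concrete, here is an added shell example (not from the original article) that recomputes getfacl's #effective column from ACL text: each masked entry is ANDed bit by bit with the mask of its scope (access or default), while user:: and other:: are left alone, and the group triplet that ls -l would display is derived the same way. The sample ACL is constructed to match the test.sh case above, so no ACL-enabled file system is needed to run it.

```shell
#!/bin/sh
# Added example, not part of the original article: recompute the "#effective:"
# column that getfacl prints, to show how ACL_MASK caps ACL_USER, ACL_GROUP_OBJ
# and ACL_GROUP but never ACL_USER_OBJ or ACL_OTHER. Works on getfacl text only.

# acl_effective: read getfacl output on stdin and print each entry again, adding
# " #effective:..." wherever the mask of its scope (access or default) reduces it.
acl_effective() {
    awk -F: '
        {
            sub(/[ \t]*#.*$/, "")          # drop "# file:" headers and old #effective notes
            if ($0 == "") next
            n++
            if ($1 == "default") { scope[n] = "default"; tag[n] = $2; qual[n] = $3; perm[n] = $4 }
            else                 { scope[n] = "access";  tag[n] = $1; qual[n] = $2; perm[n] = $3 }
            line[n] = $0
            if (tag[n] == "mask") mask[scope[n]] = perm[n]
        }
        END {
            for (i = 1; i <= n; i++) {
                m = mask[scope[i]]
                # Only named users, the owning group and named groups are masked.
                capped = (m != "" && ((tag[i] == "user" && qual[i] != "") || tag[i] == "group"))
                s = line[i]
                if (capped) {
                    eff = ""
                    for (k = 1; k <= 3; k++) {
                        c = substr(perm[i], k, 1)
                        bit = (c != "-" && c == substr(m, k, 1)) ? c : "-"
                        eff = eff bit
                    }
                    if (eff != perm[i]) s = s " #effective:" eff
                }
                print s
            }
        }'
}

# ls_group_bits: the middle rwx triplet that "ls -l" shows for the file. When an
# ACL_MASK exists it is the mask, not the owning group's permission, which is why
# a "+" listing has to be checked with getfacl.
ls_group_bits() {
    awk -F: '
        $1 == "mask"              { m = $3 }
        $1 == "group" && $2 == "" { g = $3 }
        END { print (m != "" ? m : g) }'
}

# Constructed sample, matching the test.sh ACL above after "setfacl -m mask::r--".
SAMPLE_ACL='user::rwx
user:john:rwx
group::rw-
mask::r--
other::r--'

printf '%s\n' "$SAMPLE_ACL" | acl_effective
printf '%s\n' "$SAMPLE_ACL" | ls_group_bits
```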

Default ACL

Everything above concerned the Access ACL, the ACL of the file itself. Now a few words about the Default ACL. A Default ACL is set on a directory, and files created in that directory inherit it as their own ACL.

Again a test to illustrate. Suppose the root user has created a directory dir:

[root@localhost ~]# mkdir dir

He wants every file created in this directory to be accessible to user john, so we set a Default ACL on dir.

[root@localhost ~]setfacl -d -m user:john:rw ./dir
[root@localhost ~]getfacl --omit-header ./dir
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

The default entries are now defined: by default john has read, write and execute/search permission. Default entries that were not specified are copied from the directory's access ACL. Now root creates test.txt in dir:

[root@localhost ~]touch ./dir/test.txt
[root@localhost ~]ls -l ./dir/test.txt
-rw-rw-r--+ 1 root root 0 Jul 3 23:46 ./dir/test.txt
[root@localhost ~]getfacl --omit-header ./dir/test.txt
user::rw-
user:john:rw-
group::rwx #effective:rw-
mask::rw-
other::r--

A file created under dir automatically gives john read and write permission.

ACL-related commands

In the examples above we have used getfacl to read a file's ACL and setfacl to set its Access ACL. There is also chacl, which changes the Access ACL and Default ACL of files and directories; its parameters are in the man page. One option worth mentioning is chacl -B: it removes the ACL attributes of a file or directory completely, including the Default ACL. Even after removing all ACL entries with setfacl -x, the + sign may still appear at the end of the permission string, so the right way to remove the ACL entirely is chacl -B. When copying files with cp, add the -p option so the ACL attributes are copied along with the file; if the ACL attributes cannot be copied, a warning is given.
mv moves the ACL attributes of the file by default, and gives a warning if the operation is not permitted.

Points to note: if your file system does not support ACLs, you may need to remount it:

mount -o remount,acl [mount point]

If you change a file's Linux permissions with chmod, the corresponding ACL values change accordingly; conversely, changing the ACL values changes the file's permission bits.

Example Two

1. Preparation
First, create an empty 512KB file:
[root@FC3-vm opt]#  dd if=/dev/zero of=/opt/testptn count=512
512+0 records in
512+0 records out
Then associate it with a loop device:
[root@FC3-vm opt]#  losetup /dev/loop0 /opt/testptn
Create an ext2 file system on it:
[root@FC3-vm opt]#  mke2fs /dev/loop0
mke2fs 1.35 (28-Feb-2004)
max_blocks 262144, rsv_groups = 32, rsv_gdb = 0
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
32 inodes, 256 blocks
12 blocks (4.69%) reserved for the super user
First data block=1
1 block group
8192 blocks per group8192 fragments per group
32 inodes per group

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 30 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Mount the new file system

Note the acl mount option: this is how we tell the kernel that we want to use ACLs on this file system.

[root@FC3-vm opt]#  mount -o rw,acl /dev/loop0 /mnt
[root@FC3-vm opt]#  cd /mnt
[root@FC3-vm mnt]#  ls
lost+found

We now have a small file system that supports ACLs, and even destroying it completely will not affect any valuable data on the hard disk. Our tour of ACLs can begin.


2. Basic ACL operations: add and modify
First create a new file as the object of our ACL experiments:
[root@FC3-vm mnt]#  touch file1
[root@FC3-vm mnt]#  ls -l file1
-rw-r--r-- 1 root root     7 Dec 11 00:28 file1
View the file's ACL as it is now

Apart from the usual UGO permissions, this file has no ACL:

[root@FC3-vm mnt]#  getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
group::r--
other::r--

Note: even on a file system that does not support ACLs, getfacl still returns a result like this, but setfacl does not work.

Add a few users and a group; in a moment we will use the ACL to give them different permissions:
[root@FC3-vm mnt]#  groupadd testg1
[root@FC3-vm mnt]#  useradd testu1
[root@FC3-vm mnt]#  useradd testu2
[root@FC3-vm mnt]#  usermod -G testg1 testu1
Now let's see what testu1 can do:
[root@FC3-vm mnt]# su testu1
[testu1@FC3-vm mnt]$ echo "testu1" >> file1
bash: file1: Permission denied

It fails, because file1 does not allow anyone other than root to write to it.

Modify file1's ACL to give testu1 sufficient permission:
[root@FC3-vm mnt]# setfacl -m u:testu1:rw file1
[root@FC3-vm mnt]# su testu1
[testu1@FC3-vm mnt]$ echo "testu1" >> file1
[testu1@FC3-vm mnt]$ cat file1
testu1

The modification succeeded: user testu1 can now read and write file1.

Let's look at file1's ACL:
[testu1@FC3-vm mnt]$ getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:testu1:rw-
group::r--
mask::rw-
other::r--
And at ls:
[root@FC3-vm mnt]ls -l file1
-rw-rw-r--+ 1 root root     7 Dec 11 00:28 file1

See the "+"? It appears right after the permission bits and indicates that file1 has an ACL set.

Modify testu1's permissions and, at the same time, give the group testg1 read permission:
[root@FC3-vm mnt]setfacl -m u:testu1:rwx,g:testg1:r file1
[root@FC3-vm mnt]getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:testu1:rwx
group::r--
group:testg1:r--
mask::rwx
other::r--

The permissions were set as intended: testu1 now has execute permission, and the group testg1 has received permission to read the file's contents. Some readers may have noticed two things. First, file1's group permission went from r-- to rw-. Second, what is the mask, and why did it change? Let's start with the mask. If the ACL takes precedence over UGO, then the mask is the true last line of defence: it determines the maximum permission any user or group can get. So without touching the underlying ACL definitions we can temporarily raise or lower the security level:

Set the mask
[root@FC3-vm mnt]setfacl -m mask::r file1
[root@FC3-vm mnt]getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:testu1:rwx                 #effective:r--
group::r--
group:testg1:r--
mask::r--
other::r--

[root@FC3-vm mnt]ls -l file1
-rw-r--r--+ 1 root root 7 Dec 11 00:28 file1

An #effective note has appeared behind testu1's ACL entry: this is the permission testu1 actually gets. The mask applies only to other users and groups; it has no effect on the owner's permissions. The ls output also shows that the UGO bits changed accordingly, because when an ACL is present the group permission displayed is the current mask. We usually set the mask to rwx so that it does not restrict any individual ACL entry.

Note that every time you modify or add a user or group ACL entry, the mask is recalculated so that the latest change really takes effect. So if you need a stricter mask, you may have to reset it after every change.

3. Other ACL features: delete and overwrite
Removing an existing ACL entry:
[root@FC3-vm mnt]# setfacl -x g:testg1 file1
[root@FC3-vm mnt]# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:testu1:rwx
group::r--
mask::rwx
other::r--

testg1's permissions have been removed.

To remove the whole ACL, use the -b option. All ACL entries are removed:
[root@FC3-vm mnt]# setfacl -b file1
[root@FC3-vm mnt]# getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
group::r--
other::r--

With --set we can set new ACL entries, overwriting all existing ones. This differs from -m, which only modifies existing entries or adds new ones. --set deletes all existing ACL entries and replaces them with the new ones; note that the UGO entries must be included, unlike -m, where only the ACL entries to add are given.

Set new ACL entries with --set
[root@FC3-vm mnt]setfacl --set u::rw,u:testu1:rw,g::r,o::- file1
[root@FC3-vm mnt]getfacl file1
# file: file1
# owner: root
# group: root
user::rw-
user:testu1:rw-
group::r--
mask::rw-
other::---

Another thing to note is o::-. Its complete form is other::---, just as the complete form of u::rw is user::rw-. Trailing "-" can usually be omitted, but when the permission field consists only of "-", at least one must be kept; writing o:: gives an error.

To set the same ACL on a directory and everything below it, use the -R parameter:
[root@FC3-vm mnt]setfacl -R --set u::rw,u:testu1:rw,g::r,o::- dir1
To read ACL entries from a file and use them to modify the current file's ACL, use the -M parameter:
[root@FC3-vm mnt]cat test.acl
user:testu1:rw-
user:testu2:rw-
group:testg1:r--
group:testg2:r--
mask::rw-
other::---
4. Directory default ACL

If we want files and directories created in a directory to use the same predefined ACL, we can use the default ACL. Once a directory has a default ACL, every file created in it automatically inherits the directory's default ACL as its own ACL. The setfacl -d option does this:

[root@FC3-vm mnt]setfacl -d --set g:testg1:rwx dir1
[root@FC3-vm mnt]getfacl dir1
# file: dir1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:testg1:rwx
default:mask::rwx
default:other::r-x

The default ACL is set. Try creating a file:

Create a test file
[root@FC3-vm mnt]# touch dir1/file1
[root@FC3-vm mnt]# getfacl dir1/file1
# file: dir1/file1
# owner: root
# group: root
user::rw-
group::r-x                      #effective:r--
group:testg1:rwx                #effective:rw-
mask::rw-
other::r--

file1 automatically inherited dir1's ACL entry for testg1. Only because of the mask does testg1 get just rw-.

5. Backup and restore ACLs

The main file-manipulation commands cp and mv support ACLs; cp only needs the -p parameter. But common backup tools such as tar do not preserve the ACL information of directories and files. To back up and restore files and directories with ACLs, the ACLs can be dumped to a file and later restored from it with the --restore option:

[root@FC3-vm mnt]getfacl -R dir1 > dir1.acl
[root@FC3-vm mnt]ls -l dir1.acl
total 16
-rw-r--r--  1 root root   310 Dec 12 21:10 dir1.acl
Remove all ACL data with the -b option, to simulate files and directories restored from a backup:
[root@FC3-vm mnt]# setfacl -R -b dir1
[root@FC3-vm mnt]# getfacl -R dir1
# file: dir1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: dir1/file1
# owner: root
# group: root
user::rw-
group::r--
other::r--
Now restore the removed ACL information from dir1.acl:
[root@FC3-vm mnt]# setfacl --restore dir1.acl
[root@FC3-vm mnt]# getfacl -R dir1
# file: dir1
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:testg1:rwx
default:mask::rwx
default:other::r-x

# file: dir1/file1
# owner: root
# group: root
user::rw-
group::r-x                      #effective:r--
group:testg1:rwx                #effective:rw-
mask::rw-
other::r--
6. Conclusion

ACLs make large-scale, complex permission management easy to implement on Linux; a /home partition holding a large number of user files can be managed far more effectively. We also saw the gap in backup tools; fortunately FC2 has begun to include star, a backup tool with ACL support, although it is still an alpha version.

The number of ACL entries per file is limited, and the limit differs between file systems. Ext2 and Ext3 support only 25 ACL entries per file, while ReiserFS and JFS can support more than 8,000. The Ext* file systems still need to be strengthened in this respect.

However complex a system is, permission management on the file system is its most basic part. Linux's ACL support makes user management on very large systems more convenient, and adds fuel to Linux's role in large-scale enterprise applications.

mask

An ACL has a "mask" entry, which is the maximum permission an ACL entry can grant; here it is rwx. When you set an ACL permission for a user or group, it is ANDed with the mask, and only the result is the user's final permission. For example, if the mask allows at most rx and you set rwx for user st, st ends up with only rx, because the AND with the mask yields rx.
If the ACL takes precedence over UGO, then the mask is the true last line of defence: it determines the maximum permission any user or group can get. So without changing the underlying ACL definitions we can temporarily raise or lower the security level:

zhou@zhou-desktop:~/Temp$ setfacl -m mask::r aclTest/
zhou@zhou-desktop:~/Temp$ getfacl aclTest/
# file: aclTest
# owner: zhou
# group: zhou
user::rwx
user:guest:rwx                #effective:r--
group::r-x                      #effective:r--
group:guest:rwx              #effective:r--
mask::r--
other::r-x

We can see that when we set the mask to read-only, all ACL entries above the mask line, other than the file owner's, become read-only; #effective:r-- shows the actual permission. This is a convenient way to change permissions temporarily and restore them quickly. The mask applies only to other users and groups; it has no effect on the owner's permissions. When an ACL is present, the group permission displayed is the current mask. We usually set the mask to rwx so that it does not restrict any individual ACL entry.

Source: www.linuxidc.com/Linux/2019-06/158910.htm