Linux Command: setfacl and the File System Access Control List (ACL) in Detail

The setfacl command sets the ACL (Access Control List) of files and directories from the command line.

Options
-b, --remove-all: remove all extended ACL entries; the base entries (owner, group, others) are kept.
-k, --remove-default: remove the Default ACL. If there is no Default ACL, no warning is issued.
-n, --no-mask: do not recalculate the effective rights mask. By default setfacl recalculates the ACL mask entry unless a mask entry was given explicitly.
--mask: recalculate the effective rights mask even if a mask entry was given explicitly.
-d, --default: apply the operations to the Default ACL.
--restore=file: restore ACLs from a backup file (for example one produced by getfacl -R). The ACLs of a whole directory tree can be restored this way. This option cannot be combined with any option other than --test.
--test: test mode; no file's ACL is changed, the resulting ACLs are only listed.
-R, --recursive: apply the operations recursively to all files and directories.
-L, --logical: follow symbolic links to directories. By default only symbolic links given as arguments are followed; symbolic links found in subdirectories are skipped.
-P, --physical: do not follow any symbolic links, not even those given as arguments.
--version: print the setfacl version number and exit.
--help: print help information.
--: end of command line options; all following arguments are treated as file names.
-: if the file name argument is a single dash, setfacl reads the file names from standard input.

• The -m and -x options take ACL rules on the command line; several rules are separated by commas (,). The -M and -X options read ACL rules from a file or from standard input.
• The --set and --set-file options set the ACL of a file or directory, replacing the previous ACL.
• The -m (--modify) and -M (--modify-file) options modify the ACL of a file or directory.
• The -x (--remove) and -X (--remove-file) options remove ACL rules.

When rules are read from a file with the -M or -X option, setfacl accepts the output format of the getfacl command. Each line holds one rule; lines beginning with # are treated as comments.

When setfacl is used on a file system that does not support ACLs, it modifies the file permission bits instead. If the ACL rules do not map exactly onto the file permission bits, setfacl changes the permission bits to reflect the ACL rules as closely as possible, prints an error message to standard error, and returns an exit status greater than 0.

Permissions

The owner of a file and any process with the CAP_FOWNER capability can set the ACL of a file. (On current Linux systems, root is the only user with the CAP_FOWNER capability.)

ACL rules

The setfacl command recognises rules in the following formats:
[d[efault]:] [u[ser]:]uid [:perms]    permissions of the named user, or of the file owner if uid is empty
[d[efault]:] g[roup]:gid [:perms]     permissions of the named group, or of the file's owning group if gid is empty
[d[efault]:] m[ask][:] [:perms]       effective rights mask
[d[efault]:] o[ther][:] [:perms]      permissions of others


Rules with a perms field are used by the modify and set operations. The uid and gid may be given either as a number or as a name. The perms field is a combination of letters standing for the permissions: r for read, w for write, x for execute, and X, which applies execute only to directories and to files that already have execute permission for some user. The perms field can also be given as an octal digit.

Automatically created rules

Initially, a file or directory contains only the three base ACL entries. For an ACL to be valid, the following rules must be satisfied:
• The three base entries cannot be removed.
• Any ACL that contains named user or named group entries must also contain an effective rights mask.
• Any ACL that contains default entries must also contain the three default base entries.
The ACL Definitions

Let's look at the definition of each term used in ACLs. I took most of these from the man page; they are a little dry, but they help in understanding what follows.

An ACL consists of a series of Access Entries; each Access Entry defines the permissions a particular category of users has on the file. An Access Entry has three components: the entry tag type, the qualifier (optional), and the permissions.

Let's look at the most important part, the entry tag type. It has the following types:
ACL_USER_OBJ: equivalent to the file owner's permission in Linux
ACL_USER: defines the permission an additional named user has on the file
ACL_GROUP_OBJ: equivalent to the group permission in Linux
ACL_GROUP: defines the permission an additional named group has on the file
ACL_MASK: defines the maximum permission of ACL_USER, ACL_GROUP_OBJ and ACL_GROUP (I will come back to this below)
ACL_OTHER: equivalent to the "other" permission in Linux


Let's explain with an example. We use the following command to look at the ACL of a file that already has one defined:
[root@localhost ~]# getfacl ./test.txt
# file: test.txt
# owner: root
# group: admin
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--


The first three lines, starting with #, give the file name, the file owner and the group. This information is not very useful, and we can omit it with --omit-header.
user::rw- defines ACL_USER_OBJ: the file owner has read and write permission
user:john:rw- defines ACL_USER, giving user john read and write permission on the file; this is the goal we set out to reach
group::rw- defines ACL_GROUP_OBJ: the file's group has read and write permission
group:dev:r-- defines ACL_GROUP, giving the dev group read permission on the file
mask::rw- defines ACL_MASK as read and write
other::r-- defines ACL_OTHER as read


From this we can see that an ACL can grant specific users and groups their own permissions. Next we look at how to set the ACL of a file:

How to set the ACL of a file

First let's talk about the format used to set an ACL. From the example above we can see that every Access Entry consists of three fields separated by colons. The first is the entry tag type:
user corresponds to ACL_USER_OBJ and ACL_USER
group corresponds to ACL_GROUP_OBJ and ACL_GROUP
mask corresponds to ACL_MASK
other corresponds to ACL_OTHER


The second field is called the qualifier; in the example above it is john and the dev group, which define the permissions of a specific user and group on the file. Note that only user and group entries have a qualifier; for the others it is empty. The third field is the familiar permission set, defined exactly as Linux permissions are, so there is not much to say about it.

Now let's see how to set the ACL of test.txt to meet the requirements above.

At the start the file has no additional ACL attributes:
[root@localhost ~]# ls -l
-rw-rw-r-- 1 root admin 0 Jul 3 22:06 test.txt

[root@localhost ~]# getfacl --omit-header ./test.txt
user::rw-
group::rw-
other::r--


We give user john read and write permission on the file test.txt:
[root@localhost ~]# setfacl -m user:john:rw- ./test.txt
[root@localhost ~]# getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
mask::rw-
other::r--


Now we can see that user john has read and write access to the file in the ACL. If we look at the Linux permissions at this point, we find something different:
[root@localhost ~]# ls -l ./test.txt
-rw-rw-r--+ 1 root admin 0 Jul 3 22:06 ./test.txt


The file permission string now ends with an extra + sign. When a file has an ACL_USER or ACL_GROUP entry we can call it an ACL file, and the + sign is there to remind us of that. We can also see that ACL_MASK is defined automatically as soon as a file has an ACL_USER or ACL_GROUP entry.

Next we give the dev group read permission:
[root@localhost ~]# setfacl -m group:dev:r-- ./test.txt
[root@localhost ~]# getfacl --omit-header ./test.txt
user::rw-
user:john:rw-
group::rw-
group:dev:r--
mask::rw-
other::r--


With that we have met the requirements mentioned above. It is quite simple, isn't it?

ACL_MASK and Effective Permission

ACL_MASK deserves special attention, because it is the other key to mastering ACLs. Everyone knows Linux file permissions: for rw-rw-r--, for example, the middle rw- is the permission of the file's group. However, that is only true when there is no ACL_MASK in the ACL. If the file has an ACL_MASK value, the rw- in that position shows the mask, not the group permission.

Let's look at the following example:
[root@localhost ~]# ls -l
-rwxrw-r-- 1 root admin 0 Jul 3 23:10 test.sh


The test.sh shown here only gives the file owner root read, write and execute/search permission; the admin group has only read and write permission. Now we want user john to have the same permission on test.sh as root.
[root@localhost ~]# setfacl -m user:john:rwx ./test.sh
[root@localhost ~]# getfacl --omit-header ./test.sh
user::rwx
user:john:rwx
group::rw-
mask::rwx
other::r--


Here we see that john already has rwx permission, and the mask has also been set to rwx, because the mask holds the maximum of ACL_USER, ACL_GROUP and ACL_GROUP_OBJ. Now look at the Linux permission of test.sh; it has become:
[root@localhost ~]# ls -l
-rwxrwxr--+ 1 root admin 0 Jul 3 23:10 test.sh


If a user in the admin group now tries to execute test.sh, what happens? Permission denied. The reason is that the admin group really only has read and write permission; the rwx shown in the group position is the value of ACL_MASK, not the group permission.

So whenever a file's permissions are followed by the + mark, we need to use getfacl to confirm its real permissions and avoid confusion.

Let's continue with another example. If we now set the mask of test.sh to read only, will the admin group still have write permission?
[root@localhost ~]# setfacl -m mask::r-- ./test.sh
[root@localhost ~]# getfacl --omit-header ./test.sh
user::rwx
user:john:rwx #effective:r--
group::rw- #effective:r--
mask::r--
other::r--


Now ACL_USER and ACL_GROUP_OBJ have an extra #effective:r-- after them. What does it mean? Look at the definition of ACL_MASK again: it specifies the maximum permission of ACL_USER, ACL_GROUP_OBJ and ACL_GROUP, so in our case their maximum permission is read only. Although we gave ACL_USER and ACL_GROUP_OBJ additional permissions, the permission they actually have in effect is read only.

The group position of the Linux permission also shows the value of the mask (i.e. r--). Let's look at the Linux file permission of test.sh now:
[root@localhost ~]# ls -l
-rwxr--r--+ 1 root admin 0 Jul 3 23:10 test.sh


Default ACL

Everything above concerns the Access ACL, i.e. the ACL of the file itself. Now a few words about the Default ACL. The Default ACL is a setting on a directory: files created in that directory inherit the directory's Default ACL.

Again, let's try it out. Say the root user has created a directory dir:
[root@localhost ~]# mkdir dir


He wants every file created in this directory to be accessible by user john, so we set a Default ACL on the directory dir.
[root@localhost ~]# setfacl -d -m user:john:rwx ./dir
[root@localhost ~]# getfacl --omit-header ./dir
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:group::rwx
default:mask::rwx
default:other::r-x

Here we can see that the ACL now defines default entries: by default, user john has read, write and execute/search permission. The other default entries are copied from the directory's own permissions. Now the root user creates a file test.txt inside dir.
[root@localhost ~]# touch ./dir/test.txt
[root@localhost ~]# ls -l ./dir/test.txt
-rw-rw-r--+ 1 root root 0 Jul 3 23:46 ./dir/test.txt

[root@localhost ~]# getfacl --omit-header ./dir/test.txt
user::rw-
user:john:rw-
group::rwx #effective:rw-
mask::rw-
other::r--

Here we see that a file created under dir automatically gives user john read and write permission.
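As an added worked example (not code from the original article), here is a small Python model of the rules described in the ACL_MASK and Default ACL sections above: it parses getfacl output, applies the mask to compute the effective permission of each entry, derives the permission string that ls -l shows (including the + marker), evaluates an access request in the order the kernel uses, and computes the Access ACL a new file inherits from a directory's Default ACL. The getfacl text embedded below is constructed to match the test.sh and dir examples; the user names and all function names are my own.

```python
"""Model of the POSIX ACL rules described in acl(5): parsing getfacl output,
ACL_MASK and effective permissions, the mode string ls -l prints, access
checks, and inheritance from a Default ACL. Added illustration, not the
article's own code; the sample getfacl text at the bottom is constructed."""
from dataclasses import dataclass, field
from typing import Optional

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_int(s: str) -> int:
    """'rw-' -> 6; a single octal digit such as '6' is accepted too."""
    return int(s) if s.isdigit() else sum(PERM_BITS[c] for c in s if c in PERM_BITS)


def int_to_perms(n: int) -> str:
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())


@dataclass
class Acl:
    owner: int = 0              # user::   (ACL_USER_OBJ)
    group: int = 0              # group::  (ACL_GROUP_OBJ)
    other: int = 0              # other::  (ACL_OTHER)
    mask: Optional[int] = None  # mask::   (ACL_MASK), present once named entries exist
    users: dict = field(default_factory=dict)   # user:NAME:  (ACL_USER)
    groups: dict = field(default_factory=dict)  # group:NAME: (ACL_GROUP)


def parse_getfacl(text: str):
    """Split getfacl output into (access ACL, default ACL). '# file:' headers and
    '#effective:' annotations are ignored: they are derived information."""
    access, default = Acl(), Acl()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        target = access
        if parts[0] == "default":          # default:user:john:rwx -> default ACL
            target, parts = default, parts[1:]
        tag, qual, perms = parts
        p = perms_to_int(perms)
        if tag in ("user", "group") and qual:
            (target.users if tag == "user" else target.groups)[qual] = p
        elif tag in ("user", "group", "mask", "other"):
            setattr(target, "owner" if tag == "user" else tag, p)
        else:
            raise ValueError(f"unsupported ACL entry: {line}")
    return access, default


def effective(acl: Acl) -> dict:
    """What each entry really grants: ACL_MASK caps named users, the owning
    group and named groups; owner and other are never masked."""
    m = 7 if acl.mask is None else acl.mask
    eff = {"user::": acl.owner, "group::": acl.group & m, "other::": acl.other}
    eff.update({f"user:{u}:": p & m for u, p in acl.users.items()})
    eff.update({f"group:{g}:": p & m for g, p in acl.groups.items()})
    return eff


def mode_string(acl: Acl) -> str:
    """Nine permission characters as ls -l shows them: with a mask present the
    group triplet is the mask, and '+' flags an extended ACL."""
    grp = acl.group if acl.mask is None else acl.mask
    plus = "+" if (acl.users or acl.groups or acl.mask is not None) else ""
    return int_to_perms(acl.owner) + int_to_perms(grp) + int_to_perms(acl.other) + plus


def check_access(acl: Acl, file_owner: str, file_group: str,
                 user: str, user_groups, want: str) -> bool:
    """acl(5) check order: owner, named user, then the owning group and the
    named groups the user belongs to (all masked), otherwise other."""
    w = perms_to_int(want)
    m = 7 if acl.mask is None else acl.mask
    if user == file_owner:
        return acl.owner & w == w
    if user in acl.users:
        return acl.users[user] & m & w == w
    candidates = [acl.group] if file_group in user_groups else []
    candidates += [p for g, p in acl.groups.items() if g in user_groups]
    if candidates:
        return any(p & m & w == w for p in candidates)
    return acl.other & w == w


def inherit(default: Acl, mode: int) -> Acl:
    """Access ACL of a new object created with `mode` in a directory carrying
    `default`: the Default ACL is copied, then owner, mask (or group) and other
    are ANDed with the matching mode bits; named entries are kept unchanged."""
    new = Acl(owner=default.owner & (mode >> 6 & 7), group=default.group,
              other=default.other & (mode & 7),
              users=dict(default.users), groups=dict(default.groups))
    if default.mask is None:
        new.group &= mode >> 3 & 7
    else:
        new.mask = default.mask & (mode >> 3 & 7)
    return new


# Constructed getfacl output matching the article's test.sh and dir examples.
TEST_SH = "user::rwx\nuser:john:rwx\ngroup::rw-\nmask::rwx\nother::r--\n"
DIR = ("user::rwx\ngroup::rwx\nother::r-x\ndefault:user::rwx\ndefault:user:john:rwx\n"
       "default:group::rwx\ndefault:mask::rwx\ndefault:other::r-x\n")
```

With TEST_SH, mode_string() returns rwxrwxr--+ while check_access() denies execute to a member of the admin group, which is exactly the "permission denied" surprise described above; setting acl.mask to r-- makes effective() report r-- for john and for group::, matching the #effective: annotations. inherit() applied to the dir Default ACL with the mode 0o666 that touch requests yields mask rw- and group::rwx #effective:rw-, as in the last getfacl listing.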

ACL-related commands

In the examples above we used getfacl to read a file's ACL and setfacl to set its Access ACL. There is also chacl, which changes the Access ACL and Default ACL of files and directories; its parameters can be found in the man page. I only want to mention chacl -B: it completely removes the ACL attributes of a file or directory (including the Default ACL). If, for example, you have deleted all ACL entries of a file with setfacl -x but the + sign still appears after its permissions, the right way to get rid of it is chacl -B. The cp command copies a file's ACL attributes only when the -p option is given; if the ACL attributes cannot be copied, a warning is issued.

The mv command moves a file's ACL attributes along with it by default; if the destination does not allow this, a warning is issued.

Some things to note

If your file system does not support ACLs, you may need to remount it with ACL support:
mount -o remount,acl [mount point]

If you change the file permission bits with chmod, the corresponding ACL entries change as well; conversely, if you change the ACL, the corresponding file permission bits change.


Source: www.linuxidc.com/Linux/2019-06/158909.htm