Preface:
When a user who is neither the owner of a file nor a member of its group needs to read and write that file, the traditional permission model can only help by granting read and write to "other". That gives every user on the system read and write access, which is a large risk and not safe. An additional permission mechanism is needed.
facl (file access control lists): an extra layer of access control added on top of the original permission model; the ACL entries are stored in the file's extended attributes.
1, getfacl command
# Display the file access control lists

```
[root@vms002 www]# whatis getfacl
getfacl (1)          - get file access control lists
```
Command syntax:
getfacl [-aceEsRLPtpndvh] file ...
Example:
```
[root@vms002 www]# ls
rhel.txt
[root@vms002 www]# getfacl rhel.txt
# file: rhel.txt
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--
```

Description: the lines beginning with # are the header (file name, owner and owning group); the lines that follow are the ACL entries themselves. The header can be suppressed with --omit (short for --omit-header, the same as -c):

```
[root@vms002 www]# getfacl --omit rhel.txt
user::rw-
group::r--
mask::r--
other::r--
```
2, setfacl command
1) Function: set file access control lists

```
[root@vms002 www]# whatis setfacl
setfacl (1)          - set file access control lists
```
2) Command Syntax
setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...
3) Common options
| Option | Meaning |
| --- | --- |
| -m | Modify the file's current access control entries |
| -x | Remove (cancel) facl entries |
| -R | Recurse into directories |
| -b | Remove all facl entries |
| -k | Remove the default facl entries |
| -d | Operate on the default facl entries (directories only) |

Common forms of -m:

- `setfacl -m u:username:perms file` : set a user's facl permissions on a file
- `setfacl -m g:groupname:perms file` : set a group's facl permissions on a file
- `setfacl -m m::perms file` : set the mask value
- `setfacl -m d:u:username:perms dir` : d means default; set a user's default facl permissions on a directory
- `setfacl -m d:g:groupname:perms dir` : set a group's default facl permissions on a directory

Common forms of -x:

- `setfacl -x u:username file` : cancel a user's facl permissions on a file
- `setfacl -x g:groupname file` : cancel a group's facl permissions on a file
- `setfacl -x d:u:username dir` : cancel a user's default facl permissions on a directory
- `setfacl -x d:g:groupname dir` : cancel a group's default facl permissions on a directory
3, practical demonstration
1) Set facl read and write permissions on the rhel.txt file, then cancel them

```
[root@vms002 www]# ls
rhel.txt
# View the facl permissions of rhel.txt
[root@vms002 www]# getfacl rhel.txt
# file: rhel.txt
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--
# Give user jerry read and write facl permissions on rhel.txt
[root@vms002 www]# setfacl -m u:jerry:rw- rhel.txt
# View the facl permissions of rhel.txt again to confirm they were set
[root@vms002 www]# getfacl rhel.txt
# file: rhel.txt
# owner: root
# group: root
user::rw-
user:jerry:rw-
group::r--
mask::rw-
other::r--
# user jerry now has read and write permissions
# Cancel jerry's facl permissions on rhel.txt
[root@vms002 www]# setfacl -x u:jerry rhel.txt
# View the facl permissions of rhel.txt again to confirm they were cancelled
[root@vms002 www]# getfacl rhel.txt
# file: rhel.txt
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--
```
2) Set default facl permissions of rwx on the www directory, then cancel the default facl permissions

```
[root@vms002 www]# ls
rhel.txt  www
# View the default facl permissions of the www directory
[root@vms002 www]# getfacl www/
# file: www/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# Give user jerry default facl permissions of rwx on the www directory
[root@vms002 www]# setfacl -m d:u:jerry:rwx www/
# View the default facl permissions of www again to confirm they were set
[root@vms002 www]# getfacl www/
# file: www/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:jerry:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
# user jerry now has default facl permissions of rwx
# Cancel jerry's default facl permissions on the www directory
[root@vms002 www]# setfacl -x d:u:jerry www/
# View the default facl permissions of www again to confirm they were cancelled
[root@vms002 www]# getfacl www/
# file: www/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::r-x
```

Note: the d here means default. No matter who creates a file or directory inside www, user jerry gets the default facl permissions rwx on it. The emphasis is on newly created entries under www: the default entries do not apply to the www directory itself or to files that already exist in it.
3) Set a temporary permission mask on the rhel.txt file

```
[root@vms002 www]# ls
rhel.txt  www
# View the mask value of rhel.txt
[root@vms002 www]# getfacl rhel.txt
# file: rhel.txt
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--
# Set the mask of rhel.txt to rw- as a temporary read-write ceiling
[root@vms002 www]# setfacl -m m::rw- rhel.txt
# View the mask value of rhel.txt again to confirm it was set
[root@vms002 www]# getfacl rhel.txt
# file: rhel.txt
# owner: root
# group: root
user::rw-
group::r--
mask::rw-
other::r--
# the mask value has been set (a temporary permission ceiling)
```

Tip: the mask is a temporary permission ceiling for the named user entries, the owning group entry and the named group entries (the owner and other entries are not affected). If the mask is set to ---, those entries take no effect at all, whatever they grant; if the mask is anything other than ---, the effective permission of each entry is its own permission limited by the mask. It is temporary because setfacl recalculates the mask automatically the next time a user or group entry is modified with -m, unless -n is given.
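To make the mask rule above concrete, the following added example (not part of the original post) parses a constructed getfacl listing and computes the effective permission of every entry the way the kernel applies the mask, which is the same value getfacl prints as `#effective:`. The file name, the users and the groups in the sample are assumptions.

```python
# Constructed getfacl output for rhel.txt: jerry was granted rw- and the
# group devs rwx, but the mask was then lowered to r-- (sample input only).
SAMPLE_ACL = """\
# file: rhel.txt
# owner: root
# group: root
user::rw-
user:jerry:rw-
group::r--
group:devs:rwx
mask::r--
other::r--
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perms):
    """Convert an 'rwx'-style string such as 'rw-' into an integer bitmask."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def bits_to_perm(bits):
    """Convert an integer bitmask back into 'rwx' notation."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """Return (header, entries); entries are (tag, qualifier, bits) tuples.
    default: entries describe inheritance, not current access, so they are skipped."""
    header, entries = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("default:"):
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, perm_to_bits(perms)))
    return header, entries


def effective_rights(entries):
    """Apply the mask: named users, the owning group and named groups are ANDed
    with it; the owner (user::) and other:: entries are never masked."""
    mask = next((b for t, _, b in entries if t == "mask"), None)
    result = {}
    for tag, qualifier, bits in entries:
        if tag == "mask":
            continue
        masked = tag == "group" or (tag == "user" and qualifier != "")
        eff = bits & mask if (mask is not None and masked) else bits
        result[f"{tag}:{qualifier}"] = bits_to_perm(eff)
    return result
```

With the sample listing, `effective_rights` reports `user:jerry` and `group:devs` as `r--` despite their own entries, which is exactly the situation the tip describes.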
4, summary
1) getfacl command: view the access control list of a file or directory;
2) setfacl command: set the access control list of a file or directory;
3) setfacl options: -m sets facl entries, -x cancels facl entries;
4) d sets default facl entries on a directory, which take effect for files newly created inside it;
5) m sets the mask, a temporary permission ceiling.