Filesystem access control lists:
FACL: Filesystem Access Control List
Stores additional access permissions in the file's extended attributes.
setfacl sets the facl
-m adds an access control list entry
u:UID:perm
Example: user lisi creates a file; zhangsan should be able to edit it, but other users should not.
[[email protected]]$ touch aaa
[[email protected]]$ ls -l
总用量 0
-rw-rw-r--. 1 lisi lisi 0 5月 26 08:45 aaa
[[email protected]]$ setfacl -m u:zhangsan:rw- aaa
[[email protected]]$ getfacl aaa
# file: aaa
# owner: lisi
# group: lisi
user::rw-
user:zhangsan:rw-
group::rw-
mask::rw-
other::r--
[[email protected]]# su - zhangsan
[[email protected]]$ vi aaa
[[email protected]]$ ls -l
总用量 8
-rw-rw-r--+ 1 lisi lisi 8 5月 26 08:48 aaa
g:GID:perm
[[email protected] tmp]$ setfacl -m g:zhangsan aaa
setfacl: Option -m incomplete
[[email protected] tmp]$ setfacl -mg:zhangsan:rwx aaa
[[email protected] tmp]$ getfacl aaa
# file: aaa
# owner: lisi
# group: lisi
user::rw-
group::rw-
group:zhangsan:rwx
mask::rwx
other::r--
[[email protected] ~]# usermod -a -G zhangsan wangwu
[[email protected] ~]# id wangwu
uid=502(wangwu) gid=502(wangwu) 组=502(wangwu),500(zhangsan)
[[email protected] ~]# su - wangwu
[[email protected] ~]$ cd /tmp
[[email protected] tmp]$ getfacl aaa
# file: aaa
# owner: lisi
# group: lisi
user::rw-
group::rw-
group:zhangsan:rwx
mask::rwx
other::r--
[[email protected] tmp]$ vi aaa
[[email protected] tmp]$ ls -l
总用量 12
-rw-rwxr--+ 1 lisi lisi 16 5月 26 09:46 aaa
-rw-rwxr--+ 1 wangwu wangwu 0 5月 26 09:20 bbb
[[email protected] tmp]# su - wangwu
[[email protected] ~]$ cd /tmp
[[email protected] tmp]$ vi aaa
[[email protected] tmp]$ id wangwu
uid=502(wangwu) gid=502(wangwu) 组=502(wangwu),500(zhangsan)
This shows that once a group facl entry is added to a file, members get the facl permissions whether that group is their primary group or a supplementary group.
-x removes an entry
getfacl shows the facl information
mask: the upper bound on permissions; whatever an entry grants, its effective permissions cannot exceed the mask
[[email protected] ~]#setfacl -m mask:rw /tmp/aaa
[[email protected] ~]#getfacl /tmp/aaa
getfacl: Removing leading '/' from absolute path names
# file: tmp/aaa
# owner: root
# group: root
user::rw-
user:lisi:rwx #effective:rw-
group::r--
mask::rw-
other::r--
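The mask rule above, and the earlier observation that a group entry applies through either the primary or a supplementary group, are both consequences of the POSIX.1e access-check order. The following Python is an added example, not part of the original notes: it parses getfacl output (the two samples are constructed from the notes' own listings), applies the mask the way getfacl's "#effective:" annotation does, and answers "can this user, with these groups, get these permissions?" with the kernel's evaluation order. The group memberships passed to can_access are assumptions for illustration.

```python
# Added example (not from the original notes): evaluate POSIX ACL access
# the way the kernel does, including the mask. The getfacl text below is
# constructed from the notes' own examples; group memberships are assumed.

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def parse_perms(text):
    """'rw-' -> 6. Ignores a trailing '#effective:...' comment."""
    text = text.split("#")[0].strip()
    return sum(bit for ch, bit in PERM_BITS if ch in text)


def perms_str(perms):
    """6 -> 'rw-'."""
    return "".join(ch if perms & bit else "-" for ch, bit in PERM_BITS)


def parse_getfacl(output):
    """Return (owner, owning_group, entries) from getfacl output.
    Each entry is (tag, qualifier, perms). 'default:' lines are skipped:
    they only matter for objects created inside a directory."""
    owner = group = None
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#") or line.startswith("default:"):
            continue
        else:
            tag, qualifier, perms = line.split(":", 2)
            entries.append((tag, qualifier, parse_perms(perms)))
    return owner, group, entries


def effective_entries(entries):
    """Apply the mask. Named users, the owning group and named groups are
    limited by the mask; the owner entry and 'other' never are."""
    mask = next((p for t, q, p in entries if t == "mask"), 7)
    out = []
    for tag, qualifier, perms in entries:
        masked = tag == "group" or (tag == "user" and qualifier != "")
        out.append((tag, qualifier, perms & mask if masked else perms))
    return out


def can_access(acl, user, groups, requested):
    """True if `user` (member of `groups`) gets every permission in
    `requested`, e.g. 'rw'. Mirrors the POSIX.1e algorithm: owner entry,
    then the named-user entry, then any matching group entry that grants
    the request, and 'other' only when no group entry matched at all."""
    owner, owning_group, entries = acl
    want = parse_perms(requested)
    eff = effective_entries(entries)

    def grants(perms):
        return want & ~perms == 0

    if user == owner:
        return grants(next(p for t, q, p in eff if t == "user" and q == ""))
    for tag, qualifier, perms in eff:
        if tag == "user" and qualifier == user:
            return grants(perms)
    group_matched = False
    for tag, qualifier, perms in eff:
        if tag != "group":
            continue
        if (qualifier == "" and owning_group in groups) or (qualifier and qualifier in groups):
            group_matched = True
            if grants(perms):
                return True
    if group_matched:
        return False          # a group entry matched but did not grant: no fallthrough to 'other'
    return grants(next(p for t, q, p in eff if t == "other"))


def audit_masked(acl):
    """Entries whose effective permissions are below what they grant,
    i.e. the rows getfacl annotates with '#effective:'."""
    _, _, entries = acl
    return [f"{t}:{q}:{perms_str(p)} #effective:{perms_str(e)}"
            for (t, q, p), (_, _, e) in zip(entries, effective_entries(entries))
            if e != p]


# Constructed sample: the ACL the notes show after `setfacl -m mask:rw /tmp/aaa`.
MASKED_ACL = parse_getfacl("""\
# file: tmp/aaa
# owner: root
# group: root
user::rw-
user:lisi:rwx
group::r--
mask::rw-
other::r--
""")

# Constructed sample: the ACL the notes show after `setfacl -m g:zhangsan:rwx aaa`.
GROUP_ACL = parse_getfacl("""\
# file: aaa
# owner: lisi
# group: lisi
user::rw-
group::rw-
group:zhangsan:rwx
mask::rwx
other::r--
""")

if __name__ == "__main__":
    print(audit_masked(MASKED_ACL))                                   # lisi capped at rw-
    print(can_access(MASKED_ACL, "lisi", ["lisi"], "x"))              # False: mask strips x
    print(can_access(GROUP_ACL, "wangwu", ["wangwu", "zhangsan"], "w"))  # True via supplementary group
    print(can_access(GROUP_ACL, "wangwu", ["wangwu"], "w"))           # False: falls to other::r--
```

Two points the notes' sessions only show indirectly: wangwu gets write through group:zhangsan whether zhangsan is primary or supplementary, because the check only asks whether the group is in the process's group list; and once any group entry matches, a denied request does not fall through to the other:: entry.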
setfacl -x u:user1 FILE    remove the facl entry for user user1 (-x takes no permission field)
setfacl -x g:user2 FILE    remove the facl entry for group user2
setfacl -m d:u:user1:rwx /tmp/aaa    set a default facl on a directory; files created inside the directory inherit the facl entries
setfacl -m d:g:user1:rwx /tmp/aaa
[[email protected] ~]#setfacl -m d:u:lisi:rwx /tmp/bbb
[[email protected] ~]#getfacl /tmp/bbb
getfacl: Removing leading '/' from absolute path names
# file: tmp/bbb
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:lisi:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
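What a file created inside /tmp/bbb actually ends up with is not shown in the notes, so here is an added Python example (not from the original notes) that derives it with the POSIX.1e inheritance rules Linux follows: the default entries are copied, named entries keep their permissions, and the user::, mask:: and other:: entries are ANDed with the creation mode. The default entries are the ones the notes show for /tmp/bbb; the creation modes 0666 (touch) and 0777 (mkdir) are the values those tools pass, and umask is ignored once a default ACL exists.

```python
# Added example (not from the original notes): derive the ACL a new file or
# directory receives from its parent's default ACL (POSIX.1e rules as
# implemented on Linux). Default entries are the ones the notes show on
# /tmp/bbb; the creation modes 0o666 / 0o777 are assumed from touch / mkdir.

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))


def perms_str(perms):
    """6 -> 'rw-'."""
    return "".join(ch if perms & bit else "-" for ch, bit in PERM_BITS)


def inherit_acl(default_entries, mode, is_dir):
    """Return (access_entries, default_entries) for the new object.
    Named user/group entries are copied as granted; the owner, other and
    mask entries (or the owning-group entry when there is no mask) are
    ANDed with the matching bits of the creation mode. umask plays no part."""
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_entries)
    access = []
    for tag, qualifier, perms in default_entries:
        if tag == "user" and qualifier == "":
            perms &= owner_bits
        elif tag == "other":
            perms &= other_bits
        elif tag == "mask" or (tag == "group" and qualifier == "" and not has_mask):
            perms &= group_bits
        access.append((tag, qualifier, perms))
    # Only a directory carries the default ACL on to its own children.
    return access, (list(default_entries) if is_dir else [])


def mode_string(access):
    """The rwx triplets ls -l prints: the group field shows the mask, not
    the owning group, whenever a mask entry exists."""
    by_tag = {(t, q): p for t, q, p in access}
    group_field = by_tag.get(("mask", ""), by_tag[("group", "")])
    return perms_str(by_tag[("user", "")]) + perms_str(group_field) + perms_str(by_tag[("other", "")])


def effective(access, tag, qualifier):
    """Permissions an entry really yields once the mask is applied."""
    by_tag = {(t, q): p for t, q, p in access}
    mask = by_tag.get(("mask", ""), 7)
    return by_tag[(tag, qualifier)] & mask


# Constructed from the notes' `getfacl /tmp/bbb` output after
# `setfacl -m d:u:lisi:rwx /tmp/bbb`.
BBB_DEFAULT = [
    ("user", "", 7),        # default:user::rwx
    ("user", "lisi", 7),    # default:user:lisi:rwx
    ("group", "", 5),       # default:group::r-x
    ("mask", "", 7),        # default:mask::rwx
    ("other", "", 5),       # default:other::r-x
]


def new_file_in_bbb():
    """ACL of `touch /tmp/bbb/f` (open() called with mode 0666)."""
    return inherit_acl(BBB_DEFAULT, 0o666, is_dir=False)


def new_dir_in_bbb():
    """ACL of `mkdir /tmp/bbb/d` (mkdir() called with mode 0777)."""
    return inherit_acl(BBB_DEFAULT, 0o777, is_dir=True)


if __name__ == "__main__":
    access, default = new_file_in_bbb()
    for t, q, p in access:
        print(f"{t}:{q}:{perms_str(p)}")
    print("ls -l shows:", mode_string(access) + "+")          # rw-rw-r--+
    print("lisi effective:", perms_str(effective(access, "user", "lisi")))  # rw-
```

The result for a plain file is user::rw-, user:lisi:rwx, group::r-x, mask::rw-, other::r--: lisi keeps the rwx entry, but the mask inherited from the 0666 mode caps it at rw-, which is exactly the "#effective:" situation from the mask section. A subdirectory created with mode 0777 keeps every entry unchanged and receives the same default ACL, so the inheritance continues one level down.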
setfacl -x d:u:lisi /tmp/bbb    remove the default entry
[[email protected] ~]#setfacl -x d:u:lisi /tmp/bbb
[[email protected] ~]#getfacl /tmp/bbb
getfacl: Removing leading '/' from absolute path names
# file: tmp/bbb
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::r-x