
Using the file access control list commands setfacl and getfacl

1. Requirement

The following requirement is to be met with the setfacl command: one group of users gets read, write and execute permission on a directory, a second group gets write and execute only, and a third group gets read only.

linux   rwx
oracle  wx
uplook  r

2. Solution

Step 1: add six users: linux01, linux02, oracle01, oracle02, uplook01 and uplook02

[root@serv01 learning]# useradd linux01
[root@serv01 learning]# useradd linux02
[root@serv01 learning]# useradd oracle01
[root@serv01 learning]# useradd oracle02
[root@serv01 learning]# useradd uplook01
[root@serv01 learning]# useradd uplook02

Step 2: set a password for each user

[root@serv01 learning]# passwd linux01
[root@serv01 learning]# passwd linux02
[root@serv01 learning]# passwd oracle01
[root@serv01 learning]# passwd oracle02
[root@serv01 learning]# passwd uplook01
[root@serv01 learning]# passwd uplook02

Step 3: add three groups: oracle, linux and uplook

[root@serv01 learning]# groupadd oracle
[root@serv01 learning]# groupadd linux
[root@serv01 learning]# groupadd uplook

Step 4: check the permissions on the data directory

[root@serv01 learning]# ll data -d
drwxr-xr-x. 2 root root 4096 Sep 20 23:31 data

Step 5: implement the requirement

Each setfacl -m call adds or replaces one named-user entry, so the later wx entries for oracle01 and oracle02 override the rwx entries set just before them.

[root@serv01 learning]# setfacl -m u:linux01:rwx data/
[root@serv01 learning]# setfacl -m u:linux02:rwx data/
[root@serv01 learning]# setfacl -m u:oracle01:rwx data/
[root@serv01 learning]# setfacl -m u:oracle02:rwx data/
[root@serv01 learning]# setfacl -m u:oracle01:wx data/
[root@serv01 learning]# setfacl -m u:oracle02:wx data/
[root@serv01 learning]# setfacl -m u:uplook01:r data/
[root@serv01 learning]# setfacl -m u:uplook02:r data/

# Check the ACL on the data directory
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
mask::rwx
other::r-x

# Check the permission bits again: the trailing + marks an extended ACL, and the group column now shows the mask rather than the owning group's permissions
[root@serv01 learning]# ll data/ -d
drwxrwxr-x+ 2 root root 4096 Sep 20 23:31 data/

Step 6: verify

# Log in as linux01: the data directory is readable, writable and executable
[root@larrywen /]# ssh [email protected]
[email protected]'s password:
Welcome to zhink learn
[linux01@serv01 learning]$ cd data
[linux01@serv01 data]$ ll
total 0
[linux01@serv01 data]$ touch file
[linux01@serv01 data]$ ls
file

# Log in as oracle01: the data directory is writable and executable, but not readable
[root@larrywen /]# ssh [email protected]
[oracle01@serv01 ~]$ cd /home/learning/data/
[oracle01@serv01 data]$ ll
ls: cannot open directory .: Permission denied
[oracle01@serv01 data]$ touch file2
[oracle01@serv01 data]$ rm -f file2

# Log in as uplook01: the data directory is readable only (its contents can be listed, but not entered or read)
[root@larrywen /]# ssh [email protected]
[email protected]'s password:
Welcome to zhink learn
[uplook01@serv01 ~]$ cd /home/learning/data
-bash: cd: /home/learning/data: Permission denied
[uplook01@serv01 ~]$ cat /home/learning/data/test.txt
cat: /home/learning/data/test.txt: Permission denied
[uplook01@serv01 ~]$ ls /home/learning/data/
ls: cannot access /home/learning/data/file: Permission denied
ls: cannot access /home/learning/data/test.txt: Permission denied
file test.txt

Step 7: assign permissions by group

# Move the six users into their groups: linux01 and linux02 into linux, and so on
[root@serv01 learning]# usermod -g linux linux01
[root@serv01 learning]# usermod -g linux linux02
[root@serv01 learning]# usermod -g oracle oracle01
[root@serv01 learning]# usermod -g oracle oracle02
[root@serv01 learning]# usermod -g uplook uplook01
[root@serv01 learning]# usermod -g uplook uplook02

# Assign the permissions per group
[root@serv01 learning]# setfacl -m g:linux:rwx data/
[root@serv01 learning]# setfacl -m g:oracle:wx data/
[root@serv01 learning]# setfacl -m g:uplook:r data/
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:linux:rwx
group:uplook:r--
mask::rwx
other::r-x

3. Other uses of setfacl

# Show the ACL of a file or directory
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:linux:rwx
group:uplook:r--
mask::rwx
other::r-x

# Change the mask with the m entry. The mask is the upper bound on what every named user, named group and the owning group can effectively hold; lowering it to r-- makes the rwx and -wx entries ineffective, which getfacl flags with #effective
[root@serv01 learning]# setfacl -m m:r data/
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx                #effective:r--
user:linux02:rwx                #effective:r--
user:oracle01:-wx               #effective:---
user:oracle02:-wx               #effective:---
user:uplook01:r--
user:uplook02:r--
group::r-x                      #effective:r--
group:oracle:-wx                #effective:---
group:linux:rwx                 #effective:r--
group:uplook:r--
mask::r--
other::r-x

# Set the mask back to rwx with the m entry
[root@serv01 learning]# setfacl -m m:rwx data/
[root@serv01 learning]# getfacl data/
# file: data/
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:linux:rwx
group:uplook:r--
mask::rwx
other::r-x

# Remove a single entry with -x
[root@serv01 learning]# setfacl -x g:linux data/
[root@serv01 learning]# getfacl data/
# file: data/
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:uplook:r--
mask::rwx
other::r-x

# Remove all extended ACL entries with -b
[root@serv01 learning]# setfacl -b data/
[root@serv01 learning]# getfacl data/
# file: data/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

Summary of the commands used above (USER and GROUP stand for the account or group name):

setfacl -m u:USER:rwx data/     (or g:GROUP:rwx for a group entry)
setfacl -m m:rwx data/
setfacl -x u:USER data/         (or g:GROUP)
setfacl -b data/
getfacl data/

# An ACL can be copied from one file to another by feeding getfacl output to setfacl
[root@larrywen soft]# setfacl --help
setfacl 2.2.49 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
  -m, --modify=acl        modify the current ACL(s) of file(s)
  -M, --modify-file=file  read ACL entries to modify from file
  -x, --remove=acl        remove entries from the ACL(s) of file(s)
  -X, --remove-file=file  read ACL entries to remove from file
  -b, --remove-all        remove all extended ACL entries
  -k, --remove-default    remove the default ACL
      --set=acl           set the ACL of file(s), replacing the current ACL
      --set-file=file     read ACL entries to set from file
      --mask              do recalculate the effective rights mask
  -n, --no-mask           don't recalculate the effective rights mask
  -d, --default           operations apply to the default ACL
  -R, --recursive         recurse into subdirectories
  -L, --logical           logical walk, follow symbolic links
  -P, --physical          physical walk, do not follow symbolic links
      --restore=file      restore ACLs (inverse of `getfacl -R')
      --test              test mode (ACLs are not modified)
  -v, --version           print version and exit
  -h, --help              this help text

[root@serv01 test]# touch aa01.txt
[root@serv01 test]# getfacl aa01.txt
# file: aa01.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@serv01 test]# setfacl -m g:linux:rwx aa01.txt
[root@serv01 test]# getfacl aa01.txt
# file: aa01.txt
# owner: root
# group: root
user::rw-
group::r--
group:linux:rwx
mask::rwx
other::r--

[root@serv01 test]# touch bb01.txt
[root@serv01 test]# getfacl bb01.txt
# file: bb01.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--

# --set-file=- reads the ACL entries from standard input, so the whole ACL of aa01.txt is applied to bb01.txt
[root@serv01 test]# getfacl aa01.txt | setfacl --set-file=- bb01.txt
[root@serv01 test]# getfacl bb01.txt
# file: bb01.txt
# owner: root
# group: root
user::rw-
group::r--
group:linux:rwx
mask::rwx
other::r--
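The following shell script is an added example, not part of the original tutorial: it reproduces the POSIX ACL access decision on a getfacl listing constructed from the tutorial's data directory after setfacl -m m:r data/, so you can see which of the rwx, -wx and r-- entries the r-- mask actually lets through. The function name acl_allows and the sample listing are this example's own assumptions.

```shell
# Constructed getfacl output, modelled on the tutorial's "setfacl -m m:r data/" step (mask r--).
ACL_SAMPLE='# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:oracle01:-wx
group::r-x
group:linux:rwx
group:uplook:r--
mask::r--
other::r-x'

# acl_allows ACL_TEXT USER "GROUP ..." PERM: exit 0 if PERM (r, w or x) is granted, following
# the POSIX ACL order owner, named user, matching groups, other; the mask is ANDed into every
# entry except user:: (the owner) and other::.
acl_allows() {
  printf '%s\n' "$1" | awk -F ': *' -v u="$2" -v gs="$3" -v want="$4" '
    function has(p) { return index(p, want) > 0 }
    $1 == "# owner" { owner = $2; next }
    $1 == "# group" { ogrp = $2; next }
    /^#/ || NF < 3  { next }
    $1 == "user"  && $2 == "" { uown = $3 }
    $1 == "user"  && $2 != "" { named[$2] = $3 }
    $1 == "group" && $2 == "" { gown = $3 }
    $1 == "group" && $2 != "" { gacl[$2] = $3 }
    $1 == "mask"  { mask = $3 }
    $1 == "other" { oth = $3 }
    END {
      if (mask == "") mask = "rwx"                        # no mask entry: nothing is masked
      if (u == owner) exit !has(uown)                      # 1. owner: the mask does not apply
      if (u in named) exit !(has(named[u]) && has(mask))   # 2. named user, masked
      n = split(gs, g, " "); hit = 0; ok = 0
      for (i = 1; i <= n; i++) {                           # 3. owning group and named groups;
        if (g[i] == ogrp) { hit = 1; if (has(gown) && has(mask)) ok = 1 }
        if (g[i] in gacl) { hit = 1; if (has(gacl[g[i]]) && has(mask)) ok = 1 }
      }
      if (hit) exit !ok                                    #    any one matching entry suffices
      exit !has(oth)                                       # 4. everyone else
    }'
}

# Report what each of the tutorial's roles can actually do under the r-- mask.
for who in linux01:linux oracle01:oracle uplook01:uplook root:root; do
  u=${who%:*}; g=${who#*:}; out=""
  for p in r w x; do
    if acl_allows "$ACL_SAMPLE" "$u" "$g" "$p"; then out="$out$p"; else out="$out-"; fi
  done
  echo "$u (group $g): $out"
done
```

The report matches the #effective column getfacl printed above: linux01 drops to r--, oracle01 to ---, uplook01 keeps r--, and root as owner keeps rwx because the mask never applies to user::.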