文件控制列表命令setfacl和getfacl的使用
一 需求
有以下需求,通過setfacl命令實現
一組用戶可寫可讀可執行,一組用戶可寫可執行,另一組用戶只可讀
linux rwx
oracle wx
uplook r
二 解決
第一步 添加六個用戶linux01、linux02、oracle01、oracle02、uplook01、uplook02
[plain]
[root@serv01 learning]# useradd linux01
[root@serv01 learning]# useradd linux02
[root@serv01 learning]# useradd oracle01
[root@serv01 learning]# useradd oracle02
[root@serv01 learning]# useradd uplook01
[root@serv01 learning]# useradd uplook02
第二步 分別設置密碼
[plain]
[root@serv01 learning]# passwd linux01
[root@serv01 learning]# passwd linux02
[root@serv01 learning]# passwd oracle01
[root@serv01 learning]# passwd oracle02
[root@serv01 learning]# passwd uplook01
[root@serv01 learning]# passwd uplook02
第三步 添加三個組oracle、linux、uplook
[plain]
[root@serv01 learning]# groupadd oracle
[root@serv01 learning]# groupadd linux
[root@serv01 learning]# groupadd uplook
第四步 查看data目錄的權限
[plain]
[root@serv01 learning]# ll data -d
drwxr-xr-x. 2 root root 4096 Sep 20 23:31 data
第五步 實現功能
[plain]
[root@serv01 learning]# setfacl -m u:linux01:rwx data/
[root@serv01 learning]# setfacl -m u:linux02:rwx data/
[root@serv01 learning]# setfacl -m u:oracle01:rwx data/
[root@serv01 learning]# setfacl -m u:oracle02:rwx data/
[root@serv01 learning]# setfacl -m u:oracle01:wx data/
[root@serv01 learning]# setfacl -m u:oracle02:wx data/
[root@serv01 learning]# setfacl -m u:uplook01:r data/
[root@serv01 learning]# setfacl -m u:uplook02:r data/
#查看data目錄的權限
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
mask::rwx
other::r-x
#再次查看data目錄的權限(權限位末尾的 + 表示該目錄帶有擴展ACL;此時 ls 顯示的組權限位是 mask 的值,而不是 group:: 條目本身)
[root@serv01 learning]# ll data/ -d
drwxrwxr-x+ 2 root root 4096 Sep 20 23:31 data/
第六步 驗證
[plain]
#以linux01用戶登錄,發現對data目錄可寫、可讀、可執行
[root@larrywen /]# ssh
[email protected]
[email protected]'s password:
Welcome to zhink learn
[linux01@serv01 learning]$ cd data
[linux01@serv01 data]$ ll
total 0
[linux01@serv01 data]$ touch file
[linux01@serv01 data]$ ls
file
#以oracle01用戶登錄,發現對data目錄可寫、可執行,沒有讀的權限
[root@larrywen /]#
[email protected]
[oracle01@serv01 ~]$ cd /home/learning/data/
[oracle01@serv01 data]$ ll
ls: cannot open directory .: Permission denied
[oracle01@serv01 data]$ touch file2
[oracle01@serv01 data]$ rm -f file2
#以uplook01用戶登錄,發現對data目錄只具有讀的權限(沒有執行權限,所以無法進入目錄,也無法讀取目錄內的文件,只能列出文件名)
[root@larrywen /]#
[email protected]
[email protected]'s password:
Welcome to zhink learn
[uplook01@serv01 ~]$ cd /home/learning/data
-bash: cd: /home/learning/data: Permission denied
[uplook01@serv01 ~]$ cat /home/learning/data/test.txt
cat: /home/learning/data/test.txt: Permission denied
[uplook01@serv01 ~]$ ls /home/learning/data/
ls: cannot access /home/learning/data/file: Permission denied
ls: cannot access /home/learning/data/test.txt: Permission denied
file test.txt
第七步 以組的形式進行權限分配
[plain]
#把創建的六個用戶的主組改為對應的組,比如linux01、linux02到linux組,以此類推(usermod -g 修改的是用戶的主組)
[root@serv01 learning]# usermod -g linux linux01
[root@serv01 learning]# usermod -g linux linux02
[root@serv01 learning]# usermod -g oracle oracle01
[root@serv01 learning]# usermod -g oracle oracle02
[root@serv01 learning]# usermod -g uplook uplook01
[root@serv01 learning]# usermod -g uplook uplook02
#以組的形式進行權限分配
[root@serv01 learning]# setfacl -m g:linux:rwx data/
[root@serv01 learning]# setfacl -m g:oracle:wx data/
[root@serv01 learning]# setfacl -m g:uplook:r data/
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:linux:rwx
group:uplook:r--
mask::rwx
other::r-x
三 setfacl的其他使用方法
[plain]
#獲得文件權限控制
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:linux:rwx
group:uplook:r--
mask::rwx
other::r-x
#修改mask(m參數)。mask 是命名用戶、命名組以及屬組的權限上限,下面輸出中的 #effective 表示各條目被 mask 限制後的實際有效權限
[root@serv01 learning]# setfacl -m m:r data/
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx #effective:r--
user:linux02:rwx #effective:r--
user:oracle01:-wx #effective:---
user:oracle02:-wx #effective:---
user:uplook01:r--
user:uplook02:r--
group::r-x #effective:r--
group:oracle:-wx #effective:---
group:linux:rwx #effective:r--
group:uplook:r--
mask::r--
other::r-x
#把mask重新設置為rwx(m參數),各條目的有效權限恢復
[root@serv01 learning]# setfacl -m m:rwx data/
[root@serv01 learning]# getfacl data/
# file: data/
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:linux:rwx
group:uplook:r--
mask::rwx
other::r-x
#刪除某個ACL條目(-x),這裡只刪除linux組的條目,其他條目不受影響
[root@serv01 learning]# setfacl -x g:linux data/
[root@serv01 learning]# getfacl data/
# file: data/
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:uplook:r--
mask::rwx
other::r-x
#移除所有擴展ACL條目(-b),只保留基本的 user::/group::/other:: 權限
[root@serv01 learning]# setfacl -b data/
[root@serv01 learning]# getfacl data/
# file: data/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
setfacl -m u:用戶名:rwx data/    # 或 setfacl -m g:組名:rwx data/
setfacl -m m:rwx data/
setfacl -x u:用戶名 data/    # 或 setfacl -x g:組名 data/
setfacl -b data/
getfacl data/
#文件的ACL可以復制:把 getfacl 的輸出通過管道交給 setfacl --set-file=- 即可
[root@larrywen soft]# setfacl --help
setfacl 2.2.49 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ...} file ...
-m,--modify=acl modify the current ACL(s) of file(s)
-M,--modify-file=file read ACL entries to modify from file
-x,--remove=acl remove entries from the ACL(s) of file(s)
-X,--remove-file=file read ACL entries to remove from file
-b,--remove-all remove all extended ACL entries
-k,--remove-default remove the default ACL
--set=acl set the ACL of file(s), replacing the current ACL
--set-file=file read ACL entries to set from file
--mask do recalculate the effective rights mask
-n,--no-mask don't recalculate the effective rights mask
-d,--default operations apply to the default ACL
-R,--recursive recurse into subdirectories
-L,--logical logical walk, follow symbolic links
-P,--physical physical walk, do not follow symbolic links
--restore=file restore ACLs (inverse of `getfacl -R')
--test test mode (ACLs are not modified)
-v,--version print version and exit
-h,--help this help text
[root@serv01 test]# touch aa01.txt
[root@serv01 test]# getfacl aa01.txt
# file: aa01.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@serv01 test]# setfacl -m g:linux:rwx aa01.txt
[root@serv01 test]# getfacl aa01.txt
# file: aa01.txt
# owner: root
# group: root
user::rw-
group::r--
group:linux:rwx
mask::rwx
other::r--
[root@serv01 test]# touch bb01.txt
[root@serv01 test]# getfacl bb01.txt
# file: bb01.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@serv01 test]# getfacl aa01.txt|setfacl --set-file=- bb01.txt
[root@serv01 test]# getfacl bb01.txt
# file: bb01.txt
# owner: root
# group: root
user::rw-
group::r--
group:linux:rwx
mask::rwx
other::r--