Filesystem access control lists:
FACL: Filesystem Access Control List
Additional access-control permissions are stored in the file's extended attributes.
setfacl: set a FACL
-m: add or modify ACL entries
u:UID:perm
User lisi creates a file and wants zhangsan to be able to edit it while no other user can:
[lisi@localhost tmp]$ touch aaa
[lisi@localhost tmp]$ ls -l
總用量 0
-rw-rw-r--. 1 lisi lisi 0 5月 26 08:45 aaa
[lisi@localhost tmp]$ setfacl -m u:zhangsan:rw- aaa
[lisi@localhost tmp]$ getfacl aaa
# file: aaa
# owner: lisi
# group: lisi
user::rw-
user:zhangsan:rw-
group::rw-
mask::rw-
other::r--
[root@localhost tmp]# su - zhangsan
[zhangsan@localhost tmp]$ vi aaa
[zhangsan@localhost tmp]$ ls -l
總用量 8
-rw-rw-r--+ 1 lisi lisi 8 5月 26 08:48 aaa
g:GID:perm
[lisi@localhost tmp]$ setfacl -m g:zhangsan aaa
setfacl: Option -m incomplete
[lisi@localhost tmp]$ setfacl -m g:zhangsan:rwx aaa
[lisi@localhost tmp]$ getfacl aaa
# file: aaa
# owner: lisi
# group: lisi
user::rw-
group::rw-
group:zhangsan:rwx
mask::rwx
other::r--
[root@localhost ~]# usermod -a -G zhangsan wangwu
[root@localhost ~]# id wangwu
uid=502(wangwu) gid=502(wangwu) 組=502(wangwu),500(zhangsan)
[root@localhost ~]# su - wangwu
[wangwu@localhost ~]$ cd /tmp
[wangwu@localhost tmp]$ getfacl aaa
# file: aaa
# owner: lisi
# group: lisi
user::rw-
group::rw-
group:zhangsan:rwx
mask::rwx
other::r--
[wangwu@localhost tmp]$ vi aaa
[wangwu@localhost tmp]$ ls -l
總用量 12
-rw-rwxr--+ 1 lisi lisi 16 5月 26 09:46 aaa
-rw-rwxr--+ 1 wangwu wangwu 0 5月 26 09:20 bbb
[root@localhost tmp]# su - wangwu
[wangwu@localhost ~]$ cd /tmp
[wangwu@localhost tmp]$ vi aaa
[wangwu@localhost tmp]$ id wangwu
uid=502(wangwu) gid=502(wangwu) 組=502(wangwu),500(zhangsan)
This shows that once a group FACL entry is added to a file, a member of that group receives the FACL permissions whether it is their supplementary group or their primary group.
-x: remove an ACL entry
getfacl: display the FACL information of a file
mask: the upper bound on permissions; whatever an entry grants, its effective permission cannot exceed the mask
[root@localhost ~]# setfacl -m mask:rw /tmp/aaa
[root@localhost ~]# getfacl /tmp/aaa
getfacl: Removing leading '/' from absolute path names
# file: tmp/aaa
# owner: root
# group: root
user::rw-
user:lisi:rwx #effective:rw-
group::r--
mask::rw-
other::r--
setfacl -x u:user1 /tmp/aaa    remove the FACL entry for user user1 (-x takes the user or group only, no permission field)
setfacl -x g:user2 /tmp/aaa    remove the FACL entry for group user2
setfacl -m d:u:user1:rwx /tmp/aaa    set a default (d:) FACL on a directory; files created inside it inherit the FACL permissions
setfacl -m d:g:user1:rwx /tmp/aaa
[root@localhost ~]# setfacl -m d:u:lisi:rwx /tmp/bbb
[root@localhost ~]# getfacl /tmp/bbb
getfacl: Removing leading '/' from absolute path names
# file: tmp/bbb
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:lisi:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
setfacl -x d:u:lisi /tmp/bbb    remove the default entry
[root@localhost ~]# setfacl -x d:u:lisi /tmp/bbb
[root@localhost ~]# getfacl /tmp/bbb
getfacl: Removing leading '/' from absolute path names
# file: tmp/bbb
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::r-x
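The mask rule shown for /tmp/aaa and the default entries shown for /tmp/bbb can be checked offline with the following added example, which is not from the original post: it re-derives getfacl's "#effective:" column from a constructed getfacl listing, so no setfacl, getfacl or root is needed (the SAMPLE_ACL text and the effective_acl and clipped_entries names are mine, not part of the acl tools).

```shell
# Added example, not from the original post: recompute getfacl's "#effective:"
# column from a captured listing to check the mask rule without root or setfacl.

# Constructed getfacl listing, modelled on the /tmp/aaa output above (mask rw-,
# named user lisi and named group zhangsan granted rwx) plus a /tmp/bbb-style default ACL.
SAMPLE_ACL='# file: tmp/aaa
# owner: root
# group: root
user::rw-
user:lisi:rwx
group::r--
group:zhangsan:rwx
mask::rw-
other::r--
default:user::rwx
default:user:lisi:rwx
default:group::r-x
default:mask::r-x
default:other::r-x'

# effective_acl: read a getfacl listing on stdin, print "ENTRY EFFECTIVE" per entry.
# The mask (default:mask for default entries) is ANDed into named users, named groups
# and the owning group; user:: (owner) and other:: are never masked, as in getfacl.
effective_acl() {
  awk -F: '
    /^#/ || NF < 3 { next }                  # skip "# file:" headers and blank lines
    { pfx = ""; if ($1 == "default") { pfx = "default:"; $0 = substr($0, 9) } }
    { sub(/[ \t].*/, "", $3) }               # drop an existing "#effective:" column
    $1 == "mask" { mask[pfx] = $3 }
    { n++; p[n] = pfx; tag[n] = $1; qual[n] = $2; perm[n] = $3 }
    END {
      for (i = 1; i <= n; i++) {
        eff = perm[i]; m = mask[p[i]]
        if (m != "" && !((tag[i] == "user" && qual[i] == "") || tag[i] == "other")) {
          eff = ""
          for (k = 1; k <= 3; k++) {           # per-bit AND of entry and mask
            c = substr(perm[i], k, 1)
            eff = eff (c != "-" && c == substr(m, k, 1) ? c : "-")
          }
        }
        printf "%s%s:%s:%s %s\n", p[i], tag[i], qual[i], perm[i], eff
      }
    }'
}

# clipped_entries: entries whose granted bits exceed the mask, i.e. look granted but are not in effect.
clipped_entries() {
  effective_acl | awk '{ g = $1; sub(/.*:/, "", g); if (g != $2) print $1 }'
}
```

Run as `printf '%s\n' "$SAMPLE_ACL" | clipped_entries`, or pipe real `getfacl FILE` output into either function to audit which entries the mask is silently trimming.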
This post is from the "linux運維" blog; please do not repost it.