ACL permission settings
brief introduction
The function of ACL is to deal with the privilege problem of complex user environment.
Whether the system supports ACL is related to the file system. In the previous version of CentOS 7, the partitions created manually by users do not support ACL by default, but the existing partitions are supported when the system is installed.
usage
setfacl -m u:user:rwx file|directory
[root@centos7 app]# ll a
-rw-r--r--. 1 root root 0 May 30 11:59 a
As shown above, there is now a file a whose owner and subgroup are both root, and the other has only r privilege. What should we do if we need to let the user tom have rw privilege on a, but everyone except tom in the other has only r privilege? ACL is needed at this time.
[root@centos7 app]# Setfacl-m u: tom: rw a // / grant Tom rw permission
[root@centos7 app]# ll a
-rw-rwxr--+ 1 root root 0 May 30 11:59 a //There is an extra "+" after the file permissions.
[root@centos7 app]# ACL permission to view files using getfacl command
# file: a
# owner: root
# group: root
user::rw-
user:tom:rw //This shows that tom already has rwx privileges
group::r--
mask::rw
other::r--
[root@centos7 app]#
After executing the setfacl command, you can see that tom already has rw privileges by using the getfacl command. Does tom really have rw privileges?
[root@centos7 app]# su tom //Switching user tom
[tom@centos7 app]$ echo nihao > a //Write "nihao" to file a
[tom@centos7 app]$ cat a //No error was reported. View the contents of a file
nihao //Write successfully, indicating that tom has w privileges on files that were not available before
[tom@centos7 app]$ exit
exit
[root@centos7 app]# su alice //Switching user alice
[alice@centos7 app]$ echo nimenhao > a //Attempt to write characters to file a
bash: a: Permission denied //Prompt without permission
[alice@centos7 app]$
The above experiments confirm the success of the modification of tom's rights. Tom can write to a file, but not to anyone else in the other.
setfacl -m g:groupname:rwx file|directory
Since setfacl can set permissions for specific users, can it set permissions for specific groups? The answer is yes.
[root@centos7 app]# touch b //Create file b
[root@centos7 app]# ll b //View File Permissions
-rw-r--r--. 1 root root 0 May 30 14:00 b
[root@centos7 app]# id tom //View tom's main group
uid=1002(tom) gid=1003(G3) groups=1003(G3)
[root@centos7 app]# id alice //View alice's main group
uid=1001(alice) gid=1002(G2) groups=1002(G2)
[root@centos7 app]# su tom //Switch to tom
[tom@centos7 app]$ echo nihao > b
bash: b: Permission denied //tom failed to attempt to write
[tom@centos7 app]$ exit
exit
[root@centos7 app]# su alice //Switch to alice
[alice@centos7 app]$ echo nihao > b
bash: b: Permission denied //alice failed to attempt to write
[alice@centos7 app]$
As can be seen from the above commands, the main group of tom is G3, and the main group of alice is G2. At this time, both users have no w permission to file b, and all attempts to write fail.
[alice@centos7 app]$ exit //Switch user to root
exit
[root@centos7 app]# setfacl -m g:G3:rw b //Give G3 group rw permission to b
[root@centos7 app]# ll b
-rw-rw-r--+ 1 root root 0 May 30 14:00 b
[root@centos7 app]# getfacl b //Permission to view file b
# file: b
# owner: root
# group: root
user::rw-
group::r--
group:G3:rw- //You can see that the G3 group already has rw privileges
mask::rw-
other::r--
[root@centos7 app]# su tom //Switch to group G3 member tom
[tom@centos7 app]$ echo nihao > b //Attempt to write "nihao" to file b
[tom@centos7 app]$ cat b //No errors reported. View files
nihao //Write successfully
[tom@centos7 app]$ exit
exit
[root@centos7 app]# su alice //Switch to Group G2 member alice
[alice@centos7 app]$ echo nimenhao > b //Attempt to write
bash: b: Permission denied //Write failure
[alice@centos7 app]$
In the experiment mentioned above, I grant rw permission to G3 where tom belongs. Then tom of G3 has permission to write and change the contents of file b, so he tries to write. The result is as successful as expected. Then I try to write characters into B with alice of non-G3 group members. The result also fails as expected, so I set a special permission experiment for a group. Success.
setfacl -m d:u:user:rwx directory
Although the setfacl command can also be used for folders, in practice we found that although a user or group has rwx privileges for a folder, the new files created under the root account under the folder do not have w privileges for previous users or groups.
[root@centos7 ~]# Ll-d/app//View Folder/app Privilege Settings
drwxr-xr--. 2 root root 24 May 30 14:00 /app
[root@centos7 ~]# Setfacl-m u: tom: rwx / app // / grant Tom rwx permission to / app
[root@centos7 ~]# The permissions of getfacl/app//view folder/app
getfacl: Removing leading '/' from absolute path names
# file: app
# owner: root
# group: root
user::rwx
user:tom:rwx
group::r-x
mask::rwx
other::r--
[root@centos7 ~]# touch /app/aa // create a new file aa under / app
[root@centos7 ~]# Permissions to getfacl/app/aa//view AA
getfacl: Removing leading '/' from absolute path names
# file: app/aa
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@centos7 ~]# // tom does not have rw permissions on the new file aa
The above experiments show that although tom has rwx privileges for folders / apps, tom only has r privileges for new files created under / app. To inherit the privilege information of folders under folders, a d can be added before u or g and separated by a colon.
[root@centos7 ~]# Rm-rf/app/*//Delete all contents in folders
[root@centos7 ~]# Setfacl-m d:u:tom:rwx/app//Execute commands after adding d before u
[root@centos7 ~]# touch /app/bb // create a new file bb under / app
[root@centos7 ~]# getfacl /app/bb // / View permission information for new file bb
getfacl: Removing leading '/' from absolute path names
# file: app/bb
# owner: root
# group: root
user::rw-
user:tom:rwx #effective:rw-
group::r-x #effective:r--
mask::rw-
other::r--
[root@centos7 ~]# // tom has rwx privileges
As in the experiment above, the permissions of new files created under the folder after executing the command will inherit the permissions of the folder as long as d is separated by colon before u in the command, but the permissions of the folder are invalid for the existing files in the folder.