Linux ACL permission setting (setfacl and getfacl)

Posted by paradigmapc on Fri, 11 Feb 2022 03:48:51 +0100

There are two common commands for setting ACL permissions: setfacl and getfacl. The former is used to set ACL permissions for specified files or directories, and the latter is used to check whether the configuration is successful.

The getfacl command is used to view the ACL permission information currently set for a file or directory. The basic format of this command is:

[root@localhost ~]# getfacl file name

The getfacl command is very simple to use and is often used in conjunction with the setfacl command.

The setfacl command sets the access rights of a user or group on a specified file or directory. The basic format of this command is:

[root@localhost ~]# setfacl option file name

Table 1 lists the options and functions that can be used with this command.

Table 1 setfacl command options and usage
Option  Function
-m      Sets ACL permissions. To give a user ACL permissions, the parameter uses the format "u:username:permission". For example, setfacl -m u:st:rx /project gives user st rx permission on the project directory. To give a group ACL permissions, the parameter uses the format "g:groupname:permission". For example, setfacl -m g:tgroup:rx /project gives group tgroup rx permission on the project directory.
-x      Deletes the ACL permission of the specified user (parameter u:username) or group (parameter g:groupname). For example, setfacl -x u:st /project deletes the ACL permission of user st on the project directory.
-b      Deletes all ACL permissions. For example, setfacl -b /project deletes all ACL permissions of the project directory.
-d      Sets the default ACL permission. The command format is "setfacl -m d:u:username:permission filename" (for a group, use d:g:groupname:permission). It only takes effect on directories: files newly created in the directory receive this default permission. For example, setfacl -m d:u:st:rx /project means that user st has rx permission on files newly created in the project directory.
-R      Sets ACL permissions recursively, so the ACL applies to all existing files under the directory. The command format is "setfacl -m u:username:permission -R filename" (for a group, use g:groupname:permission). For example, setfacl -m u:st:rx -R /project gives user st rx permission on the files and subdirectories that already exist in the project directory.
-k      Deletes the default ACL permission.
setfacl -m: add ACL permissions to users or groups
Returning to the case in the previous section, the solution is as follows:
1. The teacher uses root as the owner of /project and has rwx permission on the project directory;
2. Create a new group tgroup as the group of the project directory, containing all the students of the class (assume only zhangsan and lisi), with rwx permission on the project directory;
3. Set the permission of other users on the project directory to 0 (i.e. ---);
4. For the auditing student st, set an ACL permission so that this user has rx permission on the project directory.

The specific setting commands are as follows:

[root@localhost ~]# useradd zhangsan
[root@localhost ~]# useradd lisi
[root@localhost ~]# useradd st
[root@localhost ~]# groupadd tgroup <-- add the users and the group used in the test (setting passwords is omitted)
[root@localhost ~]# mkdir /project <-- create the directory whose permissions will be assigned
[root@localhost ~]# chown root:tgroup /project <-- change the owner and group of the /project directory
[root@localhost ~]# chmod 770 /project <-- set the permissions of the /project directory
[root@localhost ~]# ll -d /project
drwxrwx---. 2 root tgroup 4096 Apr 16 12:55 /project
# Now student st arrives to audit the class. How do we give her access?
[root@localhost ~]# setfacl -m u:st:rx /project
# Give user st r-x permission, using the format "u:username:permission"
[root@localhost ~]# cd /
[root@localhost /]# ll -d /project
drwxrwx---+ 2 root tgroup 4096 Apr 16 12:55 /project

# A "+" after the permission bits means that this directory carries ACL entries

[root@localhost /]# getfacl project
# View the ACL permissions of the /project directory
# file: project <-- file name
# owner: root <-- owner of the file
# group: tgroup <-- group of the file
user::rwx <-- an empty user name column means the owner's permission
user:st:r-x <-- permission of user st
group::rwx <-- an empty group name column means the owning group's permission
mask::rwx <-- mask permission
other::--- <-- permission of others

As you can see, ACL permissions let us give user st r-x permission on its own, without making st the owner or a member of the group.
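The mask:: line in the listing above is what caps the permission that every named user, named group and the owning group actually receives; when the mask is tighter than an entry, getfacl appends a "#effective:" annotation to that entry. The following POSIX sh script is an added illustration and is not part of the original post: it parses getfacl-style text (the sample ACL is constructed, with a deliberately restrictive mask::r--) and computes the effective permission of an entry by ANDing it with the mask. The owner (user::) and other:: entries are never masked. The function names acl_entry, and_perms and effective_perms are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): compute the *effective*
# permission an ACL entry grants, i.e. the entry's bits AND the mask entry.
# Named users, named groups and the owning group are capped by mask::;
# the owner (user::) and other:: are not.

# Constructed getfacl-style text (not captured from a real system). The
# mask is deliberately r--, so the rwx/r-x entries below are cut down.
SAMPLE_ACL='# file: project
# owner: root
# group: tgroup
user::rwx
user:st:r-x             #effective:r--
group::rwx              #effective:r--
group:tgroup2:rwx       #effective:r--
mask::r--
other::---
default:user::rwx
default:user:st:r-x
default:group::rwx
default:mask::rwx
default:other::---'

# and_perms A B: bitwise AND of two rwx triplets, e.g. "r-x" "rw-" -> "r--"
and_perms() {
  a=$1; b=$2; out=""; i=1
  while [ "$i" -le 3 ]; do
    ca=$(printf '%s' "$a" | cut -c"$i")
    cb=$(printf '%s' "$b" | cut -c"$i")
    if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then
      out="$out$ca"
    else
      out="$out-"
    fi
    i=$((i + 1))
  done
  printf '%s' "$out"
}

# acl_entry TEXT TAG QUALIFIER: print the permission field of the entry
# "TAG:QUALIFIER:perms" (use an empty QUALIFIER for user::, group::, mask::
# and other::). Comment lines, "#effective:" annotations and default:
# entries (which only affect newly created children) are ignored.
acl_entry() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    line=${line%%#*}                                  # drop comments
    line=$(printf '%s' "$line" | sed 's/[[:space:]]*$//')
    case $line in ''|default:*) continue ;; esac
    tag=${line%%:*}
    rest=${line#*:}
    qual=${rest%%:*}
    perms=${rest#*:}
    if [ "$tag" = "$2" ] && [ "$qual" = "$3" ]; then
      printf '%s' "$perms"
      break
    fi
  done
}

# effective_perms TEXT TAG QUALIFIER: the permission the kernel actually
# applies for that entry. Returns 1 if the entry does not exist.
effective_perms() {
  entry=$(acl_entry "$1" "$2" "$3")
  [ -n "$entry" ] || return 1
  case "$2:$3" in
    user:|other:) printf '%s' "$entry"; return 0 ;;  # owner/other: not masked
  esac
  mask=$(acl_entry "$1" mask "")
  if [ -z "$mask" ]; then
    printf '%s' "$entry"                              # no mask entry: unmasked
  else
    and_perms "$entry" "$mask"
  fi
}

# Demo: compare the listed and the effective permission of each masked entry.
for spec in user:st group: group:tgroup2; do
  tag=${spec%%:*}; qual=${spec#*:}
  printf '%-14s listed=%s effective=%s\n' "$spec" \
    "$(acl_entry "$SAMPLE_ACL" "$tag" "$qual")" \
    "$(effective_perms "$SAMPLE_ACL" "$tag" "$qual")"
done
```

Run on a real system, the same functions can be fed `getfacl project` output instead of SAMPLE_ACL. The practical point for reviewing permissions is that a listed user:st:r-x entry proves nothing on its own: `chmod` on the group bits of a file with an ACL rewrites mask::, so an audit must always compare each entry against the mask, as effective_perms does.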

Similarly, you can set ACL permissions for user groups, for example:

[root@localhost /]# groupadd tgroup2
# Add a new group
[root@localhost /]# setfacl -m g:tgroup2:rwx project
# Configure ACL permissions for group tgroup2
[root@localhost /]# ll -d project
drwxrwx---+ 2 root tgroup 4096 1 April 19:21 project
# The owning group has not changed
[root@localhost /]# getfacl project
#file: project
#owner: root
#group: tgroup
user::rwx
user:st:r-x
group::rwx
group:tgroup2:rwx <-- group tgroup2 has rwx permission
mask::rwx
other::---

setfacl -d: set default ACL permissions
Now that ACL permissions have been set on the project directory, will files and subdirectories created inside it inherit the ACL permissions of the parent directory? Run the following commands to check:

[root@localhost /]# cd project
[root@localhost project]# touch abc
[root@localhost project]# mkdir d1
# The file abc and the directory d1 are created in the /project directory
[root@localhost project]# ll
total 4
-rw-r--r-- 1 root root 0 1 May 19:20 abc
drwxr-xr-x 2 root root 4096 1 May 19:20 d1

There is no "+" after the permission bits of the two newly created entries, so they did not inherit the ACL permissions of the parent directory: ordinary ACL entries on a directory are not passed on to the files and subdirectories created inside it.

We could assign ACL permissions to these two entries by hand, but doing that for every file created in the directory later would be far too troublesome. This is what default ACL permissions are for.

A default ACL permission set on a parent directory is inherited by every new file and subdirectory created in that directory. Note that default ACL permissions can only be set on directories.

For example, to give user st a default ACL permission of rx on the project directory, run the following commands:

[root@localhost /]# setfacl -m d:u:st:rx project
[root@localhost /]# getfacl project
# file: project
# owner: root
# group: tgroup
user::rwx
user:st:r-x
group::rwx
group:tgroup2:rwx
mask::rwx
other::---
default:user::rwx <-- additional default: entries
default:user:st:r-x
default:group::rwx
default:mask::rwx
default:other::---
[root@localhost /]# cd project
[root@localhost project]# touch bcd
[root@localhost project]# mkdir d2

# Create a new file and a new subdirectory
[root@localhost project]# ll
total 8
-rw-r--r-- 1 root root 0 1 May 19:20 abc
-rw-rw----+ 1 root root 0 1 May 19:33 bcd
drwxr-xr-x 2 root root 4096 1 May 19:20 d1
drwxrwx---+ 2 root root 4096 1 May 19:33 d2
# The newly created bcd and d2 have inherited the ACL permissions of the parent directory

Notice that the original abc and d1 still have no ACL permissions: a default ACL only takes effect on files created after it is set.

The default ACL permissions set for the directory can be deleted directly by using the setfacl -k command. For example:

[root@localhost /]# setfacl -k project

This command deletes the default ACL permissions of the project directory; you can confirm the result with getfacl.
setfacl -R: set recursive ACL permissions
Setting an ACL permission recursively means that when the permission is set on the parent directory, all files and subdirectories under it receive the same ACL permission.

For example, to give user st rx permission on the project directory recursively, run the following command:

[root@localhost project]# setfacl -m u:st:rx -R project
[root@localhost project]# ll
total 8
-rw-r-xr--+ 1 root root 0 1 May 19:20 abc
-rw-rwx---+ 1 root root 0 1 May 19:33 bcd
drwxr-xr-x+ 2 root root 4096 1 May 19:20 d1
drwxrwx---+ 2 root root 4096 1 May 19:33 d2
# abc and d1 now also have ACL permissions

Note the difference: a default ACL permission means that files and directories created later in the parent directory inherit the parent's ACL permission, whereas a recursive ACL permission applies the parent's ACL permission to the files and subdirectories that already exist in it.
setfacl -x: deletes the specified ACL permission
Use setfacl -x to delete a specific ACL permission. For example, to delete the ACL permission previously given to user st on the project directory, run:

[root@localhost /]# setfacl -x u:st project

# Deletes the ACL entry of the specified user (use g:groupname for a group)

[root@localhost /]# getfacl project
# file: project
# owner: root
# group: tgroup
user::rwx
group::rwx
group:tgroup2:rwx
mask::rwx
other::---
# The ACL permission of user st has been deleted

setfacl -b: deletes all ACL permissions of the specified file
This command removes every ACL permission of the specified file or directory. For example, to delete all ACL permissions of the project directory, run the following command:

[root@localhost /]# setfacl -b project
# All ACL permissions of the directory are deleted
[root@localhost /]# getfacl project
# file: project
# owner: root
# group: tgroup
user::rwx
group::rwx
other::---
# All ACL permissions have been deleted

Topics: Linux