Using ACLs to manage file permissions on Linux

File access control lists (ACLs) provide finer-grained permission management than the basic owner/group/other mode bits; current Red Hat releases enable this feature by default.
1. getfacl: display a file's ACL

# getfacl somefile

# file: somefile
# owner: root
# group: root
user::rw-
group::r--
other::r--

As you can see, somefile only has the base access mode (644) set; there are no extended ACL entries.
2. setfacl: set a file's access control list
-m, --modify=acl        modify the current ACL(s) of file(s)
All extended access control entries are added with the -m option, for example:
setfacl -m user:admin:7 somefile    gives user admin an additional rwx permission (a named user entry is evaluated before the group and other entries, so it takes precedence over them)
setfacl -m group:adminusers:r-x somefile    gives members of group adminusers r-x permission
-M, --modify-file=file  read ACL entries to modify from file
-x, --remove=acl        remove entries from the ACL(s) of file(s)
-X, --remove-file=file  read ACL entries to remove from file
-b, --remove-all        remove all extended ACL entries, the base ACL entries of the owner, group and others are retained.
Modifying file ACLs in bulk
-R, --recursive         recurse into subdirectories
-L, --logical           logical walk, follow symbolic links
-P, --physical          physical walk, do not follow symbolic links


setfacl -b somefile                # clear all extended ACL entries
setfacl -m u:admin:rx somefile
getfacl somefile
# file: somefile
# owner: root
# group: root
user::rw-
user:admin:r-x
group::---
mask::r-x
other::---
# su - admin
$ cat /root/somefile
Access succeeds.
When an ACL is in effect, ls -l shows a + sign after the mode bits:
# ll somefile
-rw-rwx---+ 1 root root 0 Aug 14 16:50 somefile

Setting default entries (d = default) on a directory means every file created in that directory inherits those permissions.
$ mkdir somedir
setfacl -b somedir
setfacl -m d:u:oracle:5 somedir/
setfacl -m d:g:dba:5 somedir/
setfacl -m d:o:0 somedir/
$ getfacl somedir/
# file: somedir/
# owner: oracle
# group: oinstall
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:oracle:r-x
default:group::r-x
default:group:dba:r-x
default:mask::r-x
default:other::---

$ cd somedir
$ mkdir subdir
$ getfacl subdir    # inherited the default entries
# file: subdir
# owner: oracle
# group: oinstall
user::rwx
user:oracle:r-x
group::r-x
group:dba:r-x
mask::r-x
other::---
default:user::rwx
default:user:oracle:r-x
default:group::r-x
default:group:dba:r-x
default:mask::r-x
default:other::---

$ cd subdir/
$ touch 1
$ ll 1
-rw-r-----+ 1 oracle oinstall 0 Feb 21 15:09 1
$ getfacl 1
# file: 1
# owner: oracle
# group: oinstall
user::rw-
user:oracle:r-x #effective:r--
group::r-x #effective:r--
group:dba:r-x #effective:r--
mask::r--
other::---

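The #effective annotations above are getfacl applying the mask entry: the rights of named users, named groups and the owning group are ANDed with the mask (here r--, because touch created the file without x), while the owner and other entries are never masked. The following Python script, added here and not part of the original post, parses a getfacl listing and reports which entries the mask silently reduces; the sample text is constructed from the listing of file 1 above.

```python
"""Audit a getfacl listing: show what each entry really grants after the mask."""

# Constructed sample: the ACL of file "1" from the default-ACL walkthrough,
# as getfacl prints it before adding its own #effective annotations.
SAMPLE_ACL = """\
# file: 1
# owner: oracle
# group: oinstall
user::rw-
user:oracle:r-x
group::r-x
group:dba:r-x
mask::r--
other::---
"""

def parse_perm(p):
    """Turn 'r-x' (or a setfacl-style digit such as 5) into a set of rwx letters."""
    if p.isdigit():
        n = int(p)
        return {c for c, v in (("r", 4), ("w", 2), ("x", 1)) if n & v}
    return {c for c in p if c in "rwx"}

def fmt_perm(bits):
    return "".join(c if c in bits else "-" for c in "rwx")

def effective_acl(text):
    """Return [(tag, qualifier, stated, effective)] for every access entry.

    The mask caps named-user, named-group and owning-group entries; the owner
    (user::) and other:: entries are exempt.  default: entries are skipped
    because they describe files created later, not this one.
    """
    entries, mask = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("default:"):
            continue
        tag, qual, perm = line.split(":", 2)
        if tag == "mask":
            mask = parse_perm(perm)
        entries.append((tag, qual, parse_perm(perm)))
    out = []
    for tag, qual, bits in entries:
        is_masked = tag == "group" or (tag == "user" and qual != "")
        eff = bits & mask if (is_masked and mask is not None) else bits
        out.append((tag, qual, fmt_perm(bits), fmt_perm(eff)))
    return out

def reduced_entries(text):
    """Entries whose stated rights exceed what the mask actually grants."""
    return [e for e in effective_acl(text) if e[2] != e[3]]

if __name__ == "__main__":
    for tag, qual, stated, eff in effective_acl(SAMPLE_ACL):
        note = "  <- reduced by mask" if stated != eff else ""
        print(f"{tag}:{qual}:{stated}  effective:{eff}{note}")
```

Pipe real output into it with getfacl -p somefile to see whether a group you granted r-x actually has it.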
3. Enabling ACL support by default
ACL support is enabled by default on RHEL6. To turn it on or off explicitly, mount the filesystem with the acl or noacl option.
To view the current filesystem's default mount options:
# tune2fs -l /dev/sda1 | grep "mount option"
Default mount options: user_xattr acl
Commands to enable and disable acl with tune2fs:
tune2fs -o acl /dev/sda1
tune2fs -o ^acl /dev/sda1
For example:
# tune2fs -l /dev/sda1 | grep "mount option"
Default mount options: user_xattr acl    # acl is currently enabled
# tune2fs -o ^acl /dev/sda1    # disable acl with -o ^acl
tune2fs 1.41.12 (17-May-2010)
# tune2fs -l /dev/sda1 | grep "mount option"    # check again: acl is now off
Default mount options: user_xattr
