Linux flexible per-user permission management with ACLs, and the ACL permission evaluation order

Keywords: Permission denied Linux

Why use ACLs? In Linux, we can use "ll filename" to view the permissions of a file.

[root@Centos6 ~]# ll 1.txt
---x-wxr-x. 1 zhangsan zhangsan 9 Jul 19 13:47 1.txt
[root@Centos6 ~]# getent group zhangsan
zhangsan:x:522:
[root@Centos6 ~]# chmod 770 1.txt
[root@Centos6 ~]# ll 1.txt
-rwxrwx---. 1 zhangsan zhangsan 9 Jul 19 13:47 1.txt
[root@Centos6 ~]# 

We can see that for 1.txt only the owner, zhangsan, and the members of the zhangsan group can access the file; nobody else can. If an ordinary user, Li Si (lisi), now wants to access this file, what can we do?

1: We can

[root@Centos6 ~]# chown lisi 1.txt
[root@Centos6 ~]# ll 1.txt
-rwxrwx---. 1 lisi zhangsan 9 Jul 19 13:47 1.txt
[root@Centos6 ~]# 

Change the owner of 1.txt from zhangsan to lisi. lisi is now the file owner, so we can simply switch to the lisi user to access 1.txt.

Disadvantage: this changes too much. For many important files the owner cannot simply be changed.

2: We can

[root@Centos6 ~]# gpasswd -a lisi zhangsan
Adding user lisi to group zhangsan
[root@Centos6 ~]# getent group zhangsan
zhangsan:x:522:lisi

Add Li Si to the zhangsan group as a supplementary group. Li Si is now a member of the file's group, so we can switch to the lisi user to access 1.txt.

Disadvantage: Li Si now belongs to the zhangsan group, so he can access not only 1.txt but every other file that belongs to the zhangsan group, with the same group rights.

3: We can

[root@Centos6 ~]# chmod 777 1.txt
[root@Centos6 ~]# ll 1.txt
-rwxrwxrwx. 1 lisi zhangsan 9 Jul 19 13:47 1.txt
[root@Centos6 ~]# 

Change the permissions of 1.txt so that other users can access the file; Li Si can then access it too.

Disadvantage: everyone gets the permissions of the other bits, so important files can no longer be kept private.

4: We can

When 1.txt is an executable binary, we can also set setuid with chmod u+s, so that Li Si, while executing the file, temporarily has the owner's permissions.

We can also set setgid with chmod g+s. When sgid is applied to an executable binary, anyone who executes the file temporarily has the permissions of the file's group. In this way, Li Si temporarily acts as a member of the zhangsan group and can exercise group rights on its files while the program runs.

Disadvantage: most files are not executable binaries, so temporary owner or group rights through setuid/setgid are not feasible in general.

So the best approach is to leave Li Si out of any group and grant him specific permissions as a single user. This is what an ACL lets us do: flexible, per-user management of file permissions.

ACL
How to enable ACL
CentOS 7 supports ACL by default.
On CentOS 6 and earlier, the file systems created during operating system installation support ACL by default, while a file system formatted with mkfs after installation does not have ACL enabled by default; it must be enabled manually, as follows:
First, make acl a default mount option of the file system:
    tune2fs -o acl /dev/sda5
Second, mount it with acl enabled:
    mount -o acl /dev/sda5 /app

The following two commands are the most commonly used:

  • getfacl: get the ACL of a file or directory
    Parameters:

    -a, --access: display the access control list of the file or directory
    -d, --default: display the default access control list (directories only)
    -c, --omit-header: do not display the comment header (the "# file:", "# owner:" and "# group:" lines)
    -R, --recursive: recurse into subdirectories

  • setfacl: set the ACL of a file or directory
    Command: setfacl [-bkndRLP] { -m | -M | -x | -X ... } file ...
    -m: modify (add or change) ACL entries, -x: remove ACL entries, -b: remove all extended ACL entries

We can grant Li Si r-x permission on the file through an ACL as follows:

[root@Centos6 ~]# ll 1.txt
-rwxrwx---. 1 zhangsan zhangsan 9 Jul 19 13:47 1.txt
[root@Centos6 ~]# groups zhangsan
zhangsan : zhangsan
[root@Centos6 ~]# groups lisi
lisi : lisi
[root@Centos6 ~]# 

1.txt is owned by zhangsan and belongs to the zhangsan group; only zhangsan is a member of that group, and the other bits are empty.

[lisi@Centos6 ~]$ ls /home/zhangsan/
ls: cannot open directory /home/zhangsan/: Permission denied
[lisi@Centos6 ~]$ exit

We grant Li Si access with an ACL entry:

[zhangsan@Centos6 /home]$ setfacl -m u:lisi:rx /home/zhangsan/1.txt 
[zhangsan@Centos6 ~]$ ll /home/zhangsan/
total 8
-rw-rwxr--+ 1 zhangsan zhangsan    0 Jul 18 12:10 1.txt
drwxrwxr-x. 2 zhangsan zhangsan 4096 Jul 18 13:13 qjc
[zhangsan@Centos6 ~]$ 

View the ACL that was set:

[zhangsan@Centos6 ~]$ getfacl /home/zhangsan/1.txt 
getfacl: Removing leading '/' from absolute path names
# file: home/zhangsan/1.txt
# owner: zhangsan
# group: zhangsan
user::rw-
user:lisi:r-x
group::rw-
mask::rwx
other::r--
[zhangsan@Centos6 ~]$ 

Log out, switch to the lisi user and read 1.txt in zhangsan's home directory; the check succeeds.

[lisi@Centos6 ~]$ cat /home//zhangsan/1.txt 

ohello 
[lisi@Centos6 ~]$ 

Remove the ACL to verify:

[zhangsan@Centos6 ~]$ setfacl -b /home/zhangsan/1.txt 
[zhangsan@Centos6 ~]$ exit
logout
[root@Centos6 ~]# su - lisi
[lisi@Centos6 ~]$ cat /home/zhangsan/1.txt
cat: /home/zhangsan/1.txt: Permission denied
[lisi@Centos6 ~]$ 

The verification succeeds: with the ACL removed, lisi is denied again.

Next, the order in which ACL permissions are evaluated:

The entries involved are: owner (user), ACL named user, group, and other.

First, compare the owner entry with the ACL named-user entry for the same user.

Let's continue to use the examples above.

[zhangsan@Centos6 ~]$ setfacl -m u:zhangsan:rx /home/zhangsan/1.txt
[zhangsan@Centos6 ~]$ ll /home/zhangsan/1.txt
----rwx---+ 1 zhangsan zhangsan 9 Jul 20 00:44 /home/zhangsan/1.txt
[zhangsan@Centos6 ~]$ getfacl /home/zhangsan/1.txt
getfacl: Removing leading '/' from absolute path names
# file: home/zhangsan/1.txt
# owner: zhangsan
# group: zhangsan
user::---
user:zhangsan:r-x
group::rwx
mask::rwx
other::---

[zhangsan@Centos6 ~]$ cat /home/zhangsan/1.txt
cat: /home/zhangsan/1.txt: Permission denied
[zhangsan@Centos6 ~]$ 

With the owner permissions set to --- and the ACL named-user entry for the same user (zhangsan) set to r-x, the read is denied. This shows that the owner entry takes precedence over the ACL named-user entry: owner > ACL user.

Next, compare the ACL named-user entry with the group entry:

[zhangsan@Centos6 ~]$ setfacl -m u:lisi:--- /home/zhangsan/1.txt
[zhangsan@Centos6 ~]$ getfacl /home/zhangsan/1.txt 
getfacl: Removing leading '/' from absolute path names
# file: home/zhangsan/1.txt
# owner: zhangsan
# group: zhangsan
user::---
user:zhangsan:r-x
user:lisi:---
group::rwx
mask::rwx
other::---

[zhangsan@Centos6 ~]$ exit
logout
[root@Centos6 ~]# su - lisi
[lisi@Centos6 ~]$ cat /home/zhangsan/1.txt
cat: /home/zhangsan/1.txt: Permission denied

With lisi added to the zhangsan group (from step 2 above), the group permission on 1.txt set to rwx, and lisi's ACL named-user entry set to ---, switching to the lisi user still gives Permission denied. This shows that Li Si's ACL named-user entry takes precedence over the permissions of the zhangsan group that lisi belongs to: ACL user > group.

Group entries naturally take precedence over other. So the evaluation order is: owner > ACL user > group > other.
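The following Python is an added example, not code from the original post: it models the access-check order described in acl(5), including the mask entry that the getfacl listings above show but the post does not explain, and replays the three listings from this page. The user names and group memberships it uses are constructed for the example.

```python
# Added example (not from the original post): a model of the POSIX ACL access
# check from acl(5), run over getfacl listings like the ones on this page.
# ACL texts, user names and group memberships are constructed, not read from a real system.

def parse_getfacl(text):
    """Parse getfacl output into base entries plus named user/group entries."""
    acl = {"named_user": {}, "named_group": {}, "mask": "rwx"}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue                                  # '# file:', '# owner:' ...
        tag, qualifier, perms = line.split(":")
        if qualifier:
            acl["named_" + tag][qualifier] = perms    # e.g. user:lisi:r-x
        else:
            acl[tag] = perms                          # user::, group::, mask::, other::
    return acl

def grants(perms, wanted):
    """True if every requested permission letter (e.g. 'r') appears in perms."""
    return all(c in perms for c in wanted)

def acl_allows(acl, who, groups, owner, owning_group, wanted):
    """Decide whether user 'who' (member of 'groups') gets 'wanted' on the file."""
    mask = acl["mask"]
    if who == owner:                       # 1. owner entry; no fallback if it denies
        return grants(acl["user"], wanted)
    if who in acl["named_user"]:           # 2. named user entry, limited by the mask
        return grants(acl["named_user"][who], wanted) and grants(mask, wanted)
    # 3. owning group and named groups: any matching entry that grants wins;
    #    a matching entry that denies does not fall through to 'other'.
    matches = [acl["group"]] if owning_group in groups else []
    matches += [p for g, p in acl["named_group"].items() if g in groups]
    if matches:
        return any(grants(p, wanted) and grants(mask, wanted) for p in matches)
    return grants(acl["other"], wanted)    # 4. everyone else

# The three listings from the post (file owned by zhangsan:zhangsan).
STEP1 = "user::rw-\nuser:lisi:r-x\ngroup::rw-\nmask::rwx\nother::r--"
STEP2 = "user::---\nuser:zhangsan:r-x\ngroup::rwx\nmask::rwx\nother::---"
STEP3 = "user::---\nuser:zhangsan:r-x\nuser:lisi:---\ngroup::rwx\nmask::rwx\nother::---"

def can_read(acl_text, who, groups):
    """Read check against a zhangsan:zhangsan file, as in the post's experiments."""
    return acl_allows(parse_getfacl(acl_text), who, set(groups), "zhangsan", "zhangsan", "r")

if __name__ == "__main__":
    print(can_read(STEP1, "lisi", ["lisi"]))                 # True: named-user entry r-x
    print(can_read(STEP2, "zhangsan", ["zhangsan"]))         # False: owner entry --- wins
    print(can_read(STEP3, "lisi", ["lisi", "zhangsan"]))     # False: named user --- beats group rwx
```

A user in the zhangsan group without a named-user entry of their own still reads the STEP3 file through the group entry, which is why a deny must be placed on the named user rather than relied upon from the group bits.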


Posted by JAB Creations on Sun, 12 May 2019 00:54:54 -0700