Why use ACLs? In Linux, we can use "ll filename" (ll is an alias for ls -l on CentOS) to view the permissions of a file.
[root@Centos6 ~]# ll 1.txt
---x-wxr-x. 1 zhangsan zhangsan 9 Jul 19 13:47 1.txt
[root@Centos6 ~]# getent group zhangsan
zhangsan:x:522:
[root@Centos6 ~]# chmod 770 1.txt
[root@Centos6 ~]# ll 1.txt
-rwxrwx---. 1 zhangsan zhangsan 9 Jul 19 13:47 1.txt
We can see that for 1.txt, only the owner, zhangsan, and the members of the zhangsan group can access the file; nobody else can. If an ordinary user, lisi, wants to access this file, what can we do?
1: We can
[root@Centos6 ~]# chown lisi 1.txt
[root@Centos6 ~]# ll 1.txt
-rwxrwx---. 1 lisi zhangsan 9 Jul 19 13:47 1.txt
Change the owner of 1.txt from zhangsan to lisi, so that lisi is now the file owner and we can simply switch to the lisi user to access 1.txt.
Disadvantage: this changes too much; for many important files we cannot just change the owner.
2: We can
[root@Centos6 ~]# gpasswd -a lisi zhangsan
Adding user lisi to group zhangsan
[root@Centos6 ~]# getent group zhangsan
zhangsan:x:522:lisi
Add lisi to the zhangsan group as a supplementary group, so that lisi is a member of the file's group and can switch to the lisi user to access 1.txt.
Disadvantage: lisi now belongs to the zhangsan group and can access not only 1.txt but every other file belonging to the zhangsan group, with the same group rights.
3: We can
[root@Centos6 ~]# chmod 777 1.txt
[root@Centos6 ~]# ll 1.txt
-rwxrwxrwx. 1 lisi zhangsan 9 Jul 19 13:47 1.txt
Change the permissions of 1.txt so that all other users can access the file; of course lisi can too.
Disadvantage: everyone gets the "other" permission bits; important files are no longer protected at all.
4: We can
When 1.txt is an executable binary, we can also set the setuid bit with chmod u+s, so that whoever executes it (lisi included) temporarily has the rights of the owner.
We can also set the setgid bit with chmod g+s. When setgid is applied to an executable binary, anyone who executes it temporarily has the permissions of the file's group. In this way lisi temporarily acts as a member of the zhangsan group and can exercise group rights on files while the program runs.
Disadvantage: most files are not executable binaries, so temporary owner or group rights are not feasible.
So the best way is: let lisi belong to no additional group, but grant specific permissions to that single user. This is what ACLs are for: flexible management of file permissions.
ACL
How to enable ACL
CentOS 7 supports ACLs by default.
On CentOS 6 and earlier, file systems created during the operating system installation support ACLs by default, while a file system formatted with mkfs after installation does not have ACL enabled by default and must be enabled manually, in either of the following ways:
Method 1: record acl as a default mount option in the file system's superblock.
tune2fs -o acl /dev/sda5
Method 2: pass the acl option when mounting.
mount -o acl /dev/sda5 /app
The following two commands are the most commonly used:
setfacl: set the ACL entries of files or directories
Synopsis: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
(-m modifies entries, -x removes entries, -b removes all ACL entries, -R recurses into subdirectories; the examples below use -m and -b.)
getfacl: display the ACL entries of files or directories
Options:
-a, --access: display the access ACL of the file or directory
-d, --default: display the default ACL of the directory
-c, --omit-header: do not display the comment header (the "# file:", "# owner:" and "# group:" lines)
-R, --recursive: recurse into subdirectories
We can grant lisi r-x rights through an ACL as follows:
[root@Centos6 ~]# ll 1.txt
-rwxrwx---. 1 zhangsan zhangsan 9 Jul 19 13:47 1.txt
[root@Centos6 ~]# groups zhangsan
zhangsan : zhangsan
[root@Centos6 ~]# groups lisi
lisi : lisi
1.txt is owned by zhangsan and belongs to the zhangsan group, whose only member is zhangsan; the permission bits for others are empty.
[lisi@Centos6 ~]$ ls /home/zhangsan/
ls: cannot open directory /home/zhangsan/: Permission denied
[lisi@Centos6 ~]$ exit
We add an ACL entry for lisi.
[zhangsan@Centos6 /home]$ setfacl -m u:lisi:rx /home/zhangsan/1.txt
[zhangsan@Centos6 ~]$ ll /home/zhangsan/
total 8
-rw-rwxr--+ 1 zhangsan zhangsan 0 Jul 18 12:10 1.txt
drwxrwxr-x. 2 zhangsan zhangsan 4096 Jul 18 13:13 qjc
View the ACL that was set:
[zhangsan@Centos6 ~]$ getfacl /home/zhangsan/1.txt
getfacl: Removing leading '/' from absolute path names
# file: home/zhangsan/1.txt
# owner: zhangsan
# group: zhangsan
user::rw-
user:lisi:r-x
group::rw-
mask::rwx
other::r--
Exit, switch to the lisi user and view 1.txt in zhangsan's home directory: the check succeeds.
[lisi@Centos6 ~]$ cat /home//zhangsan/1.txt
ohello
Delete the ACL to verify the opposite case:
[zhangsan@Centos6 ~]$ setfacl -b /home/zhangsan/1.txt
[zhangsan@Centos6 ~]$ exit
logout
[root@Centos6 ~]# su - lisi
[lisi@Centos6 ~]$ cat /home/zhangsan/1.txt
cat: /home/zhangsan/1.txt: Permission denied
The check succeeds: without the ACL entry, lisi is denied again.
Next, let us compare the order in which the ACL entries are evaluated.
The entries involved are: owner (user), ACL named user, group, other.
First, compare the owner entry with the ACL named-user entry.
Let's continue with the example above.
[zhangsan@Centos6 ~]$ setfacl -m u:zhangsan:rx /home/zhangsan/1.txt
[zhangsan@Centos6 ~]$ ll /home/zhangsan/1.txt
----rwx---+ 1 zhangsan zhangsan 9 Jul 20 00:44 /home/zhangsan/1.txt
[zhangsan@Centos6 ~]$ getfacl /home/zhangsan/1.txt
getfacl: Removing leading '/' from absolute path names
# file: home/zhangsan/1.txt
# owner: zhangsan
# group: zhangsan
user::---
user:zhangsan:r-x
group::rwx
mask::rwx
other::---
[zhangsan@Centos6 ~]$ cat /home/zhangsan/1.txt
cat: /home/zhangsan/1.txt: Permission denied
With the owner permissions set to --- and the ACL named-user entry for zhangsan set to r-x, cat is denied, showing that the owner entry takes precedence over the ACL named-user entry (owner > ACL user).
Next, compare the ACL named-user entry with the group entry:
[zhangsan@Centos6 ~]$ setfacl -m u:lisi:--- /home/zhangsan/1.txt
[zhangsan@Centos6 ~]$ getfacl /home/zhangsan/1.txt
getfacl: Removing leading '/' from absolute path names
# file: home/zhangsan/1.txt
# owner: zhangsan
# group: zhangsan
user::---
user:zhangsan:r-x
user:lisi:---
group::rwx
mask::rwx
other::---
[zhangsan@Centos6 ~]$ exit
logout
[root@Centos6 ~]# su - lisi
[lisi@Centos6 ~]$ cat /home/zhangsan/1.txt
cat: /home/zhangsan/1.txt: Permission denied
Here lisi has been added to the zhangsan group, the group permission of 1.txt is rwx, and lisi's ACL named-user entry is set to ---. Switching to the lisi user, access is denied, showing that lisi's ACL named-user entry takes precedence over the permission of the zhangsan group that lisi belongs to (ACL user > group).
Group permissions are in turn checked before the permissions for others. So the precedence is: owner > ACL user > group > other.
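The precedence rule just derived, together with the getfacl output format shown above, as an added example (not code from the original post): a small model of the POSIX ACL access check that parses getfacl-style text and decides whether a user is granted the requested bits. It follows the evaluation order in acl(5), including the mask entry, which the post's outputs show (mask::rwx) but do not discuss; the user and group names are the ones from the post.

```python
# Added example, not code from the original post: a model of the POSIX ACL
# access check described in acl(5), fed with getfacl-style text like the
# output shown above. Order: owner, then named user, then owning group and
# named groups, then other; the mask limits every entry except owner and other.
RWX = set("rwx")

def parse_getfacl(text):
    """Parse getfacl output; key '' in users/groups is the owner / owning-group entry."""
    acl = {"owner": None, "group": None, "users": {}, "groups": {},
           "mask": None, "other": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = line.split(":", 1)[1].strip()  # owner / group name
        elif line and not line.startswith("#"):
            # getfacl appends '#effective:...' to masked entries; drop that part
            tag, who, perm = line.split("#")[0].strip().split(":")[:3]
            if tag in ("user", "group"):
                acl[tag + "s"][who] = set(perm) & RWX
            elif tag in ("mask", "other"):
                acl[tag] = set(perm) & RWX
    return acl

def check_access(acl, user, user_groups, wanted):
    """True if `user` (a member of `user_groups`) is granted every bit in `wanted`."""
    wanted = set(wanted) & RWX
    mask = acl["mask"] if acl["mask"] is not None else RWX
    if user == acl["owner"]:                      # 1. owner entry, never masked
        return wanted <= acl["users"][""]
    if user in acl["users"]:                      # 2. named user entry, masked
        return wanted <= acl["users"][user] & mask
    hits = [p for g, p in acl["groups"].items()   # 3. owning group + named groups
            if (g or acl["group"]) in user_groups]
    if hits:                                      #    any one matching entry suffices
        return any(wanted <= p & mask for p in hits)
    return wanted <= acl["other"]                 # 4. everyone else

# The ACL from the post's getfacl output after 'setfacl -m u:lisi:rx'
LISI_RX = """# owner: zhangsan
# group: zhangsan
user::rw-
user:lisi:r-x
group::rw-
mask::rwx
other::r--"""

if __name__ == "__main__":
    acl = parse_getfacl(LISI_RX)
    print(check_access(acl, "lisi", ["lisi"], "r"))  # True, via the named user entry
```

Feeding it the two later getfacl outputs from the post reproduces both "Permission denied" results: the owner entry (---) wins over user:zhangsan:r-x, and user:lisi:--- wins over group::rwx even though lisi is in the group.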