zoukankan      html  css  js  c++  java
  • linux中ACL权限

    1.ACL权限简介与开启

    一.ACL权限是为了解决所有者/所属组/其他人三种身份不足的问题

    二.查看分区ACL权限是否开启

    dumpe2fs命令是查询指定分区详细文件系统信息的命令

    dumpe2fs -h /dev/sda3

    -h 仅显示超级块中信息,而不显示磁盘块组的详细信息
    
    [root@izm5e2q95pbpe1hh0kkwoiz ~]# df -h
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/vda1        40G   14G   25G  36% /
    devtmpfs        911M     0  911M   0% /dev
    tmpfs           920M     0  920M   0% /dev/shm
    tmpfs           920M  548K  920M   1% /run
    tmpfs           920M     0  920M   0% /sys/fs/cgroup
    tmpfs           184M     0  184M   0% /run/user/0
    tmpfs           184M     0  184M   0% /run/user/1002
    [root@izm5e2q95pbpe1hh0kkwoiz ~]# dumpe2fs -h /dev/vda1
    dumpe2fs 1.42.9 (28-Dec-2013)
    Filesystem volume name:   <none>
    Last mounted on:          /
    Filesystem UUID:          eb448abb-3012-4d8d-bcde-94434d586a31
    Filesystem magic number:  0xEF53
    Filesystem revision #:    1 (dynamic)
    Filesystem features:      has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
    Filesystem flags:         signed_directory_hash 
    Default mount options:    user_xattr acl
    Filesystem state:         clean
    Errors behavior:          Continue
    Filesystem OS type:       Linux
    Inode count:              2621440
    Block count:              10485248
    Reserved block count:     524262
    Free blocks:              8958387
    Free inodes:              2519237
    First block:              0
    Block size:               4096
    Fragment size:            4096
    Reserved GDT blocks:      1021
    Blocks per group:         32768
    Fragments per group:      32768
    Inodes per group:         8192
    Inode blocks per group:   512
    RAID stride:              32639
    Flex block group size:    16
    Filesystem created:       Sun Oct 15 23:18:59 2017
    Last mount time:          Tue Aug 14 10:15:43 2018
    Last write time:          Tue Aug 14 18:15:42 2018
    Mount count:              6
    Maximum mount count:      -1
    Last checked:             Wed Jun 27 22:35:57 2018
    Check interval:           0 (<none>)
    Lifetime writes:          30 GB
    Reserved blocks uid:      0 (user root)
    Reserved blocks gid:      0 (group root)
    First inode:              11
    Inode size:               256
    Required extra isize:     28
    Desired extra isize:      28
    Journal inode:            8
    First orphan inode:       1050280
    Default directory hash:   half_md4
    Directory Hash Seed:      2579899c-6862-4625-a8e6-425550384200
    Journal backup:           inode blocks
    Journal features:         journal_incompat_revoke
    Journal size:             128M
    Journal length:           32768
    Journal sequence:         0x006beeea
    Journal start:            22131
    

    Default mount options: user_xattr acl显示支持acl

    三.临时开启分区ACL权限

    重新挂载根分区,并挂载加入acl权限

    mount -o remount,acl /

    四.永久开启分区ACL权限(一定要谨慎)

    # 加入acl
    vim /etc/fstab
    UUID=eb448abb-3012-4d8d-bcde-94434d586a31 /                       ext4    defaults        1 1
    修改为
    UUID=eb448abb-3012-4d8d-bcde-94434d586a31 /                       ext4    defaults,acl        1 1
    
    # 重新挂载文件系统或重新启动系统,使修改生效
    mount -o remount /
    

    2.查看和设定ACL权限

    一.查看ACL命令

    查看acl权限

    getfacle 文件名

    二.设定ACL权限的命令

    setfacl 选项 文件名

    选项 作用
    -m 设定ACL权限
    -x 删除指定的ACL权限
    -b 删除所有的ACL全新啊
    -d 设定默认ACL权限
    -k 删除默认ACL权限
    -R 递归设定ACL权限

    三.给用户设定ACL权限和给组设定ACL权限

    # 进入tmp目录
    [root@izm5e2q95pbpe1hh0kkwoiz /]# cd /tmp
    
    # 创建project目录
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# mkdir project
    
    # 查看是否创建
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# ls
    Aegis-<Guid(5A2C30A2-A87D-490A-9281-6765EDAD7CBA)>  eternityz  hsperfdata_root  issue.soft  Japan  mysql.sock  php-cgi.sock  project  systemd-private-9255c5ee9ec84f5987c1d9ba485e177e-ntpd.service-eKcnmD  test.txt
    
    # 添加用户zhangsan
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# useradd zhangsan
    
    # 添加用户lisi
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# useradd lisi
    
    # 添加组tgroup
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# groupadd tgroup
    
    # 将zhangsan添加到组tgroup中
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# gpasswd -a zhangsan tgroup
    Adding user zhangsan to group tgroup
    
    # 将lisi添加到组tgroup中
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# gpasswd -a lisi tgroup
    Adding user lisi to group tgroup
    
    # 查看组内的用户(最后一行)
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# cat /etc/group
    root:x:0:eternity
    bin:x:1:
    daemon:x:2:
    sys:x:3:
    adm:x:4:
    tty:x:5:
    disk:x:6:
    lp:x:7:
    mem:x:8:
    kmem:x:9:
    wheel:x:10:
    cdrom:x:11:
    mail:x:12:postfix
    man:x:15:
    dialout:x:18:
    floppy:x:19:
    games:x:20:
    tape:x:30:
    video:x:39:
    ftp:x:50:
    lock:x:54:
    audio:x:63:
    nobody:x:99:
    users:x:100:
    utmp:x:22:
    utempter:x:35:
    ssh_keys:x:999:
    input:x:998:
    systemd-journal:x:190:
    systemd-network:x:192:
    dbus:x:81:
    polkitd:x:997:
    postdrop:x:90:
    postfix:x:89:
    chrony:x:996:
    sshd:x:74:
    ntp:x:38:
    tcpdump:x:72:
    nscd:x:28:
    screen:x:84:
    mysql:x:1000:
    www:x:1001:
    rabbitmq:x:995:
    eternity:x:1002:
    eternityz:x:1003:
    slocate:x:21:
    saslauth:x:76:
    mailnull:x:47:
    smmsp:x:51:
    zhangsan:x:1004:
    lisi:x:1005:
    tgroup:x:1006:zhangsan,lisi
    
    # 将project目录的所属组更改为tgroup
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# chown root:tgroup project
    
    # 将project目录的权限更改为770
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# chmod 770 project
    
    # 查看更改权限的project目录
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# ll -d project
    drwxrwx--- 2 root tgroup 4096 Dec 10 17:00 project
    
    # 增加试听学员st
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# useradd st
    
    # 修改试听学员st的密码
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# passwd st
    Changing password for user st.
    New password: 
    BAD PASSWORD: The password is shorter than 8 characters
    Retype new password: 
    passwd: all authentication tokens updated successfully.
    
    # 给试听学员st设定ACL权限rx
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -m u:st:rx project
    
    # 查看ACL权限
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project
    # file: project
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x  #st用户拥有rx权限
    group::rwx
    mask::rwx
    other::---
    
    # 切换到st用户
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# su - st
    
    # 进入/tmp/project目录
    [st@izm5e2q95pbpe1hh0kkwoiz ~]$ cd /tmp/project
    
    # 创建文件test.txt,提示没有权限
    [st@izm5e2q95pbpe1hh0kkwoiz project]$ touch test.txt
    touch: cannot touch ‘test.txt’: Permission denied
    
    # 退出st用户
    [st@izm5e2q95pbpe1hh0kkwoiz project]$ exit
    logout
    
    # 增加组tgroup2
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# groupadd tgroup2
    
    # 给组tgroup2设定ACL权限rwx
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -m g:tgroup2:rwx project
    
    # 查看ACL权限
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project
    # file: project
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x # 用户st拥有ACL权限rx
    group::rwx
    group:tgroup2:rwx # 组tgroup2拥有ACL权限rwx
    mask::rwx
    other::---
    

    有ACL权限和没ACL权限的文件夹

    # 没有ACL权限的后面没有+号
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# ll -d project
    drwxrwx--- 2 root tgroup 4096 Dec 10 17:00 project
    
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -m u:st:rx project
    
    # 有ACL权限的后面带着+号
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# ll -d project
    drwxrwx---+ 2 root tgroup 4096 Dec 10 17:00 project
    
    

    3.最大有效权限和删除ACL权限

    一.最大有效权限mask

    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project
    # file: project
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x
    group::rwx
    group:st:rwx
    group:tgroup2:rwx
    mask::rwx
    other::---
    

    mask是用来指定最大有效权限的.如果我给用户赋予了ACL权限,是需要和mask的权限"相与"才能得到用户的真正权限

    A B and
    r r r
    r - -
    - r -
    - - -

    修改mask的值

    setfacl -m m:rx project

    # 更改mask的值
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -m m:rx project
    
    # 查询ACL权限
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project
    # file: project
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x
    group::rwx                      #effective:r-x
    group:st:rwx                    #effective:r-x
    group:tgroup2:rwx               #effective:r-x
    mask::r-x
    other::---
    
        mask的值只影响具有ACL权限的,不影响用户的权限
        用户st的权限为rx
        组st的ACL权限是rwx,但是实际生效的只是rx权限
        组tgroup2的ACL权限是rwx,但是实际生效的是rx权限
    

    二.删除ACL权限

    删除指定用户的ACL权限

    setfacl -x u:用户名 文件/文件夹

    删除指定用户组的ACL权限

    setfacl -x g:组名 文件/文件夹

    # 之前的有组tgroup2的ACL权限
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project
    # file: project
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x
    group::rwx                      #effective:r-x
    group:st:rwx                    #effective:r-x
    group:tgroup2:rwx               #effective:r-x
    mask::r-x
    other::---
    
    # 移除组tgroup2的ACL权限
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -x g:tgroup2 project
    
    # 再次查询,tgroup2的ACL权限没有了
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project
    # file: project
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x
    group::rwx
    group:st:rwx
    mask::rwx
    other::---
    

    删除文件或文件假的所有的ACL权限

    sefacl -b 文件/文件夹

    # 之前project目录的ACL权限
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project
    # file: project
    # owner: root
    # group: tgroup
    user::rwx
    user:st:r-x
    group::rwx
    group:st:rwx
    mask::rwx
    other::---
    
    # 移除所有的ACL权限
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# setfacl -b project
    
    # 再次查询,ACL权限和mask都没有了
    [root@izm5e2q95pbpe1hh0kkwoiz tmp]# getfacl project
    # file: project
    # owner: root
    # group: tgroup
    user::rwx
    group::rwx
    other::---
    
    

    4.默认ACL权限和递归ACL权限

    一.递归ACL权限

    递归是父目录在设定ACL权限时,所有的子文件和子目录也会拥有相同的ACL权限
    

    setfacl -m u:用户名:权限 -R 文件夹

    # -R必须在后面,否则报错
    
    # 给文件夹及下面的所有文件及文件夹设置ACL权限,运行此命令后,新建的文件不具备ACL权限
    

    二.默认ACL权限

    默认ACL权限的作用是如果给父目录设定了默认ACL权限,那么父目录中所有新建的子文件都会继承父目录的ACL权限
    

    setfacl -m d:u:用户名:权限 文件夹

    # 运行上面的命令之后,以后此文件夹下新建文件或文件夹都具备ACL权限
    
  • 相关阅读:
    [LeetCode] Search a 2D Matrix
    CCBPM中的消息机制,CCIM服务端安装说明
    程序基石系列之C++多态的前提条件
    汇编中常见的一些错误信息
    浏览器的CSS Hacks
    易学设计模式看书笔记(7)
    [易飞]简易制程日报-月报
    js thiskeyword
    时空-问题集锦(转载)
    Delphi 组件渐进开发浅谈(二)——双简合璧
  • 原文地址:https://www.cnblogs.com/eternityz/p/12386423.html
Copyright © 2011-2022 走看看