1. Requirement
The following requirement is to be implemented with the setfacl command: one set of users may read, write and execute; a second set may write and execute; a third set may only read.
linux rwx
oracle wx
uplook r
2. Solution
Step 1: Add six users: linux01, linux02, oracle01, oracle02, uplook01, uplook02
[root@serv01 learning]# useradd linux01
[root@serv01 learning]# useradd linux02
[root@serv01 learning]# useradd oracle01
[root@serv01 learning]# useradd oracle02
[root@serv01 learning]# useradd uplook01
[root@serv01 learning]# useradd uplook02
Step 2: Set a password for each user
[root@serv01 learning]# passwd linux01
[root@serv01 learning]# passwd linux02
[root@serv01 learning]# passwd oracle01
[root@serv01 learning]# passwd oracle02
[root@serv01 learning]# passwd uplook01
[root@serv01 learning]# passwd uplook02
Step 3: Add three groups: oracle, linux, uplook
[root@serv01 learning]# groupadd oracle
[root@serv01 learning]# groupadd linux
[root@serv01 learning]# groupadd uplook
Step 4: Check the permissions of the data directory
[root@serv01 learning]# ll data -d
drwxr-xr-x. 2 root root 4096 Sep 20 23:31 data
Step 5: Implement the requirement
[root@serv01 learning]# setfacl -m u:linux01:rwx data/
[root@serv01 learning]# setfacl -m u:linux02:rwx data/
[root@serv01 learning]# setfacl -m u:oracle01:rwx data/
[root@serv01 learning]# setfacl -m u:oracle02:rwx data/
[root@serv01 learning]# setfacl -m u:oracle01:wx data/
[root@serv01 learning]# setfacl -m u:oracle02:wx data/
[root@serv01 learning]# setfacl -m u:uplook01:r data/
[root@serv01 learning]# setfacl -m u:uplook02:r data/
# Check the ACL of the data directory
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
mask::rwx
other::r-x
# Check the directory's permissions again: the group column now shows the mask, and the trailing + marks an extended ACL
[root@serv01 learning]# ll data/ -d
drwxrwxr-x+ 2 root root 4096 Sep 20 23:31 data/
Step 6: Verify
# Log in as linux01: the data directory is writable, readable and executable
[root@larrywen /]# ssh linux01@192.168.1.11
linux01@192.168.1.11's password:
Welcome to zhink learn
[linux01@serv01 learning]$ cd data
[linux01@serv01 data]$ ll
total 0
[linux01@serv01 data]$ touch file
[linux01@serv01 data]$ ls
file
# Log in as oracle01: the data directory is writable and executable, but not readable
[root@larrywen /]# ssh oracle01@192.168.1.11
[oracle01@serv01 ~]$ cd /home/learning/data/
[oracle01@serv01 data]$ ll
ls: cannot open directory .: Permission denied
[oracle01@serv01 data]$ touch file2
[oracle01@serv01 data]$ rm -f file2
# Log in as uplook01: the data directory is only readable (file names can be listed, but without x the directory cannot be entered and its files cannot be accessed)
[root@larrywen /]# ssh uplook01@192.168.1.11
uplook01@192.168.1.11's password:
Welcome to zhink learn
[uplook01@serv01 ~]$ cd /home/learning/data
-bash: cd: /home/learning/data: Permission denied
[uplook01@serv01 ~]$ cat /home/learning/data/test.txt
cat: /home/learning/data/test.txt: Permission denied
[uplook01@serv01 ~]$ ls /home/learning/data/
ls: cannot access /home/learning/data/file: Permission denied
ls: cannot access /home/learning/data/test.txt: Permission denied
file  test.txt
Step 7: Assign permissions by group
# Move the six users into their matching groups: linux01 and linux02 into linux, and so on
[root@serv01 learning]# usermod -g linux linux01
[root@serv01 learning]# usermod -g linux linux02
[root@serv01 learning]# usermod -g oracle oracle01
[root@serv01 learning]# usermod -g oracle oracle02
[root@serv01 learning]# usermod -g uplook uplook01
[root@serv01 learning]# usermod -g uplook uplook02
# Assign the permissions by group
[root@serv01 learning]# setfacl -m g:linux:rwx data/
[root@serv01 learning]# setfacl -m g:oracle:wx data/
[root@serv01 learning]# setfacl -m g:uplook:r data/
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:linux:rwx
group:uplook:r--
mask::rwx
other::r-x
3. Other uses of setfacl
# Read the ACL of a file
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:linux:rwx
group:uplook:r--
mask::rwx
other::r-x
# Lower the mask with the m entry: every named user and group entry is now capped at r, which getfacl reports as #effective
[root@serv01 learning]# setfacl -m m:r data/
[root@serv01 learning]# getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx		#effective:r--
user:linux02:rwx		#effective:r--
user:oracle01:-wx		#effective:---
user:oracle02:-wx		#effective:---
user:uplook01:r--
user:uplook02:r--
group::r-x			#effective:r--
group:oracle:-wx		#effective:---
group:linux:rwx			#effective:r--
group:uplook:r--
mask::r--
other::r-x
# Set the mask back with the m entry
[root@serv01 learning]# setfacl -m m:rwx data/
[root@serv01 learning]# getfacl data/
# file: data/
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:linux:rwx
group:uplook:r--
mask::rwx
other::r-x
# Remove an entry with -x
[root@serv01 learning]# setfacl -x g:linux data/
[root@serv01 learning]# getfacl data/
# file: data/
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:linux02:rwx
user:oracle01:-wx
user:oracle02:-wx
user:uplook01:r--
user:uplook02:r--
group::r-x
group:oracle:-wx
group:uplook:r--
mask::rwx
other::r-x
# Remove all extended ACL entries with -b
[root@serv01 learning]# setfacl -b data/
[root@serv01 learning]# getfacl data/
# file: data/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
setfacl -m ug:user group:rwx data/
setfacl -m m:rwx data/
setfacl -x ug:user group data/
setfacl -b data/
getfacl data/
# An ACL can be copied from one file to another by piping getfacl into setfacl
[root@larrywen soft]# setfacl --help
setfacl 2.2.49 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
  -m, --modify=acl        modify the current ACL(s) of file(s)
  -M, --modify-file=file  read ACL entries to modify from file
  -x, --remove=acl        remove entries from the ACL(s) of file(s)
  -X, --remove-file=file  read ACL entries to remove from file
  -b, --remove-all        remove all extended ACL entries
  -k, --remove-default    remove the default ACL
      --set=acl           set the ACL of file(s), replacing the current ACL
      --set-file=file     read ACL entries to set from file
      --mask              do recalculate the effective rights mask
  -n, --no-mask           don't recalculate the effective rights mask
  -d, --default           operations apply to the default ACL
  -R, --recursive         recurse into subdirectories
  -L, --logical           logical walk, follow symbolic links
  -P, --physical          physical walk, do not follow symbolic links
      --restore=file      restore ACLs (inverse of `getfacl -R')
      --test              test mode (ACLs are not modified)
  -v, --version           print version and exit
  -h, --help              this help text
[root@serv01 test]# touch aa01.txt
[root@serv01 test]# getfacl aa01.txt
# file: aa01.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@serv01 test]# setfacl -m g:linux:rwx aa01.txt
[root@serv01 test]# getfacl aa01.txt
# file: aa01.txt
# owner: root
# group: root
user::rw-
group::r--
group:linux:rwx
mask::rwx
other::r--
[root@serv01 test]# touch bb01.txt
[root@serv01 test]# getfacl bb01.txt
# file: bb01.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
[root@serv01 test]# getfacl aa01.txt | setfacl --set-file=- bb01.txt
[root@serv01 test]# getfacl bb01.txt
# file: bb01.txt
# owner: root
# group: root
user::rw-
group::r--
group:linux:rwx
mask::rwx
other::r--
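What the ssh logins in step 6 check by hand, and what the #effective column in section 3 reports after the mask is lowered, can both be computed from a getfacl listing alone. The Python program below is an added example (not from the original post and not the acl package's own code): it parses getfacl output, applies the mask the way the Linux kernel does, reports a user's effective rights on data/, and flags the entries the mask is clipping. The listings and group memberships are constructed from the post's output (abridged to one user per group); linux03, oracle03 and uplook03 are hypothetical accounts that exist only to show the group entries from step 7 working.

```python
"""Model of how Linux evaluates a POSIX ACL, driven by getfacl-style text.
Added example, not part of the original post and not the acl package's code.
Listings and memberships below are constructed from the post's getfacl
output; linux03/oracle03/uplook03 are hypothetical users."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perms_to_bits(perms: str) -> int:
    """'rwx', '-wx', 'r--' -> bitmask with chmod's 4/2/1 weights."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)

def bits_to_perms(bits: int) -> str:
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())

@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0            # user::   the file owner
    group_obj: int = 0           # group::  the owning group
    other: int = 0               # other::
    mask: Optional[int] = None   # mask::   absent on a minimal ACL
    users: Dict[str, int] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, int] = field(default_factory=dict)  # group:NAME:

def parse_getfacl(text: str) -> Acl:
    """Parse one getfacl listing; '#effective:' notes are recomputed, not read."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif not line or line.startswith("#"):
            continue
        else:
            tag, qualifier, perms = line.split(":")
            bits = perms_to_bits(perms)
            if tag == "mask":
                acl.mask = bits
            elif tag == "other":
                acl.other = bits
            elif qualifier:   # user:NAME: or group:NAME:
                (acl.users if tag == "user" else acl.groups)[qualifier] = bits
            elif tag == "user":
                acl.user_obj = bits
            else:
                acl.group_obj = bits
    return acl

def masked(acl: Acl, bits: int) -> int:
    """The mask caps named users and every group entry; owner and other are exempt."""
    return bits if acl.mask is None else bits & acl.mask

def may(acl: Acl, user: str, user_groups: List[str], want: str) -> bool:
    """Kernel order: owner, named user, any matching group entry that alone
    grants every requested bit (after the mask), then other."""
    need = perms_to_bits(want)
    if user == acl.owner:
        return (need & acl.user_obj) == need
    if user in acl.users:
        return (need & masked(acl, acl.users[user])) == need
    entries = [acl.group_obj] if acl.group in user_groups else []
    entries += [bits for g, bits in acl.groups.items() if g in user_groups]
    if entries:
        return any((need & masked(acl, bits)) == need for bits in entries)
    return (need & acl.other) == need

def rights(acl: Acl, user: str, user_groups: List[str]) -> str:
    """Bit-by-bit summary such as 'r-x'; each bit is checked as its own request."""
    return "".join(c if may(acl, user, user_groups, c) else "-" for c in "rwx")

def mask_clipped(acl: Acl) -> Dict[str, str]:
    """Entries whose granted rights exceed the mask (what getfacl flags with
    '#effective:'), mapped to the rights that actually apply."""
    named = {"user:" + n: b for n, b in acl.users.items()}
    named.update({"group:" + n: b for n, b in acl.groups.items()})
    named["group::"] = acl.group_obj
    return {name: bits_to_perms(masked(acl, b))
            for name, b in named.items() if masked(acl, b) != b}

# Constructed listings after step 5 (per-user entries), after step 7 (group
# entries added) and after "setfacl -m m:r data/" (mask lowered to r).
ACL_STEP5 = """# file: data
# owner: root
# group: root
user::rwx
user:linux01:rwx
user:oracle01:-wx
user:uplook01:r--
group::r-x
mask::rwx
other::r-x
"""
ACL_STEP7 = ACL_STEP5.replace(
    "mask::rwx", "group:oracle:-wx\ngroup:linux:rwx\ngroup:uplook:r--\nmask::rwx")
ACL_MASK_R = ACL_STEP7.replace("mask::rwx", "mask::r--").replace(
    "user:linux01:rwx", "user:linux01:rwx\t\t#effective:r--")
```

Feeding it the three listings reproduces the post's observations: linux01 gets rwx, oracle01 -wx and uplook01 r-- in step 5; a hypothetical linux03 whose primary group is linux gets rwx through the group entry in step 7; and after the mask is lowered to r, every named user and group entry drops to r-- or ---, while root (user::) and an unrelated account (other::) are unaffected because the mask never applies to those two entries. That last point is the practical caveat: chmod on a file carrying an extended ACL rewrites the mask rather than the group:: entry, so a routine chmod g-w can silently cut access for every named user too, and mask_clipped() is the check to run when getfacl starts printing #effective.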
My email: wgbno27@163.com; Sina Weibo: @Wentasy27; WeChat public account: JustOracle (WeChat ID: justoracle); database technology discussion group: 336882565 (when joining, verify with "From CSDN XXX"); Oracle discussion group: https://groups.google.com/d/forum/justoracle. By Larry Wen
@Wentasy This post is for reference only; everyone is welcome to visit. If there are mistakes, corrections are appreciated. Please cite the source when reposting original articles, thanks :)