在使用setfacl之前,首先要检查系统的内核是否支持setfacl啦,另外还需要编辑/etc/fstab文件,对需要setfacl的分区激活acl的功能。
ACL 有两种:存取 ACL(access ACLs)和默认 ACL(default ACLs)。存取 ACL 是对指定文件或目录的存取控制列表。默认 ACL 只能和目录相关。如果目录中的文件没有存取 ACL,它就会使用该目录的默认 ACL。默认 ACL 是可选的。
ACL 可以按以下条件配置:
每用户
每组群
通过有效权限屏蔽
为不属于文件用户组群的用户配置
其实用户打开访问文件服务器时,他看见的只有两个共享的目录,这两个共享目录是samba共享出来的,分配给所有的用户(everyoen组)都有写的权限(rwx),由于系统的权限行前与samba的权限,所以我在系统中设置了所有用户(everyone组)只有r-x的权限,所有在共享出来的目录中,每个用户在这个目录下不能写了。
setfacl 工具为文件和目录设置 ACL。使用 -m 来添加或修改文件或目录的 ACL:
setfacl -m <rules> <files>
规则(<rules>)必须使用以下格式指定。同一条命令中可以指定多项规则,只要它们是用逗号分开即可。
u:<uid>:<perms>为用户设置存取 ACL。用户名或 UID 必须被指定。用户可以是系统上的任何合法用户。
g:<gid>:<perms>为组群设置存取 ACL。组群名称或 GID 必须被指定。组群可以是系统上的任何合法组群。
m:<perms>设置有效权限屏蔽。该屏蔽是组群所有者和所有用户和组群项目的权限的合集。
o:<perms>为文件的组群用户之外的用户设置存取 ACL。
空格被忽略。权限(<perms>)必须是代表读、写、和执行的字符(r、w、x)的组合。
如果某文件或目录已经有了一个 ACL,而 setfacl 命令仍被使用了,额外的规则就会被添加到已存在的 ACL 中,或用来修改已存在的规则。
例如,要给用户 tfox 以读写权限:
setfacl -m u:tfox:rw /project/somefile
要删除用户、组群或其它人的所有权限,使用 -x 选项,并且不指定任何权限:
setfacl -x <rules> <files>
例如,删除 UID 为 500 的用户的所有权限:
setfacl -x u:500 /project/somefile
setfacl - modify the Access Control List (ACL) for a file or files SYNOPSIS
setfacl [ -r ] -s acl_entries file setfacl [ -r ] -md acl_entries file setfacl [ -r ] -f acl_filefile DESCRIPTION
For each file specified, setfacl will either replace its entire ACL, including the default ACL on a directory, or it will add, modify, or delete one or more ACL entries, includ- ing default entries on directories. Setting an ACL on a file also modifies the file's permission bits. The user entry modifies the file owner permission bits. If you don't specify a mask entry, the group entry modifies the file group owner permission bits. If you specify a mask entry, the file group owner permission bits are modified based on the intersection (bitwise AND) of the group and mask entries. The other entry modifies the other permission bits. If you use the chmod(1) command to change the file group owner permissions on a file with ACL entries, both the file group owner permissions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions may change the effective permissions for additional users and groups who have ACL entries on the file. A directory may contain default ACL entries. If a file or directory is created in a directory that contains default ACL entries, the newly created file will have permissions generated according to the intersection of the default ACL entries and the permissions requested at creation time. The umask(1) will not be applied if the directory contains default ACL entries. If a default ACL is specified for a specific user (or users), the file will have a regular ACL created; otherwise, only the mode bits will be initialized according to the intersection described above. The default ACL should be thought of as the maximum discretionary access permissions that may be granted. acl_entries Syntax For the -m and -s options, acl_entries are one or more comma-separated ACL entries. An ACL entry consists of the following fields separated by colons: entry_type Type of ACL entry on which to set file permis- sions. For example, entry_type can be user (the owner of a file) or mask (the ACL mask). uid or gid User name or user identification number. Or, group name or group identification number. perms Represents the permissions that are set on entry_type. perms can be indicated by the sym- bolic characters rwx or a number (the same per- missions numbers used with the chmod command). The following table shows the valid ACL entries (default entries may only be specified for directories): ACL Entry Description u[ser]::perms File owner permissions. g[roup]::perms File group owner permissions. o[ther]:perms Permissions for users other than the file owner or members of file group owner. m[ask]:perms The ACL mask. The mask entry indi- cates the maximum permissions allowed for users (other than the owner) and for groups. The mask is a quick way to change permissions on all the users and groups. u[ser]:uid:perms Permissions for a specific user. For uid, you can specify either a user name or a numeric UID. g[roup]:gid:perms Permissions for a specific group. For gid, you can specify either a group name or a numeric GID. d[efault]:u[ser]::perms Default file owner permissions. d[efault]:g[roup]::perms Default file group owner permis- sions. d[efault]:o[ther]:perms Default permissions for users other than the file owner or members of the file group owner. d[efault]:m[ask]:perms Default ACL mask. d[efault]:u[ser]:uid:perms Default permissions for a specific user. For uid, you can specify either a user name or a numeric UID. d[efault]:g[roup]:gid:perms Default permissions for a specific group. For gid, you can specify either a group name or a numeric GID. For the -d option, acl_entries are one or more comma- separated ACL entries without permissions. Note that the entries for file owner, file group owner, ACL mask, and oth- ers may not be deleted. OPTIONS
The options have the following meaning: -s acl_entries Set a file's ACL. All old ACL entries are removed and replaced with the newly specified ACL. The entries need not be in any specific order. They will be sorted by the command before being applied to the file. Required entries: o Exactly one user entry specified for the file owner. o Exactly one group entry for the file group owner. o Exactly one other entry specified. If there are additional user and group entries: o Exactly one mask entry specified for the ACL mask that indicates the maximum permissions allowed for users (other than the owner) and groups. o Must not be duplicate user entries with the same uid. o Must not be duplicate group entries with the same gid. If file is a directory, the following default ACL entries may be specified: o Exactly one default user entry for the file owner. o Exactly one default group entry for the file group owner. o Exactly one default mask entry for the ACL mask. o Exactly one default other entry. There may be additional default user entries and addi- tional default group entries specified, but there may not be duplicate additional default user entries with the same uid, or duplicate default group entries with the same gid. -m acl_entries Add one or more new ACL entries to the file, and/or modify one or more existing ACL entries on the file. If an entry already exists for a specified uid or gid, the specified permissions will replace the current permissions. If an entry does not exist for the speci- fied uid or gid, an entry will be created. -d acl_entries Delete one or more entries from the file. The entries for the file owner, the file group owner, and others may not be deleted from the ACL. Note that deleting an entry does not necessarily have the same effect as removing all permissions from the entry. -f acl_file Set a file's ACL with the ACL entries contained in the file named acl_file. The same constraints on specified entries hold as with the -s option. The entries are not required to be in any specific order in the file. Also, if you specify a dash '-' for acl_file, standard input is used to set the file's ACL. The character "#" in acl_file may be used to indicate a comment. All characters, starting with the "#" until the end of the line, will be ignored. Note that if the acl_file has been created as the output of the get- facl(1) command, any effective permissions, which will follow a "#", will be ignored. -r Recalculate the permissions for the ACL mask entry. The permissions specified in the ACL mask entry are ignored and replaced by the maximum permissions neces- sary to grant the access to all additional user, file group owner, and additional group entries in the ACL. The permissions in the additional user, file group owner, and additional group entries are left unchanged. EXAMPLES
Example 1: Adding read permission only The following example adds one ACL entry to file abc, which gives user shea read permission only. setfacl -m user:shea:r-- abc Example 2: Replacing a file's entire ACL The following example replaces the entire ACL for the file abc, which gives shea read access, the file owner all access, the file group owner read access only, the ACL mask read/write access, and others no access. setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc Note that after this command, the file permission bits are rwxr-----. Even though the file group owner was set with read/write permissions, the ACL mask entry limits it to have only read permissions. The mask entry also specifies the maximum permissions available to all additional user and group ACL entries. Once again, even though the user shea was set with all access, the mask limits it to have only read permissions. The ACL mask entry is a quick way to limit or open access to all the user and group entries in an ACL. For example, by changing the mask entry to read/write, both the file group owner and user shea would be given read/write access. Example 3: Setting the same ACL on two files The following example sets the same ACL on file abc as the file xyz. getfacl xyz | setfacl -f - abc 其实Linux系统中有许多功能我还没有用到,因为没有这个需求,呵呵
本文地址:http://com.8s8s.com/it/it34016.htm