======ACL Access Control Lists======
The flowchart for combined **UGO and ACL** evaluation is shown below:
{{:linux:perm:ugo權限流程配合acl2.gif?300|}}
Anyone familiar with Linux **U(User) G(Group) O(Other)** permissions knows their limitation: UGO cannot set file permissions for several users and several groups at once, so the **ACL (Access Control Lists)** project was created to supplement UGO. On Linux, ACL support is provided at the kernel level.
=====Does the filesystem support ACL?=====
dumpe2fs /dev/mapper/VolGroup00-LogVol00 |grep -i Default
dumpe2fs 1.35 (28-Feb-2004)
Default mount options: acl --> indicates this filesystem supports ACL
Default directory hash: tea
Or use tune2fs to see the same information:
tune2fs -l /dev/mapper/VolGroup00-LogVol00 |grep -i Default
Or use mount to see the ACL-related mount options:
mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw,acl)
~omitted~
Conversely, if ACL is not supported, how do we enable it on the filesystem? There are two methods:
- Takes effect immediately (after a reboot it reverts to the non-ACL state):
#mount -o remount,acl /dev/mapper/VolGroup00-LogVol00
#mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw,acl)
~omitted~
- Edit /etc/fstab directly, or use tune2fs to change the filesystem's default mount options so that ACL is supported:
vim /etc/fstab
~omitted~
/dev/VolGroup00/LogVol00 / ext3 defaults,acl 1 1
~omitted~
#mount -o remount / --> remounting makes it take effect
Or reboot:
#sync;reboot
Using tune2fs to enable or disable ACL:
Enable:
#tune2fs -o +acl /dev/mapper/VolGroup00-LogVol00
Disable ACL:
#tune2fs -o ^acl /dev/mapper/VolGroup00-LogVol00
After changing ACL support with tune2fs, a reboot is required:
#reboot
=====ACL-related commands=====
* getfacl: view ACL permissions
#ls -l test
~omitted~
-rw-r--r-- 1 root root 0 Mar 28 11:28 test
~omitted~
#getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::r--
other::r--
* setfacl: set ACL permissions
#setfacl -[m|b|x] (m and x cannot be used together) [u|g|d|m]:[uid|username]:rwx file-or-directory
From the previous item, test has rw permission for root. Now add user andy with rw:
#setfacl -m u:andy:rw test ==> -m modify; u (user):account:permissions
# getfacl test
# file: test
# owner: root
# group: root
user::rw-
user:andy:rw-
group::r--
mask::rw-
other::r--
#ls -l test
-rw-rw-r--+ 1 root root 0 Mar 28 11:28 test --> after the ACL is set, a + appears
Remove all ACL entries completely:
#setfacl -b test
#getfacl test
# file: test
# owner: root
# group: root
user::rw-
group::r--
other::r--
#ls -l test
-rw-r--r-- 1 root root 0 Mar 28 11:28 test --> all ACL entries removed, no +
ACL inheritance for files created in a directory:
# mkdir test
#setfacl -m u:andy:rwx test/
#touch test/file{1..3}
#ll test/
-rw-r--r-- 1 root root 0 Mar 28 14:20 file1
-rw-r--r-- 1 root root 0 Mar 28 14:20 file2
-rw-r--r-- 1 root root 0 Mar 28 14:20 file3
None of file1 to file3 above has a + (meaning nothing was inherited).
Setting an inherited (default) ACL:
# setfacl -x u:andy test/ (first remove the existing ACL entry)
#setfacl -m d:andy:rwx test/
#getfacl test/
# file: test/
# owner: root
# group: root
user::rwx
user:andy:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:andy:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
#touch test/aclFile{1..3}
#ls -l test/
total 0
-rw-rw-r--+ 1 root root 0 Mar 28 14:26 aclFile1
-rw-rw-r--+ 1 root root 0 Mar 28 14:26 aclFile2
-rw-rw-r--+ 1 root root 0 Mar 28 14:26 aclFile3
-rw-r--r-- 1 root root 0 Mar 28 14:20 file1
-rw-r--r-- 1 root root 0 Mar 28 14:20 file2
-rw-r--r-- 1 root root 0 Mar 28 14:20 file3
aclFile1 to aclFile3 have a +, meaning the ACL was inherited.
=====Case study=====
Three groups, students, teachers and shareUsers, share the directory /mnt/projects with different permissions. root is the owner of the directory; students is the effective (owning) group, with permission to read, write and create new files; the teachers group can read, write and create new files; the shareUsers group may only read files. Others (Other) who belong to none of students, teachers or shareUsers cannot access the directory at all.
* First create the groups and users
#groupadd teachers
#groupadd shareUsers
#groupadd students
#useradd -G teachers joe
#useradd -G students andy
#useradd -G shareUsers laua
#useradd tea (acts as Other)
#cat /etc/group|grep -E '(students|teachers|shareUsers)'
teachers:x:512:joe
shareUsers:x:513:laua
students:x:514:andy
* Resulting state
#ls -ld /mnt/projects/
drwxrws---+ 3 root students 4096 Mar 29 10:23 /mnt/projects/
#ll /mnt/projects/
drwxrws---+ 2 andy students 4096 Mar 29 10:44 rootD1
-rw-rw----+ 1 root students 0 Mar 29 10:40 rootF1
drwxrws---+ 2 andy students 4096 Mar 29 10:43 studentD1
-rw-rw----+ 1 andy students 0 Mar 29 10:43 studentF1
drwxrws---+ 2 joe students 4096 Mar 29 10:26 teacherD1
-rw-rw----+ 1 joe students 19 Mar 29 10:21 teacherF1
**Setting up the ACL**
#chgrp students /mnt/projects/
#chmod 2770 /mnt/projects/
#setfacl -m g:teachers:rwx /mnt/projects/
#setfacl -m g:shareUsers:rx /mnt/projects/
#setfacl -m d:g:teachers:rwx /mnt/projects/
#setfacl -m d:g:shareUsers:r /mnt/projects/
#getfacl /mnt/projects/
# file: mnt/projects/
# owner: root
# group: students
# flags: -s-
user::rwx
group::rwx
group:teachers:rwx
group:shareUsers:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:teachers:rwx
default:group:shareUsers:r--
default:mask::rwx
default:other::---
**Testing the ACL**
#cat /etc/group|grep -E '(students|teachers|shareUsers)'
teachers:x:512:joe
shareUsers:x:513:laua
students:x:514:andy
[tea@Main mnt]$cd /mnt/projects/
bash: cd: /mnt/projects/: Permission denied
============================================
[laua@Main mnt]$cd /mnt/projects/
[laua@Main projects]$ls -l
drwxrws---+ 2 andy students 4096 Mar 29 10:44 rootD1
-rw-rw----+ 1 root students 0 Mar 29 10:40 rootF1
drwxrws---+ 2 andy students 4096 Mar 29 10:43 studentD1
-rw-rw----+ 1 andy students 0 Mar 29 10:43 studentF1
drwxrws---+ 2 joe students 4096 Mar 29 10:26 teacherD1
-rw-rw----+ 1 joe students 19 Mar 29 10:21 teacherF1
[laua@Main projects]$cat teacherF1
My name is teacher
[laua@Main projects]$ echo "hello" >>teacherF1
bash: teacherF1: Permission denied
[laua@Main projects]$ls teacherD1/
ls: cannot access teacherD1/F1: Permission denied
============================================
[andy@Main mnt]$cd /mnt/projects/
[andy@Main projects]$touch studentF2;ls -l
drwxrws---+ 2 andy students 4096 Mar 29 10:44 rootD1
-rw-rw----+ 1 root students 0 Mar 29 10:40 rootF1
drwxrws---+ 2 andy students 4096 Mar 29 10:43 studentD1
-rw-rw----+ 1 andy students 0 Mar 29 10:43 studentF1
-rw-rw----+ 1 andy students 0 Mar 29 11:13 studentF2
drwxrws---+ 2 joe students 4096 Mar 29 10:26 teacherD1
-rw-rw----+ 1 joe students 19 Mar 29 10:21 teacherF1
============================================
[joe@Main mnt]$ cd projects/
[joe@Main projects]$touch teacherF2;ls -l
drwxrws---+ 2 andy students 4096 Mar 29 10:44 rootD1
-rw-rw----+ 1 root students 0 Mar 29 10:40 rootF1
drwxrws---+ 2 andy students 4096 Mar 29 10:43 studentD1
-rw-rw----+ 1 andy students 0 Mar 29 10:43 studentF1
-rw-rw----+ 1 andy students 0 Mar 29 11:13 studentF2
drwxrws---+ 2 joe students 4096 Mar 29 10:26 teacherD1
-rw-rw----+ 1 joe students 19 Mar 29 10:21 teacherF1
-rw-rw----+ 1 joe students 0 Mar 29 11:16 teacherF2
[joe@Main projects]$rm -f studentF2;ls -l
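As an added example that is not part of the original page, the decision order from the UGO/ACL flowchart at the top, applied to the /mnt/projects ACL in the case study: the script parses getfacl output and decides whether a user with the given group memberships holds the requested permission bits, which reproduces the Permission denied results of the test session (tea cannot enter, laua can list but not write). It assumes only the getfacl output and the /etc/group memberships shown above.

```python
# Added example (not the page's own code): parse getfacl(1) output and apply the
# acl(5) access-check order (owner, named user, groups under the mask, other).

PROJECTS_DIR_ACL = """\
# owner: root
# group: students
user::rwx
group::rwx
group:teachers:rwx
group:shareUsers:r-x
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, access_entries, default_entries); an entry is a
    (tag, qualifier, perms) tuple, perms being a subset of {'r', 'w', 'x'}."""
    owner = group = None
    access, default = [], []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and line[0] != "#":
            line = line.split("#")[0].strip()        # drop "#effective:" notes
            target = default if line.startswith("default:") else access
            tag, qual, perms = line.split(":")[-3:]  # same with/without "default:"
            target.append((tag, qual, set(perms) - {"-"}))
    return owner, group, access, default

def _perms(entries, tag, qualifier=""):
    return next((p for t, q, p in entries if (t, q) == (tag, qualifier)), None)

def check_access(acl_text, user, groups, want):
    """True if `user`, a member of `groups`, holds every bit of `want` (e.g. "rw")."""
    owner, owning_group, access, _ = parse_getfacl(acl_text)
    want, mask = set(want), _perms(access, "mask")
    if mask is None:                                  # minimal ACL: nothing masked
        mask = set("rwx")
    if user == owner:                                 # owner entry is never masked
        return want <= _perms(access, "user")
    named = _perms(access, "user", user)
    if named is not None:                             # named user entry, masked
        return want <= named & mask
    matching = [p for t, q, p in access if t == "group"
                and (q in groups if q else owning_group in groups)]
    if matching:                                      # a group matched: granted only
        return any(want <= p & mask for p in matching)  # if one entry has all bits
    return want <= _perms(access, "other")            # no group matched: use other
```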