ACL 存取控制清單
UGO及ACL整合判斷流程圖如下:
對Linux U(User)G(Group)O(Other)權限認知都知道UGO權限限制。無法針對多使用者及多個群組做檔案的權限設定,因此就有ACL(Access Control Lists)計畫來補充UGO權限的不足。ACL是以 kernel-base方式來支援Linux
檔案系統是否支援ACL
dumpe2fs /dev/mapper/VolGroup00-LogVol00 |grep -i Default dumpe2fs 1.35 (28-Feb-2004) Default mount options: acl -->表示此系統有支援 Default directory hash: tea
或是用tune2fs也可看到相關資訊
tune2fs -l /dev/mapper/VolGroup00-LogVol00 |grep -i Default
或是用 mount看相關ACL資訊
mount /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw,acl) ~略~
相反地,若無支援ACL如何讓檔案系統支援。兩種方法
- 即刻生效(重新開機後,回覆成無支援ACL狀態)
#mount -o remount,acl /dev/mapper/VolGroup00-LogVol00 #mount /dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw,acl) ~略~
- 直接修改/etc/fstab或用tune2fs調整核心支援ACL
vim /etc/fstab ~略~ /dev/VolGroup00/LogVol00 / ext3 defaults,acl 1 1 ~略~ #mout -o remount / -->重新掛載即生效 或是重新開機 #sync;reboot
用tune2fs 掛 ACL或卸除 ACL 支援
#tune2fs -o +acl /dev/mapper/VolGroup00-LogVol00
卸除ACL
#tune2fs -o ^acl /dev/mapper/VolGroup00-LogVol00
用tune2fs工具調整核心來支援ACL,需要重新開機
#reboot
ACL相關指令
- getfacl 看acl權限
#ls -l test ~略~ -rw-r--r-- 1 root root 0 Mar 28 11:28 test ~略~ #getfacl test # file: test # owner: root # group: root user::rw- group::r-- other::r--
- setfacl 設定acl權限
#setfacl -[m|b|x](m,x不可一起服用) [u|g|d|m]:[uid|使用者名稱]:rwx 檔案或目錄
由上一個項目得知 test的權限為root rw。現在要加入一個使用者andy rw #setfacl -m u:andy:rw test ==> -m 修改 u(使用者):帳號:權限 # getfacl test # file: test # owner: root # group: root user::rw- user:andy:rw- group::r-- mask::rw- other::r-- #ls -l test -rw-rw-r--+ 1 root root 0 Mar 28 11:28 test -->設定完ACL,會出現+
完全清除掉acl設定
#setfacl -b test #getfacl test # file: test # owner: root # group: root user::rw- group::r-- other::r-- #ls -l test -rw-r--r-- 1 root root 0 Mar 28 11:28 test -->清掉所有的ACL,無+
子目錄繼承ACL權限
# mkdir test #setfacl -m u:andy:rwx test/ #touch test/file{1..3} #ll test/ -rw-r--r-- 1 root root 0 Mar 28 14:20 file1 -rw-r--r-- 1 root root 0 Mar 28 14:20 file2 -rw-r--r-- 1 root root 0 Mar 28 14:20 file3 以上file1~file3都沒有 +(表示沒繼承)設定繼承的ACL
# setfacl -x u:andy test/ (先清除acl單) #setfacl -m d:andy:rwx test/ #getfacl test/ # file: test/ # owner: root # group: root user::rwx user:andy:rwx group::r-x mask::rwx other::r-x default:user::rwx default:user:andy:rwx default:group::r-x default:mask::rwx default:other::r-x #touch test/aclFile{1..3} #ls -l test/ total 0 -rw-rw-r--+ 1 root root 0 Mar 28 14:26 aclFile1 -rw-rw-r--+ 1 root root 0 Mar 28 14:26 aclFile2 -rw-rw-r--+ 1 root root 0 Mar 28 14:26 aclFile3 -rw-r--r-- 1 root root 0 Mar 28 14:20 file1 -rw-r--r-- 1 root root 0 Mar 28 14:20 file2 -rw-r--r-- 1 root root 0 Mar 28 14:20 file3 aclFile1~3 有+表示有繼承
案例說明
有三個群組分別是students,teachers,shareUsers共同對此目錄/mnt/projects分別有不同權限;root為此目錄擁有者;student是有效群組,並且有讀寫創建新檔案 ;teachers群組能夠有讀寫存取新檔;shareUsers群組只有讀取檔案權限。不包含students,teachers,shareUsers群組的其他人(Outher)無法存取此目錄。
- 事前先建立群組及使用者
#groupadd teachers #groupadd shareUsers #groupadd students #useradd -G teachers joe #useradd -G students andy #useradd -G shareUsers laua #useradd tea (當其他人) #cat /etc/group|grep -E '(students|teachers|shareUsers)' teachers:x:512:joe shareUsers:x:513:laua students:x:514:andy
- 結果狀態
#ls -ld /mnt/projects/ drwxrws---+ 3 root students 4096 Mar 29 10:23 /mnt/projects/ #ll /mnt/projects/ drwxrws---+ 2 andy students 4096 Mar 29 10:44 rootD1 -rw-rw----+ 1 root students 0 Mar 29 10:40 rootF1 drwxrws---+ 2 andy students 4096 Mar 29 10:43 studentD1 -rw-rw----+ 1 andy students 0 Mar 29 10:43 studentF1 drwxrws---+ 2 joe students 4096 Mar 29 10:26 teacherD1 -rw-rw----+ 1 joe students 19 Mar 29 10:21 teacherF1
開始設定ACL
#chgrp students /mnt/projects/ #chmod 2770 /mnt/projects/ #setfacl -m g:teachers:rwx /mnt/projects/ #setfacl -m g:shareUsers:rx /mnt/projects/ #setfacl -m d:g:teachers:rwx /mnt/projects/ #setfacl -m d:g:shareUsers:r /mnt/projects/ #getfacl /mnt/projects/ # file: mnt/projects/ # owner: root # group: students # flags: -s- user::rwx group::rwx group:teachers:rwx group:shareUsers:r-x mask::rwx other::--- default:user::rwx default:group::rwx default:group:teachers:rwx default:group:shareUsers:r-- default:mask::rwx default:other::---
開始測試ACL
#cat /etc/group|grep -E '(students|teachers|shareUsers)' teachers:x:512:joe shareUsers:x:513:laua students:x:514:andy [tea@Main mnt]$cd /mnt/projects/ bash: cd: /mnt/projects/: Permission denied ============================================ [laua@Main mnt]$cd /mnt/projects/ [laua@Main projects]$ls -l drwxrws---+ 2 andy students 4096 Mar 29 10:44 rootD1 -rw-rw----+ 1 root students 0 Mar 29 10:40 rootF1 drwxrws---+ 2 andy students 4096 Mar 29 10:43 studentD1 -rw-rw----+ 1 andy students 0 Mar 29 10:43 studentF1 drwxrws---+ 2 joe students 4096 Mar 29 10:26 teacherD1 -rw-rw----+ 1 joe students 19 Mar 29 10:21 teacherF1 [laua@Main projects]$cat teacherF1 My name is teacher [laua@Main projects]$ echo "hello" >>teacherF1 bash: teacherF1: Permission denied [laua@Main projects]$ls teacherD1/ ls: cannot access teacherD1/F1: Permission denied ============================================ [andy@Main mnt]$cd /mnt/projects/ [andy@Main projects]$touch studentF2;ls -l drwxrws---+ 2 andy students 4096 Mar 29 10:44 rootD1 -rw-rw----+ 1 root students 0 Mar 29 10:40 rootF1 drwxrws---+ 2 andy students 4096 Mar 29 10:43 studentD1 -rw-rw----+ 1 andy students 0 Mar 29 10:43 studentF1 -rw-rw----+ 1 andy students 0 Mar 29 11:13 studentF2 drwxrws---+ 2 joe students 4096 Mar 29 10:26 teacherD1 -rw-rw----+ 1 joe students 19 Mar 29 10:21 teacherF1 ============================================ [joe@Main mnt]$ cd projects/ [joe@Main projects]$touch teacherF2;ls -l drwxrws---+ 2 andy students 4096 Mar 29 10:44 rootD1 -rw-rw----+ 1 root students 0 Mar 29 10:40 rootF1 drwxrws---+ 2 andy students 4096 Mar 29 10:43 studentD1 -rw-rw----+ 1 andy students 0 Mar 29 10:43 studentF1 -rw-rw----+ 1 andy students 0 Mar 29 11:13 studentF2 drwxrws---+ 2 joe students 4096 Mar 29 10:26 teacherD1 -rw-rw----+ 1 joe students 19 Mar 29 10:21 teacherF1 -rw-rw----+ 1 joe students 0 Mar 29 11:16 teacherF2 [joe@Main projects]$rm -f studentF2;ls -l