文件控制列表命令setfacl和getfacl的使用


文件控制列表命令setfacl和getfacl的使用
 
一 需求
有以下需求,通过setfacl命令实现
一组用户可写可读可执行,一组用户可写可执行,另一组用户只可读
linux rwx
oracle wx
uplook r
 
二 解决
 
第一步 添加六个用户linux01、linux02、oracle01、oracle02、uplook01、uplook02
[root@serv01 learning]# useradd linux01  
[root@serv01 learning]# useradd linux02  
[root@serv01 learning]# useradd oracle01  
[root@serv01 learning]# useradd oracle02  
[root@serv01 learning]# useradd uplook01  
[root@serv01 learning]# useradd uplook02  
 
第二步 分别设置密码
[root@serv01 learning]# passwd linux01  
[root@serv01 learning]# passwd linux02  
[root@serv01 learning]# passwd oracle01  
[root@serv01 learning]# passwd oracle02  
[root@serv01 learning]# passwd uplook01  
[root@serv01 learning]# passwd uplook02  
 
第三步 添加三个组oracle、linux、uplook
[root@serv01 learning]# groupadd oracle  
[root@serv01 learning]# groupadd linux  
[root@serv01 learning]# groupadd uplook  
 
第四步 查看data目录的权限
[root@serv01 learning]# ll data -d  
drwxr-xr-x. 2 root root 4096 Sep 20 23:31 data  
 
第五步 实现功能
[root@serv01 learning]# setfacl -m u:linux01:rwx data/  
[root@serv01 learning]# setfacl -m u:linux02:rwx data/  
[root@serv01 learning]# setfacl -m u:oracle01:rwx data/  
[root@serv01 learning]# setfacl -m u:oracle02:rwx data/  
#注意:-m 会替换同一用户已有的条目,下面两条把上面给 oracle01、oracle02 的 rwx 改为 wx  
[root@serv01 learning]# setfacl -m u:oracle01:wx data/  
[root@serv01 learning]# setfacl -m u:oracle02:wx data/  
[root@serv01 learning]# setfacl -m u:uplook01:r data/  
[root@serv01 learning]# setfacl -m u:uplook02:r data/  
  
#查看data目录的权限  
[root@serv01 learning]# getfacl data  
# file: data  
# owner: root  
# group: root  
user::rwx  
user:linux01:rwx  
user:linux02:rwx  
user:oracle01:-wx  
user:oracle02:-wx  
user:uplook01:r--  
user:uplook02:r--  
group::r-x  
mask::rwx  
other::r-x  
  
#再次查看data目录的权限  
[root@serv01 learning]# ll data/ -d  
drwxrwxr-x+ 2 root root 4096 Sep 20 23:31 data/  
 
第六步 验证
#以linux01用户登录,发现对data目录可写、可读、可执行  
[root@larrywen /]# ssh linux01@192.168.1.11  
linux01@192.168.1.11's password:  
Welcome to zhink learn  
   
[linux01@serv01 learning]$ cd data  
[linux01@serv01 data]$ ll  
total 0  
[linux01@serv01 data]$ touch file  
[linux01@serv01 data]$ ls  
file  
   
#以oracle01用户登录,发现对data目录可写、可执行,没有读的权限(不能列出目录内容,但仍可以在目录里创建和删除文件)  
[root@larrywen /]# ssh oracle01@192.168.1.11  
[oracle01@serv01 ~]$ cd /home/learning/data/  
[oracle01@serv01 data]$ ll  
ls: cannot open directory .: Permission denied  
[oracle01@serv01 data]$ touch file2  
[oracle01@serv01 data]$ rm -f file2  
   
#以uplook01用户登录,发现对data目录只具有读的权限:目录只有r没有x时,可以列出文件名,但不能进入目录,也不能访问其中的文件  
[root@larrywen /]# ssh uplook01@192.168.1.11  
uplook01@192.168.1.11's password:  
Welcome to zhink learn  
[uplook01@serv01 ~]$ cd /home/learning/data  
-bash: cd: /home/learning/data: Permission denied  
[uplook01@serv01 ~]$ cat /home/learning/data/test.txt  
cat: /home/learning/data/test.txt: Permission denied  
[uplook01@serv01 ~]$ ls /home/learning/data/  
ls: cannot access /home/learning/data/file: Permission denied  
ls: cannot access /home/learning/data/test.txt: Permission denied  
file test.txt  
 
第七步 以组的形式进行权限分配
#修改创建的六个用户到对应的组,比如linux01、linux02到linux组,以此类推  
[root@serv01 learning]# usermod -g linux linux01  
[root@serv01 learning]# usermod -g linux linux02  
[root@serv01 learning]# usermod -g oracle oracle01  
[root@serv01 learning]# usermod -g oracle oracle02  
[root@serv01 learning]# usermod -g uplook uplook01  
[root@serv01 learning]# usermod -g uplook uplook02  
   
#以组的形式进行权限分配  
[root@serv01 learning]# setfacl -m g:linux:rwx data/  
[root@serv01 learning]# setfacl -m g:oracle:wx data/  
[root@serv01 learning]# setfacl -m g:uplook:r data/  
[root@serv01 learning]# getfacl data  
# file: data  
# owner: root  
# group: root  
user::rwx  
user:linux01:rwx  
user:linux02:rwx  
user:oracle01:-wx  
user:oracle02:-wx  
user:uplook01:r--  
user:uplook02:r--  
group::r-x  
group:oracle:-wx  
group:linux:rwx  
group:uplook:r--  
mask::rwx  
other::r-x  
 
三 setfacl的其他使用方法
#获得文件权限控制  
[root@serv01 learning]# getfacl data  
# file: data  
# owner: root  
# group: root  
user::rwx  
user:linux01:rwx  
user:linux02:rwx  
user:oracle01:-wx  
user:oracle02:-wx  
user:uplook01:r--  
user:uplook02:r--  
group::r-x  
group:oracle:-wx  
group:linux:rwx  
group:uplook:r--  
mask::rwx  
other::r-x  
   
#修改mask m参数(mask限制所有命名用户、命名组和属组的有效权限,getfacl用#effective:显示实际生效的权限)  
[root@serv01 learning]# setfacl -m m:r data/  
[root@serv01 learning]# getfacl data  
# file: data  
# owner: root  
# group: root  
user::rwx  
user:linux01:rwx        #effective:r--  
user:linux02:rwx        #effective:r--  
user:oracle01:-wx             #effective:---  
user:oracle02:-wx             #effective:---  
user:uplook01:r--  
user:uplook02:r--  
group::r-x                   #effective:r--  
group:oracle:-wx        #effective:---  
group:linux:rwx                 #effective:r--  
group:uplook:r--  
mask::r--  
other::r-x  
   
#设置mask的值 m参数  
[root@serv01 learning]# setfacl -m m:rwx data/  
[root@serv01 learning]# getfacl data/  
# file: data/  
# owner: root  
# group: root  
user::rwx  
user:linux01:rwx  
user:linux02:rwx  
user:oracle01:-wx  
user:oracle02:-wx  
user:uplook01:r--  
user:uplook02:r--  
group::r-x  
group:oracle:-wx  
group:linux:rwx  
group:uplook:r--  
mask::rwx  
other::r-x  
   
#取消权限 -x  
[root@serv01 learning]# setfacl -x g:linux data/  
[root@serv01 learning]# getfacl data/  
# file: data/  
# owner: root  
# group: root  
user::rwx  
user:linux01:rwx  
user:linux02:rwx  
user:oracle01:-wx  
user:oracle02:-wx  
user:uplook01:r--  
user:uplook02:r--  
group::r-x  
group:oracle:-wx  
group:uplook:r--  
mask::rwx  
other::r-x  
   
#移除所有的文件权限控制 -b  
[root@serv01 learning]# setfacl -b data/  
[root@serv01 learning]# getfacl data/  
# file: data/  
# owner: root  
# group: root  
user::rwx  
group::r-x  
other::r-x  
   
setfacl -m u:用户名:rwx data/    或    setfacl -m g:组名:rwx data/  
setfacl -m m:rwx data/  
setfacl -x u:用户名 data/    或    setfacl -x g:组名 data/  
setfacl -b data/  
getfacl data/  
   
#文件权限可以复制,通过getfacl和setfacl控制(--set-file 会用读入的ACL整体替换目标文件现有的ACL)  
[root@larrywen soft]# setfacl --help  
setfacl 2.2.49 -- set file access control lists  
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ...} file ...  
  -m, --modify=acl        modify the current ACL(s) of file(s)  
  -M, --modify-file=file  read ACL entries to modify from file  
  -x, --remove=acl        remove entries from the ACL(s) of file(s)  
  -X, --remove-file=file  read ACL entries to remove from file  
  -b, --remove-all        remove all extended ACL entries  
  -k, --remove-default    remove the default ACL  
      --set=acl           set the ACL of file(s), replacing the current ACL  
      --set-file=file     read ACL entries to set from file  
      --mask              do recalculate the effective rights mask  
  -n, --no-mask           don't recalculate the effective rights mask  
  -d, --default           operations apply to the default ACL  
  -R, --recursive         recurse into subdirectories  
  -L, --logical           logical walk, follow symbolic links  
  -P, --physical          physical walk, do not follow symbolic links  
      --restore=file      restore ACLs (inverse of `getfacl -R')  
      --test              test mode (ACLs are not modified)  
  -v, --version           print version and exit  
  -h, --help              this help text  
   
[root@serv01 test]# touch aa01.txt  
[root@serv01 test]# getfacl aa01.txt  
# file: aa01.txt  
# owner: root  
# group: root  
user::rw-  
group::r--  
other::r--  
[root@serv01 test]# setfacl -m g:linux:rwx aa01.txt  
[root@serv01 test]# getfacl aa01.txt  
# file: aa01.txt  
# owner: root  
# group: root  
user::rw-  
group::r--  
group:linux:rwx  
mask::rwx  
other::r--  
   
[root@serv01 test]# touch bb01.txt  
[root@serv01 test]# getfacl bb01.txt  
# file: bb01.txt  
# owner: root  
# group: root  
user::rw-  
group::r--  
other::r--  
   
[root@serv01 test]# getfacl aa01.txt|setfacl --set-file=- bb01.txt  
[root@serv01 test]# getfacl bb01.txt  
# file: bb01.txt  
# owner: root  
# group: root  
user::rw-  
group::r--  
group:linux:rwx  
mask::rwx  
other::r--  
 
