分享
 
 
 

使用setfacl划分权限

王朝other·作者佚名  2006-01-09
窄屏简体版  字體: |||超大  

在认识setfacl之前,对Linux文件系统细分权限这个问题一直困扰着我

使用Samba来构建Linux文件系统可谓是功能强大,凡架设过MS Windows网络的人都知道MS Windows网络的核心是SMB/CIFS,而samba也是一套基于UNIX类系统、实现SMB/CIFS协议的软件,作为UNIX的克隆,Linux也可以运行这套软件。和NT相比较,samba的文件服务功能一点也不亚于NT,效率很高,借助Linux本身,可以实现用户磁盘空间限制功能,NT到4.0版本还是无法实现这点。可是要深刻地去认识Samba并不是一天两天的事情,samba由samba小组(http;//samba.org)开发,更新速度很快,目前最高的版本是3.0.7版,每个更新版本在功能上都所增强,也修复了已知的BUG,要使用Samba强大的功能,看来需要一段时间去探究,去理解,去不断地实践,才能领略到Samba。

现在我面临的问题只要是构建文件服务器的权限细分问题,一个100多人的企业,对公司的员工的管理是非常严格的,在文件的共享,员工的资源使用,员工的权限等等都是一样。文件服务器只要是共享日常工作的文档资料,一些共用的资料,一些对部分人保密的资料,一些普通员工不允许看到的文档资料……可见,文件服务器权限的细分有多的重要。另外,公司需要共享的目录实在是太多了,如果使用samba来一个一个目录地去配置,可谓是工程浩大。

OK,现在转入正题。我使用的系统是RedHat Enterpise Linux 3.0 Up3,价钱可性能方面,不用说我想大家也知道了。我做之前,其实我也考虑过使用samba来细分文件共享的权限,但是由于时间的问题,在紧急的关头,我发现了setfacl这个功能。

在使用setfacl之前,首先要检查系统的内核是否支持setfacl啦,另外还需要编辑/etc/fstab文件,对需要setfacl的分区激活acl的功能。

ACL 有两种:存取 ACL(access ACLs)和默认 ACL(default ACLs)。存取 ACL 是对指定文件或目录的存取控制列表。默认 ACL 只能和目录相关。如果目录中的文件没有存取 ACL,它就会使用该目录的默认 ACL。默认 ACL 是可选的。

ACL 可以按以下条件配置:

每用户

每组群

通过有效权限屏蔽

为不属于文件用户组群的用户配置

其实用户打开访问文件服务器时,他看见的只有两个共享的目录,这两个共享目录是samba共享出来的,分配给所有的用户(everyoen组)都有写的权限(rwx),由于系统的权限行前与samba的权限,所以我在系统中设置了所有用户(everyone组)只有r-x的权限,所有在共享出来的目录中,每个用户在这个目录下不能写了。

setfacl 工具为文件和目录设置 ACL。使用 -m 来添加或修改文件或目录的 ACL:

setfacl -m <rules> <files>

规则(<rules>)必须使用以下格式指定。同一条命令中可以指定多项规则,只要它们是用逗号分开即可。

u:<uid>:<perms>

为用户设置存取 ACL。用户名或 UID 必须被指定。用户可以是系统上的任何合法用户。

g:<gid>:<perms>

为组群设置存取 ACL。组群名称或 GID 必须被指定。组群可以是系统上的任何合法组群。

m:<perms>

设置有效权限屏蔽。该屏蔽是组群所有者和所有用户和组群项目的权限的合集。

o:<perms>

为文件的组群用户之外的用户设置存取 ACL。

空格被忽略。权限(<perms>)必须是代表读、写、和执行的字符(r、w、x)的组合。

如果某文件或目录已经有了一个 ACL,而 setfacl 命令仍被使用了,额外的规则就会被添加到已存在的 ACL 中,或用来修改已存在的规则。

例如,要给用户 tfox 以读写权限:

setfacl -m u:tfox:rw /project/somefile

要删除用户、组群或其它人的所有权限,使用 -x 选项,并且不指定任何权限:

setfacl -x <rules> <files>

例如,删除 UID 为 500 的用户的所有权限:

setfacl -x u:500 /project/somefile

下面要做的是对samba 共享出来的目录下的各个目录进行权限的细分,例如对于共享目录share1下有两个目录

\\samba\share1\aaa、\sambashare1bbb,其中user1和同组人(doc)对目录aaa 可以读写执行,但是只能读bbb,user2和同组人(eng)只能读bbb,不能读aaa。

首先是,所有的用户都加入到everyone组中,使用下面的命令就可以实现了:

setfacl -R -m g:everyone:r-x share1

setfacl -R -m g:doc:rwx,d:g:doc:rwx,g:everyone:--- /share1/aaa

setfacl -R -m g:doc:r-x,d:g:doc:r-x /share1/bbb

其实有很的需求都是需要具体地去拼合的,有些目录实在是太深了,对权限的细分可能有点难度,但是使用setfacl就可以对目录分得很细。

有关setfacl的用法可以参考下面的内容:

NAME setfacl - modify the Access Control List (ACL) for a file or

files

SYNOPSIS setfacl [ -r ] -s acl_entries file

setfacl [ -r ] -md acl_entries file

setfacl [ -r ] -f acl_filefile

DESCRIPTION For each file specified, setfacl will either replace its

entire ACL, including the default ACL on a directory, or it

will add, modify, or delete one or more ACL entries, includ-

ing default entries on directories.

Setting an ACL on a file also modifies the file's permission

bits. The user entry modifies the file owner permission

bits. If you don't specify a mask entry, the group entry

modifies the file group owner permission bits. If you

specify a mask entry, the file group owner permission bits

are modified based on the intersection (bitwise AND) of the

group and mask entries. The other entry modifies the other

permission bits.

If you use the chmod(1) command to change the file group

owner permissions on a file with ACL entries, both the file

group owner permissions and the ACL mask are changed to the

new permissions. Be aware that the new ACL mask permissions

may change the effective permissions for additional users

and groups who have ACL entries on the file.

A directory may contain default ACL entries. If a file or

directory is created in a directory that contains default

ACL entries, the newly created file will have permissions

generated according to the intersection of the default ACL

entries and the permissions requested at creation time. The

umask(1) will not be applied if the directory contains

default ACL entries. If a default ACL is specified for a

specific user (or users), the file will have a regular ACL

created; otherwise, only the mode bits will be initialized

according to the intersection described above. The default

ACL should be thought of as the maximum discretionary access

permissions that may be granted.

acl_entries Syntax

For the -m and -s options, acl_entries are one or more

comma-separated ACL entries.

An ACL entry consists of the following fields separated by

colons:

entry_type

Type of ACL entry on which to set file permis-

sions. For example, entry_type can be user (the

owner of a file) or mask (the ACL mask).

uid or gid

User name or user identification number. Or,

group name or group identification number.

perms Represents the permissions that are set on

entry_type. perms can be indicated by the sym-

bolic characters rwx or a number (the same per-

missions numbers used with the chmod command).

The following table shows the valid ACL entries (default

entries may only be specified for directories):

ACL Entry Description

u[ser]::perms File owner permissions.

g[roup]::perms File group owner permissions.

o[ther]:perms Permissions for users other than

the file owner or members of file

group owner.

m[ask]:perms The ACL mask. The mask entry indi-

cates the maximum permissions

allowed for users (other than the

owner) and for groups. The mask is

a quick way to change permissions

on all the users and groups.

u[ser]:uid:perms Permissions for a specific user.

For uid, you can specify either a

user name or a numeric UID.

g[roup]:gid:perms Permissions for a specific group.

For gid, you can specify either a

group name or a numeric GID.

d[efault]:u[ser]::perms Default file owner permissions.

d[efault]:g[roup]::perms Default file group owner permis-

sions.

d[efault]:o[ther]:perms Default permissions for users other

than the file owner or members of

the file group owner.

d[efault]:m[ask]:perms Default ACL mask.

d[efault]:u[ser]:uid:perms Default permissions for a specific

user. For uid, you can specify

either a user name or a numeric

UID.

d[efault]:g[roup]:gid:perms Default permissions for a specific

group. For gid, you can specify

either a group name or a numeric

GID.

For the -d option, acl_entries are one or more comma-

separated ACL entries without permissions. Note that the

entries for file owner, file group owner, ACL mask, and oth-

ers may not be deleted.

OPTIONS The options have the following meaning:

-s acl_entries

Set a file's ACL. All old ACL entries are removed and

replaced with the newly specified ACL. The entries

need not be in any specific order. They will be sorted

by the command before being applied to the file.

Required entries:

o Exactly one user entry specified for the file

owner.

o Exactly one group entry for the file group

owner.

o Exactly one other entry specified.

If there are additional user and group entries:

o Exactly one mask entry specified for the ACL

mask that indicates the maximum permissions

allowed for users (other than the owner) and

groups.

o Must not be duplicate user entries with the same

uid.

o Must not be duplicate group entries with the

same gid.

If file is a directory, the following default ACL entries

may be specified:

o Exactly one default user entry for the file

owner.

o Exactly one default group entry for the file

group owner.

o Exactly one default mask entry for the ACL mask.

o Exactly one default other entry.

There may be additional default user entries and addi-

tional default group entries specified, but there may

not be duplicate additional default user entries with

the same uid, or duplicate default group entries with

the same gid.

-m acl_entries

Add one or more new ACL entries to the file, and/or

modify one or more existing ACL entries on the file.

If an entry already exists for a specified uid or gid,

the specified permissions will replace the current

permissions. If an entry does not exist for the speci-

fied uid or gid, an entry will be created.

-d acl_entries

Delete one or more entries from the file. The entries

for the file owner, the file group owner, and others

may not be deleted from the ACL. Note that deleting an

entry does not necessarily have the same effect as

removing all permissions from the entry.

-f acl_file

Set a file's ACL with the ACL entries contained in the

file named acl_file. The same constraints on specified

entries hold as with the -s option. The entries are

not required to be in any specific order in the file.

Also, if you specify a dash '-' for acl_file, standard

input is used to set the file's ACL.

The character "#" in acl_file may be used to indicate

a comment. All characters, starting with the "#" until

the end of the line, will be ignored. Note that if the

acl_file has been created as the output of the get-

facl(1) command, any effective permissions, which will

follow a "#", will be ignored.

-r Recalculate the permissions for the ACL mask entry.

The permissions specified in the ACL mask entry are

ignored and replaced by the maximum permissions neces-

sary to grant the access to all additional user, file

group owner, and additional group entries in the ACL.

The permissions in the additional user, file group

owner, and additional group entries are left

unchanged.

EXAMPLES Example 1: Adding read permission only

The following example adds one ACL entry to file abc, which

gives user shea read permission only.

setfacl -m user:shea:r-- abc

Example 2: Replacing a file's entire ACL

The following example replaces the entire ACL for the file

abc, which gives shea read access, the file owner all

access, the file group owner read access only, the ACL mask

read/write access, and others no access.

setfacl -s user:shea:rwx,user::rwx,group::rw-,mask:r--,other:--- abc

Note that after this command, the file permission bits are

rwxr-----. Even though the file group owner was set with

read/write permissions, the ACL mask entry limits it to have

only read permissions. The mask entry also specifies the

maximum permissions available to all additional user and

group ACL entries. Once again, even though the user shea was

set with all access, the mask limits it to have only read

permissions. The ACL mask entry is a quick way to limit or

open access to all the user and group entries in an ACL. For

example, by changing the mask entry to read/write, both the

file group owner and user shea would be given read/write

access.

Example 3: Setting the same ACL on two files

The following example sets the same ACL on file abc as the

file xyz.

getfacl xyz | setfacl -f - abc

其实Linux系统中有许多功能我还没有用到,因为没有这个需求,呵呵

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有