ACL stands for Access Control List. Its main purpose is to allow concrete permission settings beyond the traditional owner, group and others read, write and execute permissions. An ACL can control the r, w and x permissions of a single user on a single file or directory, which helps in situations that call for special permissions; for example, a particular file can be made inaccessible to one specific user.
ACLs are managed with two commands:
getfacl: retrieve the ACL entries of a file or directory
setfacl: set the ACL entries of a file or directory
Use the -h option to check the usage of the getfacl and setfacl commands.
[root@xxx~]# getfacl -h
getfacl 2.2.39 -- get file access control lists
Usage: getfacl [-dRLPvh] file ...
--access display the file access control list only
-d, --default display the default access control list only
--omit-header do not display the comment header
--all-effective print all effective rights
--no-effective print no effective rights
--skip-base skip files that only have the base entries
-R, --recursive recurse into subdirectories
-L, --logical logical walk, follow symbolic links
-P --physical physical walk, do not follow symbolic links
--tabular use tabular output format
--numeric print numeric user/group identifiers
--absolute-names don't strip leading '/' in pathnames
-v, --version print version and exit
-h, --help this help text
[root@xxx~]# setfacl -h
setfacl 2.2.39 -- set file access control lists
Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ...
-m, --modify=acl modify the current ACL(s) of file(s)
-M, --modify-file=file read ACL entries to modify from file
-x, --remove=acl remove entries from the ACL(s) of file(s)
-X, --remove-file=file read ACL entries to remove from file
-b, --remove-all remove all extended ACL entries
-k, --remove-default remove the default ACL
--set=acl set the ACL of file(s), replacing the current ACL
--set-file=file read ACL entries to set from file
--mask do recalculate the effective rights mask
-n, --no-mask don't recalculate the effective rights mask
-d, --default operations apply to the default ACL
-R, --recursive recurse into subdirectories
-L, --logical logical walk, follow symbolic links
-P, --physical physical walk, do not follow symbolic links
--restore=file restore ACLs (inverse of `getfacl -R')
--test test mode (ACLs are not modified)
-v, --version print version and exit
-h, --help this help text
The two commands are tried out as follows.
As the root user, create the directory 11:
mkdir 11
Use the setfacl command to set the ACL:
[root@xxx ]# setfacl -m u:us11:rw 11
Now user us11 can enter this directory normally.
Query the result with getfacl:
[root@xxx us11]# getfacl 11
# file: 11
# owner: root
# group: root
user::rwx
user:us11:rw-
group::r-x
mask::rwx
other::---
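As an added example (not from the original page), the following Python parses a getfacl listing in the format shown above, applies the mask:: entry to compute each entry's effective rights, and runs the simplified POSIX ACL access check (owner, then named user, then matching group entries, then other) for a given user. SAMPLE_GETFACL is a constructed copy of the listing above; the function names are assumptions of this example.

```python
# Constructed copy of the getfacl listing shown above for directory 11.
SAMPLE_GETFACL = """\
# file: 11
# owner: root
# group: root
user::rwx
user:us11:rw-
group::r-x
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, entries); each entry is a (tag, qualifier, perms) tuple."""
    header, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):  # comment header: file, owner, group
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
        elif line:  # first token only, so a trailing '#effective:...' annotation is dropped
            tag, qualifier, perms = line.split()[0].split(":", 2)
            entries.append((tag, qualifier, perms))
    return header.get("owner"), header.get("group"), entries

def effective_rights(entries):
    """Apply mask:: to named users, named groups and the owning group; owner and other are unmasked."""
    mask = next((set(p) - {"-"} for t, _, p in entries if t == "mask"), None)
    eff = {}
    for tag, qual, perms in entries:
        p = set(perms) - {"-"}
        if mask is not None and (tag == "group" or (tag == "user" and qual)):
            p &= mask
        eff[f"{tag}:{qual}"] = "".join(c if c in p else "-" for c in "rwx")
    return eff

def can_access(text, user, groups, wanted):
    """Simplified POSIX ACL check: owner, then named user, then matching group entries, then other."""
    owner, owning_group, entries = parse_getfacl(text)
    eff, need = effective_rights(entries), set(wanted)
    if user == owner:
        return need <= set(eff["user:"])
    if f"user:{user}" in eff:
        return need <= set(eff[f"user:{user}"])
    matches = [eff["group:"]] if owning_group in groups else []
    matches += [eff[f"group:{g}"] for g in groups if f"group:{g}" in eff]
    if matches:  # a user in several groups is granted if any matching entry covers the request
        return any(need <= set(m) for m in matches)
    return need <= set(eff["other:"])
```

Run against the listing above, the check grants us11 "rw" but denies "x", and on a directory the x bit is what permits entering it; narrowing the mask (for example to r--) shows how a mask recalculation silently reduces a named user's effective rights even though the user:us11 entry itself still reads rw-.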