2. 软件开发
    3. LINUX定义默认ACL控制策略

    LINUX定义默认ACL控制策略

    xiaoxiao2022-07-03  126

    问题 1)为目录 /public/ 设置ACL策略,使用户gelin01具有rwx权限 2)在 /public/ 下创建子目录gdir1、文件gfile1,分别查看其ACL策略 3)为目录 /public/ 设置可继承权限为“用户ht02具有rwx权限” 4)在 /public/ 下创建子目录gdir2、文件gfile2,分别查看其ACL策略 5)以用户ht02登入,做以下测试: 6)对/public/目录是否有写入权限 7)对/public/下的gdir2和gfile2是否有写入权限 8)对/public/下的gdir1和gfile1是否有写入权限 方案 ACL默认策略,是一个可以继承的ACL策略。但需注意的是默认策略对目录本身是没有生效的,对于子目录子文件才开始生效。 步骤 实现此案例需要按照如下步骤进行。 步骤一:为目录 /public/ 设置ACL策略,使用户gelin01具有rwx权限 命令操作如下所示:

    [root@localhost ~]# id gelin01 //测试是否有gelin01用户 uid=501(gelin01) gid=501(gelin01) 组=501(gelin01),502(tarena) [root@localhost ~]# mkdir /public //创建目录 [root@localhost ~]# getfacl /public //查看ACL策略 getfacl: Removing leading '/' from absolute path names # file: public/ # owner: root # group: root user::rwx group::r-x other::r-x [root@localhost ~]# setfacl -m u:gelin01:rwx /public //设置ACL策略 [root@localhost ~]# getfacl /public //查看ACL策略 getfacl: Removing leading '/' from absolute path names # file: public/ # owner: root # group: root user::rwx user:gelin01:rwx group::r-x mask::rwx other::r-x

    步骤二:在 /public/ 下创建子目录gdir1、文件gfile1,分别查看其ACL策略 命令操作如下所示:

    [root@localhost ~]# mkdir /public/gdir1 [root@localhost ~]# touch /public/gfile1 [root@localhost ~]# getfacl /public/gdir1/ getfacl: Removing leading '/' from absolute path names # file: public/gdir1/ # owner: root # group: root user::rwx group::r-x other::r-x [root@localhost ~]# getfacl /public/gfile1 getfacl: Removing leading '/' from absolute path names # file: public/gfile1 # owner: root # group: root user::rw- group::r-- other::r-- [root@localhost ~]#

    步骤三:为目录 /public/ 设置可继承权限为“用户ht02具有rwx权限” 命令操作如下所示:

    [root@localhost ~]# id ht02 //查看ht02用户是否存在 id: ht02:无此用户 [root@localhost ~]# useradd ht02 //创建ht02用户 [root@localhost ~]# getfacl /public/ getfacl: Removing leading '/' from absolute path names # file: public/ # owner: root # group: root user::rwx user:gelin01:rwx group::r-x mask::rwx other::r-x [root@localhost ~]# setfacl -dm u:ht02:rwx /public //设置默认可继承ACL权限 [root@localhost ~]# getfacl /public/ getfacl: Removing leading '/' from absolute path names # file: public/ # owner: root # group: root user::rwx user:gelin01:rwx group::r-x mask::rwx other::r-x default:user::rwx default:user:ht02:rwx default:group::r-x default:mask::rwx default:other::r-x [root@localhost ~]#

    步骤四:在 /public/ 下创建子目录gdir2、文件gfile2,分别查看其ACL策略 命令操作如下所示:

    [root@localhost ~]# mkdir /public/gdir2 [root@localhost ~]# touch /public/gfile2 [root@localhost ~]# getfacl /public/gdir2 getfacl: Removing leading '/' from absolute path names # file: public/gdir2 # owner: root # group: root user::rwx user:ht02:rwx group::r-x mask::rwx other::r-x default:user::rwx default:user:ht02:rwx default:group::r-x default:mask::rwx default:other::r-x [root@localhost ~]# getfacl /public/gfile2 getfacl: Removing leading '/' from absolute path names # file: public/gfile2 # owner: root # group: root user::rw- user:ht02:rwx #effective:rw- group::r-x #effective:r-- mask::rw- other::r--

    步骤五:以用户ht02登入,测试 切换目录身份,命令操作如下所示:

    [root@localhost ~]# su - ht02 [ht02@localhost ~]$

    对/public/目录是否有写入权限,命令操作如下所示:

    [ht02@localhost ~]$ mkdir /public/htdir mkdir: 无法创建目录"/public/htdir": 权限不够 [ht02@localhost ~]$ getfacl /public/ getfacl: Removing leading '/' from absolute path names # file: public/ # owner: root # group: root user::rwx user:gelin01:rwx group::r-x mask::rwx other::r-x default:user::rwx default:user:ht02:rwx default:group::r-x default:mask::rwx default:other::r-x [ht02@localhost ~]$

    分析: 从这可以看出默认权限对目录本身没有生效,对子目录才开始继承生效。 对/public/下的gdir2和gfile2是否有写入权限,命令操作如下所示:

    [ht02@localhost ~]$ mkdir /public/gdir2/htdir [ht02@localhost ~]$ getfacl /public/gdir2/ getfacl: Removing leading '/' from absolute path names # file: public/gdir2/ # owner: root # group: root user::rwx user:ht02:rwx group::r-x mask::rwx other::r-x default:user::rwx default:user:ht02:rwx default:group::r-x default:mask::rwx default:other::r-x [ht02@localhost ~]$ ls -ld /public/gdir2/htdir/ //创建成功 drwxrwxr-x+ 2 ht02 ht02 4096 2月 27 16:53 /public/gdir2/htdir/ [ht02@localhost ~]$ getfacl /public/gfile2 getfacl: Removing leading '/' from absolute path names # file: public/gfile2 # owner: root # group: root user::rw- user:ht02:rwx #effective:rw- group::r-x #effective:r-- mask::rw- other::r-- [ht02@localhost ~]$ [ht02@localhost ~]$ echo 123456 > /public/gfile2 //测试写入 [ht02@localhost ~]$ cat /public/gfile2 123456

    对/public/下的gdir1和gfile1是否有写入权限,命令操作如下所示:

    [ht02@localhost ~]$ getfacl /public/gdir1 //可以看到ht02没有呢ACL权限 getfacl: Removing leading '/' from absolute path names # file: public/gdir1 # owner: root # group: root user::rwx group::r-x other::r-x [ht02@localhost ~]$ mkdir /public/gdir1/htdir mkdir: 无法创建目录"/public/gdir1/htdir": 权限不够 [ht02@localhost ~]$ getfacl /public/gfile1 //可以看到ht02没有呢ACL权限 getfacl: Removing leading '/' from absolute path names # file: public/gfile1 # owner: root # group: root user::rw- group::r-- other::r-- [ht02@localhost ~]$ echo 123456 > /public/gfile1 -bash: /public/gfile1: 权限不够 [ht02@localhost ~]$
    最新回复(0)