rhel4 acl

Posted on 2006-04-02 20:53

Files and directories have a set of permissions for the file's owner, the group associated with the file, and all other users. However, these permissions have limitations. For example, different permissions cannot be granted to different users. Therefore, access control lists were implemented.
The rhel4 kernel provides support for the ext3 file system and NFS file systems; ext3 file systems accessed via Samba are of course recognized as well.
Along with the kernel support, the acl rpm package is required to implement ACLs; it contains utilities to add, modify, remove and retrieve ACL information.
The cp and mv commands copy and move all ACL information of files and directories.
Chapter 14. Access Control Lists
Files and directories have permission sets for the owner of the file, the group associated with the file, and all other users for the system. However, these permission sets have limitations. For example, different permissions cannot be configured for different users. Thus, Access Control Lists (ACLs) were implemented.
The Red Hat Enterprise Linux 4 kernel provides ACL support for the ext3 file system and NFS-exported file systems. ACLs are also recognized on ext3 file systems accessed via Samba.
Along with support in the kernel, the acl package is required to implement ACLs. It contains the utilities used to add, modify, remove, and retrieve ACL information.
The cp and mv commands copy or move any ACLs associated with files and directories.
14.1. Mounting File Systems
Before using ACLs for a file or directory, the partition for the file or directory must be mounted with ACL support. If it is a local ext3 file system, it can be mounted with the following command:
mount -t ext3 -o acl  
For example:
mount -t ext3 -o acl /dev/VolGroup00/LogVol02 /work
Alternatively, if the partition is listed in the /etc/fstab file, the entry for the partition can include the acl option:
LABEL=/work      /work       ext3    acl        1 2
If an ext3 file system is accessed via Samba and ACLs have been enabled for it, the ACLs are recognized because Samba has been compiled with the --with-acl-support option. No special flags are required when accessing or mounting a Samba share.
14.1.1. NFS
By default, if the file system being exported by an NFS server supports ACLs and the NFS client can read ACLs, ACLs are utilized by the client system.
To disable ACLs on NFS shares when configuring the server, include the no_acl option in the /etc/exports file. To disable ACLs on an NFS share when mounting it on a client, mount it with the no_acl option via the command line or the /etc/fstab file.
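The mount-time conditions in 14.1 and 14.1.1 can be audited from the configuration files themselves. The following Python script is an added example, not part of the RHEL 4 manual or this post: it parses constructed /etc/fstab and /etc/exports contents (the host name nfsserver, the paths and the client specs are made up) and reports which ext3 mounts lack the acl option, which NFS mounts carry no_acl, and which exports disable ACLs for a client.

```python
"""Audit /etc/fstab and /etc/exports for ACL support.
Added example, not part of the RHEL 4 manual or this post. Rules follow the
text above: ext3 honours ACLs only with the 'acl' mount option, an NFS mount
honours them unless mounted with 'no_acl', and an export can disable them
with 'no_acl' in a client's options. Both file contents are constructed.
"""
import re

# Constructed fstab: 'nfsserver' and the paths are placeholders.
SAMPLE_FSTAB = """\
LABEL=/work             /work   ext3    acl         1 2
LABEL=/                 /       ext3    defaults    1 1
nfsserver:/export/data  /data   nfs     rw,no_acl   0 0
nfsserver:/export/home  /home   nfs     rw          0 0
# proc and swap entries omitted
"""

# Constructed exports file as seen on the NFS server.
SAMPLE_EXPORTS = """\
/export/data   *(rw,no_acl)
/export/home   192.168.0.0/24(rw) admin.example.com(rw,no_root_squash)
"""

def fstab_acl_status(fstab_text):
    """Map each ext3 or nfs mount point to True when ACLs will be honoured.
    Other file system types are skipped (the manual covers ext3 and NFS)."""
    status = {}
    for raw in fstab_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                   # a valid entry has at least 4 fields
        _device, mountpoint, fstype, options = fields[:4]
        opts = set(options.split(","))
        if fstype == "ext3":
            status[mountpoint] = "acl" in opts
        elif fstype == "nfs":
            status[mountpoint] = "no_acl" not in opts
    return status

def mounts_without_acl(fstab_text):
    """Sorted mount points whose ACLs would be silently ignored."""
    return sorted(m for m, ok in fstab_acl_status(fstab_text).items() if not ok)

def exports_acl_disabled(exports_text):
    """Map each export path to the client specs that carry 'no_acl'."""
    disabled = {}
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        path, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        clients = [m.group(1) for m in re.finditer(r"(\S+?)\(([^)]*)\)", rest)
                   if "no_acl" in m.group(2).split(",")]
        if clients:
            disabled[path] = clients
    return disabled

if __name__ == "__main__":
    print("ACLs ignored on:", mounts_without_acl(SAMPLE_FSTAB))
    print("exports with ACLs disabled:", exports_acl_disabled(SAMPLE_EXPORTS))
```

On the sample input the script reports / and /data as mount points where any ACL set by setfacl would be stored (or exported) but never enforced, which is the failure mode worth checking before relying on ACLs for access control.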
14.2. Setting Access ACLs
There are two types of ACLs: access ACLs and default ACLs. An access ACL is the access control list for a specific file or directory. A default ACL can only be associated with a directory; if a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory. Default ACLs are optional.
ACLs can be configured:

  • Per user

  • Per group

  • Via the effective rights mask

  • For users not in the user group for the file
The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:
setfacl -m  
Rules () must be specified in the following formats. Multiple rules can be specified in the same command if they are separated by commas.
u::
Sets the access ACL for a user. The user name or UID may be specified. The user may be any valid user on the system.
g::
Sets the access ACL for a group. The group name or GID may be specified. The group may be any valid group on the system.
m:
Sets the effective rights mask. The mask is the union of all permissions of the owning group and all of the user and group entries.
o:
Sets the access ACL for users other than the ones in the group for the file.
White space is ignored. Permissions () must be a combination of the characters r, w, and x for read, write, and execute.
If a file or directory already has an ACL, and the setfacl command is used, the additional rules are added to the existing ACL or the existing rule is modified.
For example, to give read and write permissions to user andrius:
setfacl -m u:andrius:rw /project/somefile
To remove all the permissions for a user, group, or others, use the -x option and do not specify any permissions:
setfacl -x  
For example, to remove all permissions from the user with UID 500:
setfacl -x u:500 /project/somefile
14.3. Setting Default ACLs
To set a default ACL, add d: before the rule and specify a directory instead of a file name.
For example, to set the default ACL for the /share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
setfacl -m d:o:rx /share
14.4. Retrieving ACLs
To determine the existing ACLs for a file or directory, use the getfacl command:
getfacl
It returns output similar to the following:
# file: file
# owner: andrius
# group: andrius
user::rw-
user:smoore:r--
group::r--
mask::r--
other::r--
If a directory is specified, and it has a default ACL, the default ACL is also displayed such as:
# file: file
# owner: andrius
# group: andrius
user::rw-
user:smoore:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:andrius:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
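The listings above are what an auditor reads, but two rules from sections 14.2 to 14.4 are easy to misjudge by eye: the mask entry (m:) caps what named users, named groups and the owning group actually get, and a default ACL is inherited by new objects with the creation mode ANDed in, so a default:user:andrius:rwx entry does not give andrius execute on a new regular file. The following Python script is an added example, not from the RHEL 4 manual or the acl package: it parses getfacl output, computes the effective rights after the mask, and derives the access ACL a new file or subdirectory would receive under a directory with a default ACL (the rule from acl(5)). Both sample listings are constructed; the first repeats the directory listing shown above, the second shows a user entry cut down by a narrower mask, which getfacl marks with a trailing #effective: note.

```python
"""Parse getfacl(1) output, apply the effective rights mask, and derive the
access ACL a new object inherits from a directory's default ACL.
Added example, not from the RHEL 4 manual or the acl package; both sample
listings below are constructed (the first repeats the section 14.4 listing)."""
PERM_BITS = {"r": 4, "w": 2, "x": 1}
SAMPLE_WITH_DEFAULT = """\
# file: share
# owner: andrius
# group: andrius
user::rw-
user:smoore:r--
group::r--
mask::r--
other::r--
default:user::rwx
default:user:andrius:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

# Mask (r--) narrower than smoore's entry (rw-); getfacl adds '#effective:'.
SAMPLE_MASKED = """\
# file: report.txt
# owner: andrius
# group: andrius
user::rw-
user:smoore:rw-\t\t#effective:r--
group::r--
mask::r--
other::r--
"""

def perms_to_bits(perms):
    """'rw-' -> 6, 'r-x' -> 5, '---' -> 0."""
    bits = 0
    for ch in perms:
        if ch in PERM_BITS:
            bits |= PERM_BITS[ch]
        elif ch != "-":
            raise ValueError("bad permission character %r" % ch)
    return bits

def bits_to_perms(bits):
    """6 -> 'rw-'."""
    return "".join(ch if bits & b else "-" for ch, b in PERM_BITS.items())

def parse_getfacl(text):
    """Return (access, default): lists of (tag, qualifier, bits). An empty
    qualifier on a user/group entry means the owner / owning group."""
    access, default = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue                            # '# file:' style header lines
        line = raw.split("#", 1)[0].strip()     # drop a '#effective:' note
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":")  # ValueError if malformed
        target.append((tag, qualifier, perms_to_bits(perms)))
    return access, default

def effective_rights(entries):
    """Map 'tag:qualifier' to the rights actually granted. Named users, named
    groups and the owning group are limited by the mask; the owner and
    'other' are not. The mask entry is not a principal and is omitted."""
    mask = next((b for t, _, b in entries if t == "mask"), None)
    rights = {}
    for tag, qualifier, bits in entries:
        if tag == "mask":
            continue
        if mask is not None and (tag == "group" or qualifier != ""):
            bits &= mask
        rights["%s:%s" % (tag, qualifier)] = bits
    return rights

def initial_access_acl(default_entries, create_mode):
    """Access ACL a new object gets under a directory with a default ACL, per
    acl(5): owner entry ANDed with the owner bits of the creation mode, mask
    (or owning group when there is no mask) with the group bits, 'other' with
    the other bits; named entries are kept as-is and the umask is not applied.
    Files are normally created with mode 0666, directories with 0777."""
    owner_bits, group_bits, other_bits = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    has_mask = any(t == "mask" for t, _, _ in default_entries)
    result = []
    for tag, qualifier, bits in default_entries:
        if (tag, qualifier) == ("user", ""):
            bits &= owner_bits
        elif tag == "mask" or ((tag, qualifier) == ("group", "") and not has_mask):
            bits &= group_bits
        elif tag == "other":
            bits &= other_bits
        result.append((tag, qualifier, bits))
    return result

if __name__ == "__main__":
    _, default = parse_getfacl(SAMPLE_WITH_DEFAULT)
    for tag, qualifier, bits in initial_access_acl(default, 0o666):
        print("new file under share: %s:%s:%s" % (tag, qualifier, bits_to_perms(bits)))
    masked, _ = parse_getfacl(SAMPLE_MASKED)
    print("smoore on report.txt:", bits_to_perms(effective_rights(masked)["user:smoore"]))
```

Run against the first listing, a new regular file under share ends up with user:andrius:rwx but mask::rw-, so andrius effectively gets rw-, and the owning group's r-x becomes r-- in effect; a new subdirectory keeps rwx. The second listing shows why getfacl's #effective: column matters when reviewing access: chmod on the group bits rewrites the mask, so a named user's entry can be narrowed without the entry itself changing.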
14.5. Archiving File Systems With ACLs

Warning

The tar and dump commands do not back up ACLs.
The star utility is similar to the tar utility in that it can be used to generate archives of files; however, some of its options are different. Refer to Table 14-1 for a listing of more commonly used options. For all available options, refer to the star man page. The star package is required to use this utility.

Option   Description
-c       Creates an archive file.
-n       Do not extract the files; use in conjunction with -x to show what extracting the files does.
-r       Replaces files in the archive. The files are written to the end of the archive file, replacing any files with the same path and file name.
-t       Displays the contents of the archive file.
-u       Updates the archive file. The files are written to the end of the archive if they do not exist in the archive or if the files are newer than the files of the same name in the archive. This option only works if the archive is a file or an unblocked tape that may backspace.
-x       Extracts the files from the archive. If used with -U and a file in the archive is older than the corresponding file on the file system, the file is not extracted.
-help    Displays the most important options.
-xhelp   Displays the least important options.
-/       Do not strip leading slashes from file names when extracting the files from an archive. By default, they are stripped when files are extracted.
-acl     When creating or extracting, archive or restore any ACLs associated with the files and directories.
Table 14-1. Command Line Options for star

14.6. Compatibility with Older Systems
If an ACL has been set on any file on a given file system, that file system has the ext_attr attribute. This attribute can be seen using the following command:
tune2fs -l
A file system that has acquired the ext_attr attribute can be mounted with older kernels, but those kernels do not enforce any ACLs which have been set.
Versions of the e2fsck utility included in version 1.22 and higher of the e2fsprogs package (including the versions in Red Hat Enterprise Linux 2.1 and 4) can check a file system with the ext_attr attribute. Older versions refuse to check it.
14.7. Additional Resources
Refer to the following resources for more information.
14.7.1. Installed Documentation

  • acl man page — Description of ACLs

  • getfacl man page — Discusses how to get file access control lists

  • setfacl man page — Explains how to set file access control lists

  • star man page — Explains more about the star utility and its many options

14.7.2. Useful Websites

This article comes from the ChinaUnix blog; for the original, see: http://blog.chinaunix.net/u/7198/showart_94474.html