What are POSIX ACLs in Linux?
Among the challenges of administering Linux in the modern business environment is the expectation that we can and should manage who has access to what information. Once upon a time, the only folks who needed access to Linux filesystems could be categorized in a general way, through Linux filesystem permissions.

Reviewing the basics

The Linux filesystem gives us three types of permissions. Here is a simplified review:
With these permissions, we can grant three (actually five, but we’ll get to that in a minute) types of access:
These levels of access are often adequate in many cases. Say that you have a directory where files from the accounting department live. You might set these permissions to:
The accounting service user (the user owner) can read and write to the directory, and members of the

So, we might change the permissions to this:
Note: You can also use special permissions to control settings like who actually owns new files created in that directory, as well as the sticky bit, which controls whether members of the group can delete each other's files. However, that's outside the scope of this discussion.

Viewing the current ACL

What if you have an accounting intern (Kenny) who needs to be able to read certain files (or even just the files owned by Fred, his manager)? Or maybe people in the sales department also need access to the

ACLs allow us to apply a more specific set of permissions to a file or directory without (necessarily) changing the base ownership and permissions. They let us "tack on" access for other users or groups. We can view the current ACL using the
We can see that right now, there are no ACLs on this directory, because the only permissions listed are for the user, group, and other. In this case, that's to be expected, because I just created this directory in the lab and haven't done anything other than assigning ownership. So, let's start by adding a default ACL:

Setting an ACL

The syntax for setting an ACL looks like this:
The 'action' would be
After which we can now see the default ACL info for that directory:
What if Fred creates a file in that directory?
What happens if Kenny tries to create a file? You may be able to guess that because
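As an added illustration of what a default ACL does to objects created under the directory, the following Python is a model written for this page (not code from the article, the acl package or the kernel) of the object-creation rules in acl(5): the new object's access ACL is copied from the parent's default ACL; the user::, mask:: (or group::, when there is no mask) and other:: entries are intersected with the mode bits the creating call asked for; the umask is ignored; and a new directory also inherits the default ACL as its own default ACL. The accounting directory's default ACL used below is constructed for the example and grants Kenny read access to whatever Fred creates there.

```python
# Added example, not code from the article: a model of POSIX default ACL
# inheritance following acl(5), "Object creation and default ACLs".
# The ACL entries and user names below are constructed for the example.

R, W, X = 4, 2, 1

def perms(text):
    """'r-x' -> 5: turn getfacl-style permission text into a bitmask."""
    return (R if text[0] == "r" else 0) | (W if text[1] == "w" else 0) | (X if text[2] == "x" else 0)

def rwx(bits):
    """5 -> 'r-x': the reverse of perms()."""
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")

def inherit(default_acl, mode, is_dir):
    """ACL of a new object created inside a directory that has a default ACL.

    default_acl: list of (tag, qualifier, 'rwx') tuples; qualifier is None for
                 the user::, group::, mask:: and other:: entries.
    mode:        the mode the creating call asks for (0o666 is what most
                 programs pass for files, 0o777 is what mkdir passes).
    Returns (access_acl, default_acl_of_new_object). The umask is not applied;
    instead user::, mask:: (or group:: when no mask exists) and other:: are
    ANDed with the owner, group and other bits of mode. Named user and group
    entries are copied unchanged (the mask limits them). Only directories
    inherit the default ACL as their own default ACL.
    """
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    access = []
    for tag, qualifier, text in default_acl:
        bits = perms(text)
        if tag == "user" and qualifier is None:
            bits &= owner_bits
        elif tag == "mask" or (tag == "group" and qualifier is None and not has_mask):
            bits &= group_bits
        elif tag == "other":
            bits &= other_bits
        access.append((tag, qualifier, rwx(bits)))
    return access, (list(default_acl) if is_dir else None)

def getfacl_text(acl):
    """Render an access ACL the way getfacl prints it, including the
    '#effective:' note getfacl adds when the mask cuts an entry down."""
    mask = next((perms(text) for tag, _, text in acl if tag == "mask"), None)
    lines = []
    for tag, qualifier, text in acl:
        line = f"{tag}:{qualifier or ''}:{text}"
        in_group_class = tag == "group" or (tag == "user" and qualifier is not None)
        if mask is not None and in_group_class and (perms(text) & mask) != perms(text):
            line += f"\t\t#effective:{rwx(perms(text) & mask)}"
        lines.append(line)
    return "\n".join(lines)

# Constructed: the accounting directory's default ACL after something like
# 'setfacl -d -m u:kenny:r-x' (Kenny, the intern, may read what is created here).
ACCOUNTING_DEFAULT = [
    ("user", None, "rwx"),
    ("user", "kenny", "r-x"),
    ("group", None, "rwx"),
    ("mask", None, "rwx"),
    ("other", None, "---"),
]

if __name__ == "__main__":
    file_acl, _ = inherit(ACCOUNTING_DEFAULT, 0o666, is_dir=False)
    print("# file Fred creates with mode 0666:")
    print(getfacl_text(file_acl))
    dir_acl, dir_default = inherit(ACCOUNTING_DEFAULT, 0o777, is_dir=True)
    print("# subdirectory (mode 0777) inherits the default ACL too:", dir_default == ACCOUNTING_DEFAULT)
```

The point to notice is the mask: a file created with the usual 0666 gets mask::rw-, so Kenny's inherited r-x entry is effectively r-- (getfacl prints this as "#effective:r--"), while a subdirectory created with 0777 keeps the full default and passes it on.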
So far so good. But what if we don’t want this user to create files in the

We can set Kenny’s access on the
Now we make Kenny his own folder, give him ownership, and then make the
You've created a folder within the
Note that because the folder is owned by
the
What if we didn’t want anyone to see what Kenny is working on?
Note: When we want to set a group ACL, we need to specify this by putting

We still have to remove the base permissions for the group owner so that the rest of the accounting team can’t snoop into Kenny’s reports:
Now we can manage who else can see or write to Kenny’s folder without changing the ownership. Let’s give the CEO (Lisa, who is not a member of the accounting team, and won’t have access to the rest of the folder) access to Kenny’s stuff:
Note again that the group owner permissions remain wide open, but the accounting group (which is still the owner), no longer has access to that folder. So, who owns it?
This part is tricky. It’s useful to know that we can take away the owner’s permissions without changing ownership, but you might want to consider whether this is the result you want.

Conclusion

So these are the basics. ACLs can be confusing, so I encourage you to give the man pages for
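To make the "so, who owns it?" question from the walkthrough concrete, the following Python is an added model written for this page (not code from the article, the acl package or the kernel) of two things that walkthrough relies on: how setfacl -m recalculates the mask entry, and the order in which acl(5) checks the owner entry, named users, group entries and other. It shows why ls -l still prints an open-looking group column after group:: has been set to ---: that column is the mask, which Lisa's named entry keeps at r-x, while the owning group itself gets nothing. The users, groups and folder ACL are constructed.

```python
# Added example, not code from the article: a model of the acl(5) access check
# and of how 'setfacl -m' recalculates the mask entry. The users, groups and
# the folder's ACL below are constructed to follow the article's walkthrough.

R, W, X = 4, 2, 1

def perms(text):
    """'r-x' -> 5"""
    return (R if text[0] == "r" else 0) | (W if text[1] == "w" else 0) | (X if text[2] == "x" else 0)

def rwx(bits):
    """5 -> 'r-x'"""
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")

def set_entry(acl, tag, qualifier, text):
    """Model of 'setfacl -m tag:qualifier:perms'.

    acl is a dict {(tag, qualifier): bits}; qualifier None stands for the
    user::, group::, mask:: and other:: entries. After the entry is set, the
    mask is recalculated as the union of the owning group and every named user
    and group entry, which is what setfacl does unless -n is given.
    """
    acl[(tag, qualifier)] = perms(text)
    has_named = any(q is not None for (t, q) in acl if t in ("user", "group"))
    if has_named:
        mask = 0
        for (t, q), bits in acl.items():
            if t == "group" or (t == "user" and q is not None):
                mask |= bits
        acl[("mask", None)] = mask
    return acl

def ls_mode(acl):
    """The nine permission characters 'ls -l' prints. With a mask present, the
    group column shows the mask, not the owning group's own entry."""
    group_column = acl.get(("mask", None), acl[("group", None)])
    return rwx(acl[("user", None)]) + rwx(group_column) + rwx(acl[("other", None)])

def check_access(acl, owner, owner_group, user, groups, want):
    """acl(5) access check, in order: owner entry, named user entry, then every
    matching group entry (owning group or named), then other. Named user and all
    group entries are limited by the mask; user:: and other:: are not."""
    mask = acl.get(("mask", None))

    def masked(bits):
        return bits if mask is None else bits & mask

    if user == owner:
        return (acl[("user", None)] & want) == want
    if ("user", user) in acl:
        return (masked(acl[("user", user)]) & want) == want
    candidates = []
    if owner_group in groups:
        candidates.append(acl[("group", None)])
    candidates += [bits for (t, q), bits in acl.items() if t == "group" and q in groups]
    if candidates:
        # Any matching group entry that carries the requested bits grants access.
        return any((masked(bits) & want) == want for bits in candidates)
    return (acl[("other", None)] & want) == want

def kenny_folder():
    """Constructed: accounting/kenny is owned by kenny:accounting with mode 770.
    Lisa (not in accounting) is granted read access, then the owning group's
    base permissions are removed so the rest of accounting cannot read it."""
    acl = {("user", None): perms("rwx"), ("group", None): perms("rwx"), ("other", None): perms("---")}
    set_entry(acl, "user", "lisa", "r-x")   # setfacl -m u:lisa:r-x accounting/kenny
    set_entry(acl, "group", None, "---")    # setfacl -m g::--- accounting/kenny
    return acl

if __name__ == "__main__":
    acl = kenny_folder()
    print("ls -l shows", ls_mode(acl) + "+", "(the group column is the mask)")
    for who, groups in [("kenny", {"accounting"}), ("fred", {"accounting"}),
                        ("lisa", {"executives"}), ("guest", {"guest"})]:
        print(f"{who}: read={check_access(acl, 'kenny', 'accounting', who, groups, R)}")
```

Note that ls -l reports rwxr-x---+ for the folder even though Fred, a member of the owning group, is denied: the r-x in the group column is the mask that Lisa's entry needs, not a grant to the accounting group. Ownership (kenny:accounting) never changed; only the owning group's entry did.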