UbuntuHelp:UbuntuLTSP/ACLSupport

From Ubuntu Chinese

This page is specific to Ubuntu version 8.04

If you find this information applicable to additional versions/releases, please edit this page and modify this header to reflect that. Please also include any necessary modifications for this information to apply to the additional versions.


Video tutorial available at http://www.youtube.com/watch?v=6piQXXHTmqk

ACLs (Access Control Lists) are a great way to give file and directory access to any number of specific users and groups, without having to mess with the standard *nix owner/group/other limitations. A great example of ACL usage is in a school environment, where there are many students, teachers, technicians, and other users/groups that want varying access to a certain file and/or directory. It's very hard to do this with the traditional owner/group/other scheme - this is where ACLs come in.

Installing ACL support in Ubuntu is easy, because most of the steps are already done for you. All you have to do is enable acl support on the partitions you want to have it on, remount said partitions, and start ACLing your heart away!

  • Just in case it's not already installed (it should be though), install ACL:
sudo apt-get install acl
  • Now that we know ACL support is installed, let's modify our /etc/fstab to add the acl flag to each partition we want activated. Use the below example *as an example* - pay attention only to the addition of the acl flag. Do not copy/paste as this is one of my own servers and not yours. :p

/etc/fstab:

...
# /dev/cciss/c0d0p1
UUID=2b226dff-bd46-450f-b431-0e35t23a76af /               ext3    defaults,errors=remount-ro,acl         0       1
  • Now let's re-mount the partition(s) to activate ACL. You must do this for each partition you are enabling ACL support for. Warning: I have remounted my root partition without issue multiple times using this method, but YMMV. Do so at your own risk.
sudo mount / -o remount
  • Awesome. Now we have ACL support! Let's do some testing. Let's change to our home directory and create some files/directories, as well as set the normal Unix permission bits so only the owner can access them:
cd ~
mkdir -p test1/test2
touch test1/file1 test1/test2/file2
chmod -R 700 test1
  • Let's take a look at the ACL permissions as they are right now using the getfacl command:
getfacl -R test1/
# file: test1
# owner: root
# group: root
user::rwx
group::---
other::---

# file: test1/test2
# owner: root
# group: root
user::rwx
group::---
other::---

# file: test1/test2/file2
# owner: root
# group: root
user::rwx
group::---
other::---

# file: test1/file1
# owner: root
# group: root
user::rwx
group::---
other::---
  • Look good? Now let's apply some ACLs to add new users and/or groups to the list, so they can access the files in addition to what the owner/group/other permissions allow. Make sure you modify the example below to fit your users/groups. What we're doing below is "m"odifying the ACL for the test1 directory so user1 has r-x access. We are also "R"ecursively "m"odifying the "d"efault ACL for test1, to give group1 rwx access to any files/directories created underneath test1. Default ACLs make sure the given ACL entries are applied automatically to any file/directory created inside the directory you're applying them to. Finally, we're "R"ecursively "m"odifying the ACLs for test1 so group1 gets rwx access to all existing files/directories. This differs from Default ACLs in that these are the actual permissions of the existing files/directories, rather than dictating which ACLs new files/directories will receive.

man setfacl for more information on the setfacl command. Here we go:

setfacl -m u:user1:rx test1
setfacl -Rdm g:group1:rwx test1
setfacl -Rm g:group1:rwx test1
  • We can now verify these ACLs using the getfacl command. Again, man getfacl for more information.
getfacl -R test1/
# file: test1
# owner: root
# group: root
user::rwx
user:user1:r-x
group::---
group:group1:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:group1:rwx
default:mask::rwx
default:other::---

# file: test1/test2
# owner: root
# group: root
user::rwx
group::---
group:group1:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:group1:rwx
default:mask::rwx
default:other::---

# file: test1/test2/file2
# owner: root
# group: root
user::rwx
group::---
group:group1:rwx
mask::rwx
other::---

# file: test1/file1
# owner: root
# group: root
user::rwx
group::---
group:group1:rwx
mask::rwx
other::---

As you see,

  • user1 now has r-x access to test1 directory
  • group1 has rwx access to all directories and files, as well as having Default ACL set as rwx in each directory so any new files that are created by any user will inherit those ACLs. Note that new directories that are created within a directory with Default ACLs will also apply these Default ACLs to it. For example, if we create test3 directory underneath test2...
cd test1/test2/
mkdir test3
getfacl test3/

# file: test3
# owner: root
# group: root
user::rwx
group::---
group:group1:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:group1:rwx
default:mask::rwx
default:other::---
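One thing the listings above show but do not explain is the mask:: line: every named user/group entry (and the owning group entry) is capped by the mask, and a later chmod on the same directory rewrites the mask rather than the group entry. The helper below is an added example, not part of the original page: it computes the effective rights of an entry from a getfacl listing. The function name and the constructed listings are assumptions; the first listing is a copy of the page's test1 access entries.

```shell
#!/bin/sh
# Added example, not part of the original page. Computes the *effective* rights a
# named user/group (or the owning group) gets from a getfacl listing: the entry's
# permissions ANDed with the mask entry. "effective_perms" is a helper name
# chosen here; the listing below is copied from the page's test1 output.

# getfacl access entries for test1 after the page's three setfacl commands (constructed copy)
ACL_PAGE='# file: test1
# owner: root
# group: root
user::rwx
user:user1:r-x
group::---
group:group1:rwx
mask::rwx
other::---'

# The same listing as it looks after "chmod 750 test1": on a directory that has
# a mask entry, chmod's group bits rewrite the mask, not the owning group entry.
ACL_AFTER_CHMOD=$(printf '%s\n' "$ACL_PAGE" | sed 's/^mask::rwx$/mask::r-x/')

# Usage: effective_perms "<getfacl text>" <tag>:<qualifier>
#   e.g. effective_perms "$ACL_PAGE" group:group1   -> rwx
#        effective_perms "$ACL_PAGE" user:          -> owner entry
# Prints the effective rwx triple; exits 1 if the entry is not in the listing.
effective_perms() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^#/ || /^default:/ || NF == 0 { next }   # skip comments, default ACL, blanks
        {
            split($0, f, ":")                     # f[1]=tag f[2]=qualifier f[3]=perms
            key = f[1] ":" f[2]
            if (key == "mask:") mask = f[3]
            if (key == want)    perms = f[3]
        }
        END {
            if (perms == "") { print "absent"; exit 1 }
            # the owner (user::) and other:: entries are never limited by the mask
            if (want == "user:" || want == "other:" || mask == "") { print perms; exit 0 }
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perms, i, 1); m = substr(mask, i, 1)
                out = out ((p != "-" && m != "-") ? p : "-")
            }
            print out
        }'
}
```

Read ls -l output with care on ACL-bearing files: the group column shows the mask, not the owning group's rights, so a trailing + after the mode bits is the cue to run getfacl.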

Have fun with ACLs!


Thanks to http://tlug.dnho.net/?q=node/171 for teaching me the basics of ACLs and enabling me to write this page!