This page shows the differences between two versions of the page.
posix_acl:posix_acl [2018-06-21 14:00] GreyWolf [getfacl] |
posix_acl:posix_acl [2018-07-13 16:07] (current) GreyWolf [setfacl] |
||
---|---|---|---|
Строка 2: | Строка 2: | ||
Управление списками доступа POSIX ACL (Access Control Lists). | Управление списками доступа POSIX ACL (Access Control Lists). | ||
+ | |||
+ | http://savannah.nongnu.org/projects/acl/ | ||
[[https://wiki.debian.org/Permissions#Access_Control_Lists_in_Linux|Access Control Lists in Linux]] | [[https://wiki.debian.org/Permissions#Access_Control_Lists_in_Linux|Access Control Lists in Linux]] | ||
- | Использование в [[samba:samba#ntfs-acls|Samba]] | + | [[samba:samba#ntfs-acls|Использование в Samba]] |
+ | |||
+ | [[Eiciel:Eiciel|Графический интерфейс Eiciel]] | ||
+ | |||
+ | ====== Порядок определения доступа ====== | ||
- | Графический интерфейс: [[Eiciel:Eiciel|Eiciel]] | + | Может ли пользователь выполнить действие над файлом или папкой определяются следующим образом: |
+ | - Используются права владельца, если пользователь им является. | ||
+ | - Используются права, указанные конкретно для этого пользователя. | ||
+ | - Если действие разрешено хотя бы для одной из группы в которую входит пользователь. | ||
+ | - Если пользователь не входит ни в одну группу описанную в ACL, то используются права для other. | ||
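Review bot: the access-order list added in this hunk leaves out the mask entry: the rights taken in steps 2 and 3 (a named `user:` entry, the owning group and any `group:` entries) are additionally capped by `mask::`, so an entry of `rwx` can be effective as `r-x`, and the file owner and `other` are the only entries the mask does not touch. Step 2 should also say that once a named-user entry matches, the lookup stops there even if that entry denies the action; step 3 is only reached when no `user:` entry matches. Suggest adding a line on the mask after step 3 and rewording step 2 accordingly.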
Строка 18: | Строка 28: | ||
Для того, чтобы проверить поддерживаются ли списки доступа (ACL) нужно выполнить команду: | Для того, чтобы проверить поддерживаются ли списки доступа (ACL) нужно выполнить команду: | ||
<code bash> | <code bash> | ||
- | tune2fs -l /dev/sdaX |grep acl | + | tune2fs -l /dev/sdaX | grep acl |
</code> | </code> | ||
- | ''/dev/sdaX'' имя устройства. | + | где''/dev/sdaX'' это имя устройства. |
+ | |||
+ | Для систем с [[lvm:lvm|LVM]] нужно использовать такой вариант: | ||
+ | <code bash> | ||
+ | tune2fs -l /dev/mapper/vg01-home | grep acl | ||
+ | </code> | ||
+ | где ''/dev/mapper/vg01-home'' это имя логического тома | ||
Если ACL поддерживаются то в выводе команды будет примерно это: | Если ACL поддерживаются то в выводе команды будет примерно это: | ||
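Review bot: both `tune2fs -l ... | grep acl` variants in this hunk only work for ext2/3/4 and only report the filesystem's default mount options, so a volume whose output lacks `acl` may still have ACLs enabled through an `acl` option in /etc/fstab, and the check does not apply to xfs or btrfs at all. Suggest adding the definitive test: run `setfacl -m u:nobody:r` on a test file in the mounted filesystem; "Operation not supported" means ACLs are off. Also, the description line is missing a space after `где` and a full stop after `тома`.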
Строка 30: | Строка 46: | ||
====== setfacl ====== | ====== setfacl ====== | ||
Установка прав доступа | Установка прав доступа | ||
- | <code> | ||
- | Usage: setfacl [-bkndRLP] { -m|-M|-x|-X ... } file ... | ||
- | -m, --modify=acl modify the current ACL(s) of file(s) | ||
- | -M, --modify-file=file read ACL entries to modify from file | ||
- | -x, --remove=acl remove entries from the ACL(s) of file(s) | ||
- | -X, --remove-file=file read ACL entries to remove from file | ||
- | -b, --remove-all remove all extended ACL entries | ||
- | -k, --remove-default remove the default ACL | ||
- | --set=acl set the ACL of file(s), replacing the current ACL | ||
- | --set-file=file read ACL entries to set from file | ||
- | --mask do recalculate the effective rights mask | ||
- | -n, --no-mask don't recalculate the effective rights mask | ||
- | -d, --default operations apply to the default ACL | ||
- | -R, --recursive recurse into subdirectories | ||
- | -L, --logical logical walk, follow symbolic links | ||
- | -P, --physical physical walk, do not follow symbolic links | ||
- | --restore=file restore ACLs (inverse of `getfacl -R') | ||
- | --test test mode (ACLs are not modified) | ||
- | -v, --version print version and exit | ||
- | -h, --help this help text | ||
- | </code> | ||
- | Пример: | ||
- | <code bash> | ||
- | setfacl -R -b -m g:Group_F:rwx,g:Group_R:rx,default:g:Group_F:rwx,default:g:Group_R:rx,default:other:--- /srv/share01 | ||
- | </code> | ||
- | Рекурсивно ''-R'' удаляем существующие права ''-b'' и добавляем заданные права, устанавливаем умолчания. | ||
- | * ''Group_F'' полные права | ||
- | * ''Group_R'' только чтение | ||
- | * ''other'' = нет доступа | ||
- | |||
- | ====== getfacl ====== | ||
FIXME | FIXME | ||
- | <code> | + | Пример: |
- | GETFACL(1) Access Control Lists GETFACL(1) | + | |
- | NAME | + | Рекурсивно ''-R'' удаляем существующие права ''-b'' и из файла ''-M'' заданного в ''$acl_file'' применяем права и умолчания. |
- | getfacl - get file access control lists | + | |
- | SYNOPSIS | + | <code bash acl_share01.sh> |
- | getfacl [-aceEsRLPtpndvh] file ... | + | #!/bin/bash |
- | getfacl [-aceEsRLPtpndvh] - | + | # Путь |
+ | path=/srv/share01 | ||
- | DESCRIPTION | + | # Права |
- | For each file, getfacl displays the file name, owner, the group, and the Access Control List (ACL). If a directory | + | acl_file=/tmp/tmp.acl |
- | has a default ACL, getfacl also displays the default ACL. Non-directories cannot have default ACLs. | + | cat << 'EOF' |tee $acl_file |
+ | user::rwx | ||
+ | group::rwx | ||
+ | group:Group_F:rwx | ||
+ | group:Group_R:r-x | ||
+ | user:User_F:rwx | ||
+ | user:User_R:r-x | ||
+ | mask::rwx | ||
+ | other::--- | ||
+ | default:group:Group_F:rwx | ||
+ | default:group:Group_R:r-x | ||
+ | default:user:User_F:rwx | ||
+ | default:user:User_R:r-x | ||
+ | default:mask::rwx | ||
+ | default:other::--- | ||
+ | EOF | ||
- | If getfacl is used on a file system that does not support ACLs, getfacl displays the access permissions defined by | + | setfacl -b $path |
- | the traditional file mode permission bits. | + | setfacl -R -b -M $acl_file $path |
- | The output format of getfacl is as follows: | + | rm $acl_file |
- | 1: # file: somedir/ | + | </code> |
- | 2: # owner: lisa | + | |
- | 3: # group: staff | + | |
- | 4: # flags: -s- | + | |
- | 5: user::rwx | + | |
- | 6: user:joe:rwx #effective:r-x | + | |
- | 7: group::rwx #effective:r-x | + | |
- | 8: group:cool:r-x | + | |
- | 9: mask::r-x | + | |
- | 10: other::r-x | + | |
- | 11: default:user::rwx | + | |
- | 12: default:user:joe:rwx #effective:r-x | + | |
- | 13: default:group::r-x | + | |
- | 14: default:mask::r-x | + | |
- | 15: default:other::--- | + | |
- | Lines 1--3 indicate the file name, owner, and owning group. | + | ====== getfacl ====== |
+ | FIXME | ||
- | Line 4 indicates the setuid (s), setgid (s), and sticky (t) bits: either the letter representing the bit, or else a | + | Отображение списка контроля доступа к файлам и папкам. |
- | dash (-). This line is included if any of those bits is set and left out otherwise, so it will not be shown for | + | |
- | most files. (See CONFORMANCE TO POSIX 1003.1e DRAFT STANDARD 17 below.) | + | |
- | Lines 5, 7 and 10 correspond to the user, group and other fields of the file mode permission bits. These three are | + | ===== Сохранение списка прав в файл ===== |
- | called the base ACL entries. Lines 6 and 8 are named user and named group entries. Line 9 is the effective rights | + | |
- | mask. This entry limits the effective rights granted to all groups and to named users. (The file owner and others | + | |
- | permissions are not affected by the effective rights mask; all other entries are.) Lines 11--15 display the | + | |
- | default ACL associated with this directory. Directories may have a default ACL. Regular files never have a default | + | |
- | ACL. | + | |
- | The default behavior for getfacl is to display both the ACL and the default ACL, and to include an effective rights | + | <code bash> |
- | comment for lines where the rights of the entry differ from the effective rights. | + | getfacl -R ИМЯ_ОБЪЕКТА > ИМЯ_ОБЪЕКТА.acl |
- | + | ||
- | If output is to a terminal, the effective rights comment is aligned to column 40. Otherwise, a single tab character | + | |
- | separates the ACL entry and the effective rights comment. | + | |
- | + | ||
- | The ACL listings of multiple files are separated by blank lines. The output of getfacl can also be used as input | + | |
- | to setfacl. | + | |
- | + | ||
- | PERMISSIONS | + | |
- | Process with search access to a file (i.e., processes with read access to the containing directory of a file) are | + | |
- | also granted read access to the file's ACLs. This is analogous to the permissions required for accessing the file | + | |
- | mode. | + | |
- | + | ||
- | OPTIONS | + | |
- | -a, --access | + | |
- | Display the file access control list. | + | |
- | + | ||
- | -d, --default | + | |
- | Display the default access control list. | + | |
- | + | ||
- | -c, --omit-header | + | |
- | Do not display the comment header (the first three lines of each file's output). | + | |
- | + | ||
- | -e, --all-effective | + | |
- | Print all effective rights comments, even if identical to the rights defined by the ACL entry. | + | |
- | + | ||
- | -E, --no-effective | + | |
- | Do not print effective rights comments. | + | |
- | + | ||
- | -s, --skip-base | + | |
- | Skip files that only have the base ACL entries (owner, group, others). | + | |
- | + | ||
- | -R, --recursive | + | |
- | List the ACLs of all files and directories recursively. | + | |
- | + | ||
- | -L, --logical | + | |
- | Logical walk, follow symbolic links to directories. The default behavior is to follow symbolic link arguments, | + | |
- | and skip symbolic links encountered in subdirectories. Only effective in combination with -R. | + | |
- | + | ||
- | -P, --physical | + | |
- | Physical walk, do not follow symbolic links to directories. This also skips symbolic link arguments. Only | + | |
- | effective in combination with -R. | + | |
- | + | ||
- | -t, --tabular | + | |
- | Use an alternative tabular output format. The ACL and the default ACL are displayed side by side. Permissions | + | |
- | that are ineffective due to the ACL mask entry are displayed capitalized. The entry tag names for the | + | |
- | ACL_USER_OBJ and ACL_GROUP_OBJ entries are also displayed in capital letters, which helps in spotting those | + | |
- | entries. | + | |
- | + | ||
- | -p, --absolute-names | + | |
- | Do not strip leading slash characters (`/'). The default behavior is to strip leading slash characters. | + | |
- | + | ||
- | -n, --numeric | + | |
- | List numeric user and group IDs | + | |
- | + | ||
- | -v, --version | + | |
- | Print the version of getfacl and exit. | + | |
- | + | ||
- | -h, --help | + | |
- | Print help explaining the command line options. | + | |
- | + | ||
- | -- End of command line options. All remaining parameters are interpreted as file names, even if they start with a | + | |
- | dash character. | + | |
- | + | ||
- | - If the file name parameter is a single dash character, getfacl reads a list of files from standard input. | + | |
- | + | ||
- | CONFORMANCE TO POSIX 1003.1e DRAFT STANDARD 17 | + | |
- | If the environment variable POSIXLY_CORRECT is defined, the default behavior of getfacl changes in the following | + | |
- | ways: Unless otherwise specified, only the ACL is printed. The default ACL is only printed if the -d option is | + | |
- | given. If no command line parameter is given, getfacl behaves as if it was invoked as ``getfacl -''. No flags com‐ | + | |
- | ments indicating the setuid, setgit, and sticky bits are generated. | + | |
- | + | ||
- | AUTHOR | + | |
- | Andreas Gruenbacher, <a.gruenbacher@bestbits.at>. | + | |
- | + | ||
- | Please send your bug reports and comments to the above address. | + | |
- | + | ||
- | SEE ALSO | + | |
- | setfacl(1), acl(5) | + | |
- | + | ||
- | May 2000 ACL File Utilities GETFACL(1) | + | |
</code> | </code> | ||
+ | ====== Ссылки ====== | ||
+ | **[[http://help.ubuntu.ru/wiki/access_control_list|Access Control List - списки контроля доступа]]** | ||
- | ====== Ссылки ====== | ||
[[http://www.calculate-linux.org/main/ru/setting_filesystem_acl|Настройка прав доступа ACL]] | [[http://www.calculate-linux.org/main/ru/setting_filesystem_acl|Настройка прав доступа ACL]] | ||
- | |||
- | [[http://help.ubuntu.ru/wiki/access_control_list|Access Control List - списки контроля доступа]] | ||
[[https://help.ubuntu.com/community/FilePermissionsACLs|File Permissions ACLs]] | [[https://help.ubuntu.com/community/FilePermissionsACLs|File Permissions ACLs]] | ||
[[http://rus-linux.net/MyLDP/BOOKS/Linux_Foundations/32/ch32.html|Библиотека сайта rus-linux.net: Фундаментальные основы Linux. Часть VIII. Механизмы безопасной работы с файлами]] | [[http://rus-linux.net/MyLDP/BOOKS/Linux_Foundations/32/ch32.html|Библиотека сайта rus-linux.net: Фундаментальные основы Linux. Часть VIII. Механизмы безопасной работы с файлами]] | ||
+ | |||
+ | [[https://www.computerhope.com/unix/ugetfacl.htm|Linux getfacl command]] | ||
+ | |||
+ | [[https://www.computerhope.com/unix/usetfacl.htm|Linux setfacl command]] | ||
{{tag>Admin Linux Debian}} | {{tag>Admin Linux Debian}} | ||
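Review bot: in acl_share01.sh the ACL file is written to the fixed, predictable path /tmp/tmp.acl and `$acl_file` / `$path` are expanded unquoted; since the script runs as root, another local user could pre-create /tmp/tmp.acl (or place a symlink there) and have root apply their entries to /srv/share01. Suggest `acl_file=$(mktemp)` and quoting `"$acl_file"` and `"$path"`. The first `setfacl -b $path` is redundant because the following `setfacl -R -b -M` already clears the whole tree. Applying `user::rwx`, `group::rwx` and the `:rwx` named entries recursively also sets the execute bit on every regular file under the share; use `X` instead of `x` (e.g. `group:Group_F:rwX`, `default:group:Group_F:rwX`) so execute is granted only to directories and to files that already have it. The FIXME markers above the setfacl example and under the getfacl heading are still in place and should be resolved or removed.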