Различия

Здесь показаны различия между двумя версиями данной страницы.

--- posix_acl:posix_acl [2018-06-21 14:12]
GreyWolf [Ссылки]
+++ posix_acl:posix_acl [2018-07-13 16:07] (текущий)
GreyWolf [setfacl]
@@ Строка 2: / Строка 2: @@
 Управление списками доступа POSIX ACL (Access Control Lists).
+http://savannah.nongnu.org/projects/acl/
 [[https://wiki.debian.org/Permissions#Access_Control_Lists_in_Linux|Access Control Lists in Linux]]
-Использование в [[samba:samba#ntfs-acls|Samba]]
+[[samba:samba#ntfs-acls|Использование в Samba]]
-Графический интерфейс: [[Eiciel:Eiciel|Eiciel]]
+[[Eiciel:Eiciel|Графический интерфейс Eiciel]]
-<code>
+====== Порядок определения доступа ======
-ACL(5)                                            BSD File Formats Manual                                           ACL(5)
-NAME
+Может ли пользователь выполнить действие над файлом или папкой определяются следующим образом:
-     acl — Access Control Lists
+  - Используются права владельца, если пользователь им является.
+  - Используются права, указанные конкретно для этого пользователя.
+  - Если действие разрешено хотя бы для одной из группы в которую входит пользователь.
+  - Если пользователь не входит ни в одну группу описанную в ACL, то используются права для other.
-DESCRIPTION
-     This manual page describes POSIX Access Control Lists, which are used to define more fine-grained discretionary
-     access rights for files and directories.
-ACL TYPES
-     Every object can be thought of as having associated with it an ACL that governs the discretionary access to that
-     object; this ACL is referred to as an access ACL. In addition, a directory may have an associated ACL that governs
-     the initial access ACL for objects created within that directory; this ACL is referred to as a default ACL.
-ACL ENTRIES
-     An ACL consists of a set of ACL entries. An ACL entry specifies the access permissions on the associated object for
-     an individual user or a group of users as a combination of read, write and search/execute permissions.
-     An ACL entry contains an entry tag type, an optional entry tag qualifier, and a set of permissions.  We use the term
-     qualifier to denote the entry tag qualifier of an ACL entry.
-     The qualifier denotes the identifier of a user or a group, for entries with tag types of ACL_USER or ACL_GROUP,
-     respectively. Entries with tag types other than ACL_USER or ACL_GROUP have no defined qualifiers.
-     The following entry tag types are defined:
-           ACL_USER_OBJ    The ACL_USER_OBJ entry denotes access rights for the file owner.
-           ACL_USER        ACL_USER entries denote access rights for users identified by the entry's qualifier.
-           ACL_GROUP_OBJ   The ACL_GROUP_OBJ entry denotes access rights for the file group.
-           ACL_GROUP       ACL_GROUP entries denote access rights for groups identified by the entry's qualifier.
-           ACL_MASK        The ACL_MASK entry denotes the maximum access rights that can be granted by entries of type
-                           ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP.
-           ACL_OTHER       The ACL_OTHER entry denotes access rights for processes that do not match any other entry in
-                           the ACL.
-     When an access check is performed, the ACL_USER_OBJ and ACL_USER entries are tested against the effective user ID.
-     The effective group ID, as well as all supplementary group IDs are tested against the ACL_GROUP_OBJ and ACL_GROUP
-     entries.
-VALID ACLs
-     A valid ACL contains exactly one entry with each of the ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER tag types. Entries
-     with ACL_USER and ACL_GROUP tag types may appear zero or more times in an ACL. An ACL that contains entries of
-     ACL_USER or ACL_GROUP tag types must contain exactly one entry of the ACL_MASK tag type. If an ACL contains no
-     entries of ACL_USER or ACL_GROUP tag types, the ACL_MASK entry is optional.
-     All user ID qualifiers must be unique among all entries of ACL_USER tag type, and all group IDs must be unique among
-     all entries of ACL_GROUP tag type.
-       The acl_get_file() function returns an ACL with zero ACL entries as the default ACL of a directory, if the direc‐
-     tory is not associated with a default ACL. The acl_set_file() function also accepts an ACL with zero ACL entries as a
-     valid default ACL for directories, denoting that the directory shall not be associated with a default ACL. This is
-     equivalent to using the acl_delete_def_file() function.
-CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS
-     The permissions defined by ACLs are a superset of the permissions specified by the file permission bits.
-     There is a correspondence between the file owner, group, and other permissions and specific ACL entries: the owner
-     permissions correspond to the permissions of the ACL_USER_OBJ entry. If the ACL has an ACL_MASK entry, the group per‐
-     missions correspond to the permissions of the ACL_MASK entry.  Otherwise, if the ACL has no ACL_MASK entry, the group
-     permissions correspond to the permissions of the ACL_GROUP_OBJ entry.  The other permissions correspond to the per‐
-     missions of the ACL_OTHER_OBJ entry.
-     The file owner, group, and other permissions always match the permissions of the corresponding ACL entry. Modifica‐
-     tion of the file permission bits results in the modification of the associated ACL entries, and modification of these
-     ACL entries results in the modification of the file permission bits.
-OBJECT CREATION AND DEFAULT ACLs
-     The access ACL of a file object is initialized when the object is created with any of the creat(), mkdir(), mknod(),
-     mkfifo(), or open() functions. If a default ACL is associated with a directory, the mode parameter to the functions
-     creating file objects and the default ACL of the directory are used to determine the ACL of the new object:
-.   The new object inherits the default ACL of the containing directory as its access ACL.
-.   The access ACL entries corresponding to the file permission bits are modified so that they contain no permis‐
-          sions that are not contained in the permissions specified by the mode parameter.
-     If no default ACL is associated with a directory, the mode parameter to the functions creating file objects and the
-     file creation mask (see umask(2)) are used to determine the ACL of the new object:
-.   The new object is assigned an access ACL containing entries of tag types ACL_USER_OBJ, ACL_GROUP_OBJ, and
-          ACL_OTHER. The permissions of these entries are set to the permissions specified by the file creation mask.
-.   The access ACL entries corresponding to the file permission bits are modified so that they contain no permis‐
-          sions that are not contained in the permissions specified by the mode parameter.
-ACCESS CHECK ALGORITHM
-     A process may request read, write, or execute/search access to a file object protected by an ACL. The access check
-     algorithm determines whether access to the object will be granted.
-.   If the effective user ID of the process matches the user ID of the file object owner, then
-              if the ACL_USER_OBJ entry contains the requested permissions, access is granted,
-              else access is denied.
-.   else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then
-              if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted,
-              else access is denied.
-.   else if the effective group ID or any of the supplementary group IDs of the process match the file group or the
-          qualifier of any entry of type ACL_GROUP, then
-              if the ACL contains an ACL_MASK entry, then
-                  if the ACL_MASK entry and any of the matching ACL_GROUP_OBJ or ACL_GROUP entries contain  the  requested
-                  permissions, access is granted,
-                  else access is denied.
-              else (note that there can be no ACL_GROUP entries without an ACL_MASK entry)
-                  if the ACL_GROUP_OBJ entry contains the requested permissions, access is granted,
-                  else access is denied.
-.   else if the ACL_OTHER entry contains the requested permissions, access is granted.
-.   else access is denied.
-ACL TEXT FORMS
-     A long and a short text form for representing ACLs is defined. In both forms, ACL entries are represented as three
-     colon separated fields: an ACL entry tag type, an ACL entry qualifier, and the discretionary access permissions. The
-     first field contains one of the following entry tag type keywords:
-           user    A user ACL entry specifies the access granted to either the file owner (entry tag type ACL_USER_OBJ) or
-                   a specified user (entry tag type ACL_USER).
-           group   A group ACL entry specifies the access granted to either the file group (entry tag type ACL_GROUP_OBJ)
-                   or a specified group (entry tag type ACL_GROUP).
-           mask    A mask ACL entry specifies the maximum access which can be granted by any ACL entry except the user
-                   entry for the file owner and the other entry (entry tag type ACL_MASK).
-           other   An other ACL entry specifies the access granted to any process that does not match any user or group
-                   ACL entries (entry tag type ACL_OTHER).
-     The second field contains the user or group identifier of the user or group associated with the ACL entry for entries
-     of entry tag type ACL_USER or ACL_GROUP, and is empty for all other entries. A user identifier can be a user name or
-     a user ID number in decimal form. A group identifier can be a group name or a group ID number in decimal form.
-     The third field contains the discretionary access permissions. The read, write and search/execute permissions are
-     represented by the r, w, and x characters, in this order. Each of these characters is replaced by the - character to
-     denote that a permission is absent in the ACL entry.  When converting from the text form to the internal representa‐
-     tion, permissions that are absent need not be specified.
-     White space is permitted at the beginning and end of each ACL entry, and immediately before and after a field separa‐
-     tor (the colon character).
-   LONG TEXT FORM
-     The long text form contains one ACL entry per line. In addition, a number sign (#) may start a comment that extends
-     until the end of the line. If an ACL_USER, ACL_GROUP_OBJ or ACL_GROUP ACL entry contains permissions that are not
-     also contained in the ACL_MASK entry, the entry is followed by a number sign, the string “effective:”, and the effec‐
-     tive access permissions defined by that entry. This is an example of the long text form:
-           user::rw-
-           user:lisa:rw-         #effective:r--
-           group::r--
-           group:toolies:rw-     #effective:r--
-           mask::r--
-           other::r--
-   SHORT TEXT FORM
-     The short text form is a sequence of ACL entries separated by commas, and is used for input. Comments are not sup‐
-     ported. Entry tag type keywords may either appear in their full unabbreviated form, or in their single letter abbre‐
-     viated form. The abbreviation for user is u, the abbreviation for group is g, the abbreviation for mask is m, and the
-     abbreviation for other is o.  The permissions may contain at most one each of the following characters in any order:
-     r, w, x.  These are examples of the short text form:
-           u::rw-,u:lisa:rw-,g::r--,g:toolies:rw-,m::r--,o::r--
-           g:toolies:rw,u:lisa:rw,u::wr,g::r,o::r,m::r
-RATIONALE
-     IEEE 1003.1e draft 17 defines Access Control Lists that include entries of tag type ACL_MASK, and defines a mapping
-     between file permission bits that is not constant. The standard working group defined this relatively complex inter‐
-     face in order to ensure that applications that are compliant with IEEE 1003.1 (“POSIX.1”) will still function as
-     expected on systems with ACLs. The IEEE 1003.1e draft 17 contains the rationale for choosing this interface in sec‐
-     tion B.23.
-CHANGES TO THE FILE UTILITIES
-     On a system that supports ACLs, the file utilities ls(1), cp(1), and mv(1) change their behavior in the following
-     way:
-     ·   For files that have a default ACL or an access ACL that contains more than the three required ACL entries, the
-         ls(1) utility in the long form produced by ls -l displays a plus sign (+) after the permission string.
-     ·   If the -p flag is specified, the cp(1) utility also preserves ACLs.  If this is not possible, a warning is pro‐
-         duced.
-     ·     The mv(1) utility always preserves ACLs. If this is not possible, a warning is produced.
-     The effect of the chmod(1) utility, and of the chmod(2) system call, on the access ACL is described in CORRESPONDENCE
-     BETWEEN ACL ENTRIES AND FILE PERMISSION BITS.
-STANDARDS
-     The IEEE 1003.1e draft 17 (“POSIX.1e”) document describes several security extensions to the IEEE 1003.1 standard.
-     While the work on 1003.1e has been abandoned, many UNIX style systems implement parts of POSIX.1e draft 17, or of
-     earlier drafts.
-     Linux Access Control Lists implement the full set of functions and utilities defined for Access Control Lists in
-     POSIX.1e, and several extensions.  The implementation is fully compliant with POSIX.1e draft 17; extensions are
-     marked as such.  The Access Control List manipulation functions are defined in the ACL library (libacl, -lacl). The
-     POSIX compliant interfaces are declared in the <sys/acl.h> header.  Linux-specific extensions to these functions are
-     declared in the <acl/libacl.h> header.
-SEE ALSO
-     chmod(1), creat(2), getfacl(1), ls(1), mkdir(2), mkfifo(2), mknod(2), open(2), setfacl(1), stat(2), umask(1)
-   POSIX 1003.1e DRAFT 17
-     http://www.guug.de/~winni/posix.1e/download.html
-   POSIX 1003.1e FUNCTIONS BY CATEGORY
-     ACL storage management
-          acl_dup(3), acl_free(3), acl_init(3)
-     ACL entry manipulation
-          acl_copy_entry(3), acl_create_entry(3), acl_delete_entry(3), acl_get_entry(3), acl_valid(3)
-          acl_add_perm(3), acl_calc_mask(3), acl_clear_perms(3), acl_delete_perm(3), acl_get_permset(3),
-          acl_set_permset(3)
-          acl_get_qualifier(3), acl_get_tag_type(3), acl_set_qualifier(3), acl_set_tag_type(3)
-     ACL manipulation on an object
-          acl_delete_def_file(3), acl_get_fd(3), acl_get_file(3), acl_set_fd(3), acl_set_file(3)
-     ACL format translation
-          acl_copy_entry(3), acl_copy_ext(3), acl_from_text(3), acl_to_text(3), acl_size(3)
-   POSIX 1003.1e FUNCTIONS BY AVAILABILITY
-     The first group of functions is supported on most systems with POSIX-like access control lists, while the second
-     group is supported on fewer systems.  For applications that will be ported the second group is best avoided.
-     acl_delete_def_file(3), acl_dup(3), acl_free(3), acl_from_text(3), acl_get_fd(3), acl_get_file(3), acl_init(3),
-     acl_set_fd(3), acl_set_file(3), acl_to_text(3), acl_valid(3)
-     acl_add_perm(3), acl_calc_mask(3), acl_clear_perms(3), acl_copy_entry(3), acl_copy_ext(3), acl_copy_int(3),
-     acl_create_entry(3), acl_delete_entry(3), acl_delete_perm(3), acl_get_entry(3), acl_get_permset(3),
-     acl_get_qualifier(3), acl_get_tag_type(3), acl_set_permset(3), acl_set_qualifier(3), acl_set_tag_type(3), acl_size(3)
-   LINUX EXTENSIONS
-     These non-portable extensions are available on Linux systems.
-     acl_check(3), acl_cmp(3), acl_entries(3), acl_equiv_mode(3), acl_error(3), acl_extended_fd(3), acl_extended_file(3),
-     acl_extended_file_nofollow(3), acl_from_mode(3), acl_get_perm(3), acl_to_any_text(3)
-AUTHOR
-     Andreas Gruenbacher, <a.gruenbacher@bestbits.at>
-Linux ACL                                             March 23, 2002                                             Linux ACL
-</code>
 ====== Установка ======
@@ Строка 275: / Строка 28: @@
 Для того, чтобы проверить поддерживаются ли списки доступа (ACL) нужно выполнить команду:
 <code bash>
-tune2fs -l /dev/sdaX |grep acl
+tune2fs -l /dev/sdaX | grep acl
 </code>
-''/dev/sdaX'' имя устройства.
+где''/dev/sdaX'' это имя устройства.
+Для систем с [[lvm:lvm|LVM]] нужно использовать такой вариант:
+<code bash>
+tune2fs -l /dev/mapper/vg01-home | grep acl
+</code>
+где ''/dev/mapper/vg01-home'' это имя логического тома
 Если ACL поддерживаются то в выводе команды будет примерно это:
@@ Строка 287: / Строка 46: @@
 ====== setfacl ======
 Установка прав доступа
-<code>
-SETFACL(1)                                         Access Control Lists                                         SETFACL(1)
-NAME
+FIXME
-       setfacl - set file access control lists
-SYNOPSIS
+Пример:
-       setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ...
-       setfacl --restore=file
+Рекурсивно ''-R'' удаляем существующие права ''-b'' и из файла ''-M'' заданного в ''$acl_file'' применяем права и умолчания.
-DESCRIPTION
+<code bash acl_share01.sh>
-       This  utility  sets  Access Control Lists (ACLs) of files and directories.  On the command line, a sequence of com‐
+#!/bin/bash
-       mands is followed by a sequence of files (which in turn can be followed by another sequence of commands, ...).
-       The options -m, and -x expect an ACL on the command line. Multiple ACL entries are separated  by  comma  characters
+# Путь
-       (`,').  The options -M, and -X read an ACL from a file or from standard input. The ACL entry format is described in
+path=/srv/share01
-       Section ACL ENTRIES.
-       The --set and --set-file options set the ACL of a file or a directory. The previous ACL is replaced.   ACL  entries
+# Права
-       for this operation must include permissions.
+acl_file=/tmp/tmp.acl
+cat << 'EOF' |tee $acl_file
+user::rwx
+group::rwx
+group:Group_F:rwx
+group:Group_R:r-x
+user:User_F:rwx
+user:User_R:r-x
+mask::rwx
+other::---
+default:group:Group_F:rwx
+default:group:Group_R:r-x
+default:user:User_F:rwx
+default:user:User_R:r-x
+default:mask::rwx
+default:other::---
+EOF
-       The -m (--modify) and -M (--modify-file) options modify the ACL of a file or directory.  ACL entries for this oper‐
+setfacl -b $path
-       ation must include permissions.
+setfacl -R -b -M $acl_file $path
-       The -x (--remove) and -X (--remove-file) options remove ACL entries. It is not an error to remove  an  entry  which
+rm $acl_file
-       does  not  exist.   Only  ACL entries without the perms field are accepted as parameters, unless POSIXLY_CORRECT is
-       defined.
-       When reading from files using the -M, and -X options, setfacl accepts the output getfacl  produces.   There  is  at
-       most  one  ACL  entry per line. After a Pound sign (`#'), everything up to the end of the line is treated as a com‐
-       ment.
-       If setfacl is used on a file system which does not support ACLs, setfacl operates on the file mode permission bits.
-       If  the  ACL  does  not  fit  completely  in the permission bits, setfacl modifies the file mode permission bits to
-       reflect the ACL as closely as possible, writes an error message to standard error, and returns with an exit  status
-       greater than 0.
-   PERMISSIONS
-       The  file  owner and processes capable of CAP_FOWNER are granted the right to modify ACLs of a file. This is analo‐
-       gous to the permissions required for accessing the file mode. (On current Linux systems, root is the only user with
-       the CAP_FOWNER capability.)
-OPTIONS
-       -b, --remove-all
-           Remove all extended ACL entries. The base ACL entries of the owner, group and others are retained.
-       -k, --remove-default
-           Remove the Default ACL. If no Default ACL exists, no warnings are issued.
-       -n, --no-mask
-           Do  not  recalculate  the effective rights mask. The default behavior of setfacl is to recalculate the ACL mask
-           entry, unless a mask entry was explicitly given.  The mask entry is set to the union of all permissions of  the
-           owning group, and all named user and group entries. (These are exactly the entries affected by the mask entry).
-       --mask
-           Do recalculate the effective rights mask, even if an ACL mask entry was explicitly given. (See the -n option.)
-       -d, --default
-           All  operations  apply  to  the  Default  ACL. Regular ACL entries in the input set are promoted to Default ACL
-           entries. Default ACL entries in the input set are discarded. (A warning is issued if that happens).
-       --restore=file
-           Restore a permission backup created by `getfacl -R' or similar. All permissions of a complete directory subtree
-           are  restored using this mechanism. If the input contains owner comments or group comments, setfacl attempts to
-           restore the owner and owning group. If the input contains flags comments (which define the setuid, setgid,  and
-           sticky bits), setfacl sets those three bits accordingly; otherwise, it clears them. This option cannot be mixed
-           with other options except `--test'.
-       --test
-           Test mode. Instead of changing the ACLs of any files, the resulting ACLs are listed.
-       -R, --recursive
-           Apply operations to all files and directories recursively. This option cannot be mixed with `--restore'.
-       -L, --logical
-           Logical walk, follow symbolic links to directories. The default behavior is to follow symbolic link  arguments,
-           and  skip  symbolic  links  encountered in subdirectories.  Only effective in combination with -R.  This option
-           cannot be mixed with `--restore'.
-       -P, --physical
-           Physical walk, do not follow symbolic links to directories.  This also skips  symbolic  link  arguments.   Only
-           effective in combination with -R.  This option cannot be mixed with `--restore'.
-       -v, --version
-           Print the version of setfacl and exit.
-       -h, --help
-           Print help explaining the command line options.
-       --  End  of command line options. All remaining parameters are interpreted as file names, even if they start with a
-           dash.
-       -   If the file name parameter is a single dash, setfacl reads a list of files from standard input.
-   ACL ENTRIES
-       The setfacl utility recognizes the following ACL entry formats (blanks inserted for clarity):
-       [d[efault]:] [u[ser]:]uid [:perms]
-              Permissions of a named user. Permissions of the file owner if uid is empty.
-       [d[efault]:] g[roup]:gid [:perms]
-              Permissions of a named group. Permissions of the owning group if gid is empty.
-       [d[efault]:] m[ask][:] [:perms]
-              Effective rights mask
-       [d[efault]:] o[ther][:] [:perms]
-              Permissions of others.
-       Whitespace between delimiter characters and non-delimiter characters is ignored.
-       Proper ACL entries including permissions are used in modify and set operations. (options -m, -M, --set  and  --set-
-       file).  Entries without the perms field are used for deletion of entries (options -x and -X).
-       For uid and gid you can specify either a name or a number.
-       The  perms  field  is  a combination of characters that indicate the permissions: read (r), write (w), execute (x),
-       execute only if the file is a directory or already has execute permission for some user  (X).   Alternatively,  the
-       perms field can be an octal digit (0-7).
-   AUTOMATICALLY CREATED ENTRIES
-       Initially,  files  and  directories  contain  only the three base ACL entries for the owner, the group, and others.
-       There are some rules that need to be satisfied in order for an ACL to be valid:
-       *   The three base entries cannot be removed. There must be exactly one entry of each of these base entry types.
-       *   Whenever an ACL contains named user entries or named group objects, it must also contain  an  effective  rights
-           mask.
-       *   Whenever  an  ACL  contains any Default ACL entries, the three Default ACL base entries (default owner, default
-           group, and default others) must also exist.
-       *   Whenever a Default ACL contains named user entries or named group objects,  it  must  also  contain  a  default
-           effective rights mask.
-       To help the user ensure these rules, setfacl creates entries from existing entries under the following conditions:
-       *   If  an  ACL  contains  named user or named group entries, and no mask entry exists, a mask entry containing the
-           same permissions as the group entry is created. Unless the -n option is given,  the  permissions  of  the  mask
-           entry  are  further  adjusted  to  include the union of all permissions affected by the mask entry. (See the -n
-           option description).
-       *   If a Default ACL entry is created, and the Default ACL contains no owner, owning group, or others entry, a copy
-           of the ACL owner, owning group, or others entry is added to the Default ACL.
-       *   If  a  Default  ACL  contains named user entries or named group entries, and no mask entry exists, a mask entry
-           containing the same permissions as the default Default ACL's group entry is added.  Unless  the  -n  option  is
-           given, the permissions of the mask entry are further adjusted to inclu de the union of all permissions affected
-           by the mask entry. (See the -n option description).
-EXAMPLES
-       Granting an additional user read access
-              setfacl -m u:lisa:r file
-       Revoking write access from all groups and all named users (using the effective rights mask)
-              setfacl -m m::rx file
-       Removing a named group entry from a file's ACL
-              setfacl -x g:staff file
-       Copying the ACL of one file to another
-              getfacl file1 | setfacl --set-file=- file2
-       Copying the access ACL into the Default ACL
-              getfacl --access dir | setfacl -d -M- dir
-CONFORMANCE TO POSIX 1003.1e DRAFT STANDARD 17
-       If the environment variable POSIXLY_CORRECT is defined, the default behavior of setfacl  changes  as  follows:  All
-       non-standard options are disabled.  The ``default:'' prefix is disabled.  The -x and -X options also accept permis‐
-       sion fields (and ignore them).
-AUTHOR
-       Andreas Gruenbacher, <a.gruenbacher@bestbits.at>.
-       Please send your bug reports, suggested features and comments to the above address.
-SEE ALSO
-       getfacl(1), chmod(1), umask(1), acl(5)
-May 2000                                            ACL File Utilities                                          SETFACL(1)
 </code>
-Пример:
-<code bash>
-setfacl -R -b -m g:Group_F:rwx,g:Group_R:rx,default:g:Group_F:rwx,default:g:Group_R:rx,default:other:--- /srv/share01
-</code>
-Рекурсивно ''-R''  удаляем существующие права ''-b'' и добавляем заданные права, устанавливаем умолчания.
-  * ''Group_F'' полные права
-  * ''Group_R'' только чтение
-  * ''other'' = нет доступа
 ====== getfacl ======
 FIXME
-<code>
+Отображение списка контроля доступа к файлам и папкам.
-GETFACL(1)                                         Access Control Lists                                         GETFACL(1)
-NAME
+===== Сохранение списка прав в файл =====
-       getfacl - get file access control lists
-SYNOPSIS
+<code bash>
-       getfacl [-aceEsRLPtpndvh] file ...
+getfacl -R ИМЯ_ОБЪЕКТА > ИМЯ_ОБЪЕКТА.acl
-       getfacl [-aceEsRLPtpndvh] -
-DESCRIPTION
-       For  each file, getfacl displays the file name, owner, the group, and the Access Control List (ACL). If a directory
-       has a default ACL, getfacl also displays the default ACL. Non-directories cannot have default ACLs.
-       If getfacl is used on a file system that does not support ACLs, getfacl displays the access permissions defined  by
-       the traditional file mode permission bits.
-       The output format of getfacl is as follows:
-:  # file: somedir/
-:  # owner: lisa
-:  # group: staff
-:  # flags: -s-
-:  user::rwx
-:  user:joe:rwx               #effective:r-x
-:  group::rwx                 #effective:r-x
-:  group:cool:r-x
-:  mask::r-x
-:  other::r-x
-:  default:user::rwx
-:  default:user:joe:rwx       #effective:r-x
-:  default:group::r-x
-:  default:mask::r-x
-:  default:other::---
-       Lines 1--3 indicate the file name, owner, and owning group.
-       Line 4 indicates the setuid (s), setgid (s), and sticky (t) bits: either the letter representing the bit, or else a
-       dash (-). This line is included if any of those bits is set and left out otherwise, so it will  not  be  shown  for
-       most files. (See CONFORMANCE TO POSIX 1003.1e DRAFT STANDARD 17 below.)
-       Lines  5, 7 and 10 correspond to the user, group and other fields of the file mode permission bits. These three are
-       called the base ACL entries. Lines 6 and 8 are named user and named group entries. Line 9 is the  effective  rights
-       mask.  This  entry limits the effective rights granted to all groups and to named users. (The file owner and others
-       permissions are not affected by the effective rights mask; all  other  entries  are.)   Lines  11--15  display  the
-       default  ACL associated with this directory. Directories may have a default ACL. Regular files never have a default
-       ACL.
-       The default behavior for getfacl is to display both the ACL and the default ACL, and to include an effective rights
-       comment for lines where the rights of the entry differ from the effective rights.
-       If output is to a terminal, the effective rights comment is aligned to column 40. Otherwise, a single tab character
-       separates the ACL entry and the effective rights comment.
-       The ACL listings of multiple files are separated by blank lines.  The output of getfacl can also be used  as  input
-       to setfacl.
-   PERMISSIONS
-       Process  with  search access to a file (i.e., processes with read access to the containing directory of a file) are
-       also granted read access to the file's ACLs.  This is analogous to the permissions required for accessing the  file
-       mode.
-OPTIONS
-       -a, --access
-           Display the file access control list.
-       -d, --default
-           Display the default access control list.
-       -c, --omit-header
-           Do not display the comment header (the first three lines of each file's output).
-       -e, --all-effective
-           Print all effective rights comments, even if identical to the rights defined by the ACL entry.
-       -E, --no-effective
-           Do not print effective rights comments.
-       -s, --skip-base
-           Skip files that only have the base ACL entries (owner, group, others).
-       -R, --recursive
-           List the ACLs of all files and directories recursively.
-       -L, --logical
-           Logical  walk, follow symbolic links to directories. The default behavior is to follow symbolic link arguments,
-           and skip symbolic links encountered in subdirectories.  Only effective in combination with -R.
-       -P, --physical
-           Physical walk, do not follow symbolic links to directories. This also  skips  symbolic  link  arguments.   Only
-           effective in combination with -R.
-       -t, --tabular
-           Use  an  alternative tabular output format. The ACL and the default ACL are displayed side by side. Permissions
-           that are ineffective due to the ACL mask  entry  are  displayed  capitalized.  The  entry  tag  names  for  the
-           ACL_USER_OBJ  and  ACL_GROUP_OBJ  entries  are also displayed in capital letters, which helps in spotting those
-           entries.
-       -p, --absolute-names
-           Do not strip leading slash characters (`/'). The default behavior is to strip leading slash characters.
-       -n, --numeric
-           List numeric user and group IDs
-       -v, --version
-           Print the version of getfacl and exit.
-       -h, --help
-           Print help explaining the command line options.
-       --  End of command line options. All remaining parameters are interpreted as file names, even if they start with  a
-           dash character.
-       -   If the file name parameter is a single dash character, getfacl reads a list of files from standard input.
-CONFORMANCE TO POSIX 1003.1e DRAFT STANDARD 17
-       If  the  environment  variable POSIXLY_CORRECT is defined, the default behavior of getfacl changes in the following
-       ways: Unless otherwise specified, only the ACL is printed. The default ACL is only printed  if  the  -d  option  is
-       given. If no command line parameter is given, getfacl behaves as if it was invoked as ``getfacl -''.  No flags com‐
-       ments indicating the setuid, setgit, and sticky bits are generated.
-AUTHOR
-       Andreas Gruenbacher, <a.gruenbacher@bestbits.at>.
-       Please send your bug reports and comments to the above address.
-SEE ALSO
-       setfacl(1), acl(5)
-May 2000                                            ACL File Utilities                                          GETFACL(1)
 </code>
+====== Ссылки ======
+**[[http://help.ubuntu.ru/wiki/access_control_list|Access Control List - списки контроля доступа]]**
-====== Ссылки ======
 [[http://www.calculate-linux.org/main/ru/setting_filesystem_acl|Настройка прав доступа ACL]]
-[[http://help.ubuntu.ru/wiki/access_control_list|Access Control List - списки контроля доступа]]
 [[https://help.ubuntu.com/community/FilePermissionsACLs|File Permissions ACLs]]

Мозаика системного администрирования

Инструменты пользователя

Инструменты сайта

Различия

Инструменты страницы