This shows the differences between two versions of this page.
posix_acl:posix_acl [2018-06-21 14:12] GreyWolf [Links]
posix_acl:posix_acl [2018-07-13 16:07] (current) GreyWolf [setfacl]
Строка 2: | Строка 2: | ||
Управление списками доступа POSIX ACL (Access Control Lists). | Управление списками доступа POSIX ACL (Access Control Lists). | ||
+ | |||
+ | http://savannah.nongnu.org/projects/acl/ | ||
[[https://wiki.debian.org/Permissions#Access_Control_Lists_in_Linux|Access Control Lists in Linux]] | [[https://wiki.debian.org/Permissions#Access_Control_Lists_in_Linux|Access Control Lists in Linux]] | ||
- | Использование в [[samba:samba#ntfs-acls|Samba]] | + | [[samba:samba#ntfs-acls|Использование в Samba]] |
- | Графический интерфейс: [[Eiciel:Eiciel|Eiciel]] | + | [[Eiciel:Eiciel|Графический интерфейс Eiciel]] |
- | <code> | + | ====== Порядок определения доступа ====== |
- | ACL(5) BSD File Formats Manual ACL(5) | + | |
- | NAME | + | Может ли пользователь выполнить действие над файлом или папкой определяются следующим образом: |
- | acl — Access Control Lists | + | - Используются права владельца, если пользователь им является. |
+ | - Используются права, указанные конкретно для этого пользователя. | ||
+ | - Если действие разрешено хотя бы для одной из группы в которую входит пользователь. | ||
+ | - Если пользователь не входит ни в одну группу описанную в ACL, то используются права для other. | ||
- | DESCRIPTION | ||
- | This manual page describes POSIX Access Control Lists, which are used to define more fine-grained discretionary | ||
- | access rights for files and directories. | ||
- | ACL TYPES | ||
- | Every object can be thought of as having associated with it an ACL that governs the discretionary access to that | ||
- | object; this ACL is referred to as an access ACL. In addition, a directory may have an associated ACL that governs | ||
- | the initial access ACL for objects created within that directory; this ACL is referred to as a default ACL. | ||
- | |||
- | ACL ENTRIES | ||
- | An ACL consists of a set of ACL entries. An ACL entry specifies the access permissions on the associated object for | ||
- | an individual user or a group of users as a combination of read, write and search/execute permissions. | ||
- | |||
- | An ACL entry contains an entry tag type, an optional entry tag qualifier, and a set of permissions. We use the term | ||
- | qualifier to denote the entry tag qualifier of an ACL entry. | ||
- | |||
- | The qualifier denotes the identifier of a user or a group, for entries with tag types of ACL_USER or ACL_GROUP, | ||
- | respectively. Entries with tag types other than ACL_USER or ACL_GROUP have no defined qualifiers. | ||
- | |||
- | The following entry tag types are defined: | ||
- | |||
- | ACL_USER_OBJ The ACL_USER_OBJ entry denotes access rights for the file owner. | ||
- | |||
- | ACL_USER ACL_USER entries denote access rights for users identified by the entry's qualifier. | ||
- | |||
- | ACL_GROUP_OBJ The ACL_GROUP_OBJ entry denotes access rights for the file group. | ||
- | |||
- | ACL_GROUP ACL_GROUP entries denote access rights for groups identified by the entry's qualifier. | ||
- | |||
- | ACL_MASK The ACL_MASK entry denotes the maximum access rights that can be granted by entries of type | ||
- | ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP. | ||
- | |||
- | ACL_OTHER The ACL_OTHER entry denotes access rights for processes that do not match any other entry in | ||
- | the ACL. | ||
- | |||
- | When an access check is performed, the ACL_USER_OBJ and ACL_USER entries are tested against the effective user ID. | ||
- | The effective group ID, as well as all supplementary group IDs are tested against the ACL_GROUP_OBJ and ACL_GROUP | ||
- | entries. | ||
- | |||
- | VALID ACLs | ||
- | A valid ACL contains exactly one entry with each of the ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER tag types. Entries | ||
- | with ACL_USER and ACL_GROUP tag types may appear zero or more times in an ACL. An ACL that contains entries of | ||
- | ACL_USER or ACL_GROUP tag types must contain exactly one entry of the ACL_MASK tag type. If an ACL contains no | ||
- | entries of ACL_USER or ACL_GROUP tag types, the ACL_MASK entry is optional. | ||
- | |||
- | All user ID qualifiers must be unique among all entries of ACL_USER tag type, and all group IDs must be unique among | ||
- | all entries of ACL_GROUP tag type. | ||
- | |||
- | The acl_get_file() function returns an ACL with zero ACL entries as the default ACL of a directory, if the direc‐ | ||
- | tory is not associated with a default ACL. The acl_set_file() function also accepts an ACL with zero ACL entries as a | ||
- | valid default ACL for directories, denoting that the directory shall not be associated with a default ACL. This is | ||
- | equivalent to using the acl_delete_def_file() function. | ||
- | |||
- | CORRESPONDENCE BETWEEN ACL ENTRIES AND FILE PERMISSION BITS | ||
- | The permissions defined by ACLs are a superset of the permissions specified by the file permission bits. | ||
- | |||
- | There is a correspondence between the file owner, group, and other permissions and specific ACL entries: the owner | ||
- | permissions correspond to the permissions of the ACL_USER_OBJ entry. If the ACL has an ACL_MASK entry, the group per‐ | ||
- | missions correspond to the permissions of the ACL_MASK entry. Otherwise, if the ACL has no ACL_MASK entry, the group | ||
- | permissions correspond to the permissions of the ACL_GROUP_OBJ entry. The other permissions correspond to the per‐ | ||
- | missions of the ACL_OTHER_OBJ entry. | ||
- | |||
- | The file owner, group, and other permissions always match the permissions of the corresponding ACL entry. Modifica‐ | ||
- | tion of the file permission bits results in the modification of the associated ACL entries, and modification of these | ||
- | ACL entries results in the modification of the file permission bits. | ||
- | |||
- | OBJECT CREATION AND DEFAULT ACLs | ||
- | The access ACL of a file object is initialized when the object is created with any of the creat(), mkdir(), mknod(), | ||
- | mkfifo(), or open() functions. If a default ACL is associated with a directory, the mode parameter to the functions | ||
- | creating file objects and the default ACL of the directory are used to determine the ACL of the new object: | ||
- | |||
- | 1. The new object inherits the default ACL of the containing directory as its access ACL. | ||
- | |||
- | 2. The access ACL entries corresponding to the file permission bits are modified so that they contain no permis‐ | ||
- | sions that are not contained in the permissions specified by the mode parameter. | ||
- | |||
- | If no default ACL is associated with a directory, the mode parameter to the functions creating file objects and the | ||
- | file creation mask (see umask(2)) are used to determine the ACL of the new object: | ||
- | |||
- | 1. The new object is assigned an access ACL containing entries of tag types ACL_USER_OBJ, ACL_GROUP_OBJ, and | ||
- | ACL_OTHER. The permissions of these entries are set to the permissions specified by the file creation mask. | ||
- | |||
- | 2. The access ACL entries corresponding to the file permission bits are modified so that they contain no permis‐ | ||
- | sions that are not contained in the permissions specified by the mode parameter. | ||
- | |||
- | ACCESS CHECK ALGORITHM | ||
- | A process may request read, write, or execute/search access to a file object protected by an ACL. The access check | ||
- | algorithm determines whether access to the object will be granted. | ||
- | |||
- | 1. If the effective user ID of the process matches the user ID of the file object owner, then | ||
- | |||
- | if the ACL_USER_OBJ entry contains the requested permissions, access is granted, | ||
- | |||
- | else access is denied. | ||
- | |||
- | 2. else if the effective user ID of the process matches the qualifier of any entry of type ACL_USER, then | ||
- | |||
- | if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted, | ||
- | |||
- | else access is denied. | ||
- | |||
- | 3. else if the effective group ID or any of the supplementary group IDs of the process match the file group or the | ||
- | qualifier of any entry of type ACL_GROUP, then | ||
- | |||
- | if the ACL contains an ACL_MASK entry, then | ||
- | |||
- | if the ACL_MASK entry and any of the matching ACL_GROUP_OBJ or ACL_GROUP entries contain the requested | ||
- | permissions, access is granted, | ||
- | |||
- | else access is denied. | ||
- | |||
- | else (note that there can be no ACL_GROUP entries without an ACL_MASK entry) | ||
- | |||
- | if the ACL_GROUP_OBJ entry contains the requested permissions, access is granted, | ||
- | |||
- | else access is denied. | ||
- | |||
- | 4. else if the ACL_OTHER entry contains the requested permissions, access is granted. | ||
- | |||
- | 5. else access is denied. | ||
- | |||
- | ACL TEXT FORMS | ||
- | A long and a short text form for representing ACLs is defined. In both forms, ACL entries are represented as three | ||
- | colon separated fields: an ACL entry tag type, an ACL entry qualifier, and the discretionary access permissions. The | ||
- | first field contains one of the following entry tag type keywords: | ||
- | |||
- | user A user ACL entry specifies the access granted to either the file owner (entry tag type ACL_USER_OBJ) or | ||
- | a specified user (entry tag type ACL_USER). | ||
- | |||
- | group A group ACL entry specifies the access granted to either the file group (entry tag type ACL_GROUP_OBJ) | ||
- | or a specified group (entry tag type ACL_GROUP). | ||
- | |||
- | mask A mask ACL entry specifies the maximum access which can be granted by any ACL entry except the user | ||
- | entry for the file owner and the other entry (entry tag type ACL_MASK). | ||
- | |||
- | other An other ACL entry specifies the access granted to any process that does not match any user or group | ||
- | ACL entries (entry tag type ACL_OTHER). | ||
- | |||
- | The second field contains the user or group identifier of the user or group associated with the ACL entry for entries | ||
- | of entry tag type ACL_USER or ACL_GROUP, and is empty for all other entries. A user identifier can be a user name or | ||
- | a user ID number in decimal form. A group identifier can be a group name or a group ID number in decimal form. | ||
- | |||
- | The third field contains the discretionary access permissions. The read, write and search/execute permissions are | ||
- | represented by the r, w, and x characters, in this order. Each of these characters is replaced by the - character to | ||
- | denote that a permission is absent in the ACL entry. When converting from the text form to the internal representa‐ | ||
- | tion, permissions that are absent need not be specified. | ||
- | |||
- | White space is permitted at the beginning and end of each ACL entry, and immediately before and after a field separa‐ | ||
- | tor (the colon character). | ||
- | |||
- | LONG TEXT FORM | ||
- | The long text form contains one ACL entry per line. In addition, a number sign (#) may start a comment that extends | ||
- | until the end of the line. If an ACL_USER, ACL_GROUP_OBJ or ACL_GROUP ACL entry contains permissions that are not | ||
- | also contained in the ACL_MASK entry, the entry is followed by a number sign, the string “effective:”, and the effec‐ | ||
- | tive access permissions defined by that entry. This is an example of the long text form: | ||
- | |||
- | user::rw- | ||
- | user:lisa:rw- #effective:r-- | ||
- | group::r-- | ||
- | group:toolies:rw- #effective:r-- | ||
- | mask::r-- | ||
- | other::r-- | ||
- | |||
- | SHORT TEXT FORM | ||
- | The short text form is a sequence of ACL entries separated by commas, and is used for input. Comments are not sup‐ | ||
- | ported. Entry tag type keywords may either appear in their full unabbreviated form, or in their single letter abbre‐ | ||
- | viated form. The abbreviation for user is u, the abbreviation for group is g, the abbreviation for mask is m, and the | ||
- | abbreviation for other is o. The permissions may contain at most one each of the following characters in any order: | ||
- | r, w, x. These are examples of the short text form: | ||
- | |||
- | u::rw-,u:lisa:rw-,g::r--,g:toolies:rw-,m::r--,o::r-- | ||
- | g:toolies:rw,u:lisa:rw,u::wr,g::r,o::r,m::r | ||
- | |||
- | RATIONALE | ||
- | IEEE 1003.1e draft 17 defines Access Control Lists that include entries of tag type ACL_MASK, and defines a mapping | ||
- | between file permission bits that is not constant. The standard working group defined this relatively complex inter‐ | ||
- | face in order to ensure that applications that are compliant with IEEE 1003.1 (“POSIX.1”) will still function as | ||
- | expected on systems with ACLs. The IEEE 1003.1e draft 17 contains the rationale for choosing this interface in sec‐ | ||
- | tion B.23. | ||
- | |||
- | CHANGES TO THE FILE UTILITIES | ||
- | On a system that supports ACLs, the file utilities ls(1), cp(1), and mv(1) change their behavior in the following | ||
- | way: | ||
- | |||
- | · For files that have a default ACL or an access ACL that contains more than the three required ACL entries, the | ||
- | ls(1) utility in the long form produced by ls -l displays a plus sign (+) after the permission string. | ||
- | |||
- | · If the -p flag is specified, the cp(1) utility also preserves ACLs. If this is not possible, a warning is pro‐ | ||
- | duced. | ||
- | |||
- | · The mv(1) utility always preserves ACLs. If this is not possible, a warning is produced. | ||
- | |||
- | The effect of the chmod(1) utility, and of the chmod(2) system call, on the access ACL is described in CORRESPONDENCE | ||
- | BETWEEN ACL ENTRIES AND FILE PERMISSION BITS. | ||
- | |||
- | STANDARDS | ||
- | The IEEE 1003.1e draft 17 (“POSIX.1e”) document describes several security extensions to the IEEE 1003.1 standard. | ||
- | While the work on 1003.1e has been abandoned, many UNIX style systems implement parts of POSIX.1e draft 17, or of | ||
- | earlier drafts. | ||
- | |||
- | Linux Access Control Lists implement the full set of functions and utilities defined for Access Control Lists in | ||
- | POSIX.1e, and several extensions. The implementation is fully compliant with POSIX.1e draft 17; extensions are | ||
- | marked as such. The Access Control List manipulation functions are defined in the ACL library (libacl, -lacl). The | ||
- | POSIX compliant interfaces are declared in the <sys/acl.h> header. Linux-specific extensions to these functions are | ||
- | declared in the <acl/libacl.h> header. | ||
- | |||
- | SEE ALSO | ||
- | chmod(1), creat(2), getfacl(1), ls(1), mkdir(2), mkfifo(2), mknod(2), open(2), setfacl(1), stat(2), umask(1) | ||
- | |||
- | POSIX 1003.1e DRAFT 17 | ||
- | http://www.guug.de/~winni/posix.1e/download.html | ||
- | |||
- | POSIX 1003.1e FUNCTIONS BY CATEGORY | ||
- | ACL storage management | ||
- | acl_dup(3), acl_free(3), acl_init(3) | ||
- | |||
- | ACL entry manipulation | ||
- | acl_copy_entry(3), acl_create_entry(3), acl_delete_entry(3), acl_get_entry(3), acl_valid(3) | ||
- | |||
- | acl_add_perm(3), acl_calc_mask(3), acl_clear_perms(3), acl_delete_perm(3), acl_get_permset(3), | ||
- | acl_set_permset(3) | ||
- | |||
- | acl_get_qualifier(3), acl_get_tag_type(3), acl_set_qualifier(3), acl_set_tag_type(3) | ||
- | |||
- | ACL manipulation on an object | ||
- | acl_delete_def_file(3), acl_get_fd(3), acl_get_file(3), acl_set_fd(3), acl_set_file(3) | ||
- | |||
- | ACL format translation | ||
- | acl_copy_entry(3), acl_copy_ext(3), acl_from_text(3), acl_to_text(3), acl_size(3) | ||
- | |||
- | POSIX 1003.1e FUNCTIONS BY AVAILABILITY | ||
- | The first group of functions is supported on most systems with POSIX-like access control lists, while the second | ||
- | group is supported on fewer systems. For applications that will be ported the second group is best avoided. | ||
- | |||
- | acl_delete_def_file(3), acl_dup(3), acl_free(3), acl_from_text(3), acl_get_fd(3), acl_get_file(3), acl_init(3), | ||
- | acl_set_fd(3), acl_set_file(3), acl_to_text(3), acl_valid(3) | ||
- | |||
- | acl_add_perm(3), acl_calc_mask(3), acl_clear_perms(3), acl_copy_entry(3), acl_copy_ext(3), acl_copy_int(3), | ||
- | acl_create_entry(3), acl_delete_entry(3), acl_delete_perm(3), acl_get_entry(3), acl_get_permset(3), | ||
- | acl_get_qualifier(3), acl_get_tag_type(3), acl_set_permset(3), acl_set_qualifier(3), acl_set_tag_type(3), acl_size(3) | ||
- | |||
- | LINUX EXTENSIONS | ||
- | These non-portable extensions are available on Linux systems. | ||
- | |||
- | acl_check(3), acl_cmp(3), acl_entries(3), acl_equiv_mode(3), acl_error(3), acl_extended_fd(3), acl_extended_file(3), | ||
- | acl_extended_file_nofollow(3), acl_from_mode(3), acl_get_perm(3), acl_to_any_text(3) | ||
- | |||
- | AUTHOR | ||
- | Andreas Gruenbacher, <a.gruenbacher@bestbits.at> | ||
- | |||
- | Linux ACL March 23, 2002 Linux ACL | ||
- | </code> | ||
====== Установка ====== | ====== Установка ====== | ||
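Review bot: the new «Порядок определения доступа» list in this hunk leaves out the mask entry, which the acl(5) text being removed spells out in ACCESS CHECK ALGORITHM steps 2 and 3: a named-user entry (item 2) and any matching owning-group or named-group entry (item 3) grant only the permissions they share with the ACL_MASK entry, which is why `user:lisa:rw-` under `mask::r--` shows `#effective:r--` in the long-text example. Suggest saying in items 2 and 3 that the rights are limited by mask, and saying in item 3 that the file's owning group counts alongside the named groups. Item 1 is also terminal in the algorithm: if the caller is the owner and the `user::` entry lacks the permission, access is denied without looking at group or other entries, which the current wording only implies. Minor: «определяются» should agree with «Может ли пользователь выполнить действие» (определяется).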
Строка 275: | Строка 28: | ||
Для того, чтобы проверить поддерживаются ли списки доступа (ACL) нужно выполнить команду: | Для того, чтобы проверить поддерживаются ли списки доступа (ACL) нужно выполнить команду: | ||
<code bash> | <code bash> | ||
- | tune2fs -l /dev/sdaX |grep acl | + | tune2fs -l /dev/sdaX | grep acl |
</code> | </code> | ||
- | ''/dev/sdaX'' имя устройства. | + | где''/dev/sdaX'' это имя устройства. |
+ | |||
+ | Для систем с [[lvm:lvm|LVM]] нужно использовать такой вариант: | ||
+ | <code bash> | ||
+ | tune2fs -l /dev/mapper/vg01-home | grep acl | ||
+ | </code> | ||
+ | где ''/dev/mapper/vg01-home'' это имя логического тома | ||
Если ACL поддерживаются то в выводе команды будет примерно это: | Если ACL поддерживаются то в выводе команды будет примерно это: | ||
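Review bot: the `tune2fs -l ... | grep acl` check in this hunk, for both the plain device and the LVM volume, only reads the default mount options recorded in an ext2/3/4 superblock; it prints nothing useful for XFS, Btrfs or other filesystems and does not show whether the mounted filesystem currently honours ACLs. Worth adding one sentence that the check is ext-specific and that trying `setfacl -m` on a scratch file is the practical confirmation: the setfacl(1) text removed in the next hunk says that on a filesystem without ACL support setfacl falls back to the mode bits, prints an error and exits non-zero. Style: «где''/dev/sdaX''» needs a space after «где», and the line after the LVM block should end with a period like the one above it.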
Строка 287: | Строка 46: | ||
====== setfacl ====== | ====== setfacl ====== | ||
Установка прав доступа | Установка прав доступа | ||
- | <code> | ||
- | SETFACL(1) Access Control Lists SETFACL(1) | ||
- | NAME | + | FIXME |
- | setfacl - set file access control lists | + | |
- | SYNOPSIS | + | Пример: |
- | setfacl [-bkndRLPvh] [{-m|-x} acl_spec] [{-M|-X} acl_file] file ... | + | |
- | setfacl --restore=file | + | Рекурсивно ''-R'' удаляем существующие права ''-b'' и из файла ''-M'' заданного в ''$acl_file'' применяем права и умолчания. |
- | DESCRIPTION | + | <code bash acl_share01.sh> |
- | This utility sets Access Control Lists (ACLs) of files and directories. On the command line, a sequence of com‐ | + | #!/bin/bash |
- | mands is followed by a sequence of files (which in turn can be followed by another sequence of commands, ...). | + | |
- | The options -m, and -x expect an ACL on the command line. Multiple ACL entries are separated by comma characters | + | # Путь |
- | (`,'). The options -M, and -X read an ACL from a file or from standard input. The ACL entry format is described in | + | path=/srv/share01 |
- | Section ACL ENTRIES. | + | |
- | The --set and --set-file options set the ACL of a file or a directory. The previous ACL is replaced. ACL entries | + | # Права |
- | for this operation must include permissions. | + | acl_file=/tmp/tmp.acl |
+ | cat << 'EOF' |tee $acl_file | ||
+ | user::rwx | ||
+ | group::rwx | ||
+ | group:Group_F:rwx | ||
+ | group:Group_R:r-x | ||
+ | user:User_F:rwx | ||
+ | user:User_R:r-x | ||
+ | mask::rwx | ||
+ | other::--- | ||
+ | default:group:Group_F:rwx | ||
+ | default:group:Group_R:r-x | ||
+ | default:user:User_F:rwx | ||
+ | default:user:User_R:r-x | ||
+ | default:mask::rwx | ||
+ | default:other::--- | ||
+ | EOF | ||
- | The -m (--modify) and -M (--modify-file) options modify the ACL of a file or directory. ACL entries for this oper‐ | + | setfacl -b $path |
- | ation must include permissions. | + | setfacl -R -b -M $acl_file $path |
- | The -x (--remove) and -X (--remove-file) options remove ACL entries. It is not an error to remove an entry which | + | rm $acl_file |
- | does not exist. Only ACL entries without the perms field are accepted as parameters, unless POSIXLY_CORRECT is | + | |
- | defined. | + | |
- | + | ||
- | When reading from files using the -M, and -X options, setfacl accepts the output getfacl produces. There is at | + | |
- | most one ACL entry per line. After a Pound sign (`#'), everything up to the end of the line is treated as a com‐ | + | |
- | ment. | + | |
- | + | ||
- | If setfacl is used on a file system which does not support ACLs, setfacl operates on the file mode permission bits. | + | |
- | If the ACL does not fit completely in the permission bits, setfacl modifies the file mode permission bits to | + | |
- | reflect the ACL as closely as possible, writes an error message to standard error, and returns with an exit status | + | |
- | greater than 0. | + | |
- | + | ||
- | PERMISSIONS | + | |
- | The file owner and processes capable of CAP_FOWNER are granted the right to modify ACLs of a file. This is analo‐ | + | |
- | gous to the permissions required for accessing the file mode. (On current Linux systems, root is the only user with | + | |
- | the CAP_FOWNER capability.) | + | |
- | + | ||
- | OPTIONS | + | |
- | -b, --remove-all | + | |
- | Remove all extended ACL entries. The base ACL entries of the owner, group and others are retained. | + | |
- | + | ||
- | -k, --remove-default | + | |
- | Remove the Default ACL. If no Default ACL exists, no warnings are issued. | + | |
- | + | ||
- | -n, --no-mask | + | |
- | Do not recalculate the effective rights mask. The default behavior of setfacl is to recalculate the ACL mask | + | |
- | entry, unless a mask entry was explicitly given. The mask entry is set to the union of all permissions of the | + | |
- | owning group, and all named user and group entries. (These are exactly the entries affected by the mask entry). | + | |
- | + | ||
- | --mask | + | |
- | Do recalculate the effective rights mask, even if an ACL mask entry was explicitly given. (See the -n option.) | + | |
- | + | ||
- | -d, --default | + | |
- | All operations apply to the Default ACL. Regular ACL entries in the input set are promoted to Default ACL | + | |
- | entries. Default ACL entries in the input set are discarded. (A warning is issued if that happens). | + | |
- | + | ||
- | --restore=file | + | |
- | Restore a permission backup created by `getfacl -R' or similar. All permissions of a complete directory subtree | + | |
- | are restored using this mechanism. If the input contains owner comments or group comments, setfacl attempts to | + | |
- | restore the owner and owning group. If the input contains flags comments (which define the setuid, setgid, and | + | |
- | sticky bits), setfacl sets those three bits accordingly; otherwise, it clears them. This option cannot be mixed | + | |
- | with other options except `--test'. | + | |
- | + | ||
- | --test | + | |
- | Test mode. Instead of changing the ACLs of any files, the resulting ACLs are listed. | + | |
- | + | ||
- | -R, --recursive | + | |
- | Apply operations to all files and directories recursively. This option cannot be mixed with `--restore'. | + | |
- | + | ||
- | -L, --logical | + | |
- | Logical walk, follow symbolic links to directories. The default behavior is to follow symbolic link arguments, | + | |
- | and skip symbolic links encountered in subdirectories. Only effective in combination with -R. This option | + | |
- | cannot be mixed with `--restore'. | + | |
- | + | ||
- | -P, --physical | + | |
- | Physical walk, do not follow symbolic links to directories. This also skips symbolic link arguments. Only | + | |
- | effective in combination with -R. This option cannot be mixed with `--restore'. | + | |
- | + | ||
- | -v, --version | + | |
- | Print the version of setfacl and exit. | + | |
- | + | ||
- | -h, --help | + | |
- | Print help explaining the command line options. | + | |
- | + | ||
- | -- End of command line options. All remaining parameters are interpreted as file names, even if they start with a | + | |
- | dash. | + | |
- | + | ||
- | - If the file name parameter is a single dash, setfacl reads a list of files from standard input. | + | |
- | + | ||
- | ACL ENTRIES | + | |
- | The setfacl utility recognizes the following ACL entry formats (blanks inserted for clarity): | + | |
- | + | ||
- | [d[efault]:] [u[ser]:]uid [:perms] | + | |
- | Permissions of a named user. Permissions of the file owner if uid is empty. | + | |
- | + | ||
- | [d[efault]:] g[roup]:gid [:perms] | + | |
- | Permissions of a named group. Permissions of the owning group if gid is empty. | + | |
- | + | ||
- | [d[efault]:] m[ask][:] [:perms] | + | |
- | Effective rights mask | + | |
- | + | ||
- | [d[efault]:] o[ther][:] [:perms] | + | |
- | Permissions of others. | + | |
- | + | ||
- | Whitespace between delimiter characters and non-delimiter characters is ignored. | + | |
- | + | ||
- | Proper ACL entries including permissions are used in modify and set operations. (options -m, -M, --set and --set- | + | |
- | file). Entries without the perms field are used for deletion of entries (options -x and -X). | + | |
- | + | ||
- | For uid and gid you can specify either a name or a number. | + | |
- | + | ||
- | The perms field is a combination of characters that indicate the permissions: read (r), write (w), execute (x), | + | |
- | execute only if the file is a directory or already has execute permission for some user (X). Alternatively, the | + | |
- | perms field can be an octal digit (0-7). | + | |
- | + | ||
- | AUTOMATICALLY CREATED ENTRIES | + | |
- | Initially, files and directories contain only the three base ACL entries for the owner, the group, and others. | + | |
- | There are some rules that need to be satisfied in order for an ACL to be valid: | + | |
- | + | ||
- | * The three base entries cannot be removed. There must be exactly one entry of each of these base entry types. | + | |
- | + | ||
- | * Whenever an ACL contains named user entries or named group objects, it must also contain an effective rights | + | |
- | mask. | + | |
- | + | ||
- | * Whenever an ACL contains any Default ACL entries, the three Default ACL base entries (default owner, default | + | |
- | group, and default others) must also exist. | + | |
- | + | ||
- | * Whenever a Default ACL contains named user entries or named group objects, it must also contain a default | + | |
- | effective rights mask. | + | |
- | + | ||
- | To help the user ensure these rules, setfacl creates entries from existing entries under the following conditions: | + | |
- | + | ||
- | * If an ACL contains named user or named group entries, and no mask entry exists, a mask entry containing the | + | |
- | same permissions as the group entry is created. Unless the -n option is given, the permissions of the mask | + | |
- | entry are further adjusted to include the union of all permissions affected by the mask entry. (See the -n | + | |
- | option description). | + | |
- | + | ||
- | * If a Default ACL entry is created, and the Default ACL contains no owner, owning group, or others entry, a copy | + | |
- | of the ACL owner, owning group, or others entry is added to the Default ACL. | + | |
- | + | ||
- | * If a Default ACL contains named user entries or named group entries, and no mask entry exists, a mask entry | + | |
- | containing the same permissions as the default Default ACL's group entry is added. Unless the -n option is | + | |
- | given, the permissions of the mask entry are further adjusted to inclu de the union of all permissions affected | + | |
- | by the mask entry. (See the -n option description). | + | |
- | + | ||
- | EXAMPLES | + | |
- | Granting an additional user read access | + | |
- | setfacl -m u:lisa:r file | + | |
- | + | ||
- | Revoking write access from all groups and all named users (using the effective rights mask) | + | |
- | setfacl -m m::rx file | + | |
- | + | ||
- | Removing a named group entry from a file's ACL | + | |
- | setfacl -x g:staff file | + | |
- | + | ||
- | Copying the ACL of one file to another | + | |
- | getfacl file1 | setfacl --set-file=- file2 | + | |
- | + | ||
- | Copying the access ACL into the Default ACL | + | |
- | getfacl --access dir | setfacl -d -M- dir | + | |
- | + | ||
- | CONFORMANCE TO POSIX 1003.1e DRAFT STANDARD 17 | + | |
- | If the environment variable POSIXLY_CORRECT is defined, the default behavior of setfacl changes as follows: All | + | |
- | non-standard options are disabled. The ``default:'' prefix is disabled. The -x and -X options also accept permis‐ | + | |
- | sion fields (and ignore them). | + | |
- | + | ||
- | AUTHOR | + | |
- | Andreas Gruenbacher, <a.gruenbacher@bestbits.at>. | + | |
- | + | ||
- | Please send your bug reports, suggested features and comments to the above address. | + | |
- | + | ||
- | SEE ALSO | + | |
- | getfacl(1), chmod(1), umask(1), acl(5) | + | |
- | + | ||
- | May 2000 ACL File Utilities SETFACL(1) | + | |
</code> | </code> | ||
- | |||
- | Пример: | ||
- | <code bash> | ||
- | setfacl -R -b -m g:Group_F:rwx,g:Group_R:rx,default:g:Group_F:rwx,default:g:Group_R:rx,default:other:--- /srv/share01 | ||
- | </code> | ||
- | Рекурсивно ''-R'' удаляем существующие права ''-b'' и добавляем заданные права, устанавливаем умолчания. | ||
- | * ''Group_F'' полные права | ||
- | * ''Group_R'' только чтение | ||
- | * ''other'' = нет доступа | ||
====== getfacl ====== | ====== getfacl ====== | ||
- | |||
FIXME | FIXME | ||
- | <code> | + | Отображение списка контроля доступа к файлам и папкам. |
- | GETFACL(1) Access Control Lists GETFACL(1) | + | |
- | NAME | + | ===== Сохранение списка прав в файл ===== |
- | getfacl - get file access control lists | + | |
- | SYNOPSIS | + | <code bash> |
- | getfacl [-aceEsRLPtpndvh] file ... | + | getfacl -R ИМЯ_ОБЪЕКТА > ИМЯ_ОБЪЕКТА.acl |
- | + | ||
- | getfacl [-aceEsRLPtpndvh] - | + | |
- | + | ||
- | DESCRIPTION | + | |
- | For each file, getfacl displays the file name, owner, the group, and the Access Control List (ACL). If a directory | + | |
- | has a default ACL, getfacl also displays the default ACL. Non-directories cannot have default ACLs. | + | |
- | + | ||
- | If getfacl is used on a file system that does not support ACLs, getfacl displays the access permissions defined by | + | |
- | the traditional file mode permission bits. | + | |
- | + | ||
- | The output format of getfacl is as follows: | + | |
- | 1: # file: somedir/ | + | |
- | 2: # owner: lisa | + | |
- | 3: # group: staff | + | |
- | 4: # flags: -s- | + | |
- | 5: user::rwx | + | |
- | 6: user:joe:rwx #effective:r-x | + | |
- | 7: group::rwx #effective:r-x | + | |
- | 8: group:cool:r-x | + | |
- | 9: mask::r-x | + | |
- | 10: other::r-x | + | |
- | 11: default:user::rwx | + | |
- | 12: default:user:joe:rwx #effective:r-x | + | |
- | 13: default:group::r-x | + | |
- | 14: default:mask::r-x | + | |
- | 15: default:other::--- | + | |
- | + | ||
- | Lines 1--3 indicate the file name, owner, and owning group. | + | |
- | + | ||
- | Line 4 indicates the setuid (s), setgid (s), and sticky (t) bits: either the letter representing the bit, or else a | + | |
- | dash (-). This line is included if any of those bits is set and left out otherwise, so it will not be shown for | + | |
- | most files. (See CONFORMANCE TO POSIX 1003.1e DRAFT STANDARD 17 below.) | + | |
- | + | ||
- | Lines 5, 7 and 10 correspond to the user, group and other fields of the file mode permission bits. These three are | + | |
- | called the base ACL entries. Lines 6 and 8 are named user and named group entries. Line 9 is the effective rights | + | |
- | mask. This entry limits the effective rights granted to all groups and to named users. (The file owner and others | + | |
- | permissions are not affected by the effective rights mask; all other entries are.) Lines 11--15 display the | + | |
- | default ACL associated with this directory. Directories may have a default ACL. Regular files never have a default | + | |
- | ACL. | + | |
- | + | ||
- | The default behavior for getfacl is to display both the ACL and the default ACL, and to include an effective rights | + | |
- | comment for lines where the rights of the entry differ from the effective rights. | + | |
- | + | ||
- | If output is to a terminal, the effective rights comment is aligned to column 40. Otherwise, a single tab character | + | |
- | separates the ACL entry and the effective rights comment. | + | |
- | + | ||
- | The ACL listings of multiple files are separated by blank lines. The output of getfacl can also be used as input | + | |
- | to setfacl. | + | |
- | + | ||
- | PERMISSIONS | + | |
- | Process with search access to a file (i.e., processes with read access to the containing directory of a file) are | + | |
- | also granted read access to the file's ACLs. This is analogous to the permissions required for accessing the file | + | |
- | mode. | + | |
- | + | ||
- | OPTIONS | + | |
- | -a, --access | + | |
- | Display the file access control list. | + | |
- | + | ||
- | -d, --default | + | |
- | Display the default access control list. | + | |
- | + | ||
- | -c, --omit-header | + | |
- | Do not display the comment header (the first three lines of each file's output). | + | |
- | + | ||
- | -e, --all-effective | + | |
- | Print all effective rights comments, even if identical to the rights defined by the ACL entry. | + | |
- | + | ||
- | -E, --no-effective | + | |
- | Do not print effective rights comments. | + | |
- | + | ||
- | -s, --skip-base | + | |
- | Skip files that only have the base ACL entries (owner, group, others). | + | |
- | + | ||
- | -R, --recursive | + | |
- | List the ACLs of all files and directories recursively. | + | |
- | + | ||
- | -L, --logical | + | |
- | Logical walk, follow symbolic links to directories. The default behavior is to follow symbolic link arguments, | + | |
- | and skip symbolic links encountered in subdirectories. Only effective in combination with -R. | + | |
- | + | ||
- | -P, --physical | + | |
- | Physical walk, do not follow symbolic links to directories. This also skips symbolic link arguments. Only | + | |
- | effective in combination with -R. | + | |
- | + | ||
- | -t, --tabular | + | |
- | Use an alternative tabular output format. The ACL and the default ACL are displayed side by side. Permissions | + | |
- | that are ineffective due to the ACL mask entry are displayed capitalized. The entry tag names for the | + | |
- | ACL_USER_OBJ and ACL_GROUP_OBJ entries are also displayed in capital letters, which helps in spotting those | + | |
- | entries. | + | |
- | + | ||
- | -p, --absolute-names | + | |
- | Do not strip leading slash characters (`/'). The default behavior is to strip leading slash characters. | + | |
- | + | ||
- | -n, --numeric | + | |
- | List numeric user and group IDs | + | |
- | + | ||
- | -v, --version | + | |
- | Print the version of getfacl and exit. | + | |
- | + | ||
- | -h, --help | + | |
- | Print help explaining the command line options. | + | |
- | + | ||
- | -- End of command line options. All remaining parameters are interpreted as file names, even if they start with a | + | |
- | dash character. | + | |
- | + | ||
- | - If the file name parameter is a single dash character, getfacl reads a list of files from standard input. | + | |
- | + | ||
- | CONFORMANCE TO POSIX 1003.1e DRAFT STANDARD 17 | + | |
- | If the environment variable POSIXLY_CORRECT is defined, the default behavior of getfacl changes in the following | + | |
- | ways: Unless otherwise specified, only the ACL is printed. The default ACL is only printed if the -d option is | + | |
- | given. If no command line parameter is given, getfacl behaves as if it was invoked as ``getfacl -''. No flags com‐ | + | |
- | ments indicating the setuid, setgit, and sticky bits are generated. | + | |
- | + | ||
- | AUTHOR | + | |
- | Andreas Gruenbacher, <a.gruenbacher@bestbits.at>. | + | |
- | + | ||
- | Please send your bug reports and comments to the above address. | + | |
- | + | ||
- | SEE ALSO | + | |
- | setfacl(1), acl(5) | + | |
- | + | ||
- | May 2000 ACL File Utilities GETFACL(1) | + | |
</code> | </code> | ||
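Review bot: removing the whole embedded getfacl(1) man page also removes the only explanation on the page of the effective rights mask and the `#effective:` comments, which are exactly what a reader needs to interpret getfacl output: the sample listing lines `6: user:joe:rwx #effective:r-x` and `9: mask::r-x`, and the sentence "This entry limits the effective rights granted to all groups and to named users. (The file owner and others permissions are not affected by the effective rights mask; all other entries are.)". If the intent is to stop mirroring the full man page, consider keeping the 15-line sample output together with the paragraph describing lines 5 to 15 (base entries, named user/group entries, mask, default ACL), and the `-R`/`-L`/`-P` notes on symlink handling during recursive listing, rewritten in the page's own words, rather than relying entirely on the external links. Unrelated to the removal itself, the CONFORMANCE paragraph contains the typo "setgit" for "setgid"; if any of this text is retained elsewhere, fix it there.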
+ | ====== Ссылки ====== | ||
+ | **[[http://help.ubuntu.ru/wiki/access_control_list|Access Control List - списки контроля доступа]]** | ||
- | ====== Ссылки ====== | ||
[[http://www.calculate-linux.org/main/ru/setting_filesystem_acl|Настройка прав доступа ACL]] | [[http://www.calculate-linux.org/main/ru/setting_filesystem_acl|Настройка прав доступа ACL]] | ||
- | |||
- | [[http://help.ubuntu.ru/wiki/access_control_list|Access Control List - списки контроля доступа]] | ||
[[https://help.ubuntu.com/community/FilePermissionsACLs|File Permissions ACLs]] | [[https://help.ubuntu.com/community/FilePermissionsACLs|File Permissions ACLs]] |
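Review bot: after this change the three links under Ссылки sit on consecutive lines with no blank line between them (the empty line that preceded the ubuntu.ru link in the old version is removed), so DokuWiki will join them into a single paragraph and render all three links on one line; put an empty line between each link or make them a `*` list so they stay separate. The ubuntu.ru link is also moved to the top and made bold without any indication of why it is highlighted; if it is meant as the primary reference, a short label such as "(основная статья)" after it would make that explicit.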