Filesystem support
Check whether the filesystem supports ACLs:
❯ sudo tune2fs -l /dev/nvme0n1p5 | grep acl
Default mount options: user_xattr acl
If the acl mount option is missing, remount the filesystem with it:
mount -o remount,acl /dev/sda1
Basic operations
- Add ACL entries (user gavin gets rw, group test gets r):
  setfacl -m u:gavin:rw,g:test:r acl_test
- Remove an ACL entry (revoke the named user's access to the file):
  setfacl -x u:gavin: acl_test
- Remove all ACL entries from a file or directory:
  setfacl -b acl_test
- Replace the existing ACL entirely:
  setfacl --set u::rw,g::rw,o::r,u:gavin:rwx,g:test:rx acl_test
- Create a default ACL on a directory:
  setfacl -d -m g:test:r test
mask
A default ACL is set on a directory, and every file created inside that directory inherits it. The mask determines the maximum permissions that can be granted to ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP entries. From acl(5):

ACL_USER_OBJ The ACL_USER_OBJ entry denotes access rights for the file owner.
ACL_USER ACL_USER entries denote access rights for users identified by the entry's qualifier.
ACL_GROUP_OBJ The ACL_GROUP_OBJ entry denotes access rights for the file group.
ACL_GROUP ACL_GROUP entries denote access rights for groups identified by the entry's qualifier.
ACL_MASK The ACL_MASK entry denotes the maximum access rights that can be granted by entries of type ACL_USER, ACL_GROUP_OBJ, or ACL_GROUP.
ACL_OTHER The ACL_OTHER entry denotes access rights for processes that do not match any other entry in the ACL.

If an ACL contains ACL_USER or ACL_GROUP entries, it must also contain an ACL_MASK entry. Without ACL_USER and ACL_GROUP entries, ACL_MASK is optional.

There is a correspondence between the file owner, group, and other permissions and specific ACL entries: the owner permissions correspond to the permissions of the ACL_USER_OBJ entry. If the ACL has an ACL_MASK entry, the group permissions correspond to the permissions of the ACL_MASK entry. Otherwise, if the ACL has no ACL_MASK entry, the group permissions correspond to the permissions of the ACL_GROUP_OBJ entry. The other permissions correspond to the permissions of the ACL_OTHER_OBJ entry.

So, apart from the file owner, a user permission added with setfacl can never exceed the group permission shown in the mode bits: that group permission is the mask applied to every user added with setfacl.
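The mask rule above is easy to misread, so here is an added worked example (not part of the original notes) that applies it to a constructed getfacl listing. The sample text imitates what getfacl prints after the `--set` command from the basic operations section followed by `chmod g=r acl_test`, which lowers the mask to r--; the function names (parse_acl, effective_acl, mode_bits, validate) are hypothetical helpers written for this example, and the `#effective:` annotation they reproduce is the one getfacl itself prints for masked entries.

```python
"""Apply the acl(5) mask rule to a getfacl-style listing (added example)."""

# Constructed sample: roughly what `getfacl acl_test` prints after
#   setfacl --set u::rw,g::rw,o::r,u:gavin:rwx,g:test:rx acl_test
#   chmod g=r acl_test        # group bits == ACL_MASK, so the mask drops to r--
SAMPLE_GETFACL = """\
# file: acl_test
# owner: root
# group: root
user::rw-
user:gavin:rwx
group::rw-
group:test:r-x
mask::r--
other::r--
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(text):
    """'rwx' / 'r-x' / '---' -> integer bits; '-' contributes nothing."""
    bits = 0
    for ch in text:
        bits |= PERM_BITS.get(ch, 0)
    return bits


def format_perms(bits):
    """Integer bits -> the three-character rwx form used by getfacl and ls."""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def parse_acl(text):
    """Return a list of (tag, qualifier, bits) from getfacl output.

    tag is user/group/mask/other; an empty qualifier means the *_OBJ entry
    (file owner or owning group). Header lines and '#effective' comments are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '# file:' headers and '#effective:' notes
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        entries.append((tag, qualifier, parse_perms(perms)))
    return entries


def effective_acl(entries):
    """Apply the mask: ACL_USER, ACL_GROUP_OBJ and ACL_GROUP entries are ANDed with
    ACL_MASK; ACL_USER_OBJ (owner) and ACL_OTHER are never masked."""
    mask = next((bits for tag, _, bits in entries if tag == "mask"), None)
    result = []
    for tag, qual, bits in entries:
        is_masked = tag == "group" or (tag == "user" and qual != "")
        eff = bits & mask if (mask is not None and is_masked) else bits
        result.append((tag, qual, format_perms(bits), format_perms(eff)))
    return result


def mode_bits(entries):
    """The owner/group/other string ls -l shows, per the acl(5) correspondence:
    owner = ACL_USER_OBJ, group = ACL_MASK if present else ACL_GROUP_OBJ, other = ACL_OTHER."""
    table = {(tag, qual): bits for tag, qual, bits in entries}
    owner = table[("user", "")]
    group = table.get(("mask", ""), table[("group", "")])
    other = table[("other", "")]
    return format_perms(owner) + format_perms(group) + format_perms(other)


def validate(entries):
    """acl(5): an ACL with named user or group entries must also carry an ACL_MASK entry."""
    has_named = any(qual != "" and tag in ("user", "group") for tag, qual, _ in entries)
    has_mask = any(tag == "mask" for tag, _, _ in entries)
    return has_mask or not has_named


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_GETFACL)
    print("valid:", validate(acl))
    print("mode :", mode_bits(acl))  # rw-r--r--: ls -l shows the mask, not group::rw-
    for tag, qual, granted, eff in effective_acl(acl):
        note = "" if granted == eff else f"\t#effective:{eff}"
        print(f"{tag}:{qual}:{granted}{note}")
```

Running it shows user:gavin:rwx, group::rw- and group:test:r-x all reduced to an effective r--, while user::rw- and other::r-- are untouched, which is exactly why an ACL grant can silently do less than it says. In practice the trap is the other direction too: `setfacl -m` recalculates the mask to the union of the masked entries unless `-n` is given, and `chmod g=...` rewrites the mask because the group mode bits and ACL_MASK are the same thing; after either, check getfacl for `#effective:` lines before assuming a grant or a restriction took effect.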