As the resulting permissions show, testu1 now has execute permission, and the group testg1 has gained permission to read the contents of the file.
Some readers may have noticed two things. First, the group permissions shown for file1 changed from r-- to rw-. Second, what is the mask, and why did it change? We will start with the mask. If the ACL has higher priority than the UGO permissions, then the mask is a worthy last line of defense. It determines the maximum permissions a user or group can obtain. This lets us temporarily raise or lower the available security level without disturbing the existing ACL definitions:

    [root@FC3-vm mnt]# setfacl -m mask::r file1
    [root@FC3-vm mnt]# getfacl file1
    # file: file1
    # owner: root
    # group: root
    user::rw-
    user:testu1:rwx    #effective:r--
    group::r--
    group:testg1:r--
    mask::r--
    other::r--
    [root@FC3-vm mnt]# ls -l file1
    -rw-r--r--+ 1 root root 7 Dec 11 00:28 file1

The word "effective" now appears after the ACL entry for testu1; it is the permission testu1 actually ends up with. The mask affects only the permissions of other users (users other than the owner) and of groups; it has no influence on the owner or on the other permissions. The ls output shows that the UGO settings have changed correspondingly, because when an ACL is in use, the group permission displayed is the current mask. Usually we set the mask to rwx so that it does not restrict any individual ACL entry.

* Note that each time you modify or add a user or group ACL entry, the mask is modified as well, so that the latest change really takes effect. So if you need a stricter mask, you may have to reset the mask every time.

Other functions in practice, part 2: deleting and overwriting ACLs

Let us take a look at the other ACL operations. First of all, how do we delete an existing ACL entry?

    [root@FC3-vm mnt]# setfacl -x g:testg1 file1
    [root@FC3-vm mnt]# getfacl file1
    # file: file1
    # owner: root
    # group: root
    user::rw-
    user:testu1:rwx
    group::r--
    mask::rwx
    other::r--

We see that the testg1 permissions have been removed. If you need to get rid of the whole ACL, you can use the -b option. All of the ACL entries are removed.
    [root@FC3-vm mnt]# setfacl -b file1
    [root@FC3-vm mnt]# getfacl file1
    # file: file1
    # owner: root
    # group: root
    user::rw-
    group::r--
    other::r--

We can use --set to define new ACL entries that overwrite the original ones. This differs from -m: the -m option only modifies existing entries or adds new ones, whereas the --set option deletes the existing ACL entries and replaces them with the new ones. Note that a --set specification must contain the UGO entries; unlike -m, it cannot just add ACL entries on top of what is there. For example:

    [root@FC3-vm mnt]# setfacl --set u::rw,u:testu1:rw,g::r,o::- file1
    [root@FC3-vm mnt]# getfacl file1
    # file: file1
    # owner: root
    # group: root
    user::rw-
    user:testu1:rw-
    group::r--
    mask::rw-
    other::---

The o::- is another point to note. Its full form is other::---, just as the full form of u::rw is user::rw-. Usually the "-" characters can be omitted, but when the permission field consists only of "-", at least one must be kept. If you write o::, an error occurs.

If you want all subdirectories of a directory to receive the same ACL, you can use the -R parameter:

    [root@FC3-vm mnt]# setfacl -R --set u::rw,u:testu1:rw,g::r,o::- dir1

If you want to read ACL entries from a file and use them to modify the current file's ACL, you can use the -M parameter:

    [root@FC3-vm mnt]# cat test.acl
    user:testu1:rw-
    user:testu2:rw-
    group:testg1:r--
    group:testg2:r--
    mask::rw-
    other::---
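The mask rules described earlier (an entry's effective permission under the mask, and the mask being recalculated when entries change) can be checked offline against getfacl output. This is an added example, not code from the original post: the function names are hypothetical, and the recalculation rule it assumes is setfacl's default of taking the union of the owning group and all named user and group entries.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def to_bits(perms):
    """'rw-' or 'rw' -> 6; '-' placeholders may be omitted, as in setfacl specs."""
    return sum(PERM_BITS[c] for c in perms if c != "-")

def to_text(bits):
    return "".join(c if bits & PERM_BITS[c] else "-" for c in "rwx")

def parse_acl(text):
    """Return (tag, qualifier, bits) tuples from getfacl output or an ACL file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, to_bits(perms)))
    return entries

def masked(tag, qualifier):
    """True for entries the mask limits: named users, owning group, named groups."""
    return tag == "group" or (tag == "user" and qualifier != "")

def effective(entries):
    """Permission each entry really grants once the mask is applied."""
    mask = next((b for t, _, b in entries if t == "mask"), 7)  # no mask: no limit
    return {f"{t}:{q}": to_text(b & mask if masked(t, q) else b)
            for t, q, b in entries if t != "mask"}

def recalculated_mask(entries):
    """Mask setfacl computes when none is given: union of the masked entries."""
    bits = 0
    for t, q, b in entries:
        bits |= b if masked(t, q) else 0
    return to_text(bits)

# Input: the getfacl output shown on this page after `setfacl -m mask::r file1`.
SAMPLE = """# file: file1
user::rw-
user:testu1:rwx    #effective:r--
group::r--
group:testg1:r--
mask::r--
other::r--
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    print(effective(acl), recalculated_mask(acl))
```

For the sample, testu1's rwx entry is cut down to r-- while the owner keeps rw-, and the recalculated mask is rwx, which is why a strict mask has to be reapplied after later `setfacl -m` changes.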