使用 ACL 设置用户访问指定文件/目录的权限

当提到文件和目录的权限时，你的第一反应可能是“属主/群组/其它”权限。 这些权限可以通过 chmod、 chown 等命令来修改。

文件和目录都有属主 (文件所有者 )、群组 (所属组) 以及其它权限，这些权限构成一个集合。 然而这些权限集合有它的局限性，无法做到为不同的用户设置不同的权限。

Linux 对文件和目录有以下默认权限。

• 文件 -> 644 -> -rw-r-r- （所有者有读写权限，组成员有只读权限， 其他人也只有读权限）
• 目录 -> 755 -> drwxr-xr-x （所有者有读、写和执行权限，组成员有读和执行的权限，其他人也有读和执行的权限）

比如： 默认情况下，所有者可以访问和编辑他们自己主目录中的文件， 也可以访问相关同组人的文件，但他们不能修改这些文件，因为组成员没有写权限，而且让组成员有写权限也是不明智的。 基于同样的原因，他/她也不能修改其他人的文件。 然而在某些情况下，多个用户想要修改同一个文件， 那该怎么办呢？

假设有个名叫 magi 的用户，他想要修改 httpd.conf 文件怎么办呢？ 这个文件是归 root 用户所有的，这样如何授权呢？ 为了解决这种情况，访问控制列表Access Control List（ACL）诞生了。

什么是 ACL？

ACL 表示访问控制列表Access Control List（ACL），它为文件系统提供了附加的、更具有弹性的权限机制。 它被设计来为补充 UNIX 文件权限机制。 ACL 允许你赋予任何某用户/组访问某项资源的权限。 setfacl 与 getfacl 命令会帮助你管理 ACL 而不会有任何麻烦。

什么是 setfacl？

setfacl 用于设置文件和目录的 ACL。

什么 getfacl？

getfacl - 获取文件的 ACL 。对于每个文件， getfacl 都会显示文件名、文件所有者、所属组以及ACL。 如果目录有默认 ACL， getfacl 也会显示这个默认的 ACL。

如何确认是否启用了 ACL？

运行 tune2fs 命令来检查是否启用了 ACL。

1. <span class="com">#</span><span class="kwd">tune2fs</span><span class="pun">-</span><span class="pln">l </span><span class="pun">/</span><span class="pln">dev</span><span class="pun">/</span><span class="pln">sdb1 </span><span class="pun">|</span><span class="kwd">grep</span><span class="pln"> options</span>
2. <span class="typ">Default</span><span class="kwd">mount</span><span class="pln"> options</span><span class="pun">:</span><span class="pun">(</span><span class="pln">none</span><span class="pun">)</span>

上面的输出很明显第说明 /dev/sdb1 分区没有启用 ACL。

如果结果中没有列出 acl，则你需要在挂载选项中加上 acl。 为了让它永久生效， 修改 /etc/fstab 中 /app 这一行成这样：

1. <span class="com">#</span><span class="kwd">more</span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">fstab</span>
2. <span class="pln">UUID</span><span class="pun">=</span><span class="pln">f304277d</span><span class="pun">-</span><span class="lit">1063</span><span class="pun">-</span><span class="lit">40a2</span><span class="pun">-</span><span class="pln">b9dc</span><span class="pun">-</span><span class="lit">8bcf30466a03</span><span class="pun">/</span><span class="pln"> ext4 defaults </span><span class="lit">1</span><span class="lit">1</span>
3. <span class="pun">/</span><span class="pln">dev</span><span class="pun">/</span><span class="pln">sdb1 </span><span class="pun">/</span><span class="pln">app ext4 defaults</span><span class="pun">，</span><span class="pln">acl </span><span class="lit">1</span><span class="lit">1</span>

或者，你也可以使用下面命令将其添加道文件系统的超级块中：

1. <span class="com">#</span><span class="kwd">tune2fs</span><span class="pun">-</span><span class="pln">o </span><span class="pun">+</span><span class="pln">acl </span><span class="pun">/</span><span class="pln">dev</span><span class="pun">/</span><span class="pln">sdb1</span>

现在，通过运行以下命令来动态修改选项：

1. <span class="com">#</span><span class="kwd">mount</span><span class="pun">-</span><span class="pln">o remount</span><span class="pun">,</span><span class="pln">acl </span><span class="pun">/</span><span class="pln">app</span>

再次运行 tune2fs 命令来看选项中是否有 acl 了：

1. <span class="com">#</span><span class="kwd">tune2fs</span><span class="pun">-</span><span class="pln">l </span><span class="pun">/</span><span class="pln">dev</span><span class="pun">/</span><span class="pln">sdb1 </span><span class="pun">|</span><span class="kwd">grep</span><span class="pln"> options</span>
2. <span class="typ">Default</span><span class="kwd">mount</span><span class="pln"> options</span><span class="pun">：</span><span class="pln"> acl</span>

嗯，现在 /dev/sdb1 分区中有 ACL 选项了。

如何查看默认的 ACL 值

要查看文件和目录默认的 ACL 值，可以使用 getfacl 命令后面加上文件路径或者目录路径。 注意， 当你对非 ACL 文件/目录运行 getfacl 命令时， 则不会显示附加的 user 和 mask 参数值。

1. <span class="com">#</span><span class="pln"> getfacl </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>
2. <span class="com">#</span><span class="kwd">file</span><span class="pun">：</span><span class="pln"> etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>
3. <span class="com">#</span><span class="pln"> owner</span><span class="pun">：</span><span class="pln"> root</span>
4. <span class="com">#</span><span class="pln"> group</span><span class="pun">：</span><span class="pln"> root</span>
5. <span class="pln">user</span><span class="pun">::</span><span class="pln">rw</span><span class="pun">-</span>
6. <span class="pln">group</span><span class="pun">::</span><span class="pln">r</span><span class="pun">--</span>
7. <span class="pln">other</span><span class="pun">::</span><span class="pln">r</span><span class="pun">--</span>

如何为文件设置 ACL

以下面格式运行 setfacl 命令可以为指定文件设置 ACL。在下面的例子中，我们会给 magi 用户对 /etc/apache2/apache2.conf 文件 rwx 的权限。

1. <span class="com">#</span><span class="kwd">setfacl</span><span class="pun">-</span><span class="pln">m u</span><span class="pun">:</span><span class="pln">magi</span><span class="pun">:</span><span class="pln">rwx </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>

仔细分析起来：

• setfacl： 命令
• -m： 修改文件的当前 ACL
• u： 指明用户
• magi： 用户名
• rwx： 要设置的权限
• /etc/apache2/apache2.conf： 文件名称

再查看一次新的 ACL 值：

1. <span class="com">#</span><span class="pln"> getfacl </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>
2. <span class="com">#</span><span class="kwd">file</span><span class="pun">：</span><span class="pln"> etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>
3. <span class="com">#</span><span class="pln"> owner</span><span class="pun">：</span><span class="pln"> root</span>
4. <span class="com">#</span><span class="pln"> group</span><span class="pun">：</span><span class="pln"> root</span>
5. <span class="pln">user</span><span class="pun">::</span><span class="pln">rw</span><span class="pun">-</span>
6. <span class="pln">user</span><span class="pun">:</span><span class="pln">magi</span><span class="pun">:</span><span class="pln">rwx</span>
7. <span class="pln">group</span><span class="pun">::</span><span class="pln">r</span><span class="pun">--</span>
8. <span class="pln">mask</span><span class="pun">::</span><span class="pln">rwx</span>
9. <span class="pln">other</span><span class="pun">::</span><span class="pln">r</span><span class="pun">--</span>

注意： 若你发现文件或目录权限后面有一个加号（+），就表示设置了 ACL。

1. <span class="com">#</span><span class="kwd">ls</span><span class="pun">-</span><span class="pln">lh </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>
2. <span class="pun">-</span><span class="pln">rw</span><span class="pun">-</span><span class="pln">rwxr</span><span class="pun">--+</span><span class="lit">1</span><span class="pln"> root root </span><span class="lit">7.1K</span><span class="typ">Sep</span><span class="lit">19</span><span class="lit">14</span><span class="pun">:</span><span class="lit">58</span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>

如何为目录设置 ACL

以下面格式运行 setfacl 命令可以递归地为指定目录设置 ACL。在下面的例子中，我们会将 /etc/apache2/sites-available/ 目录中的 rwx 权限赋予 magi 用户。

1. <span class="com">#</span><span class="kwd">setfacl</span><span class="pun">-</span><span class="typ">Rm</span><span class="pln"> u</span><span class="pun">:</span><span class="pln">magi</span><span class="pun">:</span><span class="pln">rwx </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">sites</span><span class="pun">-</span><span class="pln">available</span><span class="pun">/</span>

其中：

• -R： 递归到子目录中

再次查看一下新的 ACL 值。

1. <span class="com">#</span><span class="pln"> getfacl </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">sites</span><span class="pun">-</span><span class="pln">available</span><span class="pun">/</span>
2. <span class="com">#</span><span class="kwd">file</span><span class="pun">：</span><span class="pln"> etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">sites</span><span class="pun">-</span><span class="pln">available</span><span class="pun">/</span>
3. <span class="com">#</span><span class="pln"> owner</span><span class="pun">：</span><span class="pln"> root</span>
4. <span class="com">#</span><span class="pln"> group</span><span class="pun">：</span><span class="pln"> root</span>
5. <span class="pln">user</span><span class="pun">::</span><span class="pln">rwx</span>
6. <span class="pln">user</span><span class="pun">:</span><span class="pln">magi</span><span class="pun">:</span><span class="pln">rwx</span>
7. <span class="pln">group</span><span class="pun">::</span><span class="pln">r</span><span class="pun">-</span><span class="pln">x</span>
8. <span class="pln">mask</span><span class="pun">::</span><span class="pln">rwx</span>
9. <span class="pln">other</span><span class="pun">::</span><span class="pln">r</span><span class="pun">-</span><span class="pln">x</span>

现在 /etc/apache2/sites-available/ 中的文件和目录都设置了 ACL。

1. <span class="com">#</span><span class="kwd">ls</span><span class="pun">-</span><span class="pln">lh </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">sites</span><span class="pun">-</span><span class="pln">available</span><span class="pun">/</span>
2. <span class="pln">total </span><span class="lit">20K</span>
3. <span class="pun">-</span><span class="pln">rw</span><span class="pun">-</span><span class="pln">rwxr</span><span class="pun">--+</span><span class="lit">1</span><span class="pln"> root root </span><span class="lit">1.4K</span><span class="typ">Sep</span><span class="lit">19</span><span class="lit">14</span><span class="pun">:</span><span class="lit">56</span><span class="lit">000</span><span class="pun">-</span><span class="kwd">default</span><span class="pun">.</span><span class="pln">conf</span>
4. <span class="pun">-</span><span class="pln">rw</span><span class="pun">-</span><span class="pln">rwxr</span><span class="pun">--+</span><span class="lit">1</span><span class="pln"> root root </span><span class="lit">6.2K</span><span class="typ">Sep</span><span class="lit">19</span><span class="lit">14</span><span class="pun">:</span><span class="lit">56</span><span class="kwd">default</span><span class="pun">-</span><span class="pln">ssl</span><span class="pun">.</span><span class="pln">conf</span>
5. <span class="pun">-</span><span class="pln">rw</span><span class="pun">-</span><span class="pln">rwxr</span><span class="pun">--+</span><span class="lit">1</span><span class="pln"> root root </span><span class="lit">1.4K</span><span class="typ">Dec</span><span class="lit">8</span><span class="lit">02</span><span class="pun">:</span><span class="lit">57</span><span class="pln"> mywebpage</span><span class="pun">.</span><span class="pln">com</span><span class="pun">.</span><span class="pln">conf</span>
6. <span class="pun">-</span><span class="pln">rw</span><span class="pun">-</span><span class="pln">rwxr</span><span class="pun">--+</span><span class="lit">1</span><span class="pln"> root root </span><span class="lit">1.4K</span><span class="typ">Dec</span><span class="lit">7</span><span class="lit">19</span><span class="pun">:</span><span class="lit">07</span><span class="pln"> testpage</span><span class="pun">.</span><span class="pln">com</span><span class="pun">.</span><span class="pln">conf</span>

如何为组设置 ACL

以下面格式为指定文件运行 setfacl 命令。在下面的例子中，我们会给 appdev 组赋予 /etc/apache2/apache2.conf 文件的 rwx 权限。

1. <span class="com">#</span><span class="kwd">setfacl</span><span class="pun">-</span><span class="pln">m g</span><span class="pun">:</span><span class="pln">appdev</span><span class="pun">:</span><span class="pln">rwx </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>

其中：

• g： 指明一个组

对多个用户和组授权，只需要用 逗号 区分开，就像下面这样。

1. <span class="com">#</span><span class="kwd">setfacl</span><span class="pun">-</span><span class="pln">m u</span><span class="pun">:</span><span class="pln">magi</span><span class="pun">:</span><span class="pln">rwx</span><span class="pun">,</span><span class="pln">g</span><span class="pun">:</span><span class="pln">appdev</span><span class="pun">:</span><span class="pln">rwx </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>

如何删除 ACL

以下面格式运行 setfacl 命令会删除文件对指定用户的 ACL。这只会删除用户权限而保留 mask 的值为只读。

1. <span class="com">#</span><span class="kwd">setfacl</span><span class="pun">-</span><span class="pln">x u</span><span class="pun">:</span><span class="pln">magi </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>

其中：

• -x： 从文件的 ACL 中删除

再次查看 ACL 值。在下面的输出中我们可以看到 mask 的值是读。

1. <span class="com">#</span><span class="pln"> getfacl </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>
2. <span class="com">#</span><span class="kwd">file</span><span class="pun">：</span><span class="pln"> etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>
3. <span class="com">#</span><span class="pln"> owner</span><span class="pun">：</span><span class="pln"> root</span>
4. <span class="com">#</span><span class="pln"> group</span><span class="pun">：</span><span class="pln"> root</span>
5. <span class="pln">user</span><span class="pun">::</span><span class="pln">rw</span><span class="pun">-</span>
6. <span class="pln">group</span><span class="pun">::</span><span class="pln">r</span><span class="pun">--</span>
7. <span class="pln">mask</span><span class="pun">::</span><span class="pln">r</span><span class="pun">--</span>
8. <span class="pln">other</span><span class="pun">::</span><span class="pln">r</span><span class="pun">--</span>

使用 -b 来删除文件中所有的 ACL。

1. <span class="com">#</span><span class="kwd">setfacl</span><span class="pun">-</span><span class="pln">b </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>

其中：

• -b： 删除所有的 ACL 条目

再次查看删掉后的 ACl 值就会发现所有的东西都不见了，包括 mask 的值也不见了。

1. <span class="com">#</span><span class="pln"> getfacl </span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>
2. <span class="com">#</span><span class="kwd">file</span><span class="pun">：</span><span class="pln"> etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">.</span><span class="pln">conf</span>
3. <span class="com">#</span><span class="pln"> owner</span><span class="pun">：</span><span class="pln"> root</span>
4. <span class="com">#</span><span class="pln"> group</span><span class="pun">：</span><span class="pln"> root</span>
5. <span class="pln">user</span><span class="pun">::</span><span class="pln">rw</span><span class="pun">-</span>
6. <span class="pln">group</span><span class="pun">::</span><span class="pln">r</span><span class="pun">--</span>
7. <span class="pln">other</span><span class="pun">::</span><span class="pln">r</span><span class="pun">--</span>

如何备份并还原 ACL

下面命令可以备份和还原 ACL 的值。要制作备份， 需要进入对应的目录然后这样做（假设我们要备份 sites-available 目录中的 ACL 值)。

1. <span class="com">#</span><span class="kwd">cd</span><span class="pun">/</span><span class="pln">etc</span><span class="pun">/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">sites</span><span class="pun">-</span><span class="pln">available</span><span class="pun">/</span>
2. <span class="com">#</span><span class="pln"> getfacl </span><span class="pun">-</span><span class="pln">R </span><span class="pun">*</span><span class="pun">></span><span class="pln"> acl_backup_for_folder</span>

还原的话，则运行下面命令：

1. <span class="com">#</span><span class="kwd">setfacl</span><span class="pun">--</span><span class="pln">restore</span><span class="pun">=</span><span class="str">/etc/</span><span class="pln">apache2</span><span class="pun">/</span><span class="pln">sites</span><span class="pun">-</span><span class="pln">available</span><span class="pun">/</span><span class="pln">acl_backup_for_folder</span>

via: https://www.2daygeek.com/how-to-configure-access-control-lists-acls-setfacl-getfacl-linux/

作者：Magesh Maruthamuthu 译者：lujun9972 校对：wxy

本文由 LCTT 原创编译，Linux中国 荣誉推出