document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-16 22:42:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6655 from lujun9972/translate-MjAxNzEyMTMgSG93IFRvIEFsbG93LVBlcm1pdCBVc2VyIFRvIEFjY2VzcyBBIFNwZWNpZmljIEZpbGUgb3IgRm9sZGVyIEluIExpbnV4IFVzaW5nIEFDTC5tZAo=

Browse Source 
翻译完毕
This commit is contained in:
Xingyu.Wang 2017-12-15 23:45:46 +08:00 committed by GitHub
commit 591c713b35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 259 additions and 265 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

265
sources/tech/20171213 How To Allow-Permit User To Access A Specific File or Folder In Linux Using ACL.md
View File

@ -1,265 +0,0 @@
tranlating by lujun9972
How To Allow/Permit User To Access A Specific File or Folder In Linux Using ACL
======
When you are come to file or folder permission part, you may first look owner/group/others permission. This can be done through chmod, chown, etc., commands.
Files and directories have permission sets such as owner (owner or user of the file), group (associated group) and others. However, these permission sets have limitations and doesn't allow users to set different permissions to different users.
By default Linux has following permission set for files & folders.
`Files` -> 644 -> -rw-r-r- (User has Read & Write access, Group has Read only access, and Others also has Read only access)
`Folders` -> 755 -> drwxr-xr-x (User has Read, Write & Execute access, Group has Read & Execute access, and Others also has the same access)
For example: By default users can access & edit their own home directory files, also can access associated group files but they can't modify those since group doesn't has write access and it's not advisable to permit group level. Also he/she can't access other users files. In some case multiple users want to access the same file, what will be the solution?
I have user called `magi` and he wants to modify `httpd.conf` file? how to grant since it's owned by root user. Thus, Access Control Lists (ACLs) were implemented.
### What Is ACL?
ACL stands for Access Control List (ACL) provides an additional, more flexible permission mechanism for file systems. It is designed to assist with UNIX file permissions. ACL allows you to give permissions for any user or group to any disc resource. setfacl & getfacl commands help you to manage AcL without any trouble.
### What Is setfacl?
setfacl is used to sets Access Control Lists (ACLs) of files and directories.
### What Is getfacl?
getfacl - get file access control lists. For each file, getfacl displays the file name, owner, the group, and the Access Control List (ACL). If a directory has a default ACL, getfacl also displays the default ACL.
### How to check whether ACL is enabled or not?
Run `tune2fs` command to Check whether ACL is enabled or not.
```
# tune2fs -l /dev/sdb1 | grep options
Default mount options: (none)
```
The above output clearly shows that ACL is not enabled for `/dev/sdb1` partition.
If acl is not listed then you will need to add acl as a mount option. To do so persistently, change the `/etc/fstab` line for `/app` to look like this.
```
# more /etc/fstab
UUID=f304277d-1063-40a2-b9dc-8bcf30466a03 / ext4 defaults 1 1
/dev/sdb1 /app ext4 defaults,acl 1 1
```
Or alternatively, you can add this to the filesystem superblock by using the following command.
```
# tune2fs -o +acl /dev/sdb1
```
Now, change the option in the current run-time without interruption by running the following command.
```
# mount -o remount,acl /app
```
Then run the tune2fs command again to see acl as an option.
```
# tune2fs -l /dev/sdb1 | grep options
Default mount options: acl
```
Yes, now i can see the ACLs option on `/dev/sdb1` partition.
### How to check default ACL values
To check the default ACL values for a file or directory, use the `getfacl` command followed by `/path to file` or `/path to folder`. Make a note, when you run getfacl command on non ACLs file or folder, it wont shows additional user and mask parameter values.
```
# getfacl /etc/apache2/apache2.conf
# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
group::r--
other::r--
```
### How to Set ACL for files
Run the setfacl command with below format to set ACL on the given file. In the below example we are going to give a `rwx` access to `magi` user on the `/etc/apache2/apache2.conf` file.
```
# setfacl -m u:magi:rwx /etc/apache2/apache2.conf
```
**Details :**
* **`setfacl:`** Command
* **`-m:`** modify the current ACL(s) of file(s)
* **`u:`** Indicate a user
* **`magi:`** Name of the user
* **`rwx:`** Permissions which you want to set
* **`/etc/apache2/apache2.conf:`** Name of the file
Run the command once again to view the new ACL values.
```
# getfacl /etc/apache2/apache2.conf
# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
user:magi:rwx
group::r--
mask::rwx
other::r--
```
Make a note : If you noticed a plus (+) sign after the file or folder permissions then it's ACL setup.
```
# ls -lh /etc/apache2/apache2.conf
-rw-rwxr--+ 1 root root 7.1K Sep 19 14:58 /etc/apache2/apache2.conf
```
### How to Set ACL for folders
Run the setfacl command with below format to set ACL on the given folder recursively. In the below example we are going to give a `rwx` access to `magi` user on the `/etc/apache2/sites-available/` folder.
```
# setfacl -Rm u:magi:rwx /etc/apache2/sites-available/
```
**Details :**
* **`-R:`** Recurse into sub directories
Run the command once again to view the new ACL values.
```
# getfacl /etc/apache2/sites-available/
# file: etc/apache2/sites-available/
# owner: root
# group: root
user::rwx
user:magi:rwx
group::r-x
mask::rwx
other::r-x
```
Now, all the files and folders having ACLs values under `/etc/apache2/sites-available/` folder.
```
# ls -lh /etc/apache2/sites-available/
total 20K
-rw-rwxr--+ 1 root root 1.4K Sep 19 14:56 000-default.conf
-rw-rwxr--+ 1 root root 6.2K Sep 19 14:56 default-ssl.conf
-rw-rwxr--+ 1 root root 1.4K Dec 8 02:57 mywebpage.com.conf
-rw-rwxr--+ 1 root root 1.4K Dec 7 19:07 testpage.com.conf
```
### How to Set ACL for group
Run the setfacl command with below format to set ACL on the given file. In the below example we are going to give a `rwx` access to `appdev` group on the `/etc/apache2/apache2.conf` file.
```
# setfacl -m g:appdev:rwx /etc/apache2/apache2.conf
```
**Details :**
* **`g:`** Indicate a group
For multiple users and groups, just add `comma` between the users or group like below.
```
# setfacl -m u:magi:rwx,g:appdev:rwx /etc/apache2/apache2.conf
```
### How to remove ACL
Run the setfacl command with below format to remove ACL for the given user on the file. This will remove only user permissions and keep `mask` values as read.
```
# setfacl -x u:magi /etc/apache2/apache2.conf
```
**Details :**
* **`-x:`** Remove entries from the ACL(s) of file(s)
Run the command once again to view the removed ACL values. In the below output i can see the `mask` values as read.
```
# getfacl /etc/apache2/apache2.conf
# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
group::r--
mask::r--
other::r--
```
Use `-b` option to remove all ACLs associated to a file.
```
# setfacl -b /etc/apache2/apache2.conf
```
**Details :**
* **`-b:`** Remove all extended ACL entries
Run the command once again to view the removed ACL values. Here everything is gone and there is no mask value also.
```
# getfacl /etc/apache2/apache2.conf
# file: etc/apache2/apache2.conf
# owner: root
# group: root
user::rw-
group::r--
other::r--
```
### How to Backup and Restore ACL
Run the following command to backup and restore ACLs values. To take a backup, navigate to corresponding directory and do it.
We are going to take a backup of `sites-available` folder. So, you have to do like below.
```
# cd /etc/apache2/sites-available/
# getfacl -R 20171202 docker - Use multi-stage builds.md comic core.md Dict.md lctt2014.md lctt2016.md LCTT翻译规范.md LICENSE published README.md sign.md sources translated 选题模板.txt 中文排版指北.md > acl_backup_for_folder
```
To resote, run the following command.
```
# setfacl --restore=/etc/apache2/sites-available/acl_backup_for_folder
```
--------------------------------------------------------------------------------
via: https://www.2daygeek.com/how-to-configure-access-control-lists-acls-setfacl-getfacl-linux/
作者:[Magesh Maruthamuthu;Steven M. Dupuis][a]
译者:[lujun9972](https://github.com/lujun9972)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.2daygeek.com

259
translated/tech/20171213 How To Allow-Permit User To Access A Specific File or Folder In Linux Using ACL.md Normal file
View File

@ -0,0 +1,259 @@
使用ACL设置用户访问指定文件/目录的权限
======
当提到文件和目录的权限时,你的第一反应可能是 owner/group/others 权限。 这些权限可以通过 chmod chown 等命令来修改。
文件和目录都有 owner (文件所有者 )group (所属组) 以及 others 权限,这些权限构成一个集合。 然而这些权限集合有它的局限性,无法做到为不同的用户设置不同的权限。
Linux 对文件和目录有以下默认权限。
`文件` -> 644 -> -rw-r-r- (所有者有读写权限,组成员有只读权限, 其他人也只有读权限)
`目录` -> 755 -> drwxr-xr-x (所有者有读,写和执行权限, 组成员有读和执行的权限, 其他人也有读和执行的权限)
比如: 默认情况下,所有者可以访问和编辑他们自己用户主目录中的文件, 也可以访问相关同组人的文件,但他们不能修改这些文件,因为组成员没有写权限,而且让组成员有写权限也是不明智的。 基于同样的原因,他/她也不能修改其他人的文件。 然而在某些情况下,多个用户想要修改同一个文件, 那该怎么办呢?
假设有个名叫 `magi` 的用户,他想要修改 `httpd.conf` 文件怎么办呢? 这个文件是归 root 用户所有的,这样如何授权呢? 为了解决这种情况, Access Control Lists (ACLs) 诞生了。
### 什么是 ACL
ACL 表示 Access Control List (ACL),它为文件系统提供了附加的,更具有弹性的权限机制。 它被设计来为补充 UNIX 文件权限机制。 ACL 允许你赋予任何某用户/组访问某项资源的权限。 setfacl 与 getfacl 命令会帮助你管理 ACL 而不会有任何麻烦。
### 什么是 setfacl
setfacl 用于设置文件和目录的访问控制列表 (Access Control Lists) (ACLs)。
### 什么 getfacl
getfacl - 获取文件访问控制列表。对于每个文件, getfacl 都会显示文件名, 文件所有者, 所属组, 以及访问控制列表 (ACL)。 如果一个目录有一个默认的 ACL getfacl 也会显示这个默认的 ACL。
### 如何确认是否启用了 ACL
运行 `tune2fs` 命令来检查是否启用了 ACL。
```
# tune2fs -l /dev/sdb1 | grep options
Default mount options (none)
```
上面的输出很明显第说明 `/dev/sdb1` 分区没有启用 ACL。
如果结果中没有列出 acl则你需要在挂载选项中加上 acl。 为了让它永久生效, 修改 `/etc/fstab``/app` 这一行成这样:
```
# more /etc/fstab
UUID=f304277d-1063-40a2-b9dc-8bcf30466a03 / ext4 defaults 1 1
/dev/sdb1 /app ext4 defaultsacl 1 1
```
或者,你也可以使用下面命令将 acl 添加道文件系统的超级块中:
```
# tune2fs -o +acl /dev/sdb1
```
现在,通过运行以下命令来动态修改选项:
```
# mount -o remountacl /app
```
再次运行 tune2fs 命令来看选项中是否有 acl 了
```
# tune2fs -l /dev/sdb1 | grep options
Default mount options acl
```
嗯,现在 `/dev/sdb1` 分区中有 ACL 选项了。
### 如何查看默认的 ACL 值
要查看文件和目录默认的 ACL 值,可以使用 `getfacl` 命令后面加上 `文件路径` 或者 `目录路径`。 注意, 当你对非 ACL 文件/目录运行 getfacl 命令时, 则不会显示附加的 user 和 mask 参数值。
```
# getfacl /etc/apache2/apache2.conf
# file etc/apache2/apache2.conf
# owner root
# group root
user::rw-
group::r--
other::r--
```
### 如何为文件设置 ACL
以下面格式运行 setfacl 命令可以为指定文件设置 ACL。在下面的例子中我们会给 `magi` 用户对 `/etc/apache2/apache2.conf` 文件 `rwx` 的权限。
```
# setfacl -m u:magi:rwx /etc/apache2/apache2.conf
```
**仔细分析起来:**
* **`setfacl:`** 命令
* **`-m:`** 修改文件的当前 ACL(s)
* **`u:`** 指明用户
* **`magi:`** 用户名称
* **`rwx:`** 想设置的权限
* **`/etc/apache2/apache2.conf:`** 文件名称
再查看一次新的 ACL 值:
```
# getfacl /etc/apache2/apache2.conf
# file etc/apache2/apache2.conf
# owner root
# group root
user::rw-
user:magi:rwx
group::r--
mask::rwx
other::r--
```
注意: 若你发现文件或目录权限后面有一个加号 (+),就表示设置了 ACL。
```
# ls -lh /etc/apache2/apache2.conf
-rw-rwxr--+ 1 root root 7.1K Sep 19 14:58 /etc/apache2/apache2.conf
```
### 如何为目录设置 ACL
以下面格式运行 setfacl 命令可以递归第为指定目录设置 ACL。在下面的例子中我们会将 `/etc/apache2/sites-available/` 目录中的 `rwx` 权限赋予 `magi` 用户。
```
# setfacl -Rm u:magi:rwx /etc/apache2/sites-available/
```
**其中 :**
* **`-R:`** 递归到子目录中
再次查看一下新的 ACL 值。
```
# getfacl /etc/apache2/sites-available/
# file etc/apache2/sites-available/
# owner root
# group root
user::rwx
user:magi:rwx
group::r-x
mask::rwx
other::r-x
```
现在 `/etc/apache2/sites-available/` 中的文件和目录都设置了 ACL。
```
# ls -lh /etc/apache2/sites-available/
total 20K
-rw-rwxr--+ 1 root root 1.4K Sep 19 14:56 000-default.conf
-rw-rwxr--+ 1 root root 6.2K Sep 19 14:56 default-ssl.conf
-rw-rwxr--+ 1 root root 1.4K Dec 8 02:57 mywebpage.com.conf
-rw-rwxr--+ 1 root root 1.4K Dec 7 19:07 testpage.com.conf
```
### 如何为组设置 ACL
以下面格式为指定文件运行 setfacl 命令。在下面的例子中,我们会给 `appdev` 组赋予 `/etc/apache2/apache2.conf` 文件的 `rwx` 权限。
```
# setfacl -m g:appdev:rwx /etc/apache2/apache2.conf
```
**其中:**
* **`g:`** 指明一个组
对多个用户和组授权,只需要用 `逗号` 区分开,就像下面这样。
```
# setfacl -m u:magi:rwxg:appdev:rwx /etc/apache2/apache2.conf
```
### 如何删除 ACL
以下面格式运行 setfacl 命令会删除文件对指定用户的 ACL。这只会删除用户权限而保留 `mask` 的值为只读。
```
# setfacl -x u:magi /etc/apache2/apache2.conf
```
**其中:**
* **`-x:`** 从文件的 ACL(s) 中删除
再次查看 ACl 值。在下面的输出中我们可以看到 `mask` 的值还是只读。
```
# getfacl /etc/apache2/apache2.conf
# file etc/apache2/apache2.conf
# owner root
# group root
user::rw-
group::r--
mask::r--
other::r--
```
使用 `-b` 来删除文件中所有的 ACLs。
```
# setfacl -b /etc/apache2/apache2.conf
```
**其中:**
* **`-b:`** 删除所有的 ACL 条目
再次查看删掉后的 ACl 值就会发现所有的东西都不见了,包括 mask 的值也不见了。
```
# getfacl /etc/apache2/apache2.conf
# file etc/apache2/apache2.conf
# owner root
# group root
user::rw-
group::r--
other::r--
```
### 如何备份并还原 ACL
下面命令可以备份和还原 ACL 的值。要制作备份, 需要进入对应的目录然后这样做(假设我们要备份 `sites-available` 目录中的 ACL 值)。
```
# cd /etc/apache2/sites-available/
# getfacl -R * > acl_backup_for_folder
```
还原的话,则运行下面命令
```
# setfacl --restore=/etc/apache2/sites-available/acl_backup_for_folder
```
--------------------------------------------------------------------------------
via: https://www.2daygeek.com/how-to-configure-access-control-lists-acls-setfacl-getfacl-linux/
作者:[Magesh Maruthamuthu;Steven M. Dupuis][a]
译者:[lujun9972](https://github.com/lujun9972)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:https://www.2daygeek.com