mirror of
https://github.com/LCTT/TranslateProject.git
synced 2024-12-26 21:30:55 +08:00
translated
This commit is contained in:
Vic___
parent
c4b8f3ca9b
commit
f2e1318107
@ -1,120 +1,119 @@
|
||||
Vic020
|
||||
|
||||
How to configure Access Control Lists (ACLs) on Linux
|
||||
配置Linux访问控制列表(ACL)
|
||||
================================================================================
|
||||
Working with permissions on Linux is rather a simple task. You can define permissions for users, groups or others. This works really well when you work on a desktop PC or a virtual Linux instance which typically doesn't have a lot of users, or when users don't share files among themselves. However, what if you are a big organization where you operate NFS or Samba servers for diverse users. Then you will need to be neat picky and set up more complex configurations and permissions to meet the requirements of your organization.
|
||||
使用拥有权限控制的Liunx,工作是一件轻松的任务。它可以定义任何user,group和other的权限。无论是在桌面电脑或者不会有很多用户的虚拟Linux实例,或者当用户不愿意分享他们之间的文件时,这样的工作是很棒的。然而,如果你是在一个大型组织,你运行了NFS或者Samba服务给不同的用户。然后你将会需要灵活的挑选并设置很多复杂的配置和权限去满足你的组织不同的需求。
|
||||
|
||||
Linux (and other Unixes, that are POSIX compliant) has so-called Access Control Lists (ACLs), which are a way to assign permissions beyond the common paradigm. For example, by default you apply three permission groups: owner, group, and others. With ACLs, you can add permissions for other users or groups that are not simple "others" or any other group that the owner is not part of it. You can allow particular users A, B and C to have write permissions without letting their whole group to have writing permission.
|
||||
Linux(和其他Unix,兼容POSIX的)所以拥有访问控制列表(ACL),它是一种分配权限之外的普遍范式。例如,默认情况下你需要确认3个权限组:owner,group和other。使用ACL,你可以增加权限给其他用户或组别,而不单只是简单的"other"或者是拥有者不存在的组别。可以允许指定的用户A、B、C拥有写权限而不再是让他们整个组拥有写权限。
|
||||
|
||||
ACLs are available for a variety of Linux filesystems including ext2, ext3, ext4, XFS, Btfrs, etc. If you are not sure if the filesystem you are using supports ACLs, just read the documentation.
|
||||
ACL支持多种Linux文件系统,包括ext2, ext3, ext4, XFS, Btfrs, 等。如果你不确定你的文件系统是否支持ACL,请参考文档。
|
||||
|
||||
### Enable ACLs on your Filesystem ###
|
||||
### 在文件系统使ACL生效 ###
|
||||
|
||||
First of all, we need to install the tools to manage ACLs.
|
||||
首先,我们需要安装工具来管理ACL。
|
||||
|
||||
On Ubuntu/Debian:
|
||||
Ubuntu/Debian 中:
|
||||
|
||||
$ sudo apt-get install acl
|
||||
|
||||
On CentOS/Fedora/RHEL:
|
||||
CentOS/Fedora/RHEL 中:
|
||||
|
||||
# yum -y install acl
|
||||
|
||||
On Archlinux:
|
||||
Archlinux 中:
|
||||
|
||||
# pacman -S acl
|
||||
|
||||
For demonstration purpose, I will use Ubuntu server, but other distributions should work the same.
|
||||
出于演示目的,我将使用ubuntu server版本,其他版本类似。
|
||||
|
||||
After installing ACL tools, it is necessary to enable ACL feature on our disk partitions so that we can start using it.
|
||||
安装ACL完成后,需要激活我们磁盘分区的ACL功能,这样我们才能使用它。
|
||||
|
||||
First, we can check if ACL feature is already enabled:
|
||||
首先,我们检查ACL功能是否已经开启。
|
||||
|
||||
$ mount
|
||||
|
||||
|
||||
|
||||
As you noticed, my root partition has the ACL attribute enabled. In case yours doesn't, you need to edit your /etc/fstab file. Add acl flag in front of your options for the partition you want to enable ACL.
|
||||
你可以注意到,我的root分区中ACL属性已经开启。万一你没有开启,你需要编辑/etc/fstab文件。增加acl标记,在你需要开启ACL的分区之前。
|
||||
|
||||
|
||||
|
||||
Now we need to re-mount the partition (I prefer to reboot completely, because I don't like losing data). If you enabled ACL for any other partitions, you have to remount them as well.
|
||||
现在我们需要重新挂载分区(我喜欢完全重启,因为我不想丢掉数据),如果你对任何分区开启ACL,你必须也重新挂载它。
|
||||
|
||||
$ sudo mount / -o remount
|
||||
|
||||
Awesome! Now that we have enable ACL in our system, let's start to work with it.
|
||||
令人敬佩!现在我们已经在我们的系统中开启ACL,让我们开始和它一起工作。
|
||||
|
||||
### ACL Examples ###
|
||||
### ACL 范例 ###
|
||||
|
||||
Basically ACLs are managed by two commands: **setfacl** which is used to add or modify ACLs, and getfacl which shows assigned ACLs. Let's do some testing.
|
||||
基础ACL通过两条命令管理:**setfacl**用于增加或者修改ACL,**getfacl**用于显示分配完的ACL。让我们来做一些测试。
|
||||
|
||||
I created a directory /shared owned by a hypothetical user named freeuser.
|
||||
我创建一个目录/shared给一个假设的用户,名叫freeuser
|
||||
|
||||
$ ls -lh /
|
||||
|
||||
|
||||
|
||||
I want to share this directory with two other users test and test2, one with full permissions and the other with just read permission.
|
||||
我想要分享这个目录给其他两个用户test和test2,一个拥有完整权限,另一个只有读权限。
|
||||
|
||||
First, to set ACLs for user test:
|
||||
首先,为用户test设置ACL:
|
||||
|
||||
$ sudo setfacl -m u:test:rwx /shared
|
||||
|
||||
Now user test can create directories, files, and access anything under /shared directory.
|
||||
现在用户test可以随意创建文件夹,文件和访问在/shared目录下的任何地方。
|
||||
|
||||
|
||||
|
||||
Now we will add read-only permission for user test2:
|
||||
现在我们增加只读权限给用户test2:
|
||||
|
||||
$ sudo setfacl -m u:test2:rx /shared
|
||||
|
||||
Note that execution permission is necessary so test2 can read directories.
|
||||
注意test2读取目录需要执行(x)权限
|
||||
|
||||
|
||||
|
||||
Let me explain the syntax of setfacl command:
|
||||
让我来解释下setfacl命令格式:
|
||||
|
||||
- **-m** means modify ACL. You can add new, or modify existing ACLs.
|
||||
- **u:** means user. You can use **g** to set group permissions.
|
||||
- **test** is the name of the user.
|
||||
- **:rwx** represents permissions you want to set.
|
||||
- **-m** 表示修改ACL。你可以增加新的,或修改存在的ACL
|
||||
- **u:** 表示用户。你可以使用 **g** 来设置组权限
|
||||
- **test** 用户名
|
||||
- **:rwx** 需要设置的权限。
|
||||
|
||||
Now let me show you how to read ACLs.
|
||||
现在让我向你展示如何读取ACL:
|
||||
|
||||
$ ls -lh /shared
|
||||
|
||||
|
||||
|
||||
As you noticed, there is a + (plus) sign after normal permissions. It means that there are ACLs set up. To actually read ACLs, we need to run:
|
||||
你可以注意到,正常权限后多一个+标记。这表示ACL已经设置成功。为了真正读取ACL,我们需要运行:
|
||||
|
||||
$ sudo getfacl /shared
|
||||
|
||||
|
||||
|
||||
Finally if you want to remove ACL:
|
||||
最后,如果你需要移除ACL:
|
||||
|
||||
$ sudo setfacl -x u:test /shared
|
||||
|
||||
|
||||
|
||||
If you want to wipe out all ACL entries at once:
|
||||
如果你想要立即擦除所有ACL条目:
|
||||
|
||||
$ sudo setfacl -b /shared
|
||||
|
||||
|
||||
|
||||
One last thing. The commands cp and mv can change their behavior when they work over files or directories with ACLs. In the case of cp, you need to add the '-p' parameter to copy ACLs. If this is not posible, it will show you a warning. mv will always move the ACLs, and also if it is not posible, it will show you a warning.
|
||||
最后一件事。在设置了ACL文件或目录工作时,cp和mv命令会改变这些设置。在cp的情况下,需要添加“p”参数来复制ACL设置。如果这不可行,它将会展示一个警告。mv默认移动ACL设置,如果这也不可行,它也会向您展示一个警告。
|
||||
|
||||
### Conclusion ###
|
||||
### 总结 ###
|
||||
|
||||
Using ACLs gives you a tremendous power and control over files you want to share, especially on NFS/Samba servers. Moreover, if you administer shared hosting, this tool is a must have.
|
||||
使用ACL给了在你想要分享的文件上巨大的权利和控制,特别是在NFS/Samba服务。此外,如果你的主管共享主机,这个工具是必备的。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://xmodulo.com/2014/08/configure-access-control-lists-acls-linux.html
|
||||
|
||||
作者:[Christopher Valerio][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
译者:[VicYu](http://www.vicyu.net)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
Loading…
Reference in New Issue
Block a user