Defining a default ACL policy

Submitted by 倖福魔咒の on 2019-12-06 09:36:04

1) Set an ACL on the directory /public/ so that user gelin01 has rwx permissions
2) Under /public/, create the subdirectory gdir1 and the file gfile1, and view the ACL of each
3) Set an inheritable (default) permission on /public/ of "user ht02 has rwx permissions"
4) Under /public/, create the subdirectory gdir2 and the file gfile2, and view the ACL of each
5) Log in as user ht02 and run the following tests:
6) Does ht02 have write permission on the /public/ directory?
7) Does ht02 have write permission on gdir2 and gfile2 under /public/?
8) Does ht02 have write permission on gdir1 and gfile1 under /public/?

A default ACL is an ACL policy that is inherited. Note, however, that a default ACL has no effect on the directory itself; it only takes effect on the subdirectories and files created under that directory.

Step 1: Set an ACL on the directory /public/ so that user gelin01 has rwx permissions

[root@localhost ~]# id gelin01           //check whether user gelin01 exists
uid=501(gelin01) gid=501(gelin01) 组=501(gelin01),502(tarena)
[root@localhost ~]# mkdir /public        //create the directory
[root@localhost ~]# getfacl /public      //view the ACL
getfacl: Removing leading '/' from absolute path names
#file: public/
#owner: root
#group: root
user::rwx
group::r-x
other::r-x

[root@localhost ~]# setfacl -m u:gelin01:rwx /public    //set the ACL entry
[root@localhost ~]# getfacl /public                       //view the ACL
getfacl: Removing leading '/' from absolute path names
#file: public/
#owner: root
#group: root
user::rwx
user:gelin01:rwx
group::r-x
mask::rwx
other::r-x

Step 2: Under /public/, create the subdirectory gdir1 and the file gfile1, and view the ACL of each

[root@localhost ~]# mkdir /public/gdir1
[root@localhost ~]# touch /public/gfile1
[root@localhost ~]# getfacl /public/gdir1/
getfacl: Removing leading '/' from absolute path names
#file: public/gdir1/
#owner: root
#group: root
user::rwx
group::r-x
other::r-x

[root@localhost ~]# getfacl /public/gfile1 
getfacl: Removing leading '/' from absolute path names
#file: public/gfile1
#owner: root
#group: root
user::rw-
group::r--
other::r--

[root@localhost ~]#

Step 3: Set an inheritable (default) permission on /public/ of "user ht02 has rwx permissions"

[root@localhost ~]# id ht02        //check whether user ht02 exists
id: ht02:无此用户
[root@localhost ~]# useradd ht02   //create user ht02
[root@localhost ~]# getfacl /public/
getfacl: Removing leading '/' from absolute path names
#file: public/
#owner: root
#group: root
user::rwx
user:gelin01:rwx
group::r-x
mask::rwx
other::r-x
[root@localhost ~]# setfacl -dm u:ht02:rwx /public    //set a default (inheritable) ACL entry
[root@localhost ~]# getfacl /public/
getfacl: Removing leading '/' from absolute path names
#file: public/
#owner: root
#group: root
user::rwx
user:gelin01:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ht02:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

[root@localhost ~]#

Step 4: Under /public/, create the subdirectory gdir2 and the file gfile2, and view the ACL of each

[root@localhost ~]# mkdir /public/gdir2
[root@localhost ~]# touch /public/gfile2
[root@localhost ~]# getfacl /public/gdir2
getfacl: Removing leading '/' from absolute path names
#file: public/gdir2
#owner: root
#group: root
user::rwx
user:ht02:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ht02:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

[root@localhost ~]# getfacl /public/gfile2
getfacl: Removing leading '/' from absolute path names
#file: public/gfile2
#owner: root
#group: root
user::rw-
user:ht02:rwx                   #effective:rw-
group::r-x                      #effective:r--
mask::rw-
other::r--

Step 5: Log in as user ht02 and test

Switch to the ht02 identity:

[root@localhost ~]# su - ht02
[ht02@localhost ~]$
Does ht02 have write permission on the /public/ directory? The commands are as follows:
[ht02@localhost ~]$ mkdir /public/htdir
mkdir: 无法创建目录"/public/htdir": 权限不够
[ht02@localhost ~]$ getfacl /public/
getfacl: Removing leading '/' from absolute path names
#file: public/
#owner: root
#group: root
user::rwx
user:gelin01:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ht02:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

[ht02@localhost ~]$

Analysis: this shows that the default ACL does not take effect on the directory itself; it is only inherited by, and takes effect on, the subdirectories and files created under it.
Does ht02 have write permission on gdir2 and gfile2 under /public/?

[ht02@localhost ~]$ mkdir /public/gdir2/htdir
[ht02@localhost ~]$ getfacl /public/gdir2/
getfacl: Removing leading '/' from absolute path names
#file: public/gdir2/
#owner: root
#group: root
user::rwx
user:ht02:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:ht02:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

[ht02@localhost ~]$ ls -ld /public/gdir2/htdir/      //created successfully
drwxrwxr-x+ 2 ht02 ht02 4096 2月  27 16:53 /public/gdir2/htdir/
[ht02@localhost ~]$ getfacl /public/gfile2
getfacl: Removing leading '/' from absolute path names
#file: public/gfile2
#owner: root
#group: root
user::rw-
user:ht02:rwx                   #effective:rw-
group::r-x                      #effective:r--
mask::rw-
other::r--

[ht02@localhost ~]$

[ht02@localhost ~]$ echo 123456 > /public/gfile2 //test writing

[ht02@localhost ~]$ cat /public/gfile2                
123456
Does ht02 have write permission on gdir1 and gfile1 under /public/? The commands are as follows:
[ht02@localhost ~]$ getfacl /public/gdir1      //ht02 has no ACL entry here
getfacl: Removing leading '/' from absolute path names
#file: public/gdir1
#owner: root
#group: root
user::rwx
group::r-x
other::r-x

[ht02@localhost ~]$ mkdir /public/gdir1/htdir
mkdir: 无法创建目录"/public/gdir1/htdir": 权限不够
[ht02@localhost ~]$ getfacl /public/gfile1      //ht02 has no ACL entry here
getfacl: Removing leading '/' from absolute path names
#file: public/gfile1
#owner: root
#group: root
user::rw-
group::r--
other::r--

[ht02@localhost ~]$ echo 123456 > /public/gfile1
-bash: /public/gfile1: 权限不够
[ht02@localhost ~]$
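The two rules the lab demonstrates (default entries are copied to new children and never grant access on the directory itself; the mask caps named entries, which is why gfile2 shows `#effective:rw-`) can be modelled offline. The following is an added example, not part of the original lab: it parses the getfacl output shown above and applies the inheritance and effective-permission rules of acl(5), so it needs no root and no real filesystem.

```python
# Added example (not from the original lab): models default-ACL inheritance and
# the mask rule from acl(5) and checks them against the getfacl output above.
from typing import Dict, Set, Tuple

def perm_bits(s: str) -> int:
    """'rwx' -> 7, 'rw-' -> 6, 'r--' -> 4."""
    return (4 if s[0] == "r" else 0) | (2 if s[1] == "w" else 0) | (1 if s[2] == "x" else 0)

def parse_getfacl(text: str) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Split getfacl output into access and default entries keyed 'tag:qualifier'."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()   # drops '#file:' headers and '#effective:' notes
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        if line.count(":") != 2:            # skips blanks and the 'Removing leading /' notice
            continue
        tag, qualifier, perms = line.split(":")
        target[f"{tag}:{qualifier}"] = perm_bits(perms)
    return access, default

def inherit(default: Dict[str, int], mode: int) -> Dict[str, int]:
    """Access ACL of a new child: the create mode (0o777 for mkdir, 0o666 for creat)
    is ANDed into user::, mask:: and other::; umask is ignored; named entries are kept."""
    child = dict(default)
    child["user:"] &= (mode >> 6) & 7
    child["mask:" if "mask:" in child else "group:"] &= (mode >> 3) & 7
    child["other:"] &= mode & 7
    return child

def effective(access: Dict[str, int], user: str, groups: Set[str],
              owner: str, owning_group: str) -> int:
    """Bits a user really gets: only access entries count, default:* never do."""
    if user == owner:
        return access["user:"]
    mask = access.get("mask:", 7)
    if f"user:{user}" in access:
        return access[f"user:{user}"] & mask      # what getfacl prints as '#effective:'
    bits, matched = 0, False
    for key in ["group:"] * (owning_group in groups) + [f"group:{g}" for g in groups]:
        if key in access:
            bits, matched = bits | access[key], True
    return bits & mask if matched else access["other:"]

# Constructed from the page's getfacl output for /public after step 3 (one entry per line).
PUBLIC_ACL = "user::rwx\nuser:gelin01:rwx\ngroup::r-x\nmask::rwx\nother::r-x\n" \
             "default:user::rwx\ndefault:user:ht02:rwx\ndefault:group::r-x\ndefault:mask::rwx\ndefault:other::r-x\n"
```

Running `effective(parse_getfacl(PUBLIC_ACL)[0], "ht02", {"ht02"}, "root", "root")` gives `r-x` (the mkdir failure in step 5), while `inherit(default, 0o666)` reproduces the gfile2 ACL with its `mask::rw-`.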