Use ACL permissions without allowing other groups access to a directory?


0. Add the user bkupusr to the extbk group

leeand00@hostname:/home/leeand00/$ sudo groupadd extbk
leeand00@hostname:/home/leeand00/$ sudo usermod -G extbk bkupusr

1. The directory structure created:

leeand00@hostname:/home/leeand00/$ mkdir appdir2
leeand00@hostname:/home/leeand00/$ mkdir appdir2/appuser1
leeand00@hostname:/home/leeand00/$ mkdir appdir2/appuser2

2. Set default permissions for anything else we create here later (not applied recursively to existing content)

leeand00@hostname:/home/leeand00/$ setfacl -dm g:extbk:r ./appdir2

3. Create a directory and a file:

leeand00@hostname:/home/leeand00/$ cd appdir2
leeand00@hostname:/home/leeand00/appdir2/$ touch file1
leeand00@hostname:/home/leeand00/appdir2/$ mkdir dir1
leeand00@hostname:/home/leeand00/appdir2/$ echo "Hi" >> file1

4. Stop other groups from reading and executing appdir2

leeand00@hostname:/home/leeand00/appdir2/$ cd ..
leeand00@hostname:/home/leeand00/$ chmod o-xr ./appdir2

5. Try to access it as a user in the extbk group

bkuser@hostname:/home/leeand00/$ cd ./appdir2
bash: cd: appdir2: Permission denied

bkuser@hostname:/home/leeand00/$ cat ./appdir2/file1
cat: appdir2/file1: Permission denied

But if I change the "other" permissions as follows:

leeand00@hostname:/home/leeand00/$ chmod o+x ./appdir2

then I can access the file again.

bkuser@hostname:/home/leeand00/$ cd ./appdir2
bkuser@hostname:/home/leeand00/$ cat ./appdir2/file1
hi

But so can anyone else in another group... So is there a way to allow access only to the group named in the ACL (plus the owning group and the owner) and not to other groups?

Answer 1

There are two sets of FACL rules associated with the folder ./appuser2: the FACL rules for the folder ./appuser2 itself, and a second set of FACL rules specifying the default FACL rules to be applied to files and folders created within the folder ./appuser2.

The steps you outlined above set up the "default" FACL rules that are applied to files and folders created within ./appuser2, but you have not yet defined the FACL rule set for the folder ./appuser2 itself. This is part of the reason members of the extbk group cannot access the contents of ./appuser2.

Another misconfiguration that needs to be corrected: any user who needs access to the folder ./appuser2 must be granted execute ("x") permission on that directory. As described in the chmod(1) manual, for a folder the execute ("x") permission grants the user search permission on that folder, i.e. permission to change directory into the folder in order to access its contents.

Here is an example based on your original comments, for your consideration:

Listing 1: FACL permission example

sudo su -
mkdir -p /opt/appdir2/{appuser1,appuser2}
setfacl -bR /opt/appdir2/
chmod 750 /opt/appdir2/appuser2/
find /opt/appdir2/ -ls
    1049001    4 drwxr-xr-x   4 root     root         4096 Jul 26 22:02 /opt/appdir2/
    1049051    4 drwxr-xr-x   2 root     root         4096 Jul 26 22:02 /opt/appdir2/appuser1
    1049053    4 drwxr-x---   2 root     root         4096 Jul 26 22:02 /opt/appdir2/appuser2

getfacl -p /opt/appdir2/appuser2/
    # file: /opt/appdir2/appuser2/
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::---

#==========================================================
# FACL rules for folder `/opt/appdir2/appuser2/'.

setfacl -m g:extbk:r-x /opt/appdir2/appuser2/

getfacl -p /opt/appdir2/appuser2/
    # file: /opt/appdir2/appuser2/
    # owner: root
    # group: root
    user::rwx
    group::r-x
    group:extbk:r-x
    mask::r-x
    other::---

#==========================================================
# FACL rules for files and folders created
# within folder `/opt/appdir2/appuser2/'.

setfacl -dm g:extbk:r-x /opt/appdir2/appuser2/

getfacl -p /opt/appdir2/appuser2/
    # file: /opt/appdir2/appuser2/
    # owner: root
    # group: root
    user::rwx
    group::r-x
    group:extbk:r-x
    mask::r-x
    other::---
    default:user::rwx
    default:group::r-x
    default:group:extbk:r-x
    default:mask::r-x
    default:other::---

echo "Hello" >/opt/appdir2/file1
echo "World" >/opt/appdir2/appuser2/file2

find /opt/appdir2/ -ls
    1049001    4 drwxr-xr-x   4 root     root         4096 Jul 26 22:13 /opt/appdir2/
    1049051    4 drwxr-xr-x   2 root     root         4096 Jul 26 22:02 /opt/appdir2/appuser1
    1049053    8 drwxr-x---   2 root     root         4096 Jul 26 22:13 /opt/appdir2/appuser2
    1049071    4 -rw-r-----   1 root     root            6 Jul 26 22:13 /opt/appdir2/appuser2/file2
    1049055    4 -rw-r--r--   1 root     root            6 Jul 26 22:13 /opt/appdir2/file1

getfacl -p /opt/appdir2/appuser2/file2
    # file: /opt/appdir2/appuser2/file2
    # owner: root
    # group: root
    user::rw-
    group::r-x                      #effective:r--
    group:extbk:r-x                 #effective:r--
    mask::r--
    other::---


#==========================================================
# Ensure users who are members of the group `extbk'
# are granted access to folder /opt/appdir2/appuser2/ 
# and its contents.

usermod -a -G extbk deleteme
su - deleteme

[deleteme]$ find /opt/appdir2/ -ls
    1049001    4 drwxr-xr-x   4 root     root         4096 Jul 26 22:13 /opt/appdir2/
    1049051    4 drwxr-xr-x   2 root     root         4096 Jul 26 22:02 /opt/appdir2/appuser1
    1049053    8 drwxr-x---   2 root     root         4096 Jul 26 22:13 /opt/appdir2/appuser2
    1049071    4 -rw-r-----   1 root     root            6 Jul 26 22:13 /opt/appdir2/appuser2/file2
    1049055    4 -rw-r--r--   1 root     root            6 Jul 26 22:13 /opt/appdir2/file1

[deleteme]$ cat /opt/appdir2/appuser2/file2
    World

[deleteme]$ exit

#==========================================================
# Ensure users who are NOT members of the group `extbk'
# are denied access to folder /opt/appdir2/appuser2/ 
# and its contents.

gpasswd -d deleteme extbk
su - deleteme

[deleteme]$ find /opt/appdir2/ -ls
    1049001    4 drwxr-xr-x   4 root     root         4096 Jul 26 22:13 /opt/appdir2/
    1049051    4 drwxr-xr-x   2 root     root         4096 Jul 26 22:02 /opt/appdir2/appuser1
    1049053    8 drwxr-x---   2 root     root         4096 Jul 26 22:13 /opt/appdir2/appuser2
    find: '/opt/appdir2/appuser2': Permission denied
    1049055    4 -rw-r--r--   1 root     root            6 Jul 26 22:13 /opt/appdir2/file1

[deleteme]$ cat /opt/appdir2/appuser2/file2
    cat: /opt/appdir2/appuser2/file2: Permission denied

[deleteme]$ exit
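To make the rules behind the two outcomes above explicit, here is a small model of the acl(5) access check, added as an example (not code from the question or the answer). It replays the question's state after step 4 and the Listing 1 state; the names and the Listing 1 ACLs come from the page, while file1's inherited entries are reconstructed from the question's commands and are an assumption.

```python
# POSIX ACL access check from acl(5), added here as a model (not code from the
# original post); user/group/path names and ACL contents come from the page.
def has(perms, want):  # every requested bit in `want` (e.g. "rx") present in `perms`?
    return all(bit in perms for bit in want)

def acl_check(acl, uid, groups, want):
    """acl(5) order: owner, named users, file group class (masked), then other."""
    if uid == acl["owner"]:
        return has(acl["user"], want)
    if uid in acl.get("users", {}):
        return has(acl["users"][uid], want) and has(acl.get("mask", "rwx"), want)
    matched = [acl["group"]] if acl["owning_group"] in groups else []
    matched += [p for g, p in acl.get("groups", {}).items() if g in groups]
    if matched:  # one matching group entry that grants the bits (within the mask) is enough
        return any(has(p, want) and has(acl.get("mask", "rwx"), want) for p in matched)
    return has(acl["other"], want)

def path_check(dirs, target, uid, groups, want):
    """Search ("x") is needed on every directory on the path, then `want` on the target."""
    return all(acl_check(d, uid, groups, "x") for d in dirs) and acl_check(target, uid, groups, want)

# Question after step 4 (chmod o-xr): appdir2 has only *default* entries, so its
# own access ACL is just the mode bits; file1's entries are reconstructed (assumed).
APPDIR2 = {"owner": "leeand00", "user": "rwx", "owning_group": "leeand00", "group": "r-x", "other": "---"}
FILE1 = {"owner": "leeand00", "user": "rw-", "owning_group": "leeand00", "group": "r-x",
         "groups": {"extbk": "r--"}, "mask": "r--", "other": "r--"}  # umask 022 left other::r--
# Answer, Listing 1: named group entry on the folder itself plus other::---.
OPT_APPDIR2 = {"owner": "root", "user": "rwx", "owning_group": "root", "group": "r-x", "other": "r-x"}
APPUSER2 = {"owner": "root", "user": "rwx", "owning_group": "root", "group": "r-x",
            "groups": {"extbk": "r-x"}, "mask": "r-x", "other": "---"}
FILE2 = {"owner": "root", "user": "rw-", "owning_group": "root", "group": "r-x",
         "groups": {"extbk": "r-x"}, "mask": "r--", "other": "---"}

def question_outcomes():
    """Step 5 fails on search permission; chmod o+x then admits everyone via other::r--."""
    extbk = {"bkuser", "extbk"}
    can_cd = acl_check(APPDIR2, "bkuser", extbk, "x")
    opened = dict(APPDIR2, other="--x")  # chmod o+x ./appdir2
    extbk_reads = path_check([opened], FILE1, "bkuser", extbk, "r")
    stranger_reads = path_check([opened], FILE1, "stranger", {"stranger"}, "r")
    return can_cd, extbk_reads, stranger_reads

def answer_outcomes():
    """Listing 1: extbk members read file2 (mask r-- denies x); non-members stop at appuser2."""
    path = [OPT_APPDIR2, APPUSER2]
    member_reads = path_check(path, FILE2, "deleteme", {"deleteme", "extbk"}, "r")
    member_execs = path_check(path, FILE2, "deleteme", {"deleteme", "extbk"}, "x")
    outsider_reads = path_check(path, FILE2, "deleteme", {"deleteme"}, "r")
    return member_reads, member_execs, outsider_reads
```

The decisive difference is that Listing 1 puts the group:extbk entry on the folder's own access ACL and leaves other::--- in place, so the directory's search bit is granted by the named group entry rather than by "other".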
