0.将用户bkupusr添加到extbk组中
leeand00@hostname:/home/leeand00/$ sudo groupadd extbk
leeand00@hostname:/home/leeand00/$ sudo usermod -G extbk bkupusr
1.创建的目录结构:
leeand00@hostname:/home/leeand00/$ mkdir appdir2
leeand00@hostname:/home/leeand00/$ mkdir appdir2/appuser1
leeand00@hostname:/home/leeand00/$ mkdir appdir2/appuser2
2.为我们之后在此处创建的任何其他内容设置默认权限(现有内容不递归)
leeand00@hostname:/home/leeand00/$ setfacl -dm g:extbk:r ./appdir2
3.创建目录和文件:
leeand00@hostname:/home/leeand00/$ cd appdir2
leeand00@hostname:/home/leeand00/appdir2/$ touch file1
leeand00@hostname:/home/leeand00/appdir2/$ mkdir dir1
leeand00@hostname:/home/leeand00/appdir2/$ echo "Hi" >> file1
4. 阻止其他组读取和执行appdir2
leeand00@hostname:/home/leeand00/appdir2/$ cd ..
leeand00@hostname:/home/leeand00/$ chmod o-xr ./appdir2
5. 尝试从extbk组中的用户访问
bkuser@hostname:/home/leeand00/$ cd ./appdir2
bash: cd: appdir2: Permission denied
bkuser@hostname:/home/leeand00/$ cat ./appdir2/file1
cat: appdir2/file1: Permission denied
但是,如果我按如下方式更改 other(其他用户)权限:
leeand00@hostname:/home/leeand00/$ chmod o+x ./appdir2
然后我就可以再次访问该文件。
bkuser@hostname:/home/leeand00/$ cd ./appdir2
bkuser@hostname:/home/leeand00/$ cat ./appdir2/file1
hi
但是其他组中的用户也可以访问……那么有没有办法只允许 ACL 中指定的组(以及文件的属组和所有者)访问,而不允许其他组访问?
答案1
与文件夹 ./appuser2 关联的 FACL 规则集有两个:一个是文件夹 ./appuser2 本身的 FACL 规则;另一个是默认 FACL 规则,它指定应用于在文件夹 ./appuser2 内创建的文件和文件夹的规则。
您上面概述的步骤设置了应用于在 ./appuser2 中创建的文件和文件夹的“默认”FACL 规则,但您尚未为文件夹 ./appuser2 本身定义 FACL 规则集。这是 extbk 组成员无法访问 ./appuser2 内容的部分原因。
另一个需要纠正的错误配置问题是:任何需要访问文件夹 ./appuser2 的用户都必须被授予对该目录的执行“x”权限。如 chmod(1) 手册中所述,对于文件夹,执行“x”权限授予用户对该文件夹的搜索权限,即授予用户对文件夹执行更改目录操作以访问文件夹内容的权限。另外请注意,将用户加入组时应使用 usermod -a -G(如下面的清单所示);不带 -a 的 usermod -G 会用给定的列表替换该用户现有的全部附加组。
以下是基于您的原始评论的示例,供您考虑:
清单 1:FACL 权限示例
sudo su -
mkdir -p /opt/appdir2/{appuser1,appuser2}
setfacl -bR /opt/appdir2/
chmod 750 /opt/appdir2/appuser2/
find /opt/appdir2/ -ls
1049001 4 drwxr-xr-x 4 root root 4096 Jul 26 22:02 /opt/appdir2/
1049051 4 drwxr-xr-x 2 root root 4096 Jul 26 22:02 /opt/appdir2/appuser1
1049053 4 drwxr-x--- 2 root root 4096 Jul 26 22:02 /opt/appdir2/appuser2
getfacl -p /opt/appdir2/appuser2/
# file: /opt/appdir2/appuser2/
# owner: root
# group: root
user::rwx
group::r-x
other::---
#==========================================================
# FACL rules for folder `/opt/appdir2/appuser2/'.
setfacl -m g:extbk:r-x /opt/appdir2/appuser2/
getfacl -p /opt/appdir2/appuser2/
# file: /opt/appdir2/appuser2/
# owner: root
# group: root
user::rwx
group::r-x
group:extbk:r-x
mask::r-x
other::---
#==========================================================
# FACL rules for files and folders created
# within folder `/opt/appdir2/appuser2/'.
setfacl -dm g:extbk:r-x /opt/appdir2/appuser2/
getfacl -p /opt/appdir2/appuser2/
# file: /opt/appdir2/appuser2/
# owner: root
# group: root
user::rwx
group::r-x
group:extbk:r-x
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:group:extbk:r-x
default:mask::r-x
default:other::---
echo "Hello" >/opt/appdir2/file1
echo "World" >/opt/appdir2/appuser2/file2
find /opt/appdir2/ -ls
1049001 4 drwxr-xr-x 4 root root 4096 Jul 26 22:13 /opt/appdir2/
1049051 4 drwxr-xr-x 2 root root 4096 Jul 26 22:02 /opt/appdir2/appuser1
1049053 8 drwxr-x--- 2 root root 4096 Jul 26 22:13 /opt/appdir2/appuser2
1049071 4 -rw-r----- 1 root root 6 Jul 26 22:13 /opt/appdir2/appuser2/file2
1049055 4 -rw-r--r-- 1 root root 6 Jul 26 22:13 /opt/appdir2/file1
getfacl -p /opt/appdir2/appuser2/file2
# file: /opt/appdir2/appuser2/file2
# owner: root
# group: root
user::rw-
group::r-x #effective:r--
group:extbk:r-x #effective:r--
mask::r--
other::---
#==========================================================
# Ensure users who are members of the group `extbk'
# are granted access to folder /opt/appdir2/appuser2/
# and its contents.
usermod -a -G extbk deleteme
su - deleteme
[deleteme]$ find /opt/appdir2/ -ls
1049001 4 drwxr-xr-x 4 root root 4096 Jul 26 22:13 /opt/appdir2/
1049051 4 drwxr-xr-x 2 root root 4096 Jul 26 22:02 /opt/appdir2/appuser1
1049053 8 drwxr-x--- 2 root root 4096 Jul 26 22:13 /opt/appdir2/appuser2
1049071 4 -rw-r----- 1 root root 6 Jul 26 22:13 /opt/appdir2/appuser2/file2
1049055 4 -rw-r--r-- 1 root root 6 Jul 26 22:13 /opt/appdir2/file1
[deleteme]$ cat /opt/appdir2/appuser2/file2
World
[deleteme]$ exit
#==========================================================
# Ensure users who are NOT members of the group `extbk'
# are denied access to folder /opt/appdir2/appuser2/
# and its contents.
gpasswd -d deleteme extbk
su - deleteme
[deleteme]$ find /opt/appdir2/ -ls
1049001 4 drwxr-xr-x 4 root root 4096 Jul 26 22:13 /opt/appdir2/
1049051 4 drwxr-xr-x 2 root root 4096 Jul 26 22:02 /opt/appdir2/appuser1
1049053 8 drwxr-x--- 2 root root 4096 Jul 26 22:13 /opt/appdir2/appuser2
find: '/opt/appdir2/appuser2': Permission denied
1049055 4 -rw-r--r-- 1 root root 6 Jul 26 22:13 /opt/appdir2/file1
[deleteme]$ cat /opt/appdir2/appuser2/file2
cat: /opt/appdir2/appuser2/file2: Permission denied
[deleteme]$ exit