5/11 접근제어리스트(ACL) 설정 관리
띠요옹
2021. 5. 11. 11:00
접근제어리스트(ACL)
디렉토리에 default ACL이 설정되어 있으면 그 안에 새로 생성되는 하위 파일/디렉토리가 이를 상속받음.
접근제어리스트 적용유무확인
#ls -l /root/acl/file-name   (권한 문자열 끝에 '+' 가 붙어 있으면 ACL이 적용된 파일임)
접근제어리스트 정보 확인
getfacl file-name
접근제어리스트 설정
setfacl [option] ENTRY:NAME:PERMS file-name
접근제어리스트 제거
setfacl -x ENTRY:NAME file-name (NAME까지만 입력하고 PERMS는 지정하지 않음)
setfacl [ {-b | -k} ] file-name   (-b: 모든 ACL 항목 제거, -k: default ACL 제거)
접근제어리스트 재귀적사용
setfacl -Rm ENTRY:NAME:PERMS file-name
예제)file: roster.txt
group: controller
user:james:---
user:1005:rwx
group:sodor:r--
group:2210:rwx
mask::rw-
effective:rw-
effective:rw-
effective:rw-
student@student-B85M-DS3H-A:~$ touch fileA
student@student-B85M-DS3H-A:~$ ls -al fileA
-rw-rw-r-- 1 student student 0 5월 11 09:57 fileA
student@student-B85M-DS3H-A:~$ chmod 777
chmod: missing operand after ‘777’
Try 'chmod --help' for more information.
student@student-B85M-DS3H-A:~$ chmod 777 fileA
student@student-B85M-DS3H-A:~$ ls -al fileA
-rwxrwxrwx 1 student student 0 5월 11 09:57 fileA
student@student-B85M-DS3H-A:~$ getfacl fileA
# file: fileA
# owner: student
# group: student
user::rwx
group::rwx
other::rwx
student@student-B85M-DS3H-A:~$ sudo useradd user01
[sudo] password for student:
student@student-B85M-DS3H-A:~$ setfacl -m u:user01:r fileA
student@student-B85M-DS3H-A:~$ getfacl fileA
# file: fileA
# owner: student
# group: student
user::rwx
user:user01:r--
group::rwx
mask::rwx
other::rwx
student@student-B85M-DS3H-A:~$ setfacl -m u:user01:wx fileA
student@student-B85M-DS3H-A:~$ getfacl fileA
# file: fileA
# owner: student
# group: student
user::rwx
user:user01:-wx
group::rwx
mask::rwx
other::rwx
student@student-B85M-DS3H-A:~$ chmod 555 fileA
student@student-B85M-DS3H-A:~$ getfacl fileA
# file: fileA
# owner: student
# group: student
user::r-x
user:user01:-wx #effective:--x
group::rwx #effective:r-x
mask::r-x
other::r-x
student@student-B85M-DS3H-A:~$ setfacl -x u:user01:wx fileA
setfacl: Option -x: Invalid argument near character 10
student@student-B85M-DS3H-A:~$ setfacl -x user01 fileA
student@student-B85M-DS3H-A:~$ getfacl fileA
# file: fileA
# owner: student
# group: student
user::r-x
group::rwx
mask::rwx
other::r-x
student@student-B85M-DS3H-A:~$ ls -al fileA
-r-xrwxr-x+ 1 student student 0 5월 11 09:57 fileA
student@student-B85M-DS3H-A:~$ touch roster.txt
student@student-B85M-DS3H-A:~$ ls -al roster.txt
-rw-rw-r-- 1 student student 0 5월 11 10:06 roster.txt
student@student-B85M-DS3H-A:~$ chmod 777 roster.txt
student@student-B85M-DS3H-A:~$ ls -al roster.txt
-rwxrwxrwx 1 student student 0 5월 11 10:06 roster.txt
student@student-B85M-DS3H-A:~$ getfacl roster.txt
# file: roster.txt
# owner: student
# group: student
user::rwx
group::rwx
other::rwx
student@student-B85M-DS3H-A:~$ sudo useradd sodor
[sudo] password for student:
student@student-B85M-DS3H-A:~$ sudo setfacl -m g:sodor:r roster.txt
student@student-B85M-DS3H-A:~$ sudo useradd james
student@student-B85M-DS3H-A:~$ getfacl roster.txt
# file: roster.txt
# owner: student
# group: student
user::rwx
group::rwx
group:sodor:r--
mask::rwx
other::rwx
student@student-B85M-DS3H-A:~$ sudo setfacl -m u:james:0 roster.txt
student@student-B85M-DS3H-A:~$ getfacl roster.txt
# file: roster.txt
# owner: student
# group: student
user::rwx
user:james:---
group::rwx
group:sodor:r--
mask::rwx
other::rwx
student@student-B85M-DS3H-A:~$ sudo chmod 770 roster.txt
student@student-B85M-DS3H-A:~$ getfacl roster.txt
student@student-B85M-DS3H-A:~$ sudo useradd 2210 -> 이 숫자는 UID라서 계정으로 만들면 안됨. 틀린 것임
student@student-B85M-DS3H-A:~$ sudo setfacl -m g:2210:rwx roster.txt
student@student-B85M-DS3H-A:~$ getfacl roster.txt   -> 됨
# file: roster.txt
# owner: student
# group: student
user::rwx
user:james:---
group::rwx
group:sodor:r--
group:2210:rwx
mask::rwx
other::rwx
student@student-B85M-DS3H-A:~$ sudo setfacl -m u:1005:rwx roster.txt
student@student-B85M-DS3H-A:~$ getfacl roster.txt
# file: roster.txt
# owner: student
# group: student
user::rwx
user:james:---
user:1005:rwx
group::rwx
group:sodor:r--
group:2210:rwx
mask::rwx
other::rwx
student@student-B85M-DS3H-A:~$ sudo setfacl -m m::rw roster.txt
student@student-B85M-DS3H-A:~$ getfacl roster.txt
# file: roster.txt
# owner: student
# group: student
user::rwx
user:james:---
user:1005:rwx #effective:rw-
group::rwx #effective:rw-
group:sodor:r--
group:2210:rwx #effective:rw-
mask::rw-
other::rwx
student@student-B85M-DS3H-A:~$ sudo groupadd controller
-> 이름(문자)으로 된 것은 반드시 useradd/groupadd로 먼저 만들어 준 뒤 sudo chown ~ 으로 지정해야 함
(숫자로 된 것은 UID/GID 값이므로 add로 생성하지 않고 sudo chown ~ 에 번호를 바로 써 주면 바로 바뀜)
student@student-B85M-DS3H-A:~$ sudo chown :controller roster.txt
-> 한 번에 user와 group을 같이 바꾸려면 sudo chown USER-NAME:GROUP-NAME File-name
형식으로 바로 입력하면 됨
student@student-B85M-DS3H-A:~$ getfacl roster.txt
# file: roster.txt
# owner: student
# group: controller
user::rwx
user:james:---
user:1005:rwx #effective:rw-
group::rwx #effective:rw-
group:sodor:r--
group:2210:rwx #effective:rw-
mask::rw-
other::rwx
student@student-B85M-DS3H-A:~$
예제 정답)
chmod 7777 fileA
chmod 0777 fileA
95 touch fileA
96 ls -al fileA
97 chmod 777 fileA
98 ls -al fileA
99 getfacl fileA
100 sudo useradd user01
101 setfacl -m u:user01:r fileA
102 getfacl fileA
103 setfacl -m u:user01:wx fileA
104 getfacl fileA
106 chmod 555 fileA
107 getfacl fileA
108 setfacl -x u:user01:wx fileA
109 setfacl -x user01 fileA
110 getfacl fileA
111 ls -al fileA
30 분까지 쉬는시간
----------------------------------------------
실습1
113 touch roster.txt
114 sudo useradd student
115 sudo useradd james
116 sudo groupadd controller
117 sudo groupadd sodor
118 ls -al roster.txt
119 getfacl roster.txt
120 chown student roster.txt
121 sudo chown student roster.txt
122 getfacl roster.txt
123 sudo chown :controller roster.txt
124 ls -al roster.txt
125 getfacl roster.txt
126 sudo chmod 770 roster.txt
127 getfacl roster.txt
128 sudo setfacl -m u:james:0 roster.txt
129 getfacl roster.txt
130 sudo setfacl -m u:1005:rwx roster.txt
131 sudo setfacl -m g:sodor:r roster.txt
132 sudo setfacl -m g:2210:rwx roster.txt
133 getfacl roster.txt
134 ls -al roster.txt
135 sudo setfacl -m m::rw roster.txt
136 getfacl roster.txt
137 ls -al roster.txt
138 history
student@student-B85M-DS3H-A:~$ sudo groupadd aclgroup
student@student-B85M-DS3H-A:~$ sudo useradd user02 -g aclgroup
student@student-B85M-DS3H-A:~$ sudo mkdir /ptest
student@student-B85M-DS3H-A:~$ sudo chmod 777 /ptest
student@student-B85M-DS3H-A:~$ sudo mkdir /ptest/dir02
student@student-B85M-DS3H-A:~$ sudo setfacl -m u:user03:0 /ptest/dir02
student@student-B85M-DS3H-A:~$ sudo touch /ptest/dir02/file01
student@student-B85M-DS3H-A:~$ sudo setfacl -m u:user01:rw,g:aclgroup:w /ptest/dir02/file01
student@student-B85M-DS3H-A:~$
student@student-B85M-DS3H-A:~$ sudo mkdir /ptest/dir02/dir04
student@student-B85M-DS3H-A:~$ sudo chmod 000 /ptest/dir02/dir04
student@student-B85M-DS3H-A:~$ sudo setfacl -m u:user04:7 /ptest/dir02/dir04