Restoring an ACL with setfacl/getfacl?

Posted 2024-09-26 15:36:57

I recently removed my ACL because my professor needed to copy certain files. Now I know I should have just granted his user permissions instead of removing it all using 'setfacl -b .' on my home directory.

So the question is how do I recover or set a new ACL to my home directory using setfacl/getfacl?


Comments (1)

北城半夏 2024-10-03 15:36:57

You can't 'recover' what you discarded in the way of ACLs. If you know what you had set previously, you can reinstate those remembered ACLs anew, carefully.

Basic Permissions

On a Unix system, the most important criteria for you are the group and other ones - they are not directly affected by ACLs, but they control the access not governed by ACLs, and you must get them right too. You need to decide what is appropriate in your environment. For many corporate settings, allowing group and others read access on files, execute on programs, and read and search (execute) on directories is appropriate:

chmod 644 file
chmod 755 program
chmod 755 directory

If you are not supposed to let other people borrow your course work, you would nail things down so that group and others are not allowed in at all:

chmod 600 file
chmod 700 program
chmod 700 directory

Or you can mix and match; allow flexibility and open access to your home directory, but restrict people underneath that. In some circumstances, you might allow group or other only execute permission on a directory (and only read on a file). Then other people cannot access the file unless they know its name, and they can only read the file, not modify it or the directory that holds it.

Don't forget to use an appropriate umask setting so files are created with the correct permissions by default. For many people, a umask of 022 is appropriate; neither group members nor others can write to the file or directory, but they can read files or execute programs.

Using ACLs

None of this requires ACLs. If you want to provide controlled access to certain groups or users and not to others, then you need to ensure you have the appropriate base-level permissions set, and you can then effectively add permissions for selected users or groups on the files or directories you choose.

The Solaris 10 man page for setfacl says that the command syntax is:

 setfacl [-r] -s acl_entries file
 setfacl [-r] -md acl_entries file
 setfacl [-r] -f acl_file file

This does not mention the '-b' option mentioned in the question, so you may be using a different platform. Note that the ACL controls were going to be POSIX 1e, but that was never actually standardized, so different platforms implement slightly different variants on the commands.

The Solaris 10 man page then goes on to explain how to set the 'acl_entries' part of the description, with a note that the default part can only be applied to a directory, but the default values will be used for files in the directory.

 ACL Entry                     Description
 u[ser]::perms                 File owner permissions.
 g[roup]::perms                File group owner permissions.
 o[ther]:perms                 Permissions for  users  other  than
                               the  file  owner or members of file
                               group owner.
 m[ask]:perms                  The ACL mask. The mask entry  indi-
                               cates   the   maximum   permissions
                               allowed for users (other  than  the
                               owner)  and for groups. The mask is
                               a quick way to  change  permissions
                               on all the users and groups.
 u[ser]:uid:perms              Permissions for  a  specific  user.
                               For  uid,  you can specify either a
                               user name or a numeric UID.
 g[roup]:gid:perms             Permissions for a  specific  group.
                               For  gid,  you can specify either a
                               group name or a numeric GID.
 d[efault]:u[ser]::perms       Default file owner permissions.
 d[efault]:g[roup]::perms      Default file  group  owner  permis-
                               sions.
 d[efault]:o[ther]:perms       Default permissions for users other
                               than  the  file owner or members of
                               the file group owner.
 d[efault]:m[ask]:perms        Default ACL mask.
 d[efault]:u[ser]:uid:perms    Default permissions for a  specific
                               user.  For  uid,  you  can  specify
                               either a user  name  or  a  numeric
                               UID.
 d[efault]:g[roup]:gid:perms   Default permissions for a  specific
                               group.  For  gid,  you  can specify
                               either a group name  or  a  numeric
                               GID.

You will need to decide who, apart from your professor, needs access to files. Maybe your lab partner does; maybe the teaching assistants do; maybe your whole year (but not the years below you - those above you probably already know what you know). But without any more information about your requirements for protection, no-one can help you more. And generally, it is easy to get the ACLs wrong - use sparingly, if at all, and use the standard Unix permissions as your main access control.

And next time, I suggest simply allowing your professor in by adding (not erasing) ACLs - or asking him where he wants you to copy the files to (putting the onus on him to sort out the permissions issues), or copying the files into a directory such as $HOME/tmp/prof.jones with 711 permission on the directory, 644 permissions on the files, and telling him which files are there for him to copy.
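As an added example (not code from the question or the answer above), the following Python parses getfacl-style output, applies the mask exactly as the man-page excerpt describes it (it caps named users and all group entries, never the owner or 'other'), flags entries whose grant the mask silently clips, builds the argument for `setfacl -m` that adds a user's access rather than erasing everything, and computes the modes a umask gives new files and directories. The sample ACL text and the names alice, bob, students, tas and profjones are constructed for the demonstration; it assumes the symbolic entry syntax shown in the table (user:name:perms, group:name:perms, mask::perms, other::perms, default:...).

```python
"""Parse getfacl-style ACL text, apply the mask, and build setfacl -m specs.

Added example for this answer, not code from the original post. Assumes the
symbolic entry syntax from the man-page table above; entry names are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: what `getfacl homework` might print for a course directory
# where bob (a lab partner) was added but the mask clips the 'tas' group.
SAMPLE_ACL = """\
# file: homework
# owner: alice
# group: students
user::rwx
user:bob:r-x
group::r-x
group:tas:rwx
mask::r-x
other::---
default:user::rwx
default:group::r-x
default:mask::r-x
default:other::---
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_int(perms: str) -> int:
    """'r-x' or 'rx' -> 5; '---' -> 0."""
    value = 0
    for ch in perms:
        if ch == "-":
            continue
        if ch not in PERM_BITS:
            raise ValueError(f"bad permission character {ch!r} in {perms!r}")
        value |= PERM_BITS[ch]
    return value


def int_to_perms(value: int) -> str:
    """5 -> 'r-x'."""
    return "".join(ch if value & bit else "-" for ch, bit in PERM_BITS.items())


@dataclass(frozen=True)
class AclEntry:
    tag: str        # user, group, mask or other
    qualifier: str  # user/group name, or '' for the owner / owning group
    perms: int      # rwx bits as an integer 0..7
    default: bool   # True for default: entries (directories only)

    def key(self) -> str:
        return f"{self.tag}:{self.qualifier}"


def parse_acl(text: str) -> list[AclEntry]:
    """Parse getfacl output; the '# file:' / '# owner:' comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        default = parts[0] == "default"
        if default:
            parts = parts[1:]
        if len(parts) != 3:
            raise ValueError(f"malformed ACL entry: {line!r}")
        tag, qualifier, perms = parts
        entries.append(AclEntry(tag, qualifier, perms_to_int(perms), default))
    return entries


def effective_perms(entries: list[AclEntry], default: bool = False) -> dict[str, str]:
    """Effective permissions per entry after the mask: it caps named users, the
    owning group and named groups; the owner and 'other' are never masked."""
    mask = next((e.perms for e in entries if e.tag == "mask" and e.default == default), None)
    result = {}
    for e in entries:
        if e.default != default:
            continue
        masked = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        eff = e.perms & mask if (masked and mask is not None) else e.perms
        result[e.key()] = int_to_perms(eff)
    return result


def clipped_entries(entries: list[AclEntry], default: bool = False) -> list[str]:
    """Entries granting more than the mask allows: that grant is not in effect."""
    eff = effective_perms(entries, default)
    return [e.key() for e in entries
            if e.default == default and int_to_perms(e.perms) != eff[e.key()]]


def grant_spec(user: str, perms: str, default: bool = False) -> str:
    """Argument for `setfacl -m` that adds (not erases) one user's access."""
    spec = f"u:{user}:{int_to_perms(perms_to_int(perms))}"
    return f"d:{spec}" if default else spec


def default_mode(umask: int, directory: bool) -> int:
    """Mode a newly created file or directory gets under this umask (no ACL involved)."""
    base = 0o777 if directory else 0o666
    return base & ~umask & 0o777


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for key, perms in effective_perms(acl).items():
        print(f"{key:<12} {perms}")
    print("clipped by mask:", clipped_entries(acl))
    print("setfacl -m", grant_spec("profjones", "rx"), "homework")
    print("umask 022 ->", oct(default_mode(0o022, False)), oct(default_mode(0o022, True)))
```

Run against the sample, `group:tas` is reported as clipped: the entry says rwx but the mask of r-x is what actually applies, which is the kind of ACL mistake the answer warns is easy to make. Check the real output of `getfacl` on your platform the same way before trusting a grant, and use a spec of the `u:name:perms` form with `setfacl -m` so that the owner, group and other bits you set with chmod stay as they are.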
