ACL linux 的意外行为
unexpected behaviour of ACL linux
发现使用 d
开关使用 acl 时最奇怪的行为:
在 setfacl 命令中使用 d:
进行测试
create directory: mkdir /var/tmp/tester
create three users: useradd userA -d /tmp etc…
remove the other permission of the directory: chmod 750 /var/tmp/tester
grant acl permissions for userA: # file: setfacl -md:u:userA:rwx var/tmp/tester/
grant acl permissions for userB: setfacl -m d:u:userB:rx /var/tmp/tester
grant acl permissions for userC(not really needed): setfacl -m d:u:userC:rwx /var/tmp/tester
list the acl of the directory: getfacl /var/tmp/tester
# owner: root
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:user:userA:rwx
default:user:userB:r-x
default:user:userC:---
default:group::r-x
default:mask::rwx
default:other::---
Become userA and navigate to the tester dir: ''su - userA cd /var/tmp''/tester
结果:-bash: cd: /var/tmp/tester: 权限被拒绝
现在进行同样的测试,但在我的 acl setfacl 命令
中不使用 d:
create directory: mkdir /var/tmp/tester
create three users: useradd userA -d /tmp etc…
remove the other permission of the directory: chmod 750 /var/tmp/tester
grant acl permissions for userA: # file: setfacl -m u:userA:rwx var/tmp/tester/
grant acl permissions for userB: setfacl -m u:userB:rx /var/tmp/tester
grant acl permissions for userC(not really needed): setfacl -m u:userC:rwx /var/tmp/tester
list the acl of the directory: getfacl /var/tmp/tester
# owner: root
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:user:userA:rwx
default:user:userB:r-x
default:user:userC:---
default:group::r-x
default:mask::rwx
default:other::---
Become userA and navigate to the tester dir: ''su - userA cd /var/tmp''/tester
结果:成功!?
这是预期的行为吗?
为什么 getfacl 在测试中没有显示任何差异?
d:
是 default:
的缩写,指定目录的 默认 ACL,而不是真正的 ACL。来自 man 5 acl
:
OBJECT CREATION AND DEFAULT ACLs
The access ACL of a file object is initialized when the object is created
with any of the creat(), mkdir(), mknod(), mkfifo(), or open() functions.
If a default ACL is associated with a directory, the mode parameter to
the functions creating file objects and the default ACL of the directory
are used to determine the ACL of the new object:
1. The new object inherits the default ACL of the containing directory
as its access ACL.
2. The access ACL entries corresponding to the file permission bits are
modified so that they contain no permissions that are not contained
in the permissions specified by the mode parameter.
所以,是的:当(不)使用 d:
.
时,您观察到不同的行为是正常的
但是请注意,您发布的 getfacl
的输出是错误的:在第二种情况下(当不使用 d:
时)您应该有一些前缀为 user:userA
的行,user:userB
, user:userC
而不是前缀为 default:
的行。这是一个更简单的例子:
$ mkdir a b
$ setfacl -m u:nobody:rx a
$ setfacl -m d:u:nobody:rx b
$ diff -u <(getfacl a) <(getfacl b)
--- /dev/fd/63 2016-03-12 11:10:20.032239216 +0100
+++ /dev/fd/62 2016-03-12 11:10:20.024239117 +0100
@@ -1,9 +1,12 @@
-# file: a
+# file: b
# owner: andrea
# group: andrea
user::rwx
-user:nobody:r-x
group::rwx
-mask::rwx
other::r-x
+default:user::rwx
+default:user:nobody:r-x
+default:group::rwx
+default:mask::rwx
+default:other::r-x
发现使用 d
开关使用 acl 时最奇怪的行为:
在 setfacl 命令中使用 d:
进行测试
create directory: mkdir /var/tmp/tester
create three users: useradd userA -d /tmp etc…
remove the other permission of the directory: chmod 750 /var/tmp/tester
grant acl permissions for userA: # file: setfacl -md:u:userA:rwx var/tmp/tester/
grant acl permissions for userB: setfacl -m d:u:userB:rx /var/tmp/tester
grant acl permissions for userC(not really needed): setfacl -m d:u:userC:rwx /var/tmp/tester
list the acl of the directory: getfacl /var/tmp/tester
# owner: root
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:user:userA:rwx
default:user:userB:r-x
default:user:userC:---
default:group::r-x
default:mask::rwx
default:other::---
Become userA and navigate to the tester dir: ''su - userA cd /var/tmp''/tester
结果:-bash: cd: /var/tmp/tester: 权限被拒绝
现在进行同样的测试,但在我的 acl setfacl 命令
中不使用d:
create directory: mkdir /var/tmp/tester
create three users: useradd userA -d /tmp etc…
remove the other permission of the directory: chmod 750 /var/tmp/tester
grant acl permissions for userA: # file: setfacl -m u:userA:rwx var/tmp/tester/
grant acl permissions for userB: setfacl -m u:userB:rx /var/tmp/tester
grant acl permissions for userC(not really needed): setfacl -m u:userC:rwx /var/tmp/tester
list the acl of the directory: getfacl /var/tmp/tester
# owner: root
# group: root
user::rwx
group::r-x
other::---
default:user::rwx
default:user:userA:rwx
default:user:userB:r-x
default:user:userC:---
default:group::r-x
default:mask::rwx
default:other::---
Become userA and navigate to the tester dir: ''su - userA cd /var/tmp''/tester
结果:成功!?
这是预期的行为吗? 为什么 getfacl 在测试中没有显示任何差异?
d:
是 default:
的缩写,指定目录的 默认 ACL,而不是真正的 ACL。来自 man 5 acl
:
OBJECT CREATION AND DEFAULT ACLs
The access ACL of a file object is initialized when the object is created
with any of the creat(), mkdir(), mknod(), mkfifo(), or open() functions.
If a default ACL is associated with a directory, the mode parameter to
the functions creating file objects and the default ACL of the directory
are used to determine the ACL of the new object:
1. The new object inherits the default ACL of the containing directory
as its access ACL.
2. The access ACL entries corresponding to the file permission bits are
modified so that they contain no permissions that are not contained
in the permissions specified by the mode parameter.
所以,是的:当(不)使用 d:
.
但是请注意,您发布的 getfacl
的输出是错误的:在第二种情况下(当不使用 d:
时)您应该有一些前缀为 user:userA
的行,user:userB
, user:userC
而不是前缀为 default:
的行。这是一个更简单的例子:
$ mkdir a b
$ setfacl -m u:nobody:rx a
$ setfacl -m d:u:nobody:rx b
$ diff -u <(getfacl a) <(getfacl b)
--- /dev/fd/63 2016-03-12 11:10:20.032239216 +0100
+++ /dev/fd/62 2016-03-12 11:10:20.024239117 +0100
@@ -1,9 +1,12 @@
-# file: a
+# file: b
# owner: andrea
# group: andrea
user::rwx
-user:nobody:r-x
group::rwx
-mask::rwx
other::r-x
+default:user::rwx
+default:user:nobody:r-x
+default:group::rwx
+default:mask::rwx
+default:other::r-x