如何使用POSIX ACL实现文件和目录权限管理 - Apsara File Storage NAS

This topic describes how to configure Portable Operating System Interface (POSIX) access control lists (ACLs) to control access to the files and directories in an NFSv3 file system.

Prerequisites

An NFSv3 file system is mounted. For more information, see Mount an NFS file system on a Linux ECS instance.

Command description

Before you configure POSIX ACLs, we recommend that you get familiar with specific commands. The following table describes the commands.

Command	Description
getfacl <filename>	Queries the ACL that applies to the specified file.
setfacl -m g::w <filename>	Adds an access control entry (ACE) that grants the write permissions on a specified file to the GROUP@ principal.
setfacl -m u:player:w <filename>	Grants the write permissions to the player user.
setfacl -m g:players:rwx <filename>	Grants the read, write, and execute permissions to the players group.
setfacl -x g:players <filename>	Revokes permissions from the players group.
getfacl file1 \| setfacl --set-file=- file2	Copies the ACL for the file1 file to the file2 file.
setfacl -b file1	Removes all extended ACEs from the file1 file. The base ACEs of the owner, group, and others are retained.
setfacl -k file1	Removes all default ACEs from the file1 file.
setfacl -R -m g:players:rw dir	Grants the read and write permissions on the files and subdirectories in the dir directory to the players group.
setfacl -d -m g:players:rw dir1	Grants the read and write permissions on the new files and subdirectories in the dir1 directory to the players group.

Procedure

To control access to files and directories by configuring NFS ACLs, perform the following steps:

Create users and groups.
In this example, the following users are created: player, admini, and anonym. The following groups are created: players and adminis. The player user is added to the players group and the admini user is added to the adminis group.
```
sudo useradd player
sudo groupadd players
sudo usermod -g players player
sudo useradd admini
sudo groupadd adminis
sudo usermod -g adminis admini
sudo useradd anonym
```

Configure POSIX ACLs to control access to files and directories.

Run the following commands to complete the operations: Create a directory named dir0. Grant the read-only permissions to the players group, the read, write, and execute permissions to the adminis group, and no permissions on all the files in the dir0 directory to the others class.

sudo umask 777
sudo mkdir dir0
sudo setfacl -m g:players:r-x dir0
sudo setfacl -m g:adminis:rwx dir0
sudo setfacl -m u::--- dir0
sudo setfacl -m g::--x dir0
sudo setfacl -m o::--- dir0
sudo setfacl -d -m g:players:r-x dir0
sudo setfacl -d -m g:adminis:rwx dir0
sudo setfacl -d -m u::--- dir0
sudo setfacl -d -m g::--x dir0
sudo setfacl -d -m o::--- dir0

Run the sudo getfacl dir0 command to verify the configuration.

# file: dir0
# owner: root
# group: root
user::---
group::--x
group:players:r-x
group:adminis:rwx
mask::rwx
other::---
default:user::---
default:group::--x
default:group:players:r-x
default:group:adminis:rwx
default:mask::rwx
default:other::---

Verify the ACL configuration.
1. Run the following commands to verify that the admini user has the read and write permissions:
```
sudo su admini -c 'touch dir0/file'
```
```
sudo su admini -c 'echo 123 > dir0/file'
```
2. Verify that the player user has the read-only permissions.
  1. Verify that the player user does not have the permissions to create the file file.
    For example, verify that the player user cannot create the file file in the dir0 directory.
    - Run the following command:
      sudo su player -c 'touch dir0/file'
    - If the output is similar to the following information, the player user does not have the permissions to create the file file:
      touch: cannot touch 'dir0/file': Permission denied
  2. Verify that the player user has the permissions to view the content of the dir0/file file.
    - Run the following command:
      sudo su player -c 'cat dir0/file'
    - If the output is similar to the following information, the player user has the permissions to view the content of the dir0/file file:
      123
  3. Verify that the player user does not have the write permissions.
    - Run the following command:
      sudo su player -c 'echo 456 >> dir0/file'
    - If the output is similar to the following information, the player user does not have the write permissions:
      bash: dir0/file: Permission denied
    You can also run the sudo su player -c 'getfacl dir0/file' command to view the permissions that the player user has on the dir0/file file.
    # file: dir0/file # owner: admini # group: adminis user::--- group::--- group:players:r-x group:adminis:rwx mask::rwx other::---
3. Verify that the anonym user does not have permissions on the dir0 directory.
  1. Verify that the anonym user does not have the permissions to view files in the dir0 directory.
    - Run the following command:
      sudo su anonym -c 'ls dir0'
    - If the output is similar to the following information, the anonym user does not have permissions on the dir0 directory:
      ls: cannot open directory dir0: Permission denied
  2. Verify that the anonym user does not have the permissions to view the content of the file.
    - Run the following command:
      sudo su anonym -c 'cat dir0/file'
    - If the output is similar to the following information, the anonym user does not have the permissions to view the content of the file:
      cat: dir0/file: Permission denied
  3. Verify that the anonym user does not have the permissions to access the file.
    - Run the following command:
      sudo su anonym -c 'getfacl dir0/file'
    - If the output is similar to the following information, the anonym user does not have the permissions to access the file.
      getfacl: dir0/file: Permission denied

Related operations

You can use the following method to revoke permissions from a user.

If you want to use NFSv4 ACLs, we recommend that you add each user to groups. This allows you to configure permissions for a group rather than a separate user. To revoke permissions on an object from a user, you can remove the user from the group that is granted permissions on the object. For example, the following commands remove the admini user from the adminis group and add the user to the adminis2 group.

Run the following command to create the adminis2 group:
```
sudo groupadd adminis2
```
Run the following command to remove the admini user from the adminis group and add the user to the adminis2 group:
```
sudo usermod -g adminis2 admini
```
Query the ID information about the user.
- Run the following command:
```
id admini
```
- The following information is returned:
```
uid=1057(admini) gid=1057(admini) groups=1061(adminis2)
```
Verify the permissions of the admini user.
1. Verify that the admini user does not have the permissions to access the dir0 directory.
  - Run the following command:
```
sudo su admini -c 'ls dir0'
```
  - If the output is similar to the following information, the admini user does not have the permissions to access the dir0 directory:
```
ls: cannot open directory dir0: Permission denied
```
2. Verify that the admini user does not have the permissions to view the content of the dir0/file file.
  - Run the following command:
```
sudo su admini -c 'cat dir0/file'
```
  - If the output is similar to the following information, the admini user does not have the permissions to view the content of the dir0/file file:
```
cat: dir0/file: Permission denied
```
3. Verify that the admini user does not have the permissions to access the dir0/file file.
  - Run the following command:
```
sudo su admini -c 'getfacl dir0/file'
```
  - If the output is similar to the following information, the admini user does not have the permissions to access the dir0/file file:
```
getfacl: dir0/file: Permission denied
```