7. 特殊權限與 POSIX ACL 權限設定

題目：

1. Create a new directory in /depts/ called tech. Change the permissions such that root is the owner and hr is the group.
2. Use ACLs to give full permission for /depts/tech/ to the web group.
3. Allow alex read/execute (but not write) permission on the /depts/tech/ directory. Set a default ACL if read/write for alex on that directory.
4. Create some files in /depts/tech/ as several if the users and verify access. Does alex or joshua have access to files? Does manager?

-----------------------------------------------------------------------------------
  

solution

• 執行此範例時，需要建立練習的使用者帳號及群組。
• Create a new directory in /depts/ called tech.
• Change the permissions such that root is the owner and hr is the group.

[root@station8 ~]# nano /etc/fstab

LABEL=/                 /                       ext3    defaults,acl    1 1 (這邊加入,acl 打開 acl 的設定權限)
LABEL=/var              /var                    ext3    defaults        1 2
LABEL=/usr              /usr                    ext3    defaults        1 2
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
LABEL=SWAP-sda8         swap                    swap    defaults        0 0
/dev/vg0/lvm            /mnt/lvm                ext3    defaults    0 0

[root@server1 /]# mkdir -p /depts/tech/
[root@server1 /]# chown root:hr /depts/tech/
[root@server1 /]# chmod 2770 /depts/tech/
(請思考為何要加上SGID的權限?否則這一行 chmod 2770 看起來其中的 2 好像是非必須的)
Use ACLs to give full permission for /depts/tech/ to the web group.
[root@server1 /]# setfacl -m g:web:rwx /depts/tech/
[root@server1 /]# getfacl /depts/tech/
getfacl: Removing leading '/' from absolute path names
# file: depts/tech
# owner: root
# group: hr
user::rwx
group::rwx
group:web:rwx
mask::rwx
other::---

• Allow alex read/execute (but not write) permission on the /depts/tech/ directory.
• Set a default ACL if read/write for alex on that directory.

[root@server1 /]# setfacl -m u:alex:rx /depts/tech/
[root@server1 /]# getfacl /depts/tech/
getfacl: Removing leading '/' from absolute path names
# file: depts/tech
# owner: root
# group: hr
user::rwx
user:alex:r-x
group::rwx
group:web:rwx
mask::rwx
other::---
[root@server1 /]# setfacl -m d:u:alex:rw /depts/tech/
[root@server1 /]# getfacl /depts/tech/
getfacl: Removing leading '/' from absolute path names
# file: depts/tech
# owner: root
# group: hr
user::rwx
user:alex:r-x
group::rwx
group:web:rwx
mask::rwx
other::---
default:user::rwx
default:user:alex:rw-
default:group::rwx
default:mask::rwx
default:other::---

• Create some files in /depts/tech/ as several if the users and verify access.
• Does alex or joshua have access to files? Does manager?
• 使用 joshua 使用者測試權限

[joshua@server1 ~]$ touch /depts/tech/joshua
touch: cannot touch ‘/depts/tech/joshua’: 拒絕不符權限的操作
[joshua@server1 ~]$ exit
# 切換到 manager 此使用者的第二個群組為 web,hr
[root@server1 /]# su - manager
[manager@server1 ~]$ touch /depts/tech/manager
[manager@server1 ~]$ getfacl /depts/tech/manager
getfacl: Removing leading '/' from absolute path names
# file: depts/tech/manager
# owner: manager
# group: hr
user::rw-
user:alex:rw-
group::rwx                      #effective:rw-
mask::rw-
other::---

# 測試 alex 使用者的權限
[alex@server1 ~]$ touch /depts/tech/manager
[alex@server1 ~]$ touch /depts/tech/alex
touch: cannot touch ‘/depts/tech/alex’: 拒絕不符權限的操作