
12/08/28 5장 계정 관리

99iberty 2012. 8. 28. 13:19


ACL

Access Control List

 목록에 있는 사용자가 특정 디렉토리나 파일에 접근할 수 있도록 허용하는 방식이다.


표준 UGO(User, Group, Other) 권한 모드에 추가되는 개념이다.

ACL은 UGO와 별개로 적용되며, 기존 UGO 권한 비트를 바꾸지 않는다. (단, ACL의 mask 항목은 그룹 및 named 항목의 유효 권한을 제한한다 — 아래 efile의 `#effective:rw-` 출력 참고.)


-----------------------------------------------------------------------------------------

Set UID

Set GID

위 두 개는 실행 권한과 관련이 있다.

Set UID의 대표적인 예는 passwd 명령이다.

루트 소유 파일이지만 다른 사용자가 실행해도 루트 권한으로 실행되는 것처럼 동작한다.


Sticky Bit = 공유 디렉토리에 사용. 대표적인 예가 tmp 디렉토리.

tmp를 공유디렉토리로 설정.

이 디렉토리에 있는 파일은 그 파일을 생성한 계정이나 루트만이 지울 수 있다.


------------------------------------------------------------------------------


p.82



[root@server4 ~]# lab-add-users

Setting up, one moment please... done!
[root@server4 ~]# mkdir /opt/research
[root@server4 ~]# cd /opt
[root@server4 opt]# ls -al
total 12
drwxr-xr-x.  3 root root 4096 Aug 28 13:03 .
dr-xr-xr-x. 28 root root 4096 Aug 28 13:02 ..
drwxr-xr-x.  2 root root 4096 Aug 28 13:03 research
[root@server4 opt]# chgrp grads research
[root@server4 opt]# ls -al
total 12
drwxr-xr-x.  3 root root  4096 Aug 28 13:03 .
dr-xr-xr-x. 28 root root  4096 Aug 28 13:02 ..
drwxr-xr-x.  2 root grads 4096 Aug 28 13:03 research
[root@server4 opt]# cd research/
[root@server4 research]# touch afile
[root@server4 research]# ls -al
total 8
drwxr-xr-x. 2 root grads 4096 Aug 28 13:04 .
drwxr-xr-x. 3 root root  4096 Aug 28 13:03 ..
-rw-r--r--. 1 root root     0 Aug 28 13:04 afile
[root@server4 research]# chmod 2770 /opt/research/
[root@server4 research]# cd ..
[root@server4 opt]# ls -al
total 12
drwxr-xr-x.  3 root root  4096 Aug 28 13:03 .
dr-xr-xr-x. 28 root root  4096 Aug 28 13:02 ..
drwxrws---.  2 root grads 4096 Aug 28 13:04 research
[root@server4 opt]# cd research/
[root@server4 research]# touch bfile
[root@server4 research]# ls -al
total 8
drwxrws---. 2 root grads 4096 Aug 28 13:05 .
drwxr-xr-x. 3 root root  4096 Aug 28 13:03 ..
-rw-r--r--. 1 root root     0 Aug 28 13:04 afile
-rw-r--r--. 1 root grads    0 Aug 28 13:05 bfile
[root@server4 research]# setfacl -m g:profs:rwx /opt/research
[root@server4 research]# getfacl /opt/research
getfacl: Removing leading '/' from absolute path names
# file: opt/research
# owner: root
# group: grads
# flags: -s-
user::rwx
group::rwx
group:profs:rwx
mask::rwx
other::---

[root@server4 research]# su - faraday
[faraday@server4 ~]$ cd /opt/research
[faraday@server4 research]$ ls
afile  bfile
[faraday@server4 research]$ touch cfile
[faraday@server4 research]$ ls -al
total 12
drwxrws---+ 2 root    grads 4096 Aug 28 13:09 .
drwxr-xr-x. 3 root    root  4096 Aug 28 13:03 ..
-rw-r--r--. 1 root    root     0 Aug 28 13:04 afile
-rw-r--r--. 1 root    grads    0 Aug 28 13:05 bfile
-rw-rw-r--. 1 faraday grads    0 Aug 28 13:09 cfile
[faraday@server4 research]$ exit
logout
[root@server4 research]# touch dfile
[root@server4 research]# ls -al
total 12
drwxrws---+ 2 root    grads 4096 Aug 28 13:10 .
drwxr-xr-x. 3 root    root  4096 Aug 28 13:03 ..
-rw-r--r--. 1 root    root     0 Aug 28 13:04 afile
-rw-r--r--. 1 root    grads    0 Aug 28 13:05 bfile
-rw-rw-r--. 1 faraday grads    0 Aug 28 13:09 cfile
-rw-r--r--. 1 root    grads    0 Aug 28 13:10 dfile
[root@server4 research]# getfacl dfile
# file: dfile
# owner: root
# group: grads
user::rw-
group::r--
other::r--

[root@server4 research]# setfacl -m d:g:profs:rw /opt/research
[root@server4 research]# touch efile
[root@server4 research]# getfacl efile
# file: efile
# owner: root
# group: grads
user::rw-
group::rwx            #effective:rw-
group:profs:rw-
mask::rw-
other::---

[root@server4 research]# su - faraday
[faraday@server4 ~]$ cd /opt/research/
[faraday@server4 research]$ touch efile
[faraday@server4 research]$ ls -al
total 16
drwxrws---+ 2 root    grads 4096 Aug 28 13:12 .
drwxr-xr-x. 3 root    root  4096 Aug 28 13:03 ..
-rw-r--r--. 1 root    root     0 Aug 28 13:04 afile
-rw-r--r--. 1 root    grads    0 Aug 28 13:05 bfile
-rw-rw-r--. 1 faraday grads    0 Aug 28 13:09 cfile
-rw-r--r--. 1 root    grads    0 Aug 28 13:10 dfile
-rw-rw----+ 1 root    grads    0 Aug 28 13:12 efile
[faraday@server4 research]$ exit
logout
[root@server4 research]# setfacl -m g:interns:rx /opt/research/
[root@server4 research]# getfacl /opt/research/
getfacl: Removing leading '/' from absolute path names
# file: opt/research/
# owner: root
# group: grads
# flags: -s-
user::rwx
group::rwx
group:interns:r-x
group:profs:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:profs:rw-
default:mask::rwx
default:other::---

[root@server4 research]# setfacl -m d:g:interns:r /opt/research/
[root@server4 research]# getfacl /opt/research/
getfacl: Removing leading '/' from absolute path names
# file: opt/research/
# owner: root
# group: grads
# flags: -s-
user::rwx
group::rwx
group:interns:r-x
group:profs:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:interns:r--
default:group:profs:rw-
default:mask::rwx
default:other::---

[root@server4 research]# su - ben
[ben@server4 ~]$ cd /opt/research
[ben@server4 research]$ ls
afile  bfile  cfile  dfile  efile
[ben@server4 research]$ touch efile
touch: cannot touch `efile': Permission denied
[ben@server4 research]$ cat efile
cat: efile: Permission denied
[ben@server4 research]$ exit
logout
[root@server4 research]# date > foo.txt
[root@server4 research]# cat foo.txt
Tue Aug 28 13:15:32 KST 2012
[root@server4 research]# su - ben
[ben@server4 ~]$ cd /opt/research/
[ben@server4 research]$ ls
afile  bfile  cfile  dfile  efile  foo.txt
[ben@server4 research]$ cat foo.txt
Tue Aug 28 13:15:32 KST 2012