Unexpected ACL behaviour on Linux

Time: 2016-03-12 09:51:18

Tags: linux bash acl

I found the strangest behaviour when using ACLs with the d switch:

Test using d: in the setfacl command

create directory: mkdir /var/tmp/tester
create three users: useradd userA -d /tmp etc…
remove the other permission of the directory: chmod 750 /var/tmp/tester
grant acl permissions for userA: setfacl -m d:u:userA:rwx /var/tmp/tester/
grant acl permissions for userB: setfacl -m d:u:userB:rx /var/tmp/tester
grant acl permissions for userC (not really needed): setfacl -m d:u:userC:rwx /var/tmp/tester
list the acl of the directory: getfacl /var/tmp/tester

    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::---
    default:user::rwx
    default:user:userA:rwx
    default:user:userB:r-x
    default:user:userC:---
    default:group::r-x
    default:mask::rwx
    default:other::---

Become userA and navigate to the tester dir: su - userA; cd /var/tmp/tester

Result: -bash: cd: /var/tmp/tester: Permission denied

Now the same test, but without using d: in my setfacl commands:

create directory: mkdir /var/tmp/tester
create three users: useradd userA -d /tmp etc…
remove the other permission of the directory: chmod 750 /var/tmp/tester
grant acl permissions for userA: setfacl -m u:userA:rwx /var/tmp/tester/
grant acl permissions for userB: setfacl -m u:userB:rx /var/tmp/tester
grant acl permissions for userC (not really needed): setfacl -m u:userC:rwx /var/tmp/tester
list the acl of the directory: getfacl /var/tmp/tester

    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::---
    default:user::rwx
    default:user:userA:rwx
    default:user:userB:r-x
    default:user:userC:---
    default:group::r-x
    default:mask::rwx
    default:other::---

Become userA and navigate to the tester dir: su - userA; cd /var/tmp/tester

Result: success!?

Is this the expected behaviour? Why does getfacl not show any difference between the two tests?

1 answer:

Answer 0 (score: 0)

d: is short for default:, and it specifies the directory's default ACL, not its actual (access) ACL. From man 5 acl:

OBJECT CREATION AND DEFAULT ACLs
     The access ACL of a file object is initialized when the object is created
     with any of the creat(), mkdir(), mknod(), mkfifo(), or open() functions.
     If a default ACL is associated with a directory, the mode parameter to
     the functions creating file objects and the default ACL of the directory
     are used to determine the ACL of the new object:

     1.   The new object inherits the default ACL of the containing directory
          as its access ACL.

     2.   The access ACL entries corresponding to the file permission bits are
          modified so that they contain no permissions that are not contained
          in the permissions specified by the mode parameter.

So yes: it is normal that you observe different behaviour with and without d:.

Note, however, that the getfacl output you posted is wrong: in the second case (without d:) you should have lines prefixed with user:userA, user:userB, user:userC rather than lines prefixed with default:. Here is a simpler example:
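Added example, not part of the question or of the answer above. It reproduces both of the poster's tests and checks, with getfacl, where each setfacl entry actually lands: with d: only the default ACL changes (inherited by objects created inside the directory later), without d: the directory's own access ACL changes, which is the ACL consulted when someone tries to cd into it. To run without root it grants the entry to a numeric UID that need not exist (a constructed stand-in for userA) instead of creating users; it assumes setfacl/getfacl are installed and that mktemp's directory is on a filesystem with POSIX ACL support (ext4, xfs and tmpfs normally are).

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Reproduces both tests from the question without root: a numeric UID
# (constructed, hypothetical "userA") receives the ACL entry, and getfacl
# tells us whether it landed in the access ACL or only in the default ACL.
# Assumes the acl tools are installed and that $TMPDIR supports POSIX ACLs.
set -eu

UID_A=199001   # stands in for userA; numeric, so no useradd is needed

# 0 if DIR's own access ACL has a named entry for UID. This is the ACL
# the kernel consults when a process tries to enter (x) or list (r) DIR.
has_access_entry() {
    getfacl -n -c "$1" 2>/dev/null | grep -q "^user:$2:"
}

# 0 if DIR's default ACL has a named entry for UID. Default entries are
# never consulted for DIR itself; they are only copied into the access
# ACL of objects created inside DIR afterwards (man 5 acl, step 1).
has_default_entry() {
    getfacl -n -c "$1" 2>/dev/null | grep -q "^default:user:$2:"
}

# Probe: can the filesystem behind mktemp hold POSIX ACLs at all?
acl_supported() {
    probe=$(mktemp -d)
    ok=1
    setfacl -m "u:$UID_A:r" "$probe" 2>/dev/null && ok=0
    rm -rf "$probe"
    return $ok
}

# Test 1 from the question: setfacl -m d:u:userA:rwx. Returns 0 when the
# directory gains a default entry but NO access entry (so cd into it is
# denied), while a child created afterwards inherits the entry into its
# access ACL.
scenario_default_only() {
    top=$(mktemp -d); tester="$top/tester"
    mkdir "$tester"; chmod 750 "$tester"
    setfacl -m "d:u:$UID_A:rwx" "$tester"
    mkdir "$tester/child"
    rc=1
    if has_default_entry "$tester" "$UID_A" \
       && ! has_access_entry "$tester" "$UID_A" \
       && has_access_entry "$tester/child" "$UID_A"; then
        rc=0
    fi
    rm -rf "$top"
    return $rc
}

# Test 2 from the question: setfacl -m u:userA:rwx. Returns 0 when the
# entry is in the directory's access ACL (cd succeeds) and nothing was
# added to its default ACL, so a new child does NOT inherit it.
scenario_access_only() {
    top=$(mktemp -d); tester="$top/tester"
    mkdir "$tester"; chmod 750 "$tester"
    setfacl -m "u:$UID_A:rwx" "$tester"
    mkdir "$tester/child"
    rc=1
    if has_access_entry "$tester" "$UID_A" \
       && ! has_default_entry "$tester" "$UID_A" \
       && ! has_access_entry "$tester/child" "$UID_A"; then
        rc=0
    fi
    rm -rf "$top"
    return $rc
}

# Stand-alone run: print a verdict for each scenario.
if command -v setfacl >/dev/null 2>&1 && acl_supported; then
    if scenario_default_only; then
        echo "d: only -> default entry, no access entry, child inherits it"
    else
        echo "d: only -> unexpected ACL layout"
    fi
    if scenario_access_only; then
        echo "no d:   -> access entry on the directory, child does not inherit"
    else
        echo "no d:   -> unexpected ACL layout"
    fi
else
    echo "setfacl missing or filesystem without ACL support; nothing to show" >&2
fi
```

The check that matters for the poster's "Permission denied" is has_access_entry on the directory itself: entering a directory needs x in its access ACL, and a d: entry never contributes to that. To let an existing user both enter the directory and have new files inside it inherit the entry, both forms are needed, for example setfacl -m u:userA:rwx -m d:u:userA:rwx /var/tmp/tester.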