不同组的Linux目录权限
[英]Linux directory permissions for different groups
问题描述
I'm having two directories: "public" and "private". 
我有两个目录:“公共”和“私人”。 I have three users: "chris", "john", "dan". 我有三个用户:“chris”,“john”,“dan”。 I have two groups: "pub", "priv" and "god". 我有两个小组:“pub”,“priv”和“god”。
- The group "god" should have full access to "public" and "private". “上帝”这个群体应该可以完全获得“公共”和“私人”。
- The group "pub" should be the only group to have permissions over "public" “pub”组应该是唯一拥有“public”权限的组
- The group "priv" should be the only group to have permissions over "private". “priv”组应该是唯一拥有“私有”权限的组。
As root: 作为根:
useradd chris
useradd john
useradd dan
usermod -g god chris
usermod -g pub john
usermod -g priv dan
chgrp god public private
chgrp pub public
chgrp priv private
su chris
As "chris": 作为“克里斯”:
cd public/
touch test = permission denied touch test =权限被拒绝
The same for the other users ... under "dan" I have no permissions over the "private" directory, althou "dan" is a member of the "priv" group. 其他用户也一样......在“dan”下我对“private”目录没有权限,“dan”是“priv”组的成员。
Do you have any idea? 你有什么主意吗?
4 个解决方案
解决方案1
15 已采纳 2013-03-14 17:58:42
Well, I know this is relatively old, but twalberg is correct: there's actually a relatively easy way to accomplish this with POSIX ACL's. 嗯,我知道这是相对陈旧的,但twalberg是正确的:实际上有一种相对简单的方法来实现POSIX ACL。 They've existed since the late 90's/early 2000's so I don't know why more people don't use them. 它们自90年代末/ 2000年初就存在,所以我不知道为什么更多的人不使用它们。
How to do it: Do as you've already done, then simply execute this command: 怎么做:按照你已经完成的方式执行,然后只需执行以下命令:
# setfacl -m g:god:rwx public private
and in one command you get what you're wanting. 在一个命令中,你得到了你想要的东西。 You'll spend forever trying to figure out how to do it using ONLY traditional unix permissions. 你会花费永远的努力来弄清楚如何使用传统的unix权限来做到这一点。
Mikic's advice may still be good (depending on what you're trying to accomplish), and it might be more straight forward to reference as few groups as possible in your permissions (or maybe you want it to be apparent that "chris" isn't a regular user, but an administrative one, again it depends on what you want to construct). Mikic的建议可能仍然很好(取决于你想要完成的事情),并且可能更直接地在你的权限中引用尽可能少的组(或者你希望它显然“chris”isn'常规用户,但是管理用户,再次取决于您想要构建的用户)。
I offered something closer to what you're trying to accomplish, because there may be situations where you're trying to give a secondary user/group access to a directory but you don't want to choose between "chris" not getting access to these two directories and "chris" getting access to all those other files and directories "pub" and "priv" might have access to. 我提供了一些更接近你想要完成的东西的东西,因为在某些情况下你可能试图让一个辅助用户/组访问一个目录,但你不想在“chris”之间选择无法访问这两个目录和“chris”访问所有其他文件和目录“pub”和“priv”可能有权访问。 With ACL's you don't have to make those choices, which is why they were added and are now a core part of most Unix (and BSD and Linux) platforms. 使用ACL,您无需做出这些选择,这就是为什么它们被添加并且现在是大多数Unix(以及BSD和Linux)平台的核心部分。
解决方案2
4 2012-11-12 22:01:47
You said that the group "pub" should be the only group to have permissions over "public". 你说组“pub”应该是唯一拥有“public”权限的组。 But right before that you said that "god" should also have access. 但在此之前,你说“上帝”也应该有机会。 So "pub" can't be the only one that has access. 所以“pub”不可能是唯一有访问权限的人。 Ditto for "priv". 同意“私人”。
You also say: 你还说:
I have two groups: "pub", "priv" and "god".
Well, that's three groups. 嗯,这是三组。 (Reminds me of that famous quote: "There's three kinds of people in this world; those who can count and those who can't." :-P) (让我想起那句名言:“这个世界上有三种人;可以统计的人和那些不能的人。”:-P)
Your base concept seems wrong. 你的基本概念似乎错了。 The way this works is rather simple. 这种方式很简单。 Create two groups, "pub" and "priv". 创建两个组,“pub”和“priv”。 Place all users who need access to the directories accordingly. 放置所有需要访问目录的用户。 Users who need access to both directories should belong to both groups. 需要访问这两个目录的用户应属于这两个组。
In this case, "chris" should be put in both the "pub" as well as the "priv" group. 在这种情况下,“chris”应该放在“pub”和“priv”组中。 "john" should be put in the "pub" group. “john”应该放在“pub”组中。 "dan" should be put in the "priv" group. “dan”应该放在“priv”组中。
What you were trying to do is having the directories be owned by two groups. 您要做的是让目录由两个组拥有。 That's not possible. 那是不可能的。 It's users who can be part of multiple groups, not files or directories. 它的用户可以是多个组的一部分,而不是文件或目录。 You simply got it backwards :-) 你只是倒退了:-)
解决方案3
2 2012-11-12 21:48:21
There are two problematic things in your approach. 你的方法有两个问题。 The first one is: 第一个是:
chgrp god public private
chgrp pub public
With second command, you discarded the effect of the first one. 使用第二个命令,您放弃了第一个命令的效果。 Directory public now belongs to pub group, not to god anymore. public目录现在属于pub组,而不再是god 。
The second thing is that you probably didn't give write permissions on directory public to group that owns it (the fact that the user executing the command touch belongs to directory's group doesn't matter). 第二件事是你可能没有对拥有它的组提供对目录public写权限(执行命令touch的用户属于目录组并不重要)。
Try this: 试试这个:
chmod 770 public
and do similar with other directories. 并与其他目录类似。 However, what you're initially trying to achieve is impossible because the directory can belong to one group only. 但是,您最初尝试实现的是不可能的,因为该目录只能属于一个组。 Nikos elaborated it well in his answer - place user in more groups. 尼克斯在他的回答中详细阐述了它 - 将用户放在更多的群体中。
解决方案4
2 2012-11-12 22:17:55
You will need to use a file system that supports ACLs. 您将需要使用支持ACL的文件系统。 As mentioned in other answers, the pub and priv group ownership is possible with the basic Linux permissions, but to grant access to the god group, since files/directories can only have a single group tag, will require an ACL. 正如其他答案所述, pub和priv组所有权可以使用基本的Linux权限,但是为了授予对god组的访问权限,因为文件/目录只能有一个组标记,所以需要ACL。 Most of the current file systems should support this functionality - see the manual pages for getfacl and setfacl . 大多数当前文件系统应支持此功能 - 请参阅getfacl和setfacl的手册页。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.