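I have an application that generates report files in /opt/reports; the files are created with mode 0600 and owned by root:root. To allow an external system to process these reports automatically, I created a new service account user with the group 'report', changed the group of /opt/reports to report and set the SUIG bit, and then set a default ACL on the /opt/reports directory containing 400 for the report group and a mask of 400.

I noticed that when I create files manually, the permissions are all set as expected, but when the application creates files, the defaults are not inherited.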
```
[root@reports1 ~]# getfacl /opt/reports
getfacl: Removing leading '/' from absolute path names
# file: opt/reports
# owner: root
# group: report
user::rwx
group::r-x
other::r-x
[root@reports1 ~]# setfacl -R -d -n -m g:report:r,m::r /opt/reports/
[root@reports1 ~]# getfacl /opt/reports
getfacl: Removing leading '/' from absolute path names
# file: opt/reports
# owner: root
# group: report
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x #effective:r--
default:group:report:r--
default:mask::r--
default:other::r-x
```
Creating a file manually seems to work fine:
```
[root@reports1 ~]# echo "This is a test file" > /opt/reports/testfile.txt
[root@reports1 ~]# ls -l /opt/nessus_reports/testfile.txt
-rw-r--r--+ 1 root report 20 Apr 24 11:16 /opt/reports/testfile.txt
[root@reports1 ~]# getfacl /opt/reports/testfile.txt
getfacl: Removing leading '/' from absolute path names
# file: opt/reports/testfile.txt
# owner: root
# group: report
user::rw-
group::r-x #effective:r--
group:report:r--
mask::r--
other::r--
[root@reports1 ~]# ls -l /opt/reports/018b274b-7c21-859d-6295-1af24b14da8451d8fe886e9c192d
-rw-------+ 1 root report 125952 Apr 24 11:18 /opt/reports/018b274b-7c21-859d-6295-1af24b14da8451d8fe886e9c192d
[root@reports1 ~]# getfacl /opt/reports/018b274b-7c21-859d-6295-1af24b14da8451d8fe886e9c192d
getfacl: Removing leading '/' from absolute path names
# file: opt/reports/018b274b-7c21-859d-6295-1af24b14da8451d8fe886e9c192d
# owner: root
# group: report
user::rw-
group::r-x #effective:---
group:report:r-- #effective:---
mask::---
other::---
```
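Is this the expected behavior, and have I just misunderstood the terminology involved? Am I missing a flag or option somewhere, or am I approaching this from entirely the wrong direction?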
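
The two getfacl results above can be reproduced from the object-creation rules in acl(5): the new file inherits the directory's default ACL, then the owner, group-class (mask) and other entries are reduced to what the creating call's mode argument allows. The following is an added example, not part of the original post; it models those rules in Python and assumes the application creates its files with mode 0600, as the post's description of the files suggests.

```python
# Added example: models the acl(5) "object creation and default ACLs" rules.
DEFAULT_ACL = """\
default:user::rwx
default:group::r-x
default:group:report:r--
default:mask::r--
default:other::r-x
"""  # default entries copied from the getfacl output in the post

def bits(perm):            # "r-x" -> 5
    return sum(v for c, v in zip(perm, (4, 2, 1)) if c != "-")

def text(n):               # 5 -> "r-x"
    return "".join(c if n & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def parse_default(acl_text):
    """Return {(tag, qualifier): perm_bits} for the default: entries."""
    entries = {}
    for line in acl_text.splitlines():
        line = line.split("#")[0].strip()      # drop "#effective:" comments
        if not line.startswith("default:"):
            continue
        tag, qual, perm = line[len("default:"):].split(":")
        entries[(tag, qual)] = bits(perm)
    return entries

def new_file_acl(default, mode):
    """Access ACL of a file created with open(..., O_CREAT, mode)."""
    acl = dict(default)                      # step 1: inherit the default ACL
    # step 2: clamp owner / group class / other entries by the mode argument;
    # umask is not consulted when the directory has a default ACL.
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[("user", "")] &= (mode >> 6) & 7
    acl[group_class] &= (mode >> 3) & 7
    acl[("other", "")] &= mode & 7
    return acl

def effective(acl, tag, qual):
    """Rights actually granted: named and group entries are limited by mask."""
    perm = acl[(tag, qual)]
    if (tag, qual) in (("user", ""), ("other", "")):
        return text(perm)
    return text(perm & acl.get(("mask", ""), 7))

if __name__ == "__main__":
    for label, mode in (("shell redirect, mode 0666", 0o666),
                        ("application, mode 0600 (assumed)", 0o600)):
        acl = new_file_acl(parse_default(DEFAULT_ACL), mode)
        print(label, "-> mask", text(acl[("mask", "")]),
              "| group:report effective", effective(acl, "group", "report"))
```

With mode 0600 the group-class bits are empty, so the inherited mask becomes `---` and the `group:report:r--` entry grants nothing, which is the state shown for the application-created file.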