Secure Files/Directories using ACLs (Access Control Lists) in Linux


As a System Administrator, our first priority is to protect and secure data from unauthorized access. We are all aware of the permissions that are set using useful Linux commands like chmod, chown, chgrp, etc. However, these default permission sets have some limitations and sometimes do not meet our needs. For example, we cannot set different permission sets for different users on the same directory or file. That is why Access Control Lists (ACLs) were implemented.

Let's say you have three users, 'tecmint1', 'tecmint2' and 'tecmint3', each of them belonging to a common group, say 'acl'. User 'tecmint1' wants that only user 'tecmint2' can read and access the files owned by 'tecmint1', and that nobody else has any access to them.

ACLs (Access Control Lists) allow us to do exactly that. They let us grant permissions to an individual user, to a group, and to any group of users that is not in a user's own group list.

Note: According to the Red Hat Product Documentation, ACL support is provided for the ext3 file system and for NFS-exported file systems.

How to Check ACL Support on Linux Systems

Before going ahead you need ACL support in the currently running kernel and on the mounted file systems.

Run the following command to check ACL support for the file system and the POSIX_ACL=Y option (if you see N instead of Y, the kernel does not support ACLs and needs to be reconfigured).

 grep -i acl /boot/config*

CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y

Before starting to work with ACLs, make sure the required packages are installed. Below are the packages that need to be installed using yum or apt-get.

 yum install nfs4-acl-tools acl libacl		[on RedHat based systems]

Now, check whether the root partition is mounted with the acl option.

 mount | grep -i root

/dev/mapper/fedora-root on / type ext4 (rw,relatime,data=ordered)

But in our case the output does not show acl. So, the next option is to remount the partition with the acl option. Before going ahead, though, there is another way to find out whether the partition is mounted with the acl option or not, because on a recent system acl may be part of the file system's default mount options.

 tune2fs -l /dev/mapper/fedora-root | grep acl

Default mount options:    user_xattr acl

In the output above, you can see that the default mount options already include support for acl. The other option is to remount the partition as shown below.

 mount -o remount,acl /

Next, add the entry below to the '/etc/fstab' file to make it permanent.

/dev/mapper/fedora-root /	ext4    defaults,acl 1 1

Then remount the partition again.

 mount -o remount  /

On an NFS server, if the file system exported by the NFS server supports ACLs and the ACLs can be read by the NFS clients, then the ACLs are used by the client system.

To disable ACLs on an NFS share, add the "no_acl" option in the '/etc/exports' file on the NFS server. To disable them on the NFS client side, again use the "no_acl" option at mount time (nfs(5) documents the client-side mount option as noacl).

How to Implement ACL Support on Linux Systems

There are two types of ACLs:

  1. Access ACLs: Access ACLs are used for granting permissions on any file or directory.
  2. Default ACLs: Default ACLs are used for granting/setting an access control list on a specific directory only.

Difference between Access ACL and Default ACL:

  1. A default ACL can only be used at the directory level.
  2. Any subdirectory or file created within that directory inherits the ACLs from its parent directory; a file receives the parent's default ACLs as its access ACLs.
  3. We use "-d" for setting default ACLs, and default ACLs are optional.

To determine the default ACLs of a specific file or directory, use the 'getfacl' command. In the example below, getfacl is used to show the default ACLs of the 'Music' folder.

 getfacl Music/

# file: Music/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::rw-

To set default ACLs on a specific file or directory, use the 'setfacl' command. In the example below, the setfacl command sets a new default ACL (read and execute for others) on the 'Music' folder.

 setfacl -m d:o:rx Music/
 getfacl Music/
# file: Music/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

Use the 'setfacl' command for setting or modifying ACLs on any file or directory. For example, to give read and write permissions to user 'tecmint1':

# setfacl -m u:tecmint1:rw /tecmint1/example

Use the 'getfacl' command for viewing the ACL on any file or directory. For example, to view the ACL on '/tecmint1/example' use the command below.

# getfacl /tecmint1/example

# file: tecmint1/example/
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r--
group::rwx
mask::rwx
other::---

To remove an ACL from any file/directory, we use the x and b options as shown below.

# setfacl -x ACL file/directory  	# remove only the specified ACL entry from file/directory

# setfacl -b  file/directory   		# remove all ACL entries from file/directory

Let's implement ACLs on the following scenario.

Two users (tecmint1 and tecmint2), both having a common secondary group named 'acl'. We will create a directory owned by 'tecmint1' and give user 'tecmint2' read and execute permission on that directory.

Step 1: Create two users and remove the password from both

 for user in tecmint1 tecmint2

> do
> useradd $user
> passwd -d $user
> done
Removing password for user tecmint1.
passwd: Success
Removing password for user tecmint2.
passwd: Success

Step 2: Create a group and add the users to it as a secondary group (usermod -G replaces a user's existing supplementary groups; use -aG instead to append when the user already belongs to other groups).

 groupadd acl
 usermod -G acl tecmint1
 usermod -G acl tecmint2

Step 3: Create the directory /tecmint1 and change its ownership to tecmint1.

 mkdir /tecmint1
 chown tecmint1 /tecmint1/
 ls -ld /tecmint1/

drwxr-xr-x 2 tecmint1 root 4096 Apr 17 14:46 /tecmint1/
 getfacl /tecmint1

getfacl: Removing leading '/' from absolute path names
# file: tecmint1
# owner: tecmint1
# group: root
user::rwx
group::r-x
other::r-x

Step 4: Log in as tecmint1 and create a directory inside the /tecmint1 folder.

$ su - tecmint1

Last login: Thu Apr 17 14:49:16 IST 2014 on pts/4
[tecmint1 ~]$ cd /tecmint1/
[tecmint1 tecmint1]$ mkdir example
[tecmint1 tecmint1]$ ll

total 4
drwxrwxr-x 2 tecmint1 tecmint1 4096 Apr 17 14:50 example
[tecmint1 tecmint1]$ whoami
tecmint1

Step 5: Now set the ACL using 'setfacl', so that 'tecmint1' has full rwx permissions, 'tecmint2' has only read permission on the 'example' folder, and others have no permissions at all.

$ setfacl -m u:tecmint1:rwx example/
$ setfacl -m u:tecmint2:r-- example/
$ setfacl -m  other:--- example/
$ getfacl example/

# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r--
group::r-x
mask::rwx
other::---

Step 6: Now log in as the other user, i.e. 'tecmint2', on another terminal and change directory to '/tecmint1'. Try to list the contents using the 'ls' command, then try to change into the directory and see the difference below.

$ su - tecmint2

Last login: Thu Apr 17 15:03:31 IST 2014 on pts/5
[tecmint2 ~]$ cd /tecmint1/
[tecmint2 tecmint1]$ ls -lR example/
example/:
total 0
[tecmint2 tecmint1]$ cd example/

-bash: cd: example/: Permission denied
[tecmint2 tecmint1]$ getfacl example/

# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r--
group::rwx
mask::rwx
other::---

Step 7: Now give 'execute' permission to 'tecmint2' on the 'example' folder and then use the 'cd' command to see the effect. 'tecmint2' now has permission to list and change into the directory, but has no permission to write anything there.

[tecmint1 tecmint1]$ setfacl -m u:tecmint2:r-x example/
[tecmint1 tecmint1]$ getfacl example/

# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r-x
group::rwx
mask::rwx
other::---
$ su - tecmint2

Last login: Thu Apr 17 15:09:49 IST 2014 on pts/5
[tecmint2 ~]$ cd /tecmint1/
[tecmint2 tecmint1]$ cd example/
[tecmint2 example]$ getfacl .
[tecmint2 example]$ mkdir test

mkdir: cannot create directory ‘test’: Permission denied
[tecmint2 example]$ touch test

touch: cannot touch ‘test’: Permission denied

Note: After implementing an ACL, you will see an extra '+' sign in the 'ls -l' output, as below.

 ll

total 4
drwxrwx---+ 2 tecmint1 tecmint1 4096 Apr 17 17:01 example
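Neither the '+' in 'ls -l' nor a named entry such as 'user:tecmint2:rwx' tells you what that user can actually do, because every named user/group entry (and the owning group) is limited by the 'mask::' entry, and a plain chmod on an ACL-bearing directory rewrites that mask rather than the named entries. The script below is an added example, not part of the original article: it parses getfacl output, reports the effective permission of a named user, and lists every entry that still grants write access; the ACL text inside it is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Reads getfacl output and applies
# the mask the way the kernel does: named user/group entries and the owning group
# are ANDed with "mask::", so user:tecmint2:rwx under mask::r-x is really r-x.
# chmod on an ACL-bearing directory changes the mask, not the named entries.
# AND two rwx strings position by position, e.g. rwx & r-x -> r-x.
_acl_and() {
    awk -v a="$1" -v b="$2" 'BEGIN { for (i = 1; i <= 3; i++) {
        p = substr(a, i, 1); m = substr(b, i, 1)
        out = out ((p != "-" && m != "-") ? p : "-") }
        print out }'
}
# getfacl text from stdin, minus getfacl's own "#effective:" annotations
_acl_read() { sed 's/[[:blank:]]*#effective:.*$//'; }
# mask of the access ACL on stdin, or rwx when there is no mask entry
_acl_mask() { m=$(awk -F: '/^mask::/ { print $3; exit }'); printf '%s\n' "${m:-rwx}"; }
# acl_effective USER < getfacl-output -> effective rwx for the named USER;
# prints "no-entry" and returns 1 when USER has no named entry.
acl_effective() {
    acl=$(_acl_read)
    perm=$(printf '%s\n' "$acl" | awk -F: -v who="$1" '$1 == "user" && $2 == who { print $3; exit }')
    [ -n "$perm" ] || { echo no-entry; return 1; }
    _acl_and "$perm" "$(printf '%s\n' "$acl" | _acl_mask)"
}
# acl_audit < getfacl-output -> "entry effective" for every access-ACL entry
# that still grants write once the mask is applied (mask line itself skipped).
acl_audit() {
    acl=$(_acl_read)
    mask=$(printf '%s\n' "$acl" | _acl_mask)
    printf '%s\n' "$acl" | awk -F: '!/^#/ && !/^default:/ && NF == 3' |
    while IFS= read -r entry; do
        case "$entry" in
            mask::*)          continue ;;
            user::*|other::*) eff=${entry##*:} ;;      # owner and other are not masked
            *)                eff=$(_acl_and "${entry##*:}" "$mask") ;;
        esac
        case "$eff" in *w*) printf '%s %s\n' "$entry" "$eff" ;; esac
    done
}
# Constructed sample: the article's "example" directory after a "chmod 750",
# which lowered the mask to r-x while the named entries still say rwx.
SAMPLE_ACL='# file: example
user::rwx
user:tecmint2:rwx       #effective:r-x
group::rwx              #effective:r-x
mask::r-x
other::---'
printf '%s\n' "$SAMPLE_ACL" | acl_effective tecmint2   # r-x
printf '%s\n' "$SAMPLE_ACL" | acl_audit                # user::rwx rwx
```

On a live system feed it real output, e.g. 'getfacl /tecmint1/example | acl_effective tecmint2', to confirm that the permission you granted is the one the kernel will enforce.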
