Permissions in Linux (chown, chmod, SUID, GUID, sticky bit, ACL, umask)

Hello. This is a translation of an article from the book RedHat RHCSA RHCE 7 RedHat Enterprise Linux 7 EX200 and EX300.

Note: I hope the article will be useful not only to beginners, but will also help more experienced administrators organize their knowledge.

So, let's go.


Permissions are used to control access to files in Linux. These permissions are assigned to three objects: the file owner, the group owner, and another entity, that is, everyone else. In this article you will learn how to apply permissions.

The article begins with an overview of the basic concepts, followed by a discussion of special permissions and access control lists (ACLs). At the end of the article we cover setting default permissions through umask, as well as managing extended user attributes.

Managing file ownership

Before talking about permissions, you should understand the role of the file and directory owner. Ownership of files and directories is essential for dealing with permissions. In this section you first learn how to see the owner. Then you learn how to change the group owner and the user owner of files and directories.

Displaying the owner of a file or directory

In Linux, every file and every directory has two owners: a user owner and a group owner.

These owners are set when a file or directory is created. The user who creates the file becomes the user owner of that file, and the primary group that user belongs to becomes the group owner of that file. To determine whether you, as a user, have permission to access a file or directory, the shell checks ownership.

This happens in the following order:

  1. The shell checks whether you are the owner of the file you want to access. If you are the owner, you get the owner permissions and the shell stops checking.
  2. If you are not the owner of the file, the shell checks whether you are a member of the group that has permissions on the file. If you are a member of that group, you access the file with the permissions set for the group, and the shell stops checking.
  3. If you are neither the user owner nor the group owner, you get the rights of the other users (Others).

To see the current ownership, you can use the ls -l command. This command shows the user owner and the group owner. Below you can see the ownership settings for the directories in the /home directory.

[root@server1 home]# ls -l
total 8
drwx------. 3  bob            bob            74     Feb   6   10:13 bob
drwx------. 3  caroline       caroline       74     Feb   6   10:13 caroline
drwx------. 3  fozia          fozia          74     Feb   6   10:13 fozia
drwx------. 3  lara           lara           74     Feb   6   10:13 lara
drwx------. 5  lisa           lisa           4096   Feb   6   10:12 lisa
drwx------. 14 user           user           4096   Feb   5   10:35 user

Using the ls command, you can display the owner of the files in a given directory. Sometimes it is useful to get a list of all files on the system that have a given user or group as owner. For this you can use find. The find -user argument can be used for this purpose. For example, the following command lists all files owned by the user linda:

find / -user linda

You can also use find to search for files that have a specific group as their owner.

For example, the following command finds all files belonging to the group users:

find / -group users

Changing the owner

To apply the appropriate permissions, the first thing to consider is ownership. There is a command for this: chown. The syntax of this command is easy to understand:

chown who what

For example, the following command changes the owner of /home/account to the user linda:

chown linda /home/account

The chown command has many options, one of which is particularly useful: -R. You can probably guess what it does, because this option is available for many other commands as well. It lets you set the owner recursively, which means you set the owner of the current directory and everything below it. The following command changes the ownership of the /home/account directory and everything below it to the user lisa.

Right now the owners look like this:

[root@localhost ~]# ls -l /home
total 0
drwx------. 2 account account 62 Sep 25 21:41 account
drwx------. 2 lisa    lisa    62 Sep 25 21:42 lisa

Let's run the command:

[root@localhost ~]# chown -R lisa /home/account
[root@localhost ~]#

Now the user lisa has become the owner of the directory:

[root@localhost ~]# ls -l /home
total 0
drwx------. 2 lisa account 62 Sep 25 21:41 account
drwx------. 2 lisa lisa    62 Sep 25 21:42 lisa

Changing the group owner

There are two ways to change group ownership. You can do it with chown, but there is also a dedicated command, chgrp, that does the job. If you want to use the chown command, put a . or : in front of the group name.

The following command changes the group owner of /home/account to the group account:

chown .account /home/account

You can use chown to change the user and/or group owner in several ways. Here are some examples:

  • chown lisa myfile1 sets the user lisa as the owner of myfile1.
  • chown lisa.sales myfile sets the user lisa as the owner of the file myfile and also sets the group sales as the group owner of that file.
  • chown lisa:sales myfile is the same as the previous command.
  • chown .sales myfile sets the group sales as the group owner of myfile without changing the user owner.
  • chown :sales myfile is the same as the previous command.

You can use the chgrp command to change the group owner. Consider the following example, where you use chgrp to set the group owner of the account directory to the group sales:

chgrp sales /home/account

As with chown, you can use the -R option with chgrp to change the group owner recursively.

Understanding default ownership

You may have noticed that when a user creates a file, default ownership is applied.
The user who creates the file automatically becomes the user owner of that file, and the user's primary group automatically becomes the group owner of that file. This is normally the group listed in the /etc/passwd file as the user's primary group. However, if the user is a member of more than one group, the user can change the effective primary group.

To display the current effective primary group, a user can use the groups command:

[root@server1 ~]# groups lisa
lisa : lisa account sales

If the current user lisa wants to change the effective primary group, she uses the newgrp command followed by the name of the group she wants to set as the new effective primary group. After the newgrp command, the new primary group remains active until the user enters the exit command or logs out.

The following shows how the user lisa uses this command, with sales as the primary group:

[lisa@server1 ~]$ groups
lisa account sales
[lisa@server1 ~]$ newgrp sales
[lisa@server1 ~]$ groups
sales lisa account
[lisa@server1 ~]$ touch file1
[lisa@server1 ~]$ ls -l
total 0
-rw-r--r--. 1 lisa sales 0 Feb 6 10:06 file1

After changing the effective primary group, all new files created by the user get that group as group owner. To return to the original primary group setting, use exit.

To be able to use the newgrp command, the user must be a member of the group they want to use as the primary group. Alternatively, a group password can be set for the group with the gpasswd command. If a user uses the newgrp command but is not a member of the target group, the shell prompts for the group password. After the correct group password is entered, the new effective primary group is set.

Managing basic permissions

The Linux permission system was invented in the 1970s. Because computing needs were limited in those years, the basic permission system is rather limited. It uses three permissions that can be applied to files and directories. In this section you learn how to use and change these permissions.

Understanding read, write and execute permissions

The three basic permissions allow you to read, write and execute files. The effect of these permissions differs when applied to files or to directories. For a file, the read permission gives you the right to open the file for reading. So you can read its contents, but it also means your computer can open the file to do something with it.

A program file that needs access to a library must, for example, have read access to that library. It follows that the read permission is the most basic permission you need to work with files.

When applied to a directory, read allows you to list the contents of that directory. You should be aware that this permission does not allow you to read the files in the directory. The Linux permission system does not know inheritance, and the only way to read a file is to have read permission on that file.

As you can probably guess, the write permission, when applied to a file, allows writing to the file. In other words, it lets you change the contents of existing files. However, it does not let you create or delete files or change file permissions. To do that you need write permission on the directory in which you want to create the file. On directories, this permission also allows you to create and delete subdirectories.

The execute permission is what you need to run a file. It is never set by default, which makes Linux almost completely immune to viruses. Only someone with write permission on the directory can apply the execute permission.

The following summarizes the use of the basic permissions:

[Table image in the original: the effect of the read, write and execute permissions on files and on directories]

Using chmod

The chmod command is used to manage permissions. With chmod you can set permissions for the user (user), the group (group) and others (other). You can use this command in two ways: relative mode and absolute mode. In absolute mode, three digits are used to set the basic permissions.

[Table image in the original: numeric values used by chmod in absolute mode: read = 4, write = 2, execute = 1]

When setting permissions, calculate the value you need. If you want to set read/write/execute for the user, read/execute for the group and read/execute for others on /somefile, you use the following chmod command:

chmod 755 /somefile

When you use chmod this way, all current permissions are replaced by the permissions you set.

If you want to change permissions relative to the current permissions, you can use chmod in relative mode. Using chmod in relative mode, you work with three indicators to specify what you want to do:

  1. First you specify for whom you want to change permissions. You can choose between user (u), group (g) and others (o).
  2. Then you use an operator to add or remove permissions from the current mode, or to set them absolutely.
  3. Finally you use r, w and x to specify which permissions you want to set.

When changing permissions in relative mode, you can omit the "to whom" part to add or remove a permission for all entities. For example, this command adds the execute permission for all users:

chmod +x somefile

When working in relative mode, you can also use more complex commands. For example, this command adds the write permission for the group and removes the read permission for others:

chmod g+w,o-r somefile

When you use chmod -R o+rx /data, you set the execute permission on all directories and files in the /data directory. To set the execute permission for directories only and not for files, use chmod -R o+rX /data.

The uppercase X ensures that files do not get the execute permission unless the file already has an execute permission set for some entity. This makes X a smarter way to deal with execute permissions; it avoids setting this permission on files where it is not needed.
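As an added example (not from the original article), the following POSIX shell script builds a throw-away tree with one subdirectory and one non-executable file, then shows that chmod -R o+rX grants execute to the directory only, while chmod -R o+rx also turns the plain file into a world-executable one. The tree lives under a mktemp directory and is constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example: uppercase X versus lowercase x in chmod relative mode.
# Everything here is created in a scratch directory from mktemp and removed
# again, so it can be run as an ordinary user.

# Print the "others" permission triplet (e.g. r-x) of a path, taken from
# columns 8-10 of the ls -ld mode string.
others_perms() {
    ls -ld "$1" | cut -c8-10
}

# Build the sample tree: ROOT/sub (a directory) and ROOT/notes.txt (a regular
# file with no execute bit anywhere). Prints the root path.
make_tree() {
    root=$(mktemp -d)
    mkdir "$root/sub"
    printf 'constructed sample file\n' > "$root/notes.txt"
    chmod 700 "$root" "$root/sub"   # others: ---
    chmod 600 "$root/notes.txt"     # others: ---
    printf '%s\n' "$root"
}

# Apply o+rX recursively and print "<dir others> <file others>".
# X grants execute to directories and to files that already have an execute
# bit; notes.txt has none, so it ends up r-- while sub ends up r-x.
demo_capital_x() {
    root=$(make_tree)
    chmod -R o+rX "$root"
    printf '%s %s\n' "$(others_perms "$root/sub")" "$(others_perms "$root/notes.txt")"
    rm -rf "$root"
}

# Apply o+rx recursively: now the regular file becomes executable by everyone,
# which is exactly what the text warns against for data files.
demo_lowercase_x() {
    root=$(make_tree)
    chmod -R o+rx "$root"
    printf '%s %s\n' "$(others_perms "$root/sub")" "$(others_perms "$root/notes.txt")"
    rm -rf "$root"
}

# Stand-alone run: show both results side by side.
printf 'o+rX -> %s\n' "$(demo_capital_x)"
printf 'o+rx -> %s\n' "$(demo_lowercase_x)"
```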

Advanced permissions

Besides the basic permissions you just read about, Linux also has a set of advanced permissions. These are not permissions you set by default, but they sometimes provide a useful addition. In this section you learn what they are and how to set them.

Understanding SUID, GUID and sticky bit permissions

There are three advanced permissions. The first is the set user ID (SUID) permission. In some special cases you can apply this permission to executable files. By default, the user who runs an executable runs it with their own permissions.

For ordinary users this normally means that the use of the program is limited. In some cases, however, the user needs special permissions, just to perform a specific task.

Consider, for example, the situation where a user needs to change their password. To do this, the user must write the new password to the /etc/shadow file. However, this file cannot be written by non-root users:

[root@hnl ~]# ls -l /etc/shadow
----------. 1 root root 1184 Apr 30 16:54 /etc/shadow

The SUID permission offers a solution to this problem. The /usr/bin/passwd utility uses this permission by default. This means that while changing a password, the user temporarily becomes root, which allows them to write to the /etc/shadow file. You can see the SUID permission with ls -l as an s in the position where you would normally expect to see x for the normal permission:

[root@hnl ~]# ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 32680 Jan 28 2010 /usr/bin/passwd

The SUID permission can be useful (and in some cases it is), but it is also dangerous. If applied incorrectly, you can accidentally hand out root permissions. Therefore I recommend using it only with the utmost care.

Most administrators will never need to apply it; you only see it on some files where the operating system sets it by default.

The second special permission is the set group ID (SGID). This permission has two effects. When applied to an executable file, it gives the user who executes the file the permissions of the file's group owner. So SGID can do more or less the same as SUID. However, SGID is hardly ever used for this purpose.

As with the SUID permission, SGID is applied to some system files as a default setting.

When applied to a directory, SGID can be useful, because you can use it to set the default group owner for files and subdirectories created in that directory. By default, when a user creates a file, the user's effective primary group is set as the group owner of the file.

This is not always very useful, especially since on Red Hat/CentOS users have their primary group set to a group with the same name as the user, of which the user is the only member. Thus, by default, files a user creates are not widely shared.

Consider a situation where the users linda and lori work in accounting and are members of the group account. By default, these users are members of private groups of which they are the only member. Both users, however, are also members of the group account, but as a secondary group.

The normal situation is that when either of these users creates a file, the primary group becomes its owner. Therefore, by default, linda cannot access files created by lori, and vice versa. However, if you create a group directory (say /groups/account) and make sure the SGID permission is applied to that directory and the group account is set as the group owner of that directory, all files created in that directory and in all of its subdirectories get the group account as group owner by default.

For this reason, the SGID permission is a very useful permission to set on shared group directories.

The SGID permission shows in the output of ls -l as an s in the position where you would normally find the group execute permission:

[root@hnl data]# ls -ld account
drwxr-sr-x. 2 root account 4096 Apr 30 21:28 account

The third special permission is the sticky bit. This permission is useful for protecting files against accidental deletion in an environment where several users have write permission on the same directory. If the sticky bit is applied, a user can delete a file only if they are the user owner of the file or of the directory that contains the file. For this reason it is applied as a default permission to the /tmp directory, and it can be useful for shared group directories as well.

Without the sticky bit, if a user can create files in a directory, they can also delete files from that directory. In a shared group environment this can be annoying. Imagine the users linda and lori, who both have write permission on the /data/account directory and get those permissions through their membership of the group account. Therefore linda can delete files created by lori, and vice versa.

When you apply the sticky bit, a user can delete files only if one of the following conditions is true:

  • The user is the owner of the file;
  • The user is the owner of the directory where the file is located.

When using ls -l, you can see the sticky bit as a t in the position where you would normally see the execute permission for others:

[root@hnl data]# ls -ld account/
drwxr-sr-t. 2 root account 4096 Apr 30 21:28 account/

Applying advanced permissions

To apply SUID, SGID and the sticky bit you can use chmod. SUID has the numeric value 4, SGID has the numeric value 2, and the sticky bit has the numeric value 1.

If you want to apply these permissions, you need to add a four-digit argument to chmod, of which the first digit refers to the special permissions. The following line, for example, adds the SGID permission to a directory and sets rwx for the user and rx for the group and others:

chmod 2755 /somedir

This is inconvenient if you need to look up the current permissions that were set before working with chmod in absolute mode. (You risk overwriting permissions if you do not.) So I recommend working in relative mode if you need to apply any special permission:

  1. To apply SUID, use chmod u+s.
  2. To apply SGID, use chmod g+s.
  3. To apply the sticky bit, use chmod +t, followed by the name of the file or directory on which you want to set the permission.

The table summarizes everything you need to know about managing special permissions.

[Table image in the original: summary of the special permissions SUID (numeric value 4, relative mode u+s), SGID (2, g+s) and sticky bit (1, +t)]

Practical example of working with special permissions

In this example you use special permissions to make it easier for members of a group to share files in a group directory. You assign the set group ID bit and the sticky bit, and see that once they are set, features are added that make it easier for group members to work together.

  1. Open a terminal in which you are the user linda. You can create the user with the command useradd linda and add a password with passwd linda.
  2. Create the directory /data as root and the subdirectory /data/sales with the command mkdir -p /data/sales. Run cd /data/sales to go to the sales directory. Run touch linda1 and touch linda2 to create two empty files owned by linda.
  3. Run su - lisa to switch the current user to the user lisa, who is also a member of the group sales.
  4. Run cd /data/sales and from that directory run ls -l. You see the two files created by the user linda, belonging to the group linda. Run rm -f linda*. This deletes both files.
  5. Run touch lisa1 and touch lisa2 to create two files owned by the user lisa.
  6. Run su - to elevate your privileges to root.
  7. Run chmod g+s,o+t /data/sales to set the group identifier (GUID) bit and the sticky bit on the shared group directory.
  8. Run su - linda. Then run touch linda3 and touch linda4. You should now see that the two files you created belong to the group sales, which is the group owner of the /data/sales directory.
  9. Run rm -rf lisa*. The sticky bit prevents these files from being deleted on behalf of the user linda, since you are not the owner of these files. Note that if the user linda were the owner of the /data/sales directory, she could delete these files anyway!
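The special bits covered in this section and the exercise above can also be audited rather than only set. The following POSIX shell script is an added example (not from the original article or the book): it builds a constructed tree under mktemp, then uses find to report files carrying SUID or SGID and world-writable directories that lack the sticky bit, that is, shared directories in which any writer can delete anyone's files. Point audit_tree at a real path such as /usr to use it as a check.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files and world-writable directories without
# the sticky bit. The sample tree is constructed here with mktemp so the script
# runs as an ordinary user; the findings it prints are about that tree only.

# Regular files with the SUID bit set (mode has all of 4000).
suid_files() { find "$1" -type f -perm -4000 -print | sort; }

# Regular files with the SGID bit set (mode has all of 2000).
sgid_files() { find "$1" -type f -perm -2000 -print | sort; }

# Directories writable by others (0002) that do NOT have the sticky bit (1000).
# /tmp-style directories with 1777 are fine and are not reported.
unsticky_ww_dirs() { find "$1" -type d -perm -0002 ! -perm -1000 -print | sort; }

# Build the constructed sample tree and print its root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/shared_ok" "$root/shared_risky" "$root/private"
    chmod 1777 "$root/shared_ok"     # world-writable with sticky bit, like /tmp
    chmod 0777 "$root/shared_risky"  # world-writable, no sticky bit: anyone deletes
    chmod 0750 "$root/private"
    : > "$root/tool_suid"; chmod 4755 "$root/tool_suid"   # SUID, like passwd
    : > "$root/tool_sgid"; chmod 2755 "$root/tool_sgid"   # SGID executable
    : > "$root/plain";     chmod 0644 "$root/plain"       # nothing special
    printf '%s\n' "$root"
}

# Run the three checks on a tree and print one line per finding:
# "<kind> <path relative to the tree root>".
audit_tree() {
    root=$1
    for f in $(suid_files "$root");       do printf 'SUID %s\n' "${f#$root/}"; done
    for f in $(sgid_files "$root");       do printf 'SGID %s\n' "${f#$root/}"; done
    for d in $(unsticky_ww_dirs "$root"); do printf 'WW-NOSTICKY %s\n' "${d#$root/}"; done
}

# Build the sample tree, audit it, clean up, and return the report.
run_demo() {
    root=$(make_sample_tree)
    audit_tree "$root"
    rm -rf "$root"
}

run_demo
```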

Managing ACLs (setfacl, getfacl) in Linux

Although the advanced permissions discussed above add useful functionality to the way Linux handles permissions, they do not allow you to grant permissions to more than one user or one group on the same file.

Access control lists offer this feature. They also allow administrators to set default permissions in a complex way, where the permission set can differ between directories.

Understanding ACLs

Although the ACL subsystem adds great functionality to your server, it has one drawback: not all utilities support it. Therefore you may lose your ACL settings when copying or moving files, and your backup software may fail to back up your ACL settings.

The tar utility does not support ACLs. To make sure ACL settings are not lost when you create a backup, use star instead of tar. star works with the same options as tar; it just adds support for ACL settings.

You can also back up ACLs with getfacl and restore them with the setfacl command. To create a backup, use getfacl -R /directory > file.acls. To restore the settings from the backup file, use setfacl --restore=file.acls.

The lack of support in some utilities should not be a problem. ACLs are usually applied to directories as a structural measure rather than to individual files.
Therefore there are not many of them, just a few, applied in smart places in the file system. So restoring the ACLs you worked with is relatively easy, even if your backup software does not support them.

Preparing the file system for ACLs

Before you start working with ACLs, you may need to prepare your file system to support ACLs. Because the file system metadata needs to be extended, ACL support is not always available by default in the file system. If you get an "operation not supported" message when setting ACLs on a file system, your file system may not support ACLs.

To fix this, you need to add the acl option for the file system in the /etc/fstab file, so that the file system is mounted with ACL support by default.

Changing and viewing ACL settings with setfacl and getfacl

To set ACLs you need the setfacl command. To see the current ACL settings you need getfacl. The ls -l command does not show any current ACLs; it only shows a + after the permission list, indicating that ACLs also apply to the file.

Before setting ACLs, it is always a good idea to display the current ACL settings with getfacl. In the example below you can see the current permissions, as shown with ls -l, and as shown with getfacl. If you look closely, you see that the information shown is exactly the same.

[root@server1 /]# ls -ld /dir
drwxr-xr-x. 2 root root 6 Feb 6 11:28 /dir
[root@server1 /]# getfacl /dir
getfacl: Removing leading '/' from absolute path names
# file: dir
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

In the getfacl output above you can see that permissions are shown for three different objects: user, group and others. Now let us add an ACL to give read and execute permission to the group sales as well. The command for this is setfacl -m g:sales:rx /dir. In this command, -m indicates that the current ACL settings are to be modified. After that, g:sales:rx tells the command to set the ACL read and execute (rx) for the group (g) sales. Below you can see what the command looks like, as well as the output of getfacl after the current ACL settings have been changed.

[root@server1 /]# setfacl -m g:sales:rx /dir
[root@server1 /]# getfacl /dir
getfacl: Removing leading '/' from absolute path names
# file: dir
# owner: root
# group: root
user::rwx
group::r-x
group:sales:r-x
mask::r-x
other::r-x

Now that you understand how to set a group ACL, it is easy to understand ACLs for users and for other users. For example, the command setfacl -m u:linda:rwx /data gives permissions to the user linda on the /data directory without making her the owner or changing the current owner's permissions.

The setfacl command has many features and options. One option is particularly important: the -R parameter. When used, it applies the ACL setting to all files and directories that currently exist in the directory where you set the ACL. It is recommended that you always use this option when changing ACLs for existing directories.

Working with default ACLs

One of the advantages of using ACLs is that you can grant permissions to multiple users or groups on a directory. Another advantage is that you can enable inheritance by working with default ACLs.

By setting a default ACL, you define the permissions that will be set on all new items created in the directory. Be aware that a default ACL does not change the permissions of existing files and subdirectories. To change those, you need to add a normal ACL as well!

This is important to know. If you want to use an ACL to give multiple users or groups access to the same directory, you have to set the ACL twice. First use setfacl -R -m to change the ACL for the current files. Then use setfacl -m d: to take care of all new items that will be created too.

To set a default ACL you just need to add the option d after the option -m (order matters!). So use setfacl -m d:g:sales:rx /data if you want the group sales to have read and execute on everything that will ever be created in the /data directory.

When using default ACLs, it can be useful to set an ACL for others too. This normally makes little sense, because you can change the permissions for others with chmod as well. What you cannot do with chmod, however, is define the rights that others get on every new file that will ever be created. If you want to deny others any permission on anything created in /data, for example, use setfacl -m d:o::- /data.

ACLs and normal permissions are not well integrated. Problems can arise if you apply a default ACL to a directory, then items are added to that directory, and then you try to change the normal permissions. Changes made to the normal permissions will not be reflected properly in the ACL overview. To avoid problems, set the normal permissions first, then set the default ACLs (and try not to change them again afterwards).

Example of advanced permission management using ACLs

In this example you continue with the /data/account and /data/sales directories that you created earlier. In the previous examples you made sure that the group sales has permissions on /data/sales and the group account has permissions on /data/account.

First, make sure that the group account gets read permission on the /data/sales directory and the group sales gets read permission on the /data/account directory.

Then you set default ACLs to make sure that all new files get the correct permissions set for all new items.

  1. Open a terminal.
  2. Run setfacl -m g:account:rx /data/sales and setfacl -m g:sales:rx /data/account.
  3. Run getfacl to make sure the permissions were set the way you want.
  4. Run setfacl -m d:g:account:rwx,g:sales:rx /data/sales to set the default ACL for the sales directory.
  5. Add the default ACL for the /data/account directory with setfacl -m d:g:sales:rwx,g:account:rx /data/account.
  6. Verify that the ACL settings work by adding a new file to /data/sales. Run touch /data/sales/newfile and run getfacl /data/sales/newfile to check the current permissions.

Setting default permissions with umask

Above you learned how to work with default ACLs. If you do not use ACLs, there is a shell setting that determines the default permissions you get: umask. In this section you learn how to change default permissions with umask.

You have probably noticed that when you create a new file, some default permissions are set. These permissions are determined by the umask setting. This shell setting applies to all users at login. The umask setting uses a numeric value that is subtracted from the maximum permissions that can be set automatically on a file; the maximum setting for files is 666 and for directories it is 777.

However, some exceptions apply to this rule. You can find a complete overview of the umask settings in the table below.

Of the digits used in umask, as in the numeric arguments to the chmod command, the first digit refers to the user permissions, the second digit to the group permissions, and the last one to the default permissions set for others. The default umask value 022 gives 644 for all new files and 755 for all new directories created on your server.

A complete overview of all umask numeric values and their results is in the table below.

[Table image in the original: umask digit values and the resulting permissions for files and directories]

A simple way to see how the umask setting works is as follows: start with the default file permissions set to 666 and subtract the umask to get the effective permissions. Do the same for directories with the default permissions of 777.
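As an added example (not from the original article), the following POSIX shell functions compute the permissions the shell actually assigns under a given umask. The shell clears every bit that is set in the umask (mode AND NOT umask) rather than subtracting a number; the digit-by-digit subtraction described above gives the same result whenever no digit has to borrow, and the block shows one umask (027) where the two differ. The stat -c %a used in the cross-check is assumed to be GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example: effective permissions under a umask, computed the way the
# kernel does it (bitwise clear) next to the subtraction shortcut from the text.

# effective_mode BASE UMASK -> octal mode string.
# BASE is 666 for files or 777 for directories; both are octal digit strings.
effective_mode() {
    base=$1
    mask=$2
    # A leading 0 makes the shell treat the value as octal inside $(( )).
    printf '%o\n' $(( 0$base & ~0$mask & 0777 ))
}

# The subtraction shortcut from the text, returned so it can be compared with
# the real bit-clearing result.
naive_subtraction() {
    base=$1
    mask=$2
    printf '%o\n' $(( 0$base - 0$mask ))
}

# Both methods side by side for a few umask values. For 022 they agree
# (644 / 755). For 027 subtraction yields 637 for a file, which is not even a
# valid rwx digit combination; the real result is 640, because the umask digit
# 7 clears an execute bit the file's 6 never had.
demo_umask_table() {
    for m in 022 027 077 011; do
        printf 'umask %s: file %s (subtraction says %s), dir %s\n' \
            "$m" \
            "$(effective_mode 666 "$m")" "$(naive_subtraction 666 "$m")" \
            "$(effective_mode 777 "$m")"
    done
}

# Cross-check against the shell itself: create a file and a directory under the
# requested umask in a scratch directory and read their modes back with stat
# (GNU/BusyBox syntax assumed). Prints "<file mode> <dir mode>".
actual_mode_under_umask() {
    mask=$1
    scratch=$(mktemp -d)
    (umask "$mask"; : > "$scratch/f"; mkdir "$scratch/d")
    printf '%s %s\n' "$(stat -c %a "$scratch/f")" "$(stat -c %a "$scratch/d")"
    rm -rf "$scratch"
}

# Stand-alone run.
demo_umask_table
printf 'shell says for umask 027: %s\n' "$(actual_mode_under_umask 027)"
```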

Akwai hanyoyi guda biyu don canza saitin umask: ga duk masu amfani da na masu amfani guda ɗaya. Idan kana son saita umask ga duk masu amfani, dole ne ka tabbatar da cewa an yi la'akari da saitin umask lokacin fara fayilolin yanayin harsashi, kamar yadda aka ƙayyade a /etc/profile. Hanyar da ta dace ita ce ƙirƙirar rubutun harsashi mai suna umask.sh a cikin /etc/profile.d directory kuma saka umask ɗin da kuke son amfani da shi a cikin wannan rubutun harsashi. Idan an canza umask a cikin wannan fayil ɗin, ana amfani da shi ga duk masu amfani bayan shiga uwar garken.

Madadin saita umask ta hanyar /etc/profile da fayilolin da ke da alaƙa, inda ya shafi duk masu amfani da ke shiga, shine canza saitunan umask a cikin fayil mai suna .profile wanda aka ƙirƙira a cikin kundin adireshin gida na kowane mai amfani.

Saitunan da aka yi amfani da su a cikin wannan fayil suna aiki ne kawai ga mai amfani; don haka wannan hanya ce mai kyau idan kuna buƙatar ƙarin daki-daki. Ni da kaina ina son wannan fasalin don canza tsohuwar umask don tushen mai amfani zuwa 027 yayin da masu amfani na yau da kullun ke gudana tare da tsoho umask na 022.

Working with extended user attributes

This is the final section on Linux permissions.

When working with permissions, there is always a relationship between a user or group object and the permissions those user or group objects have on a file or directory. Another way to protect files on a Linux server is to work with attributes. Attributes do their job regardless of the user accessing the file.

As with ACLs, file attributes may require enabling a mount option.

That option is user_xattr. If you get an "operation not supported" message when working with extended user attributes, make sure to set the mount option in /etc/fstab.

Many attributes are documented. There are other attributes that have not yet been implemented. Do not use them; they will bring you nothing.

Below are the most useful attributes you can apply:

A  This attribute ensures that the file access time is not changed when the file is accessed. Normally, every time a file is opened, the access time must be recorded in the file's metadata. This negatively affects performance; so for files that are accessed frequently, the A attribute can be used to disable this feature.

a  This attribute allows you to append to the file but not to remove it.

c  If you are using a file system that supports volume-level compression, this file attribute ensures that the file is compressed the first time the compression engine becomes active.

D  This attribute ensures that changes to files are written to disk immediately rather than being cached first. This is a useful attribute on important database files to make sure they are not lost between the file cache and the hard disk.

d  This attribute ensures that the file is not saved in backups where the dump utility is used.

I  This attribute enables indexing for the directory it is applied to. This allows faster file access for primitive file systems such as Ext3 that do not use a B-tree database for fast file access.

i  This attribute makes the file immutable. Therefore, no changes can be made to the file, which is useful for files that need additional protection.

j  This attribute ensures that, on an ext3 file system, the file is first written to the journal and only then to the data blocks on the hard disk.

s  Overwrites the blocks in which the file was stored with 0s after the file is deleted. This ensures that the file cannot be recovered once it has been deleted.

u  This attribute saves undelete information. This allows a utility to be developed that works with that information to rescue deleted files.

If you want to apply attributes, you can use the chattr command. For example, use chattr +s somefile to apply the attribute to somefile. Need to remove the attribute? Then use chattr -s somefile and it will be removed. To get an overview of all attributes currently applied, use the lsattr command.
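The lsattr output the text refers to, read back programmatically in an added example that is not from the book: it finds files carrying the attributes listed above, which is how you confirm a log really is append-only (a) or notice an unexpected immutable (i) file. The sample lines, paths and flags are constructed; note that setting or clearing i and a needs root (CAP_LINUX_IMMUTABLE).

```shell
#!/bin/sh
# Added example, not from the book: audit lsattr output for the attributes
# described above, e.g. to confirm a log is append-only (a) or to spot an
# unexpected immutable (i) file. lsattr prints "<flags> <path>" per line,
# with '-' for every unset bit. Setting i or a needs root
# (CAP_LINUX_IMMUTABLE), so plain users cannot clear them either.

# flags_of LINE -> the attribute letters set in one lsattr line, e.g. "ie".
flags_of() {
    printf '%s\n' "$1" | awk '{ gsub(/-/, "", $1); print $1 }'
}

# has_attr LINE LETTER -> success if that attribute letter is set.
has_attr() {
    case "$(flags_of "$1")" in *"$2"*) return 0 ;; esac
    return 1
}

# report LETTERS reads lsattr lines on stdin and prints "<path> <flags>"
# for each file that has at least one of the given letters set.
report() {
    want=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=$(flags_of "$line")
        path=${line#* }
        case "$flags" in
            *[$want]*) printf '%s %s\n' "$path" "$flags" ;;
        esac
    done
}

# Constructed sample lsattr output (paths and flags made up for the demo).
SAMPLE='--------------e------- /var/log/messages
-----a--------e------- /var/log/secure
----i---------e------- /etc/resolv.conf
s-------------e------- /root/secret.txt'

printf '%s\n' "$SAMPLE" | report ia    # the append-only and immutable files
# On a live system: lsattr /var/log 2>/dev/null | report ia
```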

Summary

In this article, you learned how to work with permissions. You read about the three basic permissions, the advanced permissions, and how to apply ACLs on the file system. You also learned how to use the umask option to apply default permissions. At the end of this article, you learned how to use extended user attributes to apply an additional level of file system security.

If you liked this translation, please say so in the comments. That will give more motivation to do useful translations.

Some spelling and grammar errors in the article have been corrected. Some large paragraphs were split into smaller ones for better readability.

Instead of "Only someone who has administrative rights to a directory can apply permissions." it has been corrected to "Only someone who has write permission on a directory can apply the execute permission.", which would be correct.

Thanks for the comment, berez.

Replaced:
If you are not the owner, the shell will check whether you are a member of the group, which is also called the group of the file.

With:
If you are not the owner of the file, the shell will check whether you are a member of the group that has permissions on the file. If you are a member of that group, you will access the file with the permissions set for the group, and the shell will stop checking.

Thank you for your comment, CryptoPirate.

source: www.habr.com
