systemd-homed introduced for managing home directories

Lennart Poettering presented (PDF) at the All Systems Go 2019 conference a new component of the systemd system manager, systemd-homed, whose purpose is to make users' home directories portable and independent of the system configuration. The core idea of the project is a self-contained container for user data that can be moved between different systems without having to worry about synchronising identifiers and secrets.

The home container is supplied as a mountable image file whose contents are encrypted. The user's credentials are tied to the home directory rather than to the system configuration: instead of /etc/passwd and /etc/shadow, a record in JSON format is used, stored in the file ~/.identity. The record carries the parameters the user needs to work, including the user name, the password hash, encryption keys, quotas and granted resources. The record can be certified with a digital signature stored on an external Yubikey token.

The parameters can also include information such as SSH keys, biometric authentication data, an avatar, e-mail address, postal address, time zone, language, limits on processes and memory, additional mount flags (nodev, noexec, nosuid), the user's IMAP/SMTP server details, parental control settings, backup options and more. A Varlink API is provided for querying and enumerating the parameters.

UID/GID allocation and setup is performed dynamically on each local system where the home directory is mounted. With the proposed scheme a user can carry their home directory with them, for example on a flash drive, and obtain a working environment on any computer without creating an account on it: the mere presence of the file with the home directory image is enough for the user to be attached to the system.

A LUKS2 partition is proposed for data encryption, but systemd-homed also permits other backends, for example unencrypted directories, Btrfs, fscrypt and CIFS network shares. For managing portable home directories the homectl utility is proposed, which allows creating and activating home directory images, as well as resizing them and setting passwords.

At the system level, operation is provided by the following components:

  • systemd-homed.service - manages the home directory and embeds the JSON records directly into the home directory images;
  • pam_systemd - reads the parameters from the JSON record when the user logs in and applies them within the established session (authenticates, sets environment variables and so on);
  • systemd-logind.service - reads the parameters from the JSON record when the user logs in, applies the various resource management settings and sets limits;
  • nss-systemd - an NSS module for glibc that generates classic NSS records from the JSON record, providing backward compatibility with the UNIX user handling API (/etc/passwd);
  • PID 1 - creates dynamic users (those created via the DynamicUser directive in units) and makes them visible to the rest of the system;
  • systemd-userdbd.service - translates UNIX/glibc NSS accounts into JSON records and provides a unified Varlink API for querying and enumerating the records.
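The two points above that are easiest to misread are the per-machine binding (a home directory carries no fixed UID/GID; each host it is attached to records its own) and what nss-systemd actually hands to legacy programs. The following Python is an added example, not systemd's own code: it takes a JSON record in the layout shown in this article, picks the binding for the local machine ID, and builds the passwd(5), group(5) and shadow(5) lines that classic UNIX APIs expect. The record, both machine IDs and the password hash string are constructed for the example; the default shell of /bin/sh and the rule that only root or the user concerned may read the privileged section are the example's own choices, modelled on /etc/shadow.

```python
"""Added example, not systemd's own code: map a systemd-homed style JSON
user record onto classic passwd(5)/group(5)/shadow(5) lines, the job
nss-systemd does for glibc. Record, machine IDs and hash are constructed.
"""
import json

USEC_PER_DAY = 86_400 * 1_000_000

# On a real host this would be read from /etc/machine-id (constructed here).
LOCAL_MACHINE_ID = "15e19cf24e004b949ddaac60c74aa165"
OTHER_MACHINE_ID = "0d1f2e3c4b5a69788796a5b4c3d2e1f0"

# Constructed record with two bindings: the same user has a different
# UID/GID on each machine the home directory has been attached to.
SAMPLE_RECORD_JSON = json.dumps({
    "userName": "test",
    "realName": "Test User",
    "disposition": "regular",
    "memberOf": ["wheel"],
    "lastChangeUSec": 1565951024279735,
    "binding": {
        LOCAL_MACHINE_ID: {"uid": 60233, "gid": 60232,
                           "homeDirectory": "/home/test",
                           "imagePath": "/home/test.home", "storage": "luks"},
        OTHER_MACHINE_ID: {"uid": 60311, "gid": 60310,
                           "homeDirectory": "/home/test",
                           "imagePath": "/home/test.home", "storage": "luks"},
    },
    # The hash string is a constructed placeholder, not a real sha512-crypt hash.
    "privileged": {"hashedPassword": ["$6$WHBKvAFFT9jKPA4k$example"]},
})


def load_record(text):
    """Parse a record and check the fields every consumer needs."""
    record = json.loads(text)
    for field in ("userName", "binding"):
        if field not in record:
            raise ValueError(f"user record lacks required field {field!r}")
    return record


def select_binding(record, machine_id):
    """Return the binding for this machine.

    A record that has never been bound here carries no UID/GID for it:
    systemd-homed has to allocate one first, so the lookup fails rather
    than guessing an identifier.
    """
    binding = record["binding"].get(machine_id)
    if binding is None:
        raise LookupError(
            f"user {record['userName']!r} is not bound on machine {machine_id}")
    for field in ("uid", "gid", "homeDirectory"):
        if field not in binding:
            raise ValueError(f"binding for {machine_id} lacks {field!r}")
    return binding


def passwd_line(record, machine_id):
    """passwd(5) entry. The password field is always 'x': the hash lives in
    the privileged section and is only handed out via shadow_line()."""
    b = select_binding(record, machine_id)
    return ":".join([
        record["userName"], "x", str(b["uid"]), str(b["gid"]),
        record.get("realName", ""), b["homeDirectory"],
        record.get("shell", "/bin/sh"),   # default shell is an assumption
    ])


def group_line(record, machine_id):
    """group(5) entry for the user's private primary group."""
    b = select_binding(record, machine_id)
    return f"{record['userName']}:x:{b['gid']}:"


def shadow_line(record, machine_id, caller_uid):
    """shadow(5) entry. As with /etc/shadow, only root or the user
    concerned may read the hash; anyone else gets an error, not a line."""
    b = select_binding(record, machine_id)
    if caller_uid not in (0, b["uid"]):
        raise PermissionError("privileged section is readable only by root or the user")
    hashes = record.get("privileged", {}).get("hashedPassword", [])
    if not hashes:
        raise ValueError(f"no password hash for {record['userName']!r}")
    # shadow(5) holds one hash and counts days since the epoch; a homed
    # record may hold several hashes and a microsecond timestamp.
    last_change_days = record.get("lastChangeUSec", 0) // USEC_PER_DAY
    return f"{record['userName']}:{hashes[0]}:{last_change_days}:0:99999:7:::"


if __name__ == "__main__":
    rec = load_record(SAMPLE_RECORD_JSON)
    for mid in (LOCAL_MACHINE_ID, OTHER_MACHINE_ID):
        print(passwd_line(rec, mid))
        print(group_line(rec, mid))
    print(shadow_line(rec, LOCAL_MACHINE_ID, caller_uid=0))
    try:
        select_binding(rec, "ffffffffffffffffffffffffffffffff")
    except LookupError as err:
        print("unbound machine:", err)
```

Running it prints two different passwd lines for the same user name, one per machine ID, which is the point of the binding section: nothing in the record itself fixes the numeric identity, so nothing needs to be kept in sync between hosts. The shadow line is refused for an unprivileged caller, mirroring the mode bits on /etc/shadow that the JSON file replaces.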

The advantages of the proposed mechanism include the ability to manage users while keeping the /etc directory mounted read-only, no need to synchronise identifiers (UID/GID) between systems, the user's independence from a particular computer, encryption of user data while the system is suspended, and the use of encryption and modern authentication methods. systemd-homed is planned for inclusion in the systemd mainline in release 244 or 245.

Example of a JSON user record (the key under "binding" and "status" is a machine ID, since UID/GID, image location and status are tracked per machine):

{
    "autoLogin" : true,
    "binding" : {
        "15e19cd24e004b949ddaac60c74aa165" : {
            "fileSystemType" : "ext4",
            "fileSystemUUID" : "758e88c8-5851-4a2a-b98f-e7474279c111",
            "gid" : 60232,
            "homeDirectory" : "/home/test",
            "imagePath" : "/home/test.home",
            "luksCipher" : "aes",
            "luksCipherMode" : "xts-plain64",
            "luksUUID" : "e63581ba-79fa-4226-b9de-1888393f7573",
            "luksVolumeKeySize" : 32,
            "partitionUUID" : "41f9ce04-c927-4b74-a981-c669f93eb4dc",
            "storage" : "luks",
            "uid" : 60233
        }
    },
    "disposition" : "regular",
    "enforcePasswordPolicy" : false,
    "lastChangeUSec" : 1565951024279735,
    "memberOf" : [
        "wheel"
    ],
    "privileged" : {
        "hashedPassword" : [
            "$6$WHBKvAFFT9jKPA4k$OPY4D5…/"
        ]
    },
    "signature" : [
        {
            "data" : "LU/HeVrPZSzi3M3J...==",
            "key" : "-----BEGIN PUBLIC KEY-----\nMCowBQADK2VwAy…=\n-----END PUBLIC KEY-----\n"
        }
    ],
    "userName" : "test",
    "status" : {
        "15e19cf24e004b949dfaac60c74aa165" : {
            "goodAuthenticationCounter" : 16,
            "lastGoodAuthenticationUSec" : 1566309343044322,
            "rateLimitBeginUSec" : 1566309342341723,
            "rateLimitCount" : 1,
            "state" : "inactive",
            "service" : "io.systemd.Home",
            "diskSize" : 161218667776,
            "diskCeiling" : 191371729408,
            "diskFloor" : 5242780,
            "signedLocally" : true
        }
    }
}

Source: opennet.ru