Permissions in Linux (chown, chmod, SUID, GUID, sticky bit, ACL, umask)

Hello everyone. This is a translation of an article from the book RedHat RHCSA RHCE 7 RedHat Enterprise Linux 7 EX200 and EX300.

A personal note: I hope this article will be useful not only to beginners, but will also help more experienced administrators organise their knowledge.

Let's go.

To access files in Linux, permissions are used. These permissions are assigned to three objects: the file's owner, the group owner, and others (that is, everyone else). This article will teach you how to apply permissions.

The article begins with an overview of the basic concepts and then discusses special permissions and access control lists (ACLs). The end of the article covers setting default permissions through umask, and managing extended user attributes.

Managing file ownership

Before discussing permissions, you need to know the role of file and directory owners. Ownership of files and directories is vital for working with permissions. In this section you will first learn how to see the owner. Then you will learn how to change the group owner and the user owner of files and directories.

Displaying the owner of a file or directory

In Linux, every file and every directory has two owners: a user and a group owner.

These owners are set when the file or directory is created. The user who creates the file becomes the owner of the file, and the primary group of that same user becomes the group owner of the file. To determine whether you as a user have access rights to a file or directory, the shell checks ownership.

This happens in the following order:

  1. The shell checks whether you are the owner of the file you want to access. If you are the owner, you get the owner's permissions and the shell stops checking.
  2. If you are not the owner of the file, the shell checks whether you are a member of the group that has permissions on the file. If you are a member of that group, you access the file with the permissions set for the group, and the shell stops checking.
  3. If you are neither the user owner nor a member of the group owner, you get the rights of others.
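
The lookup order above, as an added shell example that is not part of the original article: only the first matching class applies, so an owner can end up with fewer rights than everyone else (root bypasses these checks). The function names are assumptions, and stat -c needs GNU or BusyBox stat.

```sh
# Added example (not from the article): which permission triplet applies?
# All function names are illustrative.

# access_class FILE_UID FILE_GID CALLER_UID CALLER_GID...
# Prints user, group or other. The first class that matches wins.
access_class() (
    file_uid=$1 file_gid=$2 caller_uid=$3
    shift 3
    if [ "$caller_uid" -eq "$file_uid" ]; then
        echo user
    else
        class=other
        for gid in "$@"; do
            if [ "$gid" -eq "$file_gid" ]; then class=group; fi
        done
        echo "$class"
    fi
)

# triplet MODE CLASS -> the rwx string of that class in an octal mode
triplet() (
    mode=$((0$1))
    case $2 in
        user)  bits=$(( (mode >> 6) & 7 )) ;;
        group) bits=$(( (mode >> 3) & 7 )) ;;
        *)     bits=$(( mode & 7 )) ;;
    esac
    r=-; [ $((bits & 4)) -eq 0 ] || r=r
    w=-; [ $((bits & 2)) -eq 0 ] || w=w
    x=-; [ $((bits & 1)) -eq 0 ] || x=x
    echo "$r$w$x"
)

# my_perms FILE -> "class:rwx" for the user running the script
my_perms() (
    # $2 = owner uid, $3 = group gid, $4 = octal mode of the file
    set -- "$1" $(stat -c '%u %g %a' "$1")
    class=$(access_class "$2" "$3" "$(id -u)" $(id -G))
    echo "$class:$(triplet "$4" "$class")"
)

# A file with mode 047 gives its owner no access at all, although every
# other user gets rwx: the check stops at the owner class.
#   triplet 047 user    prints ---
#   triplet 047 other   prints rwx
```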

To see the current owner assignments you can use the ls -l command. This command shows the user and the group owner. Below you can see the owner settings for the directories under the /home directory.

[root@server1 home]# ls -l
total 8
drwx------. 3  bob            bob            74     Feb   6   10:13 bob
drwx------. 3  caroline       caroline       74     Feb   6   10:13 caroline
drwx------. 3  fozia          fozia          74     Feb   6   10:13 fozia
drwx------. 3  lara           lara           74     Feb   6   10:13 lara
drwx------. 5  lisa           lisa           4096   Feb   6   10:12 lisa
drwx------. 14 user           user           4096   Feb   5   10:35 user

With the ls command you can display the owner of the files in a given directory. Sometimes it can be useful to get a list of all files on the system that have a given user or group as owner. For this you can use find. The find -user argument can be used for this purpose. For example, the following command shows all files that have user linda as owner:

find / -user linda

You can also use find to search for files that have a specific group as their owner.

For example, the following command searches for all files that belong to the group users:

find / -group users

Changing the owner

To apply appropriate permissions, the first thing to consider is ownership. There is a command for this: chown. The syntax of this command is easy to understand:

chown who what

For example, the following command changes the owner of the /home/account directory to user linda:

chown linda /home/account

The chown command has several options, one of which is especially useful: -R. You can guess what it does, because this option is available for many other commands as well. It lets you set the owner recursively, so you can set the owner of the current directory and everything below it. The following command changes the owner of the /home directory and everything below it to user linda:

Currently the owners look like this:

[root@localhost ~]# ls -l /home
total 0
drwx------. 2 account account 62 Sep 25 21:41 account
drwx------. 2 lisa    lisa    62 Sep 25 21:42 lisa

Let's run:

[root@localhost ~]# chown -R lisa /home/account
[root@localhost ~]#

Now user lisa is the owner of the account directory:

[root@localhost ~]# ls -l /home
total 0
drwx------. 2 lisa account 62 Sep 25 21:41 account
drwx------. 2 lisa lisa    62 Sep 25 21:42 lisa

Changing the group owner

There are two ways to change group ownership. You can do it using chown, but there is also a dedicated command called chgrp that does the job. If you want to use the chown command, put . or : in front of the group name.

The following command changes the group owner of the /home/account directory to the account group:

chown .account /home/account

You can use chown to change the user owner and/or the group owner in several ways. Here are some examples:

  • chown lisa myfile1 sets user lisa as the owner of the file myfile1.
  • chown lisa.sales myfile sets user lisa as the owner of the file myfile, and sets the group sales as the group owner of the same file.
  • chown lisa:sales myfile is the same as the previous command.
  • chown .sales myfile sets the group sales as the group owner of myfile without changing the user owner.
  • chown :sales myfile is the same as the previous command.

You can use the chgrp command to change the group owner. Consider the following example, where you use chgrp to set the group owner of the account directory to the sales group:

chgrp sales /home/account

As with chown, you can use the -R option with chgrp to change the group owner recursively.

Understanding default ownership

You may have noticed that when a user creates a file, default ownership is applied.
The user who creates the file automatically becomes the owner of that file, and that user's primary group automatically becomes the group owner of that file. Normally this is the group listed in the /etc/passwd file as the user's primary group. However, if the user is a member of several groups, they can change the effective primary group.

To show the current effective primary group, a user can use the groups command:

[root@server1 ~]# groups lisa
lisa : lisa account sales

If the current user linda wants to change the effective primary group, she uses the newgrp command followed by the name of the group she wants to set as the new effective primary group. After newgrp has been used, the primary group stays in effect until the user enters the exit command or logs out.

Here is how user linda uses this command, with sales as the primary group:

[lisa@server1 ~]$ groups
lisa account sales
[lisa@server1 ~]$ newgrp sales
[lisa@server1 ~]$ groups
sales lisa account
[lisa@server1 ~]$ touch file1
[lisa@server1 ~]$ ls -l
total 0
-rw-r--r--. 1 lisa sales 0 Feb 6 10:06 file1

After the effective primary group has been changed, all new files created by the user get that group as group owner. To return to the original primary group setting, use exit.

To be able to use the newgrp command, the user must be a member of the group they want to use as primary. In addition, a group password can be set for the group using the gpasswd command. If a user runs newgrp but is not a member of the target group, the shell prompts for the group password. Once you enter the correct group password, the new effective primary group is set.

Managing basic permissions

The Linux permission system was invented in the 1970s. Because computing needs were limited in those years, the basic permission system was quite limited. This permission system uses three permissions that can be applied to files and directories. In this section you will learn how to use and change these permissions.

Understanding read, write, and execute permissions

The three basic permissions allow you to read, write, and execute files. The effect of these permissions differs depending on whether they are applied to files or to directories. When applied to a file, read permission gives you the right to open the file for reading. You can therefore read its contents, but it also means that your computer can open the file to do something with it.

A program file that needs access to a library must, for example, have read access to that library. This means that read permission is the most basic permission you need to work with files.

When applied to a directory, read allows you to list the contents of that directory. Be aware that this permission does not allow you to read the files in the directory. The Linux permission system does not know inheritance, and the only way to read a file is to have read permission on that file.

As you might guess, write permission, when applied to a file, allows writing to the file. In other words, it lets you modify the contents of existing files. However, it does not let you create or delete files, or change a file's permissions. To do that, you need write permission on the directory where you want to create the file. On directories, this permission also lets you create and delete subdirectories.

Execute permission is what you need to execute a file. It is never set by default, which makes Linux almost completely immune to viruses. Only someone with write access to the directory can apply execute permission.

The following summarizes the use of the basic permissions:

Using chmod

To manage permissions, use the chmod command. With chmod you can set permissions for the user, the group, and others. You can use this command in two modes: relative mode and absolute mode. In absolute mode, three digits are used to set the basic permissions.

When setting permissions, calculate the value you need. If you want to set read, write, and execute for the user, read and execute for the group, and read and execute for others on /somefile, use the following chmod command:

chmod 755 /somefile

When you use chmod this way, all current permissions are replaced by the permissions you set.

If you want to change permissions relative to the current permissions, you can use chmod in relative mode. When using chmod in relative mode, you work with three indicators to specify what you want to do:

  1. First you specify for whom you want to change permissions. You can choose between user (u), group (g), and others (o).
  2. Then you use an operator to add or remove permissions from the current mode, or to set them absolutely.
  3. Finally you use r, w, and x to specify which permissions you want to set.

When changing permissions in relative mode, you can skip the "to whom" part to add or remove a permission for all objects. For example, the following command adds execute permission for all users:

chmod +x somefile

When working in relative mode, you can also use more complex commands. For example, the following command adds write permission for the group and removes read permission for others:

chmod g+w,o-r somefile

Using chmod -R o+rx /data sets execute permission on all directories as well as on the files in the /data directory. To set execute permission only on directories and not on files, use chmod -R o+rX /data.

The uppercase X ensures that files do not get execute permission unless the file already has execute permission set for some objects. This makes X a smarter way of dealing with execute permissions; it avoids setting this permission on files where it is not needed.

Extended permissions

In addition to the basic permissions you have just read about, Linux also has a set of advanced permissions. These are not permissions you set by default, but sometimes they provide a useful addition. In this section you will learn what they are and how to set them.

Understanding the SUID, GUID, and sticky bit extended permissions

There are three advanced permissions. The first is the set user ID (SUID) permission. In some special cases you may want to apply this permission to executable files. By default, a user who runs an executable runs that file with their own permissions.

For ordinary users this means that use of the program is limited. In some cases, however, the user needs special permissions only to perform a specific task.

Consider, for example, the situation where a user needs to change their password. To do this, the user must write their new password to the /etc/shadow file. However, this file is not writable by non-root users:

[root@hnl ~]# ls -l /etc/shadow
----------. 1 root root 1184 Apr 30 16:54 /etc/shadow

The SUID permission offers a solution to this problem. On the /usr/bin/passwd utility this permission is applied by default. This means that while changing the password, the user temporarily gets root privileges, which allows them to write to the /etc/shadow file. You can see the SUID permission with ls -l as an s in the position where you would otherwise expect to see an x:

[root@hnl ~]# ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 32680 Jan 28 2010 /usr/bin/passwd

The SUID permission may look useful (and in some cases it is), but it can also be dangerous. If it is applied wrongly, you may give away root permissions by accident. I therefore recommend using it only with the greatest care.

Most administrators will never need to use it; you will only see it on some files where the operating system sets it by default.

The second special permission is the set group ID (SGID). This permission has two effects. When applied to an executable file, it gives the user who runs the file the permissions of the file's group owner. So SGID can do more or less the same thing as SUID. However, SGID is rarely used for this purpose.

As with the SUID permission, SGID is applied to some system files as a default setting.

When applied to a directory, SGID can be useful because you can use it to set the default group owner for files and subdirectories created in that directory. By default, when a user creates a file, their effective primary group is set as the group owner of that file.

This is not always very useful, especially because Red Hat/CentOS users have their primary group set to a group with the same name as the user, of which the user is the only member. So, by default, the files a user creates are shared at group level only with that private group.

Imagine a situation where users linda and lori work in accounting and are members of the account group. By default, these users are members of a private group of which they are the only member. Both users are, however, also members of the account group, but as a secondary group setting.

The default situation is that when either of these users creates a file, the primary group becomes the owner. So, by default, linda cannot access files created by lori, and vice versa. However, if you create a shared group directory (say, /groups/account) and make sure that the SGID permission is applied to that directory and that the account group is set as the group owner of that directory, all files created in this directory and in all of its subdirectories also get the account group as the default group owner.

For this reason, the SGID permission is a very useful permission to set on shared group directories.

The SGID permission shows in the output of ls -ld as an s in the position where you would normally find the group execute permission:

[root@hnl data]# ls -ld account
drwxr-sr-x. 2 root account 4096 Apr 30 21:28 account

The third special permission is the sticky bit. This permission is useful for protecting files against accidental deletion in an environment where multiple users have write access to the same directory. If the sticky bit is applied, a user can delete a file only if they are the owner of the file or of the directory that contains the file. For this reason it is applied as a default permission to the /tmp directory, and it can be useful on shared group directories as well.

Without the sticky bit, if a user can create files in a directory, they can also delete files from that directory. In a shared group environment this can be annoying. Imagine users linda and lori, who both have write permissions on the /data/account directory and get these permissions through membership of the account group. Therefore, linda can delete files created by lori, and vice versa.

When you apply the sticky bit, a user can delete files only if one of the following conditions is true:

  • The user is the owner of the file;
  • The user is the owner of the directory where the file exists.

Using ls -ld, you can see the sticky bit as a t in the position where you would normally see the execute permission for others:

[root@hnl data]# ls -ld account/
drwxr-sr-t. 2 root account 4096 Apr 30 21:28 account/
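
Because a misapplied SUID or SGID bit hands out the owner's or group's privileges, and a shared directory without the sticky bit lets any writer delete other users' files, it helps to list where these bits are set. The following audit is an added example, not part of the original article; the function name and the output labels are assumptions.

```sh
# Added example (not from the article): list special permission bits below
# a directory. audit_special_bits and its labels are illustrative names.

# audit_special_bits DIR
# Prints one "LABEL path" line per finding, sorted:
#   SUID       regular file that runs with its owner's identity
#   SGID       regular file that runs with its group owner's identity
#   SGID-DIR   directory whose new files inherit its group owner
#   NO-STICKY  directory writable by others without the sticky bit, so
#              any user who can write there can delete other users' files
audit_special_bits() (
    dir=$1
    {
        find "$dir" -xdev -type f -perm -4000 2>/dev/null | sed 's/^/SUID /'
        find "$dir" -xdev -type f -perm -2000 2>/dev/null | sed 's/^/SGID /'
        find "$dir" -xdev -type d -perm -2000 2>/dev/null |
            sed 's/^/SGID-DIR /'
        find "$dir" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null |
            sed 's/^/NO-STICKY /'
    } | sort
)

# Typical use: compare the list against what the distribution ships, and
# review every entry that was not set by the operating system itself.
#   audit_special_bits /usr/bin
#   audit_special_bits /data
```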

Applying extended permissions

To apply SUID, SGID, and the sticky bit you can also use chmod. SUID has the numeric value 4, SGID has the numeric value 2, and the sticky bit has the numeric value 1.

If you want to apply these permissions, you need to give chmod a four-digit argument, whose first digit refers to the special permissions. The following line, for example, adds the SGID permission to a directory and sets rwx for the user and rx for the group and others:

chmod 2755 /somedir

This is rather impractical if you need to look up the current permissions before working with chmod in absolute mode. (You risk overwriting permissions if you do not.) So I recommend working in relative mode if you need to apply any of the special permissions:

  1. For SUID use chmod u+s.
  2. For SGID use chmod g+s.
  3. For the sticky bit use chmod +t, followed by the name of the file or directory on which you want to set the permissions.

The table summarizes everything you need to know about managing special permissions.

Example of working with special permissions

In this example, you use special permissions to make it easier for group members to share files in a shared group directory. You assign the set group ID bit and the sticky bit, and see that once they are set, features are added that make it easier for group members to work together.

  1. Open a terminal in which you are user linda. You can create the user with the command useradd linda and set a password with passwd linda.
  2. Create the /data directory in the root and the /data/sales subdirectory with the command mkdir -p /data/sales. Run cd /data/sales to go to the sales directory. Run touch linda1 and touch linda2 to create two empty files owned by linda.
  3. Run su - lisa to switch the current user to user lisa, who is also a member of the sales group.
  4. Run cd /data/sales and from that directory run ls -l. You will see the two files that were created by user linda and belong to the group linda. Run rm -f linda*. This removes both files.
  5. Run touch lisa1 and touch lisa2 to create two files owned by user lisa.
  6. Run su - to escalate your privileges to root.
  7. Run chmod g+s,o+t /data/sales to set the group ID (GUID) bit and the sticky bit on the shared group directory.
  8. Run su - linda. Then run touch linda3 and touch linda4. You should now see that the two files you created are owned by the group sales, which is the group owner of the /data/sales directory.
  9. Run rm -rf lisa*. The sticky bit prevents these files from being deleted by user linda, because you are not the owner of these files. Note that if user linda were the owner of the /data/sales directory, she could delete these files anyway!

Managing ACLs (setfacl, getfacl) in Linux

Although the extended permissions discussed above add useful functionality to the way Linux handles permissions, they do not allow you to give permissions to more than one user or one group on the same file.

Access control lists offer this feature. They also allow administrators to set default permissions in a sophisticated way, where the permissions set can differ between directories.

Understanding ACLs

Although the ACL subsystem adds great functionality to your server, it has one drawback: not all utilities support it. Therefore, you may lose ACL settings when copying or moving files, and your backup software may fail to back up ACL settings.

The tar utility does not support ACLs. To make sure that ACL settings are not lost when you create a backup, use star instead of tar. star works with the same parameters as tar; it simply adds support for ACL settings.

You can also back up ACLs using getfacl, and restore them using the setfacl command. To create a backup, use getfacl -R /directory > file.acls. To restore the settings from the backup file, use setfacl --restore=file.acls.

The lack of support in some tools should not be a problem. ACLs are often applied to directories as a structural measure rather than to individual files.
Therefore, there will not be many of them, just a few, applied at smart places in the file system. Hence, restoring the original ACLs you worked with is relatively easy, even if your backup software does not support them.

Preparing the file system for ACLs

Before you start working with ACLs, you may need to prepare your file system for ACL support. Because the file system metadata needs to be extended, there is not always default support for ACLs in the file system. If you get an "operation not supported" message when setting ACLs on a file system, your file system may not support ACLs.

To fix this, add the acl mount option in the /etc/fstab file so that the file system is mounted with ACL support by default.

Changing and viewing ACL settings with setfacl and getfacl

To set an ACL you need the setfacl command. To see the current ACL settings you need getfacl. The ls -l command does not show any existing ACLs; it just shows a + after the permission listing, which indicates that ACLs apply to the file as well.

Before setting ACLs, it is always a good idea to display the current ACL settings using getfacl. In the example below you can see the current permissions as shown with ls -ld, and also as shown with getfacl. If you look closely enough, you will see that the information shown is exactly the same.

[root@server1 /]# ls -ld /dir
drwxr-xr-x. 2 root root 6 Feb 6 11:28 /dir
[root@server1 /]# getfacl /dir
getfacl: Removing leading '/' from absolute path names
# file: dir
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

In the output of the getfacl command above you can see that the permissions are shown for three different objects: user, group, and others. Now let's add an ACL to give read and execute permissions to the sales group as well. The command for this is setfacl -m g:sales:rx /dir. In this command, -m indicates that the current ACL settings need to be modified. After that, g:sales:rx tells the command to set the ACL to read and execute (rx) for the group (g) sales. Below you can see what the command looks like, as well as the output of the getfacl command after changing the current ACL settings.

[root@server1 /]# setfacl -m g:sales:rx /dir
[root@server1 /]# getfacl /dir
getfacl: Removing leading '/' from absolute path names
# file: dir
# owner: root
# group: root
user::rwx
group::r-x
group:sales:r-x
mask::r-x
other::r-x

Now that you understand how to set a group ACL, it is easy to understand ACLs for users and for others. For example, the command setfacl -m u:linda:rwx /data gives permissions to user linda on the /data directory without making her the owner or changing the assignment of the current owner.

The setfacl command has many features and options. One option is particularly important: the -R parameter. If used, the option sets the ACL on all files and subdirectories that currently exist in the directory where you set the ACL. It is recommended that you always use this option when changing ACLs on existing directories.

Working with default ACLs

One of the benefits of using ACLs is that you can give permissions to multiple users or groups on a directory. Another benefit is that you can enable inheritance by working with default ACLs.

By setting a default ACL, you determine the permissions that will be set on all new items created in the directory. Keep in mind that a default ACL does not change the permissions on existing files and subdirectories. To change those, you need to add a normal ACL as well!

This is important to know. If you want to use an ACL to configure access for multiple users or groups to the same directory, you have to set the ACL twice. First use setfacl -R -m to modify the ACL of the current files. Then use setfacl -m d: to take care of all new items that will be created as well.

To set a default ACL you just need to add the option d after the option -m (order matters!). So use setfacl -m d:g:sales:rx /data if you want the group sales to have read and execute on everything that will ever be created in the /data directory.

When using default ACLs, it can also be useful to set an ACL for others. Normally this does not make much sense, because you can also change the permissions for others using chmod. What you cannot do with chmod, however, is specify the permissions that should be granted to others on every new file that will ever be created. If you want to prevent others from getting any permissions on anything created in /data, for example, use setfacl -m d:o::- /data.

ACLs and regular permissions are not always well integrated. Problems can arise if you apply a default ACL to a directory, items are then added to that directory, and you then try to change the regular permissions. The changes that apply to the regular permissions will not be reflected well in the ACL overview. To avoid problems, set the regular permissions first, and then set the default ACLs (and after that, try not to change them again).

Example of managing extended permissions using ACLs

In this example, you continue working with the /data/account and /data/sales directories you created earlier. In the previous examples, you made sure that the sales group has permissions on /data/sales and the account group has permissions on /data/account.

First, make sure that the account group gets read permissions on the /data/sales directory and that the sales group gets read permissions on the /data/account directory.

Then you set default ACLs to make sure that all new files get the correct permissions set for all new items.

  1. Open a terminal.
  2. Run setfacl -m g:account:rx /data/sales and setfacl -m g:sales:rx /data/account.
  3. Run getfacl to verify that the permissions have been set the way you intended.
  4. Run setfacl -m d:g:account:rwx,g:sales:rx /data/sales to set the default ACL for the sales directory.
  5. Add the default ACL for the /data/account directory using setfacl -m d:g:sales:rwx,g:account:rx /data/account.
  6. Verify that your ACL settings work by adding a new file to /data/sales. Run touch /data/sales/newfile and then getfacl /data/sales/newfile to check the current permissions.
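
The two-step pattern from this section (an access ACL for what already exists, a default ACL for what will be created) together with the getfacl backup described earlier, as an added example that is not part of the original article. The function names are assumptions; it needs the setfacl and getfacl tools and a file system mounted with ACL support.

```sh
# Added example (not from the article). Function names are illustrative.

# grant_group GROUP PERMS DIR
# Step 1: access ACL on DIR and on everything that already exists below it.
# Step 2: default ACL on DIR, so that new items inherit the same entry.
grant_group() {
    setfacl -R -m "g:$1:$2" "$3" &&
    setfacl -m "d:g:$1:$2" "$3"
}

# group_entry GROUP PATH -> access ACL line for GROUP, e.g. group:sales:r-x
# getfacl appends a tab and "#effective:..." when the mask limits an entry
# (a new file created with mode 666 cannot pass on x); cut drops that part.
group_entry() {
    getfacl -cp "$2" | grep "^group:$1:" | cut -f1
}

# backup_acls DIR FILE: save all ACLs below DIR. The -p option keeps the
# absolute path names, so the backup can be restored from any directory.
backup_acls() {
    getfacl -R -p "$1" > "$2"
}

# restore_acls FILE: re-apply the ACLs recorded by backup_acls.
restore_acls() {
    setfacl --restore="$1"
}

# Typical use with the directories of this article:
#   grant_group account rx /data/sales
#   group_entry account /data/sales
#   backup_acls /data /root/data.acls
#   restore_acls /root/data.acls
```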

Setting default permissions with umask

Above you learned how to work with default ACLs. If you do not use ACLs, there is a shell setting that determines the default permissions you will get: umask (a reverse mask). In this section you will learn how to change default permissions using umask.

You may have noticed that when you create a new file, some default permissions are set. These permissions are determined by the umask setting. This shell setting applies to all users at login. The umask setting uses a numeric value that is subtracted from the maximum permissions that can be set automatically on a file; the maximum setting for files is 666, and for directories it is 777.

Some exceptions apply to this rule, however. You can find a complete overview of the umask settings in the table below.

Of the digits used in the umask, as with the numeric arguments of the chmod command, the first digit refers to the user's permissions, the second digit refers to the group's permissions, and the last refers to the default permissions set for others. The default umask value of 022 gives 644 for all new files and 755 for all new directories created on your server.

A complete overview of all umask numeric values and their results is given in the table below.

An easy way to see how the umask setting works is as follows: start with the default file permissions set to 666 and subtract the umask to get the effective permissions. Do the same for a directory and its default permissions of 777.
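
Subtraction gives the right answer for the umask values used in this article, but what actually happens is that the bits set in the umask are cleared from 666 or 777, which differs for masks with odd digits such as 033. The following added example (not from the original article; the function names are assumptions) computes the result and checks it by really creating a file and a directory.

```sh
# Added example (not from the article). Function names are illustrative.

# mode_after_umask BASE UMASK -> octal mode: BASE with the umask bits cleared
mode_after_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# observed_modes UMASK -> "FILEMODE DIRMODE" of a file and a directory that
# are really created under that umask. The function body is a subshell, so
# the umask of the calling shell is left untouched.
observed_modes() (
    d=$(mktemp -d) || exit 1
    umask "$1"
    : > "$d/newfile"
    mkdir "$d/newdir"
    echo "$(stat -c %a "$d/newfile") $(stat -c %a "$d/newdir")"
    rm -rf "$d"
)

# umask_report UMASK -> predicted and observed modes side by side
umask_report() {
    echo "umask $1: predicted $(mode_after_umask 666 "$1")" \
         "$(mode_after_umask 777 "$1"), observed $(observed_modes "$1")"
}

# umask_report 022 -> umask 022: predicted 644 755, observed 644 755
# umask_report 027 -> umask 027: predicted 640 750, observed 640 750
# umask_report 033 -> umask 033: predicted 644 744, observed 644 744
#                     (plain subtraction would give 633 for the file)
```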

Kukho iindlela ezimbini zokutshintsha i-umask setting: kubo bonke abasebenzisi kunye nabasebenzisi ngabanye. Ukuba ufuna ukuseta umask kubo bonke abasebenzisi, kufuneka uqinisekise ukuba isicwangciso se umask siyahlonitshwa xa usebenzisa iifayile zemekobume yeqokobhe, njengoko kucacisiwe kwi/etc/profile. Indlela echanekileyo kukwenza umbhalo weqokobhe obizwa ngokuba ngu umask.sh kwi/etc/profile.d ulawulo kwaye ukhankanye umask ofuna ukuwusebenzisa kweso sikripthi seqokobhe. Ukuba umask utshintshile kule fayile, isetyenziswa kubo bonke abasebenzisi emva kokungena kwiseva.

Enye indlela yokuseta umask ngokusebenzisa / etc/profile kunye neefayile ezihambelanayo, apho kusebenza kubo bonke abasebenzisi abangenayo, kukutshintsha izicwangciso zeumask kwifayile ebizwa ngokuba yi-.profile, eyenziwe kulawulo lwasekhaya lomsebenzisi ngamnye.

Izicwangciso ezifakwe kule fayile zisebenza kuphela kumsebenzisi ngamnye; ngoko ke, le yindlela elungileyo ukuba ufuna iinkcukacha ezingaphezulu. Mna ngokobuqu ndiyathanda eli nqaku ukutshintsha ingcambu umask engagqibekanga ukuya ku-027, ngelixa abasebenzisi abaqhelekileyo basebenza nge-umask engagqibekanga ka-022.

Working with user extended attributes

This is the final section on Linux permissions.

When you work with permissions, a relationship always exists between a user or group object and the permissions that user or group object has on a file or directory. An alternative method of protecting files on a Linux server is to work with attributes.
Attributes do their work regardless of which user accesses the file.

As with ACLs, file attributes may need to be enabled with a mount option.

This is the user_xattr option. If you get an "operation not supported" message when working with user extended attributes, make sure you set the mount option in the /etc/fstab file.

Many attributes are documented. Some attributes are available but not yet implemented. Do not use them; they will not bring you anything.

Below are the most useful attributes you can apply:

A: This attribute ensures that the access time of the file is not modified.
Normally, every time a file is opened, the access time must be recorded in the file's metadata. This hurts performance; therefore, on files that are accessed regularly, the A attribute can be used to turn this feature off.

a: This attribute allows data to be added to a file, but the file cannot be removed.

c: If you are using a file system that supports volume-level compression, this file attribute ensures that the file is compressed the first time the compression engine becomes active.

D: This attribute ensures that changes to files are written to disk immediately rather than being cached first. It is a useful attribute on important database files to make sure that changes do not get lost between the file cache and the hard drive.

d: This attribute ensures that the file is not saved in backups where the dump utility is used.

I: This attribute enables indexing for the directory where it is set. This provides faster file access on primitive file systems such as Ext3, which do not use a B-tree database for fast file access.

i: This attribute makes the file immutable. Therefore, no changes can be made to the file at all, which is useful for files that need extra protection.

j: This attribute ensures that on an ext3 file system the file is first written to the journal and only then to the data blocks on the hard disk.

s: Overwrites the blocks where the file was stored with 0s after the file has been deleted. This ensures that the file cannot be recovered once it has been deleted.

u: This attribute saves undelete information. This makes it possible to develop a utility that works with that information to salvage deleted files.

If you want to apply attributes, you can use the chattr command. For example, use chattr +s somefile to apply the attribute to somefile. Need to remove the attribute? Then use chattr -s somefile, and it will be removed. To get an overview of all attributes that are currently applied, use the lsattr command.
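One way to check that the attributes you applied with chattr are still in place, as an added example that is not part of the original article. It compares lsattr-style output with a list of the attributes each file is supposed to carry; the function names, the policy format and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# flags_for PATH
# stdin: lsattr-style lines "<flags> <path>". Prints the flag field for PATH.
flags_for() {
    while read -r flags path; do
        if [ "$path" = "$1" ]; then
            printf '%s\n' "$flags"
        fi
    done
}

# attr_drift LISTING
# stdin: policy lines "<letter> <path>" naming the attribute each file
# should carry. Prints "MISSING <letter> <path>" when it is absent.
# Matching is case-sensitive: 'a' (append only) is not 'A' (no atime).
attr_drift() {
    while read -r want path; do
        have=$(printf '%s\n' "$1" | flags_for "$path")
        case $have in
            *"$want"*) ;;
            *) printf 'MISSING %s %s\n' "$want" "$path" ;;
        esac
    done
}

# Constructed listing in the layout lsattr prints (not real output;
# column positions are illustrative and not used for matching).
sample_lsattr() {
    cat <<'EOF'
----i----------- /etc/resolv.conf
-------A-------- /var/log/app.log
---------------- /srv/db/main data.db
EOF
}

# Constructed policy: what the administrator intended.
sample_policy() {
    cat <<'EOF'
i /etc/resolv.conf
a /var/log/app.log
D /srv/db/main data.db
EOF
}

sample_policy | attr_drift "$(sample_lsattr)"
```

On a real system, pass the output of lsattr for the files named in the policy as the argument instead of the constructed listing.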

Summary

In this article, you learned how to work with permissions. You read about the three basic permissions, the advanced permissions, and how to apply ACLs on a file system. You also learned how to use the umask setting to apply default permissions. At the end of this article, you learned how to use user extended attributes to apply an additional layer of file system security.

If you liked this translation, please write about it in the comments. There will be more motivation to make useful translations.

I fixed some typos and grammatical errors in the article. Large paragraphs were broken into smaller ones to make them easier to read.

Instead of "Only someone with administrative rights on the directory can apply the execute permission." it has been corrected to "Only someone with write access on the directory can apply the execute permission.", which is more accurate.

Thanks for the comments, berez.

Replaced:
If you are not the user owner, the shell will check whether you are a member of the group, which is also known as the group of the file.

With:
If you are not the owner of the file, the shell will check whether you are a member of a group that has permissions on the file. If you are a member of this group, you will access the file with the permissions set for the group, and the shell will stop checking.

Thanks for your comment, CryptoPirate.

Source: www.habr.com
