systemd-homed presented for managing portable home directories

At the All Systems Go 2019 conference, Lennart Poettering presented (PDF) a new component of the systemd system manager, systemd-homed, aimed at making user home directories portable and decoupling them from the system configuration. The core idea of the project is a self-contained container for user data that can be moved between different systems without having to worry about identifier synchronization or privacy.

The home directory is shipped as a mountable image file whose contents are encrypted. User credentials are tied to the home directory rather than to the system configuration: instead of /etc/passwd and /etc/shadow, a JSON-format profile stored in ~/.identity inside the home directory is used. The profile contains the parameters the user needs to work, including the user name, password hash, encryption keys, quotas and granted privileges. The profile can be certified with a digital signature whose key is kept on an external YubiKey token.

The parameters may also carry additional information such as SSH keys, biometric authentication data, an avatar image, e-mail address, postal address, time zone, language, process and memory limits, additional mount flags (nodev, noexec, nosuid), the IMAP/SMTP servers the user uses, parental-control settings, backup options, and so on. A Varlink API is provided for querying and parsing the parameters.

UID/GID assignment and privilege handling are performed dynamically on each system where the home directory is mounted. With the proposed system a user can carry their home directory with them, for example on a USB flash drive, and get a working environment on any computer without explicitly creating an account there (the presence of the home directory image file is what causes the user to be created).

LUKS2 is proposed as the data-encryption backend, but systemd-homed also allows other backends, for example plain unencrypted directories, Btrfs subvolumes, fscrypt and CIFS network shares. To manage portable home directories the homectl utility is proposed, which lets you create and mount home directory images, resize them and set a password.

At the system level, operation is provided by the following components:

  • systemd-homed.service - manages home directories and embeds the JSON records directly into the home directory images;
  • pam_systemd - processes the parameters from the JSON profile when the user logs in and applies them in the context of the active session (performs authentication, sets environment variables, etc.);
  • systemd-logind.service - processes the parameters from the JSON profile at login, applies the various resource-management settings and sets limits;
  • nss-systemd - an NSS module for glibc that synthesizes classic NSS records from the JSON profile, providing backward compatibility with the UNIX user-handling API (/etc/passwd);
  • PID 1 - dynamically creates users (similarly to what the DynamicUser directive does for units) and makes them visible to the whole system;
  • systemd-userdbd.service - translates UNIX/glibc NSS accounts into JSON records and provides a unified Varlink API for querying and enumerating records.

Advantages of the proposed system include the ability to manage users while /etc is mounted read-only, no need to synchronize identifiers (UID/GID) between systems, the user's independence from a particular computer, locking of user data while the system is suspended, and the use of modern encryption and authentication methods. systemd-homed is planned for inclusion in mainline systemd in release 244 or 245.

Example JSON user profile:

{
    "autoLogin" : true,
    "binding" : {
        "15e19cd24e004b949ddaac60c74aa165" : {
            "fileSystemType" : "ext4",
            "fileSystemUUID" : "758e88c8-5851-4a2a-b98f-e7474279c111",
            "gid" : 60232,
            "homeDirectory" : "/home/test",
            "imagePath" : "/home/test.home",
            "luksCipher" : "aes",
            "luksCipherMode" : "xts-plain64",
            "luksUUID" : "e63581ba-79fa-4226-b9de-1888393f7573",
            "luksVolumeKeySize" : 32,
            "partitionUUID" : "41f9ce04-c927-4b74-a981-c669f93eb4dc",
            "storage" : "luks",
            "uid" : 60233
        }
    },
    "disposition" : "regular",
    "enforcePasswordPolicy" : false,
    "lastChangeUSec" : 1565951024279735,
    "memberOf" : [
        "wheel"
    ],
    "privileged" : {
        "hashedPassword" : [
            "$6$WHBKvAFFT9jKPA4k$OPY4D5…/"
        ]
    },
    "signature" : [
        {
            "data" : "LU/HeVrPZSzi3M3J...==",
            "key" : "-----BEGIN PUBLIC KEY-----\nMCowBQADK2VwAy…=\n-----END PUBLIC KEY-----\n"
        }
    ],
    "userName" : "test",
    "status" : {
        "15e19cf24e004b949dfaac60c74aa165" : {
            "goodAuthenticationCounter" : 16,
            "lastGoodAuthenticationUSec" : 1566309343044322,
            "rateLimitBeginUSec" : 1566309342341723,
            "rateLimitCount" : 1,
            "state" : "inactive",
            "service" : "io.systemd.Home",
            "diskSize" : 161218667776,
            "diskCeiling" : 191371729408,
            "diskFloor" : 5242780,
            "signedLocally" : true
        }
    }
}
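The record above is only useful once a host resolves it against its own machine ID, which is what the nss-systemd and systemd-userdbd components described earlier do. The following Python is an added example, not systemd's own code: it parses a record of the same shape, picks the "binding" entry for the local machine, checks that the UID/GID fall in the range systemd documents for homed-managed users (60001-60513), synthesizes the classic passwd(5) line, turns the record's mount flags into mount options, and withholds the "privileged" section (password hashes) from unprivileged callers. The embedded record is constructed with placeholder machine ID and hash; the field names realName, shell, mountNoDevices, mountNoSuid and mountNoExecute follow the systemd user record specification, and the "secret"/"privileged" visibility rules are modelled on how userdb describes those sections.

```python
"""Added example (not systemd's own code): resolve a homed-style JSON user
record on one host the way nss-systemd / systemd-userdbd are described to."""
import copy
import json

# Range systemd documents for users managed by systemd-homed.
HOMED_UID_MIN, HOMED_UID_MAX = 60001, 60513

MACHINE_ID = "15e19cd24e004b949ddaac60c74aa165"  # on a real host: /etc/machine-id

# Constructed record mirroring the page's example; placeholder hash/ID values.
SAMPLE_JSON = json.dumps({
    "userName": "test",
    "realName": "Test User",
    "shell": "/bin/bash",
    "disposition": "regular",
    "memberOf": ["wheel"],
    "mountNoDevices": True,
    "mountNoSuid": True,
    "mountNoExecute": False,
    "binding": {
        MACHINE_ID: {
            "uid": 60233, "gid": 60232,
            "homeDirectory": "/home/test",
            "imagePath": "/home/test.home",
            "storage": "luks",
            "fileSystemType": "ext4",
            "luksCipher": "aes",
            "luksCipherMode": "xts-plain64",
            "luksVolumeKeySize": 32,
        }
    },
    "privileged": {"hashedPassword": ["$6$placeholder$placeholder"]},
    "status": {MACHINE_ID: {"state": "inactive", "diskSize": 161218667776}},
})


def load_record(text):
    """Parse a record and reject one missing the two mandatory parts."""
    record = json.loads(text)
    for key in ("userName", "binding"):
        if key not in record:
            raise ValueError(f"user record lacks required field {key!r}")
    return record


def validate_binding(binding):
    """Return a list of problems with a per-machine binding (empty means OK)."""
    problems = []
    for field in ("uid", "gid"):
        value = binding.get(field)
        if not isinstance(value, int) or not HOMED_UID_MIN <= value <= HOMED_UID_MAX:
            problems.append(f"{field}={value!r} outside homed range "
                            f"{HOMED_UID_MIN}-{HOMED_UID_MAX}")
    if not str(binding.get("homeDirectory", "")).startswith("/"):
        problems.append("homeDirectory must be absolute")
    if binding.get("storage") == "luks":
        for field in ("luksCipher", "luksCipherMode", "luksVolumeKeySize"):
            if field not in binding:
                problems.append(f"luks binding lacks {field}")
    return problems


def has_binding(record, machine_id):
    return machine_id in record["binding"]


def select_binding(record, machine_id):
    """Binding for this host. A record carries one per host it was activated
    on, keyed by machine ID; UID/GID and LUKS parameters live there, not at
    top level, which is what keeps the record portable."""
    binding = record["binding"].get(machine_id)
    if binding is None:
        raise KeyError(f"no binding for machine {machine_id}")
    problems = validate_binding(binding)
    if problems:
        raise ValueError("; ".join(problems))
    return binding


def to_passwd_line(record, machine_id):
    """passwd(5) line nss-systemd would present on this host; the password
    field is "x" because the hash lives in the privileged section."""
    b = select_binding(record, machine_id)
    gecos = record.get("realName", record["userName"])
    shell = record.get("shell", "/bin/sh")
    return f'{record["userName"]}:x:{b["uid"]}:{b["gid"]}:{gecos}:{b["homeDirectory"]}:{shell}'


def mount_options(record):
    """mount(8) option words from the record's mount flags (nodev,nosuid,noexec order)."""
    flags = (("mountNoDevices", "nodev"), ("mountNoSuid", "nosuid"),
             ("mountNoExecute", "noexec"))
    return ",".join(opt for field, opt in flags if record.get(field))


def visible_record(record, caller_is_privileged):
    """View handed to a caller: "privileged" (hashes) only to root or the
    owning user; "secret" (plaintext credentials) is never handed out."""
    view = copy.deepcopy(record)
    view.pop("secret", None)
    if not caller_is_privileged:
        view.pop("privileged", None)
    return view


if __name__ == "__main__":
    rec = load_record(SAMPLE_JSON)
    print(to_passwd_line(rec, MACHINE_ID))
    print(mount_options(rec))
    print(sorted(visible_record(rec, False)))
```

Running the block prints the synthesized line test:x:60233:60232:Test User:/home/test:/bin/bash, the option string nodev,nosuid, and a key list without "privileged"; a record whose binding puts the UID outside the homed range is rejected before any passwd line is produced, which is the check a host should make before trusting a UID that arrived on removable media.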

source: opennet.ru
