Lennart Poettering
The home directory environment is delivered as a mountable image file whose data is encrypted. User credentials are tied to the home directory rather than to system settings - instead of /etc/passwd and /etc/shadow
The parameters may also include additional information such as SSH keys, biometric authentication data, an image, e-mail, address, time zone, language, process and memory limits, additional mount flags (nodev, noexec, nosuid), information about the IMAP/SMTP servers the user uses, information about enabling parental controls, backup options, etc. An API is provided for querying and parsing the parameters.
UID/GID assignment and handling is done dynamically on each local system to which the home directory is attached. With the proposed system, a user can carry their home directory with them, for example on a Flash drive, and get a working environment on any computer without explicitly creating an account on it (the presence of a home directory image file causes the user to be synthesized).
The LUKS2 subsystem is proposed for data encryption, but systemd-homed also allows other backends, for example unencrypted directories, Btrfs, fscrypt and CIFS network partitions. To manage portable directories, the homectl utility is proposed, which lets you create and activate home directory images, as well as resize them and set a password.
At the system level, operation is provided by the following components:
- systemd-homed.service - manages the home directory and embeds JSON records directly into home directory images;
- pam_systemd - processes parameters from the JSON profile when the user logs in and applies them in the context of the activated session (performs authentication, configures environment variables, etc.);
- systemd-logind.service - processes parameters from the JSON profile when the user logs in, applies the various resource management settings and sets limits;
- nss-systemd - an NSS module for glibc that synthesizes classic NSS records from the JSON profile, providing backward compatibility with the UNIX user handling API (/etc/passwd);
- PID 1 - dynamically creates users (synthesized by analogy with the use of the DynamicUser directive in units) and makes them visible to the rest of the system;
- systemd-userdbd.service - translates UNIX/glibc NSS accounts into JSON records and provides a unified Varlink API for querying and iterating over records.
The advantages of the proposed system include the ability to manage users when /etc is mounted read-only, no need to synchronize identifiers (UID/GID) between systems, independence of the user from a specific computer, locking of user data during sleep mode, and the use of encryption and modern authentication methods. systemd-homed is planned for inclusion in mainline systemd in release 244 or 245.
Example of a JSON user profile:
{
    "autoLogin" : true,
    "binding" : {
        "15e19cd24e004b949ddaac60c74aa165" : {
            "fileSystemType" : "ext4",
            "fileSystemUUID" : "758e88c8-5851-4a2a-b98f-e7474279c111",
            "gid" : 60232,
            "homeDirectory" : "/home/test",
            "imagePath" : "/home/test.home",
            "luksCipher" : "aes",
            "luksCipherMode" : "xts-plain64",
            "luksUUID" : "e63581ba-79fa-4226-b9de-1888393f7573",
            "luksVolumeKeySize" : 32,
            "partitionUUID" : "41f9ce04-c927-4b74-a981-c669f93eb4dc",
            "storage" : "luks",
            "uid" : 60233
        }
    },
    "disposition" : "regular",
    "enforcePasswordPolicy" : false,
    "lastChangeUSec" : 1565951024279735,
    "memberOf" : [
        "wheel"
    ],
    "privileged" : {
        "hashedPassword" : [
            "$6$WHBKvAFFT9jKPA4k$OPY4D5…/"
        ]
    },
    "signature" : [
        {
            "data" : "LU/HeVrPZSzi3M3J...==",
            "key" : "-----BEGIN PUBLIC KEY-----\nMCowBQADK2VwAy…=\n-----END PUBLIC KEY-----\n"
        }
    ],
    "userName" : "test",
    "status" : {
        "15e19cf24e004b949dfaac60c74aa165" : {
            "goodAuthenticationCounter" : 16,
            "lastGoodAuthenticationUSec" : 1566309343044322,
            "rateLimitBeginUSec" : 1566309342341723,
            "rateLimitCount" : 1,
            "state" : "inactive",
            "service" : "io.systemd.Home",
            "diskSize" : 161218667776,
            "diskCeiling" : 191371729408,
            "diskFloor" : 5242780,
            "signedLocally" : true
        }
    }
}
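An added example, not code from systemd or from the original article: a small audit over a user record of the kind shown above, flagging the settings a reviewer would want to look at. The sample record is constructed, the 256-bit threshold is an assumed policy, and luksVolumeKeySize is assumed to be given in bytes.

```python
import json

# Constructed sample record, trimmed to the fields the audit reads.
SAMPLE = json.loads("""
{
  "userName": "test",
  "autoLogin": true,
  "enforcePasswordPolicy": false,
  "binding": {
    "00000000000000000000000000000001": {
      "storage": "luks", "luksCipher": "aes",
      "luksCipherMode": "xts-plain64", "luksVolumeKeySize": 32
    }
  },
  "privileged": {"hashedPassword": ["$6$constructedsalt$constructedhash"]}
}
""")

WEAK_PREFIXES = ("$1$",)  # md5crypt; a hash with no "$" prefix is legacy DES crypt


def audit(record):
    """Return a list of findings for one user record (dict)."""
    findings = []
    if record.get("autoLogin"):
        findings.append("autoLogin is enabled")
    if record.get("enforcePasswordPolicy") is False:
        findings.append("password policy enforcement is disabled")
    if not record.get("signature"):
        findings.append("record carries no signature")
    for machine, b in record.get("binding", {}).items():
        if b.get("storage") != "luks":
            findings.append(f"{machine}: storage {b.get('storage')!r} is not LUKS2")
            continue
        bits = b.get("luksVolumeKeySize", 0) * 8  # assumption: size is in bytes
        if b.get("luksCipherMode", "").startswith("xts"):
            bits //= 2  # XTS splits the volume key into two equal halves
        if bits < 256:  # assumed policy threshold
            findings.append(f"{machine}: effective cipher key is {bits} bits")
    for h in record.get("privileged", {}).get("hashedPassword", []):
        if h.startswith(WEAK_PREFIXES) or not h.startswith("$"):
            findings.append("weak password hash scheme")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(f"{SAMPLE['userName']}: {line}")
```

With xts-plain64, a 32-byte volume key yields a 128-bit cipher key, which is why the sample record is reported even though its key size field reads 32.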
Source: opennet.ru