systemd-homed introduced for managing portable home directories

At the All Systems Go 2019 conference, Lennart Poettering presented (PDF) a new component of the system manager, systemd-homed, which aims to make user home directories portable and independent of system settings. The core idea of the project is to create self-contained user data areas that can be moved between different systems without worrying about identifier synchronisation or confidentiality.

The home directory area comes in the form of a mountable image file whose data is encrypted. User information is bound to the home directory rather than to system settings: instead of /etc/passwd and /etc/shadow there is a profile in JSON format, stored in ~/.identity. The profile contains the parameters needed for the user to work, including the user name, the password hash, encryption keys, quotas and allocated resources. The profile can be certified with a digital signature stored on an external Yubikey token.

The parameters may also include additional information such as SSH keys, biometric authentication data, a photo, e-mail, address, time zone, language, process and memory limits, additional mount flags (nodev, noexec, nosuid), information about the IMAP/SMTP servers in use, parental-control settings, backup options, etc. A Varlink-based API is provided for querying and parsing the parameters.

UID/GID allocation and handling are performed dynamically on each local system to which the home directory is attached. With the proposed scheme a user can carry their home directory with them, for example on a flash drive, and obtain a working environment on any computer without creating an account on it (the presence of the home directory image file is enough for the user to be brought into the system).

The LUKS2 subsystem is proposed for data encryption, but systemd-homed also allows other backends, for example unencrypted directories, Btrfs, Fscrypt and CIFS network shares. To manage portable directories the homectl utility is proposed, which allows you to create and activate home directory images, resize them and set a password.

At the system level, operation is provided by the following components:

  • systemd-homed.service - manages home directories and embeds the JSON records directly into the home directory images;
  • pam_systemd - processes the parameters from the JSON profile when the user logs in and applies them in the context of the activated session (performs authentication, sets environment variables, etc.);
  • systemd-logind.service - processes the parameters from the JSON profile when the user logs in, applies the settings for managing various resources and sets limits;
  • nss-systemd - NSS module for glibc, synthesises classic NSS records from the JSON profile, providing backward compatibility with the UNIX user-lookup API (/etc/passwd);
  • PID 1 - creates users dynamically (by analogy with the DynamicUser directive in units) and makes them visible to the whole system;
  • systemd-userdbd.service - translates UNIX/glibc NSS accounts into JSON records and provides a unified Varlink API for querying and iterating over records.

The advantages of the proposed system include the ability to manage users when /etc is mounted read-only, no need to synchronise identifiers (UID/GID) between systems, user independence from a particular computer, locking of user data during sleep mode, and the use of modern encryption and authentication methods. systemd-homed is planned for inclusion in mainline systemd in release 244 or 245.

Example of a JSON user profile:

    {
        "autoLogin" : true,
        "binding" : {
            "15e19cd24e004b949ddaac60c74aa165" : {
                "fileSystemType" : "ext4",
                "fileSystemUUID" : "758e88c8-5851-4a2a-b98f-e7474279c111",
                "gid" : 60232,
                "homeDirectory" : "/home/test",
                "imagePath" : "/home/test.home",
                "luksCipher" : "aes",
                "luksCipherMode" : "xts-plain64",
                "luksUUID" : "e63581ba-79fa-4226-b9de-1888393f7573",
                "luksVolumeKeySize" : 32,
                "partitionUUID" : "41f9ce04-c927-4b74-a981-c669f93eb4dc",
                "storage" : "luks",
                "uid" : 60233
            }
        },
        "disposition" : "regular",
        "enforcePasswordPolicy" : false,
        "lastChangeUSec" : 1565951024279735,
        "memberOf" : [
            "wheel"
        ],
        "privileged" : {
            "hashedPassword" : [
                "$6$WHBKvAFFT9jKPA4k$OPY4D5…/"
            ]
        },
        "signature" : [
            {
                "data" : "LU/HeVrPZSzi3M3J...==",
                "key" : "-----BEGIN PUBLIC KEY-----\nMCowBQADK2VwAy…=\n-----END PUBLIC KEY-----\n"
            }
        ],
        "userName" : "test",
        "status" : {
            "15e19cf24e004b949dfaac60c74aa165" : {
                "goodAuthenticationCounter" : 16,
                "lastGoodAuthenticationUSec" : 1566309343044322,
                "rateLimitBeginUSec" : 1566309342341723,
                "rateLimitCount" : 1,
                "state" : "inactive",
                "service" : "io.systemd.Home",
                "diskSize" : 161218667776,
                "diskCeiling" : 191371729408,
                "diskFloor" : 5242780,
                "signedLocally" : true
            }
        }
    }
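As an added example (not code from the article or from the systemd project), the following Python checker shows how a record in this format is resolved against the local machine ID and what a defender would flag before activating such a home: the sample record, the accepted hash-scheme list and the policy checks are constructed for this example and are not systemd-homed's own rules.

```python
import json

# Constructed sample record, modelled on the profile shown above (values abridged).
SAMPLE_RECORD = json.dumps({
    "userName": "test",
    "disposition": "regular",
    "binding": {
        "15e19cd24e004b949ddaac60c74aa165": {
            "storage": "luks", "fileSystemType": "ext4",
            "homeDirectory": "/home/test", "imagePath": "/home/test.home",
            "uid": 60233, "gid": 60232,
        }
    },
    "privileged": {"hashedPassword": ["$6$WHBKvAFFT9jKPA4k$OPY4D5.../"]},
    "status": {"15e19cd24e004b949ddaac60c74aa165": {"state": "inactive", "signedLocally": True}},
})

# crypt(3) prefixes this example accepts as modern hashes (assumed local policy, not a homed rule).
ACCEPTED_HASH_PREFIXES = ("$6$", "$y$", "$7$", "$2b$")


def load_record(text):
    """Parse a JSON user record and reject anything that is not a named record object."""
    record = json.loads(text)
    if not isinstance(record, dict) or "userName" not in record:
        raise ValueError("not a user record")
    return record


def resolve_binding(record, machine_id):
    """Return (uid, gid, home, storage) bound to this machine, or None if the record is unbound here."""
    binding = record.get("binding", {}).get(machine_id)
    if binding is None:
        return None
    return binding["uid"], binding["gid"], binding["homeDirectory"], binding["storage"]


def find_problems(record):
    """Return the settings a local policy would flag before activating the home directory."""
    problems = []
    for entry in record.get("privileged", {}).get("hashedPassword", []):
        if not entry.startswith(ACCEPTED_HASH_PREFIXES):
            problems.append("password hash does not use an accepted scheme")
    for mid, binding in record.get("binding", {}).items():
        if binding.get("storage") != "luks":
            problems.append(f"binding {mid}: not using the recommended LUKS backend")
        if binding.get("uid") == 0 or binding.get("gid") == 0:
            problems.append(f"binding {mid}: record binds to the root UID/GID")
        if mid not in record.get("status", {}):
            problems.append(f"binding {mid}: no status entry for this machine")
    return problems
```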

Source: opennet.ru
