Secure Files/Directories using ACLs (Access Control Lists) in Linux
As system administrators, our first priority is to protect and secure data from unauthorized access. We are all aware of the permissions that we set using helpful Linux commands like chmod, chown, chgrp… etc. However, these default permission sets have limitations and sometimes may not work as we need. For example, we cannot set up different permission sets for different users on the same directory or file. Thus, Access Control Lists (ACLs) were implemented.
Let's say you have three users, 'tecmint1', 'tecmint2' and 'tecmint3'. Each has a common group, say 'acl'. User 'tecmint1' wants only user 'tecmint2' to be able to read and access files owned by 'tecmint1', and no one else should have any access to them.
ACLs (Access Control Lists) allow us to do exactly this. They let us grant permissions to a user, to a group, and to any group of users that are not in the group list of a user.
Note: According to the Redhat Product Documentation, it provides ACL support for the ext3 file system and NFS-exported file systems.
How to Check ACL Support in Linux Systems
Before moving ahead, you should have support for ACLs in the current kernel and on the mounted file systems.
Run the following command to check ACL support for the file systems and the POSIX_ACL=Y option (if there is N instead of Y, the kernel does not support ACLs and needs to be recompiled).
    grep -i acl /boot/config*
    CONFIG_EXT4_FS_POSIX_ACL=y
    CONFIG_REISERFS_FS_POSIX_ACL=y
    CONFIG_JFS_POSIX_ACL=y
    CONFIG_XFS_POSIX_ACL=y
    CONFIG_BTRFS_FS_POSIX_ACL=y
    CONFIG_FS_POSIX_ACL=y
    CONFIG_GENERIC_ACL=y
    CONFIG_TMPFS_POSIX_ACL=y
    CONFIG_NFS_V3_ACL=y
    CONFIG_NFSD_V2_ACL=y
    CONFIG_NFSD_V3_ACL=y
    CONFIG_NFS_ACL_SUPPORT=m
    CONFIG_CIFS_ACL=y
    CONFIG_9P_FS_POSIX_ACL=y
Before starting to work with ACLs, make sure that the required packages are installed. Below are the required packages, which need to be installed using yum or apt-get.
    yum install nfs4-acl-tools acl libacl    [on RedHat based systems]

    mount | grep -i root
    /dev/mapper/fedora-root on / type ext4 (rw,relatime,data=ordered)
In our case, however, the mount output does not show acl by default. So the next option is to remount the mounted partition using the acl option. Before moving ahead, though, there is another way to check whether the partition is mounted with the acl option, because on recent systems it may already be included in the default mount options.
    tune2fs -l /dev/mapper/fedora-root | grep acl
    Default mount options:    user_xattr acl
In the output above, you can see that the default mount options already include support for acl. Another option is to remount the partition as shown below.
    mount -o remount,acl /
Next, add the entry below to the '/etc/fstab' file to make it permanent.
    /dev/mapper/fedora-root    /    ext4    defaults,acl    1 1
Again, remount the partition.
    mount -o remount /
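The check walked through above, as an added example that is not part of the original article: it classifies a file system's ACL state from its active mount options and the tune2fs "Default mount options" line. The function names and result labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide whether POSIX ACLs are active on an ext file system.
# acl_state and acl_state_for are names made up for this example.

# acl_state MOUNT_OPTS TUNE2FS_LINE
#   MOUNT_OPTS    comma-separated active options, e.g. "rw,relatime,data=ordered"
#   TUNE2FS_LINE  the "Default mount options:" line printed by tune2fs -l
# Prints one of: disabled | mount-option | superblock-default | not-enabled
acl_state() {
  opts=",$1,"
  # Drop the "Default mount options:" label and squeeze runs of whitespace.
  defaults=" $(printf '%s' "${2#*:}" | tr -s '[:space:]' ' ') "
  case "$opts" in
    *,noacl,*) echo "disabled"; return 0 ;;      # an explicit noacl wins
    *,acl,*)   echo "mount-option"; return 0 ;;  # acl given in fstab or on remount
  esac
  case "$defaults" in
    *" acl "*) echo "superblock-default" ;;      # enabled through the default mount options
    *)         echo "not-enabled" ;;             # candidate for mount -o remount,acl
  esac
}

# acl_state_for MOUNTPOINT: collect both inputs from the live system.
# Needs root for tune2fs and only applies to ext2/ext3/ext4 file systems.
acl_state_for() {
  dev=$(findmnt -n -o SOURCE "$1") || return 1
  mopts=$(findmnt -n -o OPTIONS "$1") || return 1
  line=$(tune2fs -l "$dev" 2>/dev/null | grep -i '^Default mount options' || true)
  acl_state "$mopts" "$line"
}
```

Fed the mount and tune2fs output shown on this page, acl_state reports superblock-default, which is why acl is missing from the mount output even though ACLs work.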
On an NFS server, if the file system exported by the NFS server supports ACLs and the ACLs can be read by NFS clients, then the ACLs are used by the client system.
To disable ACLs on an NFS share, you have to add the 'no_acl' option in the '/etc/exportfs' file on the NFS server. To disable it on the NFS client side, again use the no_acl option at mount time.
How to Implement ACL Support in Linux Systems
There are two types of ACLs:
- Access ACLs: Access ACLs are used for granting permissions on any file or directory.
- Default ACLs: Default ACLs are used for granting/setting an access control list on a specific directory only.
Difference between Access ACL and Default ACL:
- A default ACL can be used only at directory level.
- Any subdirectory or file created within that directory inherits the ACLs from its parent directory. A file, on the other hand, inherits the default ACLs as its access ACLs.
- We use '-d' to set default ACLs, and default ACLs are optional.
To determine the default ACLs for a specific file or directory, use the 'getfacl' command. In the example below, getfacl is used to get the default ACLs for the folder 'Music'.
    getfacl Music/
    # file: Music/
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:group::r-x
    default:other::rw-
To set the default ACLs for a specific file or directory, use the 'setfacl' command. In the example below, the setfacl command sets new ACLs (read and execute) on the folder 'Music'.
    setfacl -m d:o:rx Music/
    getfacl Music/
    # file: Music/
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:group::r-x
    default:other::r-x
Use the 'setfacl' command to set or modify the ACL on any file or directory. For example, to give read and write permissions to user 'tecmint1':
    # setfacl -m u:tecmint1:rw /tecmint1/example
Use the 'getfacl' command to view the ACL on any file or directory. For example, to view the ACL on '/tecmint1/example', use the command below.
    # getfacl /tecmint1/example
    # file: tecmint1/example/
    # owner: tecmint1
    # group: tecmint1
    user::rwx
    user:tecmint1:rwx
    user:tecmint2:r--
    group::rwx
    mask::rwx
    other::---
To remove an ACL from any file/directory, we use the x and b options as shown below.
    # setfacl -x ACL file/directory    # remove only the specified ACL from the file/directory
    # setfacl -b file/directory        # remove all ACLs from the file/directory
Let us implement ACLs in the following scenario.
Two users (tecmint1 and tecmint2) both have a common secondary group named 'acl'. We will create one directory owned by 'tecmint1' and grant read and execute permission on that directory to user 'tecmint2'.
Step 1: Create two users and remove the password from both
    for user in tecmint1 tecmint2
    > do
    > useradd $user
    > passwd -d $user
    > done
    Removing password for user tecmint1.
    passwd: Success
    Removing password for user tecmint2.
    passwd: Success
Step 2: Create a group and add the users to it as a secondary group.
    groupadd acl
    usermod -G acl tecmint1
    usermod -G acl tecmint2
Step 3: Create the directory /tecmint1 and change its ownership to tecmint1.
    mkdir /tecmint1
    chown tecmint1 /tecmint1/

    ls -ld /tecmint1/
    drwxr-xr-x 2 tecmint1 root 4096 Apr 17 14:46 /tecmint1/

    getfacl /tecmint1
    getfacl: Removing leading '/' from absolute path names
    # file: tecmint1
    # owner: tecmint1
    # group: root
    user::rwx
    group::r-x
    other::r-x
Step 4: Log in as tecmint1 and create a directory in the /tecmint1 folder.
    $ su - tecmint1
    Last login: Thu Apr 17 14:49:16 IST 2014 on pts/4

    $ cd /tecmint1/
    $ mkdir example

    $ ll
    total 4
    drwxrwxr-x 2 tecmint1 tecmint1 4096 Apr 17 14:50 example

    $ whoami
    tecmint1
Step 5: Now set the ACL using 'setfacl', so that 'tecmint1' has all rwx permissions, 'tecmint2' has only read permission on the 'example' folder, and others have no permissions.
    $ setfacl -m u:tecmint1:rwx example/
    $ setfacl -m u:tecmint2:r-- example/
    $ setfacl -m other:--- example/
    $ getfacl example/
    # file: example
    # owner: tecmint1
    # group: tecmint1
    user::rwx
    user:tecmint1:rwx
    user:tecmint2:r--
    group::r-x
    mask::rwx
    other::---
Step 6: Now log in as the other user, i.e. 'tecmint2', on another terminal and change directory to '/tecmint1'. Try to view the contents using the 'ls' command, then try to change into the directory, and see the difference as shown below.
    $ su - tecmint2
    Last login: Thu Apr 17 15:03:31 IST 2014 on pts/5

    $ cd /tecmint1/
    $ ls -lR example/
    example/:
    total 0

    $ cd example/
    -bash: cd: example/: Permission denied

    $ getfacl example/
    # file: example
    # owner: tecmint1
    # group: tecmint1
    user::rwx
    user:tecmint1:rwx
    user:tecmint2:r--
    group::rwx
    mask::rwx
    other::---
Step 7: Now give 'execute' permission to 'tecmint2' on the 'example' folder and then use the 'cd' command to see the effect. 'tecmint2' now has permission to view and change into the directory, but does not have permission to write anything.
    $ setfacl -m u:tecmint2:r-x example/
    $ getfacl example/
    # file: example
    # owner: tecmint1
    # group: tecmint1
    user::rwx
    user:tecmint1:rwx
    user:tecmint2:r-x
    group::rwx
    mask::rwx
    other::---

    $ su - tecmint2
    Last login: Thu Apr 17 15:09:49 IST 2014 on pts/5

    $ cd /tecmint1/
    $ cd example/
    $ getfacl .

    $ mkdir test
    mkdir: cannot create directory ‘test’: Permission denied

    $ touch test
    touch: cannot touch ‘test’: Permission denied
Note: After implementing an ACL, you will see an extra '+' sign in the 'ls -l' output, as shown below.
    ll
    total 4
    drwxrwx---+ 2 tecmint1 tecmint1 4096 Apr 17 17:01 example
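As an added example (not part of the original article), the script below reads getfacl output and reports what each named user and group entry is effectively allowed once the mask:: entry is applied, then lists the entries that end up with write access. It goes slightly beyond the walkthrough by using the mask entry that appears in the outputs above; the sample ACL is the one shown after Step 7, and the function names effective_acl and writers are assumptions of this example.

```shell
#!/bin/sh
# Added example: effective rights from getfacl text (entry AND mask).

# Constructed sample: the ACL shown after Step 7 on this page.
SAMPLE_ACL='# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r-x
group::rwx
mask::rwx
other::---'

# effective_acl: getfacl output on stdin, "type:name:perms" on stdout for
# every entry limited by the mask (named users, owning group, named groups).
# The file owner (user::) and other:: are not limited by the mask.
effective_acl() {
  awk -F: '
    /^#/ || NF < 3 { next }          # comments and blank lines
    /^default:/    { next }          # default entries only seed new files
    $1 == "mask"   { mask = $3; next }
    ($1 == "user" && $2 != "") || $1 == "group" { n++; t[n] = $1; q[n] = $2; p[n] = $3 }
    END {
      for (i = 1; i <= n; i++) {
        eff = ""
        for (k = 1; k <= 3; k++) {
          c = substr(p[i], k, 1)
          if (mask != "" && substr(mask, k, 1) == "-") c = "-"
          eff = eff c
        }
        print t[i] ":" q[i] ":" eff
      }
    }'
}

# writers: entries that still have write access after masking.
writers() {
  effective_acl | awk -F: 'substr($3, 2, 1) == "w" { print $1 ":" $2 }'
}

printf '%s\n' "$SAMPLE_ACL" | effective_acl
```

On a live system, pipe `getfacl -R /tecmint1` through `writers` to review who can modify files under the directory; a bare `group:` line refers to the owning group.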