Securing Files/Directories using ACLs (Access Control Lists) in Linux

As system administrators, our first priority is to protect and secure data from unauthorized access. We are all aware of the permissions we set using helpful Linux commands such as chmod, chown, chgrp and so on. However, these basic permission sets have limitations and sometimes do not meet our requirements. For example, we cannot set different permission sets for different users on the same directory or file. This is why Access Control Lists (ACLs) were implemented.

Let's say you have three users, 'tecmint1', 'tecmint2' and 'tecmint3'. Each has a common group, say 'acl'. User 'tecmint1' wants only user 'tecmint2' to be able to read and access files owned by 'tecmint1', and nobody else should be able to access them.

ACLs (Access Control Lists) let us do exactly this. They let us grant permissions to a user, to a group, and to any group of users who are not in the user's group list.

Note: As per the Red Hat product documentation, ACL support is provided for the ext3 filesystem and for NFS-exported filesystems.

How to Check ACL Support in Linux Systems

Before proceeding, you should have ACL support on the current kernel and on the mounted filesystem.

Run the following command to check ACL support for the filesystems and the POSIX_ACL=Y option (if there is N instead of Y, the kernel does not support ACLs and needs to be recompiled).

 grep -i acl /boot/config*

CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y

Before starting to work with ACLs, make sure the required packages are installed. Below are the packages that need to be installed using yum or apt-get.

 yum install nfs4-acl-tools acl libacl		[on RedHat based systems]

Now check whether the root partition is mounted with the acl option:

 mount | grep -i root

/dev/mapper/fedora-root on / type ext4 (rw,relatime,data=ordered)

But in our case it does not show acl by default. So we have the option to remount the mounted partition with the acl option. Before proceeding, though, there is another way to confirm whether the partition is mounted with the acl option or not, because on recent systems it may already be included in the default mount options.

 tune2fs -l /dev/mapper/fedora-root | grep acl

Default mount options:    user_xattr acl

In the output above, you can see that the default mount options already support acl. The other option is to remount the partition as shown below.

 mount -o remount,acl /

Next, add the entry below to the '/etc/fstab' file to make it permanent.

/dev/mapper/fedora-root /	ext4    defaults,acl 1 1

Then remount the partition.

 mount -o remount  /

On an NFS server, if the filesystem being exported by the NFS server supports ACLs and the ACLs can be read by NFS clients, then the ACLs are used by the client system.

To disable ACLs on an NFS share, you must add the no_acl option in the '/etc/exports' file on the NFS server. To disable them on the NFS client side, again use the no_acl option at mount time.

How to Implement ACL Support in Linux Systems

There are two types of ACLs:

  1. Access ACLs: Access ACLs are used to grant permissions on any file or directory.
  2. Default ACLs: Default ACLs are used to grant/set access control lists on a specific directory only.

Difference between Access ACLs and Default ACLs:

  1. Default ACLs can be used at the directory level only.
  2. Any subdirectory or file created within that directory inherits the ACLs from its parent directory. A file, on the other hand, inherits the default ACLs as its access ACLs.
  3. We use the -d option to set default ACLs, and default ACLs are optional.

To identify the default ACLs of a specific file or directory, use the 'getfacl' command. In the example below, getfacl is used to get the default ACLs of the 'Music' folder.

 getfacl Music/

# file: Music/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::rw-

To set default ACLs on a specific file or directory, use the 'setfacl' command. In the example below, the setfacl command sets a new default ACL (read and execute for others) on the 'Music' folder.

 setfacl -m d:o:rx Music/
 getfacl Music/

# file: Music/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

Use the 'setfacl' command to set or modify ACLs on any file or directory. For example, to give read and write permission to user 'tecmint1':

# setfacl -m u:tecmint1:rw /tecmint1/example

Use the 'getfacl' command to view the ACL on any file or directory. For example, to view the ACL on '/tecmint1/example' use the command below.

# getfacl /tecmint1/example

# file: tecmint1/example/
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r--
group::rwx
mask::rwx
other::---

To remove ACLs from any file/directory, we use the x and b options as shown below.

# setfacl -x ACL file/directory  	# remove only the specified ACL entry from the file/directory

# setfacl -b  file/directory   		# remove all ACL entries from the file/directory

Let's implement ACLs in the following scenario.

Two users (tecmint1 and tecmint2) both have a common secondary group named 'acl'. We will create a directory owned by 'tecmint1' and give read and execute permission on that directory to user 'tecmint2'.

Step 1: Create two users and remove the password from both

 for user in tecmint1 tecmint2
> do
> useradd $user
> passwd -d $user
> done
Removing password for user tecmint1.
passwd: Success
Removing password for user tecmint2.
passwd: Success

Step 2: Create a group and add the users to it as a secondary group.

 groupadd acl
 usermod -G acl tecmint1
 usermod -G acl tecmint2

Step 3: Create the directory /tecmint1 and change its ownership to tecmint1.

 mkdir /tecmint1
 chown tecmint1 /tecmint1/
 ls -ld /tecmint1/

drwxr-xr-x 2 tecmint1 root 4096 Apr 17 14:46 /tecmint1/

 getfacl /tecmint1

getfacl: Removing leading '/' from absolute path names
# file: tecmint1
# owner: tecmint1
# group: root
user::rwx
group::r-x
other::r-x

Step 4: Log in as tecmint1 and create a directory in the /tecmint1 folder.

[root@host ~]$ su - tecmint1

Last login: Thu Apr 17 14:49:16 IST 2014 on pts/4
[tecmint1@host ~]$ cd /tecmint1/
[tecmint1@host tecmint1]$ mkdir example
[tecmint1@host tecmint1]$ ll

total 4
drwxrwxr-x 2 tecmint1 tecmint1 4096 Apr 17 14:50 example
[tecmint1@host tecmint1]$ whoami
tecmint1

Step 5: Now set the ACL using 'setfacl', so that 'tecmint1' gets full rwx permission, 'tecmint2' gets read permission only on the 'example' folder, and others get no permission at all.

$ setfacl -m u:tecmint1:rwx example/
$ setfacl -m u:tecmint2:r-- example/
$ setfacl -m  other:--- example/
$ getfacl example/

# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r--
group::r-x
mask::rwx
other::---

Step 6: Now log in as the other user, 'tecmint2', on another terminal and change directory to '/tecmint1'. Try to view the contents using the 'ls' command, then try to change into the directory, and see the difference as below.

[root@host ~]$ su - tecmint2

Last login: Thu Apr 17 15:03:31 IST 2014 on pts/5
[tecmint2@host ~]$ cd /tecmint1/
[tecmint2@host tecmint1]$ ls -lR example/
example/:
total 0
[tecmint2@host tecmint1]$ cd example/

-bash: cd: example/: Permission denied
[tecmint2@host tecmint1]$ getfacl example/

# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r--
group::rwx
mask::rwx
other::---

Step 7: Now give 'execute' permission to 'tecmint2' on the 'example' folder and use the 'cd' command to see the effect. Now 'tecmint2' has permission to list and change into the directory, but no permission to write anything.

[tecmint1@host tecmint1]$ setfacl -m u:tecmint2:r-x example/
[tecmint1@host tecmint1]$ getfacl example/

# file: example
# owner: tecmint1
# group: tecmint1
user::rwx
user:tecmint1:rwx
user:tecmint2:r-x
group::rwx
mask::rwx
other::---
[root@host ~]$ su - tecmint2

Last login: Thu Apr 17 15:09:49 IST 2014 on pts/5
[tecmint2@host ~]$ cd /tecmint1/
[tecmint2@host tecmint1]$ cd example/
[tecmint2@host example]$ getfacl .
[tecmint2@host example]$ mkdir test

mkdir: cannot create directory ‘test’: Permission denied
[tecmint2@host example]$ touch test

touch: cannot touch ‘test’: Permission denied
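To make the rules behind Steps 5 to 7 explicit, and the inheritance rule from the "Access ACLs vs Default ACLs" section above, here is an added Python model. It is my own illustration, not code from this article or from the acl package: it parses getfacl output, applies the mask entry, decides access in POSIX order (owner, named user, groups, other) and computes the access ACL a new file or directory inherits from a default ACL. The getfacl texts are constructed from this article's own outputs for 'example' and 'Music'; the group memberships, the user 'bob', the `check` and `inherited_mode` helpers and the mask override parameter are assumptions of the example.

```python
"""POSIX ACL model: parse getfacl output, apply the mask, decide access in
POSIX order, and derive what a new object inherits from a default ACL.
Added illustration for this article, not the page's or the acl package's
code. getfacl texts are constructed from the article's examples; group
memberships, the user 'bob' and the mask override are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

PERM_BITS = (("r", 4), ("w", 2), ("x", 1))

def perm_to_int(perm: str) -> int:           # 'r-x' -> 5
    return sum(b for c, b in PERM_BITS if c in perm)

def int_to_perm(bits: int) -> str:           # 5 -> 'r-x'
    return "".join(c if bits & b else "-" for c, b in PERM_BITS)

@dataclass
class Acl:
    user_obj: int = 0          # user::   (the owner)
    group_obj: int = 0         # group::  (the owning group)
    other: int = 0             # other::
    mask: int | None = None    # mask::   (present once named entries exist)
    users: dict = field(default_factory=dict)   # user:NAME:
    groups: dict = field(default_factory=dict)  # group:NAME:

def parse_getfacl(text: str) -> tuple[Acl, Acl | None]:
    """Split getfacl output into (access ACL, default ACL or None)."""
    access, default = Acl(), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):     # '# file:', '# owner:', ...
            continue
        target = access
        if line.startswith("default:"):
            line, default = line[len("default:"):], default or Acl()
            target = default
        tag, qualifier, perm = line.split(":")
        if qualifier:                            # user:NAME: / group:NAME:
            getattr(target, tag + "s")[qualifier] = perm_to_int(perm)
        elif tag in ("user", "group"):           # user:: / group::
            setattr(target, tag + "_obj", perm_to_int(perm))
        else:                                    # mask:: / other::
            setattr(target, tag, perm_to_int(perm))
    return access, default

def allowed(acl: Acl, user: str, owner: str, owner_group: str,
            user_groups: set, requested: str) -> bool:
    """POSIX order: owner entry, named user, owning/named groups the caller is
    in, other. The mask caps all entries except user:: and other::, and one
    group entry on its own must grant every requested bit."""
    want = perm_to_int(requested)
    mask = 7 if acl.mask is None else acl.mask
    if user == owner:
        return acl.user_obj & want == want
    if user in acl.users:
        return acl.users[user] & mask & want == want
    groups = [bits for g, bits in acl.groups.items() if g in user_groups]
    if owner_group in user_groups:
        groups.append(acl.group_obj)
    if groups:
        return any(bits & mask & want == want for bits in groups)
    return acl.other & want == want

def inherit(default: Acl, is_dir: bool) -> Acl:
    """Access ACL a new object gets from a default ACL (acl(5)): entries are
    copied, then user::, mask:: (group:: if no mask) and other:: are ANDed
    with the creating mode, 0777 for a directory, 0666 for a file, so files
    never inherit execute; the umask is not applied when a default ACL exists."""
    u, g, o = (7, 7, 7) if is_dir else (6, 6, 6)
    new = Acl(default.user_obj & u, default.group_obj, default.other & o,
              default.mask, dict(default.users), dict(default.groups))
    if new.mask is None:
        new.group_obj &= g
    else:
        new.mask &= g
    return new

# Constructed from the article's getfacl outputs: Steps 5/7 ('example') and 'Music'.
STEP5 = """# file: example
user::rwx
user:tecmint1:rwx
user:tecmint2:r--
group::r-x
mask::rwx
other::---
"""
STEP7 = STEP5.replace("user:tecmint2:r--", "user:tecmint2:r-x")
MUSIC = "user::rwx\ngroup::r-x\nother::r-x\ndefault:user::rwx\ndefault:group::r-x\ndefault:other::r-x\n"
GROUPS = {"tecmint1": {"tecmint1", "acl"}, "tecmint2": {"tecmint2", "acl"}, "bob": {"bob"}}  # assumed

def check(acl_text: str, user: str, requested: str, mask: str | None = None) -> bool:
    """Does `user` get `requested` on 'example'? `mask` acts like 'setfacl -m m::r--'."""
    acl, _ = parse_getfacl(acl_text)
    if mask is not None:
        acl.mask = perm_to_int(mask)
    return allowed(acl, user, "tecmint1", "tecmint1", GROUPS[user], requested)

def inherited_mode(is_dir: bool) -> str:
    """user/group/other triple a new object under Music/ gets from the default ACL."""
    _, default = parse_getfacl(MUSIC)
    n = inherit(default, is_dir)
    return " ".join(int_to_perm(b) for b in (n.user_obj, n.group_obj, n.other))
```

`check(STEP5, "tecmint2", "x")` is False, which is exactly the "Permission denied" tecmint2 hits on `cd example/` in Step 6, while after Step 7 `check(STEP7, "tecmint2", "x")` is True and `check(STEP7, "tecmint2", "w")` stays False (the failed mkdir and touch). Passing `mask="r--"` shows why the mask entry matters when reviewing ACLs: a named user entry of r-x is silently capped to r--, so the `+` in `ls -l` output alone never tells you what a user can actually do. `inherited_mode(False)` returns `rw- r-- r--`, the effect of the "a file inherits the default ACLs as its access ACLs" rule.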

Note: After implementing ACLs, you will see an extra '+' sign in the output of 'ls -l', as below.

 ll

total 4
drwxrwx---+ 2 tecmint1 tecmint1 4096 Apr 17 17:01 example
