Difference between revisions of "Access Control Lists (Русский)"

From ArchWiki

Revision as of 10:38, 8 December 2009



Introduction

Access Control Lists provide an extended and more flexible mechanism for assigning file system permissions. They are intended to extend the standard UNIX file permissions. ACLs allow permissions to be granted to any user or group on any file system object.

Installation

ACL is available from the /core repository:

# pacman -S acl

Configuration

Enabling ACL

To enable ACL, edit the /etc/fstab file and add the acl option to the options field of the partition on which you want to use ACL:

# 
# /etc/fstab: static file system information
#
# <file system>        <dir>         <type>    <options>          <dump> <pass>
none                   /dev/pts      devpts    defaults            0      0
none                   /dev/shm      tmpfs     defaults            0      0

/dev/cdrom /media/cdrom   auto    ro,user,noauto,unhide   0      0
/dev/dvd /media/dvd   auto    ro,user,noauto,unhide   0      0
UUID=5de01fca-7c63-49b0-9b2b-8b1790f8428e swap swap defaults 0 0
UUID=822dd720-e35f-424c-b012-2c84b4aa265a /data reiserfs defaults 0 1
UUID=8e5259dd-26fc-411a-88e2-f38d4dc36724 /home reiserfs defaults,acl 0 1
UUID=c18f753e-0039-49bd-930f-587d48b7e083 / reiserfs defaults 0 1
UUID=f64bfc77-7958-49c5-a244-1fa2517d676f /tmp reiserfs defaults 0 1

Save the file and remount the partition:

# mount -o remount /home

Setting ACL permissions

To modify an ACL, use the setfacl command. To add permissions, use setfacl -m.

Add permissions for a user:

# setfacl -m "u:username:permissions"

or

# setfacl -m "u:uid:permissions"

Add permissions for a group:

# setfacl -m "g:groupname:permissions"

or

# setfacl -m "g:gid:permissions"

Remove all extended ACL entries:

# setfacl -b

Remove a specific entry:

# setfacl -x "entry"

To check permissions use:

# getfacl filename

Examples

Give user johny full permissions on the file named "abc":

# setfacl -m "u:johny:rwx" abc

Check the permissions:

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:rwx
group::r--
mask::rwx
other::r--

Change permissions for user johny:

# setfacl -m "u:johny:r-x" abc

Check the permissions:

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
user:johny:r-x
group::r--
mask::r-x
other::r--

Remove all extended ACL entries:

# setfacl -b abc

Check the permissions:

# getfacl abc
# file: abc
# owner: someone
# group: someone
user::rw-
group::r--
other::r--

Output of ls

You will notice that a given file has an ACL because a + (plus sign) appears after its Unix permissions in the output of ls -l.

$ ls -l /dev/audio 
crw-rw----+ 1 root audio 14, 4 nov.   9 12:49 /dev/audio

$ getfacl /dev/audio
getfacl: Removing leading '/' from absolute path names
# file: dev/audio
# owner: root
# group: audio
user::rw-
user:solstice:rw-
group::rw-
mask::rw-
other::---

Improving web server security

You can now grant permissions on your home directory and/or site directory only to the nobody user, rather than to everyone else (the "whole world"), to improve security.

Go to the home directory:

# cd /home

Add the +x permission for the nobody user on your home directory via ACL:

# setfacl -m "u:nobody:--x" homeusername/

Now you can remove the rx permissions for everyone else:

# chmod o-rx homeusername/

Check the changes:

# file: username/
# owner: username
# group: users
user::rwx
user:nobody:--x
group::r-x
mask::r-x
other::---

As you can see, others have no permissions at all, but the nobody user has the "x" permission, so it can traverse the user's directory and the web server can serve the user's pages from their home directory, provided the web server runs as the nobody user. Everyone else except nobody has no permissions.
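The getfacl listings above show the mask entry changing alongside johny's entry, and the nobody entry granting only --x. The mask caps every named-user, named-group and owning-group entry, so an entry can show more than a process actually gets. The following added script (not part of the wiki article) reads getfacl-style text and prints the effective permission next to each entry; the sample ACL it feeds in is constructed here from the "abc" example with the mask tightened to r-x.

```shell
#!/bin/sh
# Added example (not from the wiki): compute the effective permission of each
# ACL entry from getfacl-style text. The mask entry caps the named-user,
# named-group and owning-group entries; the owner (user::) and other entries
# are never masked. Reads ACL text on stdin, prints "<entry> <effective>".
effective_perms() {
    awk -F: '
    /^#/ { next }                       # skip the "# file:" style header lines
    { sub(/[ \t]*#.*$/, "") }           # drop trailing "#effective:" comments
    NF < 3 { next }                     # skip blank or malformed lines
    { entries[++n] = $0 }
    $1 == "mask" { mask = $3 }          # remember the mask for the END block
    END {
        for (i = 1; i <= n; i++) {
            split(entries[i], f, ":")
            type = f[1]; name = f[2]; perm = f[3]
            # masked: named user/group (name set) or the owning group entry
            masked = (mask != "" && (name != "" || type == "group"))
            eff = perm
            if (masked) {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(perm, j, 1)
                    eff = eff ((c != "-" && c == substr(mask, j, 1)) ? c : "-")
                }
            }
            printf "%s %s\n", entries[i], eff
        }
    }'
}

# Constructed sample (not real getfacl output): the "abc" file from the wiki
# after the mask was tightened to r-x while johny still holds rwx.
sample_acl() {
    printf '%s\n' \
        '# file: abc' '# owner: someone' '# group: someone' \
        'user::rw-' 'user:johny:rwx' 'group::r--' 'mask::r-x' 'other::r--'
}

sample_acl | effective_perms
```

Real getfacl marks such capped entries with a trailing #effective: comment, which the parser strips before comparing.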

Additional resources

  • Man Page - man getfacl
  • Man Page - man setfacl