|
58 | 58 | \pdfbookmark[1]{file access rights}{fsaccessrights} |
59 | 59 |
|
60 | 60 | \begin{slide} |
61 | | -\sltitle{P��stupov� pr�va} |
| 61 | +\sltitle{Access rights} |
62 | 62 | \begin{center} |
63 | 63 | \input{img/tex/prava.tex} |
64 | 64 | \end{center} |
65 | 65 | \begin{itemize} |
66 | | -\item \emsl{SGID} pro soubor bez pr�va spu�t�n� pro skupinu v System |
67 | | -V: kontrola z�mk� p�i ka�d�m p��stupu (\emsl{mandatory locking}) |
68 | | -\item \emsl{sticky bit} pro adres��e: pr�vo mazat a p�ejmenov�vat |
69 | | -soubory maj� jen vlastn�ci soubor� |
70 | | -\item \emsl{SGID} pro adres��: nov� soubory budou m�t stejnou |
71 | | -skupinu jako adres�� (System V; u BSD syst�m� to funguje jinak, viz |
72 | | -pozn�mky) |
| 66 | +\item \emsl{SGID} on a file without the executable bit for its group means |
| 67 | +\emsl{mandatory locking} in systems based on System~V |
| 68 | +\item \emsl{sticky bit} for directories: remove and renamed allowed for file |
| 69 | +owners only. |
| 70 | +\item \emsl{SGID} for directory: new files will have the same group as the |
| 71 | +directory (on System~V based systems; it works in a different way on BSD |
| 72 | +systems, see below) |
73 | 73 | \end{itemize} |
74 | 74 | \end{slide} |
75 | 75 |
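Review bot: the new sticky-bit item at +68/+69 ("remove and renamed allowed for file owners only") has a grammar slip; suggest "removing and renaming allowed for file owners only". It is also a simplification: in the common implementations the directory owner and the superuser may delete or rename such files as well, which the longer notes below this slide are a good place to state. Minor: the first and third items end without a period while the second one ends with one; make them consistent.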
|
76 | 76 | \begin{itemize} |
77 | | -\item SGID pro adres��e u BSD syst�m� zp�sob�, �e soubory a podadres��e |
78 | | -vytvo�en� v tomto adres��i budou m�t stejn�ho majitele jako je majitel dan�ho |
79 | | -adres��e. Nutn�m p�edpokladem je d�le to, �e dan� UFS filesyst�m mus� b�t |
80 | | -namontov�n s suiddir p��znakem a v j�dru je option SUIDDIR (a to nen� |
81 | | -default). Nav�c to nefunguje pro roota. Tato mo�nost existuje kv�li Samb� a |
82 | | -Nettalku. |
83 | | -\item sticky bit pro adres��e: p�ejmenovat nebo smazat soubor m��e jen jeho |
84 | | -vlastn�k (v~n�kter�ch implementac�ch sta�� i pr�vo z�pisu do souboru), |
85 | | -ne\-sta\-�� pr�vo z�pisu do adres��e. Toto nastaven� se pou��v� pro ve�ejn� |
86 | | -adres��e (nap�. \texttt{/tmp}). |
87 | | -\item p�vodn� m�l sticky bit v�znam i pro spustiteln� soubory: program s |
88 | | -nastaven�m sticky bitem z�stal po ukon�en� v pam�ti a jeho op�tovn� spu�t�n� |
89 | | -bylo rychlej��. Dnes se sticky bit v tomto v�znamu u� nepou��v�. |
90 | | -\item n�kter� filesyst�my (XFS, AFS, UFS2, ZFS) maj� tzv. access control lists |
91 | | -(ACLs), kter� dovoluj� jemn�j�� p�id�lov�n� pr�v jednotliv�m u�ivatel�m a |
92 | | -skupin�m. |
| 77 | +\item The sticky bit for directories means that when the directory is writable |
| 78 | +for a given user (possibly because all users can write), the user can create any |
| 79 | +file that does not exist in that directory yet. However, if the file exists but |
| 80 | +is not owned by the user, he/she can not remove nor rename it even that by |
| 81 | +itself he/she can write the directory. Sticky bit is denoted by ``t'' and is |
| 82 | +typically used for temporary directories: |
| 83 | + |
| 84 | +\begin{verbatim} |
| 85 | +$ ls -ld /tmp |
| 86 | +drwxrwxrwt 9 root root 356352 Jan 27 22:37 /tmp/ |
| 87 | +\end{verbatim} |
| 88 | + |
| 89 | +\item The SGID bit on directories on BSD based systems means that files and |
| 90 | +directories created in this directory will have the same owner as the directory |
| 91 | +itself. The filesystem must be mounted with an \texttt{suiddir} flag and |
| 92 | +the kernel may need an additional non-default option \texttt{SUIDDIR}. It also |
| 93 | +does not work for the root user. This functionality is there to support Samba. |
| 94 | +\item Originally, the sticky bit had a meaning for regular files as well but |
| 95 | +that is not used anymore. |
| 96 | +\item Some filesystems (XFS, AFS, UFS2, ZFS, and others) also support |
| 97 | +\emph{access control lists} (ACLs) that allow for finer access right management. |
93 | 98 | \end{itemize} |
94 | 99 | %%%%% |
95 | 100 |
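Review bot: the sentence at +80/+81 ("he/she can not remove nor rename it even that by itself he/she can write the directory") is hard to parse; suggest "he/she cannot remove or rename it even though he/she has write permission on the directory". In the verbatim sample at +85/+86, `ls -ld /tmp` prints the path as given (`/tmp`), so the trailing slash in `/tmp/` implies the output came from `-F` or from `/tmp/` as the argument; align the command with its output. The translation also drops two details from the removed Czech text that are worth keeping: that on some implementations write permission on the file itself is enough to delete it in a sticky directory, and that the BSD SUIDDIR feature exists for Netatalk as well as Samba.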
|
|
118 | 123 | \end{slide} |
119 | 124 |
|
120 | 125 | \begin{itemize} |
121 | | -\item tyto funkce funguj� nez�visle na tom jak z jak� datab�ze byly |
122 | | -z�sk�ny informace o dan�m u�ivateli. |
123 | | -\item v�echny tyto funkce jsou sou��st� POSIX 1003.1-2008 (sekce XSH) |
124 | | -\item \funnm{setpwent} je t�eba zavolat p�ed prvn�m vol�n�m \funnm{getpwent} |
125 | | -\item analogicky exituj� funkce \funnm{getgrnam} a \funnm{getgrent} kter� |
126 | | -z�sk�vaj� informace o skupin�ch. |
127 | | -\item pro prohled�v�n� a v�pis databaz� lze pou��t program |
128 | | -\texttt{getent}. Nap�. k nalezen� z�znamu u�ivatele a skupiny |
129 | | -\texttt{root}: |
| 126 | +\item These functions work independently on what database was used to get the |
| 127 | +user information, see page \pageref{name_service_switch} for more information on |
| 128 | +naming databases. |
| 129 | +\item All these functions are part of POSIX 1003.1-2008. |
| 130 | +\item \funnm{setpwent}() is needed to call before first calling |
| 131 | +\funnm{getpwent}(). |
| 132 | +\item There are also functions \funnm{getgrnam}() and \funnm{getgrent}() which |
| 133 | +can be used to get group information. |
| 134 | +\item To search and list naming databases, you can use program \texttt{getent}. |
| 135 | +For example: |
130 | 136 |
|
131 | 137 | \begin{verbatim} |
132 | 138 | $ getent passwd root |
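Review bot: two grammar issues in the added items: +126 "work independently on what database was used" should be "work independently of which database was used", and +130/+131 "\funnm{setpwent}() is needed to call before first calling \funnm{getpwent}()" should read "\funnm{setpwent}() must be called before the first call to \funnm{getpwent}()". The \pageref{name_service_switch} at +127 depends on the label added later in this same commit, so both hunks must land together. The removed text also named the POSIX volume (XSH) for these functions, which +129 drops; keeping it is a useful pointer for the reader.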
|
155 | 161 | \end{itemize} |
156 | 162 | \end{slide} |
157 | 163 |
|
| 164 | +\label{name_service_switch} |
| 165 | + |
158 | 166 | \begin{itemize} |
159 | 167 | \item Systems using the name service switch typically have |
160 | 168 | \texttt{nsswitch.conf(4)} where you can find information about what databases |
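Review bot: the standalone \label at +164 sits outside any sectioning command or caption, so it only works with \pageref (as it is used in the earlier hunk); a \ref{name_service_switch} would silently pick up whatever counter was set last. If a \ref is ever intended, attach the label to a heading or put it inside the itemize. The blank line at +165 after the label is harmless but can be dropped.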
|