ACL permissions

ACL is short for Access Control List. Its main purpose is to overcome the limitation of traditional Linux permissions, where access to a file or directory can only be granted as read, write and execute for the owner, the group and others. With ACLs you can set r, w and x permissions for a single user on a single file or directory, which is far more flexible.
Reference:
鳥哥的 Linux 私房菜 - Chapter 13, Linux Account Management and ACL Permission Settings

1. Create three test accounts
# useradd usera -d /home/usera
# useradd userb -d /home/userb
# useradd userc -d /home/userc
# chmod 755 /home/user?

2. Switch to usera
# su - usera

3. Create a test file and a test directory
$ touch acl_test_file
$ mkdir acl_test_dir
$ ll
drwxrwxr-x 2 usera usera 4096 Mar 12 23:24 acl_test_dir/
-rw-rw-r-- 1 usera usera    0 Mar 12 23:21 acl_test_file
The directory is 775 and the file is 664.
4. Set file permissions and inspect them
$ setfacl -m u:userb:rx acl_test_file
$ getfacl acl_test_file
# file: acl_test_file
# owner: usera
# group: usera
user::rw-
user:userb:r-x
group::rw-
mask::rwx
other::r--

$ setfacl -m u:userb:x acl_test_file
$ getfacl acl_test_file
# file: acl_test_file
# owner: usera
# group: usera
user::rw-
user:userb:--x
group::rw-
mask::rwx
other::r--

$ setfacl -m u:userb:r acl_test_file
$ getfacl acl_test_file
# file: acl_test_file
# owner: usera
# group: usera
user::rw-
user:userb:r--
group::rw-
mask::rw-
other::r--

$ setfacl -m u:userb:r,u:userc:rwx acl_test_file
$ getfacl acl_test_file
# file: acl_test_file
# owner: usera
# group: usera
user::rw-
user:userc:rwx
user:userb:r--
group::rw-
mask::rwx
other::r--

$ setfacl -m u:userb:---,u:userc:rwx acl_test_file
$ getfacl acl_test_file
# file: acl_test_file
# owner: usera
# group: usera
user::rw-
user:userc:rwx
user:userb:---
group::rw-
mask::rwx
other::r--

userb cannot access acl_test_file
# su - userb
$ cat acl_test_file
cat: acl_test_file: Permission denied

userc can access acl_test_file
# su - userc
$ echo 1 > acl_test_file
$ cat acl_test_file
1

5. Set a group entry
$ setfacl -m g:userc:rwx acl_test_file
$ getfacl acl_test_file
# file: acl_test_file
# owner: usera
# group: usera
user::rw-
user:userc:rwx
user:userb:---
group::rw-
group:userc:rwx
mask::rwx
other::r--

6. Set the mask
$ setfacl -m m:r acl_test_file
$ getfacl acl_test_file
# file: acl_test_file
# owner: usera
# group: usera
user::rw-
user:userc:rwx                  #effective:r--
user:userb:---
group::rw-                      #effective:r--
group:userc:rwx                 #effective:r--
mask::r--
other::r--

Although userc has rwx on acl_test_file, once combined with the mask only read permission remains.
# su - userc
$ echo 234 > acl_test_file
-bash: acl_test_file: Permission denied
$ cat acl_test_file
1

7. Set permissions on a directory
$ setfacl -m u:userb:rwx acl_test_dir
$ getfacl acl_test_dir
# file: acl_test_dir
# owner: usera
# group: usera
user::rwx
user:userb:rwx
group::rwx
mask::rwx
other::r-x

# su - userb
$ cd /home/usera/acl_test_dir
$ mkdir 123
$ getfacl 123
# file: 123
# owner: userb
# group: userb
user::rwx
group::rwx
other::r-x

Only the ordinary permissions; no default ACL entries were inherited.

$ setfacl -m d:u:userb:rx acl_test_dir
$ getfacl acl_test_dir
# file: acl_test_dir
# owner: usera
# group: usera
user::rwx
user:userb:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:userb:r-x
default:group::rwx
default:mask::rwx
default:other::r-x

# su - userb
$ cd /home/usera/acl_test_dir
$ mkdir 234
$ getfacl 234
# file: 234
# owner: userb
# group: userb
user::rwx
user:userb:r-x
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:userb:r-x
default:group::rwx
default:mask::rwx
default:other::r-x

$ ll
drwxrwxr-x  2 userb userb 4096 Mar 12 23:53 123/
drwxrwxr-x+ 2 userb userb 4096 Mar 12 23:59 234/
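Added example (not part of the original post): a POSIX shell reimplementation of the mask rule behind the #effective: column getfacl prints in step 6, run over a constructed copy of that step's getfacl output. It also shows what the mask does not touch: user:: and other:: sit outside the mask, so m:r never removes the r-- that other:: still grants to everyone.

```shell
#!/bin/sh
# Named-user, named-group and owning-group entries are ANDed with mask::;
# the owner (user::) and other:: are never restricted by it. Sample ACL below
# is constructed from the page's step 6 output for acl_test_file.

# acl_effective PERMS MASK -> PERMS restricted to the bits also set in MASK
acl_effective() {
    perms=$1 mask=$2 out= i=1
    while [ "$i" -le 3 ]; do
        p=$(printf '%s' "$perms" | cut -c"$i")
        m=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$p" != "-" ] && [ "$m" != "-" ]; then out="$out$p"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# acl_annotate: read getfacl output on stdin; print every mask-limited entry
# whose rights are actually cut down, as "ENTRY -> EFFECTIVE"
acl_annotate() {
    acl=$(cat)
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
    [ -n "$mask" ] || return 0        # minimal ACL: no mask, nothing to limit
    printf '%s\n' "$acl" | grep -E '^(user:[^:]+|group:[^:]*):' |
    while IFS= read -r line; do
        entry=$(printf '%s' "${line%%#*}" | sed 's/[[:space:]]*$//')  # drop old #effective note
        perms=${entry##*:}
        eff=$(acl_effective "$perms" "$mask")
        [ "$eff" = "$perms" ] || printf '%s -> %s\n' "$entry" "$eff"
    done
}

SAMPLE_ACL='# file: acl_test_file
# owner: usera
# group: usera
user::rw-
user:userc:rwx
user:userb:---
group::rw-
group:userc:rwx
mask::r--
other::r--'

# demo -> the three entries that mask::r-- reduces; other::r-- stays world-readable
demo() { printf '%s\n' "$SAMPLE_ACL" | acl_annotate; }

demo
```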

Installing Nagios 4.x on CentOS 7.x - Nginx

Reference:
Linux . 無限: Adding a Perl CGI module to Nginx on CentOS7/RHEL7

1. Install the required packages
# yum install nagios nagios-plugins-all

2. Configure the services started at boot
# systemctl disable httpd.service
# systemctl enable nagios.service
Created symlink from /etc/systemd/system/multi-user.target.wants/nagios.service to /usr/lib/systemd/system/nagios.service.
# systemctl stop httpd.service
# systemctl start nagios.service

3. Set the login account and password
# /usr/bin/htpasswd -c /etc/nagios/passwd nagiosadmin
New password:
Re-type new password:
Adding password for user nagiosadmin
4. Check that the configuration is correct
# /usr/sbin/nagios -v /etc/nagios/nagios.cfg
Nagios Core 4.2.4
Copyright (c) 2009-present Nagios Core Development Team and Community Contributors
Copyright (c) 1999-2009 Ethan Galstad
Last Modified: 12-07-2016
License: GPL

Website: https://www.nagios.org
Reading configuration data...
   Read main config file okay...
   Read object config files okay...

Running pre-flight check on configuration data...

Checking objects...
        Checked 8 services.
        Checked 1 hosts.
        Checked 1 host groups.
        Checked 0 service groups.
        Checked 1 contacts.
        Checked 1 contact groups.
        Checked 24 commands.
        Checked 5 time periods.
        Checked 0 host escalations.
        Checked 0 service escalations.
Checking for circular paths...
        Checked 1 hosts
        Checked 0 service dependencies
        Checked 0 host dependencies
        Checked 5 timeperiods
Checking global event handlers...
Checking obsessive compulsive processor commands...
Checking misc settings...

Total Warnings: 0
Total Errors:   0

Things look okay - No serious problems were detected during the pre-flight check

5. Download the repository configuration file
# wget https://copr.fedorainfracloud.org/coprs/jorti/fcgiwrap/repo/epel-7/jorti-fcgiwrap-epel-7.repo -P /etc/yum.repos.d

6. Update the package repositories
# yum update

7. Install the related packages
# yum install fcgiwrap spawn-fcgi

8. Edit the /etc/sysconfig/spawn-fcgi configuration file
# vim /etc/sysconfig/spawn-fcgi
FCGI_SOCKET=/var/run/fcgiwrap.socket
FCGI_PROGRAM=/usr/sbin/fcgiwrap
FCGI_USER=nginx
FCGI_GROUP=nginx
FCGI_EXTRA_OPTIONS="-M 0700"
OPTIONS="-u $FCGI_USER -g $FCGI_GROUP -s $FCGI_SOCKET -S $FCGI_EXTRA_OPTIONS -F 1 -P /var/run/spawn-fcgi.pid -- $FCGI_PROGRAM"

9. Start the spawn-fcgi service
# systemctl enable spawn-fcgi
spawn-fcgi.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig spawn-fcgi on
# systemctl start spawn-fcgi

10. Open a browser at http://<Server IP>/nagios
Enter the account and password you set

11. Screen after logging in (screenshot not reproduced)


Changing the default Nagios login account

The default Nagios login account is nagiosadmin. To change it:
1. Edit /etc/nagios/cgi.cfg and change the account to admin
# cp /etc/nagios/cgi.cfg /etc/nagios/cgi.cfg.$(date +%F)
# sed -i 's/nagiosadmin/admin/' /etc/nagios/cgi.cfg
2. Delete the existing account entry
# /usr/bin/htpasswd -D /etc/nagios/passwd nagiosadmin
Deleting password for user nagiosadmin

3. Create the password for admin
# /usr/bin/htpasswd -c /etc/nagios/passwd admin
New password:
Re-type new password:
Adding password for user admin

4. Check that the configuration file is correct
# /usr/sbin/nagios -v /etc/nagios/nagios.cfg

Nagios Core 4.2.4
Copyright (c) 2009-present Nagios Core Development Team and Community Contributors
Copyright (c) 1999-2009 Ethan Galstad
Last Modified: 12-07-2016
License: GPL

Website: https://www.nagios.org
Reading configuration data...
   Read main config file okay...
   Read object config files okay...

Running pre-flight check on configuration data...

Checking objects...
        Checked 8 services.
        Checked 1 hosts.
        Checked 1 host groups.
        Checked 0 service groups.
        Checked 1 contacts.
        Checked 1 contact groups.
        Checked 24 commands.
        Checked 5 time periods.
        Checked 0 host escalations.
        Checked 0 service escalations.
Checking for circular paths...
        Checked 1 hosts
        Checked 0 service dependencies
        Checked 0 host dependencies
        Checked 5 timeperiods
Checking global event handlers...
Checking obsessive compulsive processor commands...
Checking misc settings...

Total Warnings: 0
Total Errors:   0

Things look okay - No serious problems were detected during the pre-flight check
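Added example (not from the original post): a POSIX shell check to run after the rename above, or after step 3 of the install. It cross-checks the users named in authorized_for_* lines of cgi.cfg against the htpasswd file (htpasswd -c recreates that file, so only users added afterwards have credentials), reporting anyone authorized without a password and any leftover password entry with no CGI rights. The cgi.cfg and passwd contents below are constructed samples, and the hash is a placeholder.

```shell
#!/bin/sh
# Nagios CGI rights live in cgi.cfg (authorized_for_*=user1,user2), credentials in
# the htpasswd file (user:hash). "*" in cgi.cfg means any authenticated user.

# cgi_authorized CGI_CFG -> sorted distinct user names from authorized_for_* lines
cgi_authorized() {
    sed -n 's/^authorized_for_[a-z_]*=//p' "$1" | tr ',' '\n' |
        sed 's/^ *//;s/ *$//' | grep -v '^$' | grep -vx '\*' | sort -u
}

# htpasswd_users PASSWD_FILE -> sorted distinct user names that have credentials
htpasswd_users() {
    cut -d: -f1 "$1" | grep -v '^#' | grep -v '^$' | sort -u
}

# check_cgi_users CGI_CFG PASSWD_FILE -> prints each mismatch; returns 1 if any
check_cgi_users() {
    rc=0
    for u in $(cgi_authorized "$1"); do
        htpasswd_users "$2" | grep -qx -- "$u" ||
            { printf 'authorized in cgi.cfg but no password: %s\n' "$u"; rc=1; }
    done
    for u in $(htpasswd_users "$2"); do
        cgi_authorized "$1" | grep -qx -- "$u" ||
            { printf 'has a password but is not authorized in cgi.cfg: %s\n' "$u"; rc=1; }
    done
    return $rc
}

# Constructed sample: the sed rename missed one entry, so nagiosadmin is still authorized
SAMPLE_CGI_CFG='# comment lines are ignored
#authorized_for_read_only=user1,user2
authorized_for_system_information=admin
authorized_for_configuration_information=admin
authorized_for_all_services=admin,nagiosadmin
authorized_for_all_hosts=admin'
# Constructed sample passwd file; the hash is a placeholder, not a real digest
SAMPLE_PASSWD='admin:$apr1$PLACEHOLDER$notarealhash'

# demo -> runs the check on the samples and reports ok or mismatch
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CGI_CFG" > "$dir/cgi.cfg"
    printf '%s\n' "$SAMPLE_PASSWD" > "$dir/passwd"
    check_cgi_users "$dir/cgi.cfg" "$dir/passwd" && echo ok || echo mismatch
    rm -rf "$dir"
}

demo
```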

Installing MariaDB SQL Server 10.x

The MariaDB SQL Server installed from the built-in CentOS 7.x repositories is version 5.x
# /usr/bin/mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 5.5.52-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> quit
Bye

Installing version 10.x
1. Use the repository setup page on the MariaDB website
MariaDB - Setting up MariaDB Repositories - MariaDB

2. Remove the old packages
# systemctl disable mariadb.service
Removed symlink /etc/systemd/system/multi-user.target.wants/mariadb.service.
# systemctl stop mariadb.service
# yum remove mariadb mariadb-server mariadb-libs

3. Create mariadb.repo
# vim /etc/yum.repos.d/mariadb.repo
# MariaDB 10.1 CentOS repository list - created 2017-03-12 06:10 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

4. Update the package repositories
# yum update

5. Install
# yum install MariaDB-server MariaDB-client

6. Start MariaDB SQL Server
# systemctl enable mariadb.service
# systemctl start mariadb.service

7. Version
# /usr/bin/mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 10.1.21-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> quit
Bye

vsftpd over SSL/TLS: encrypted transfers

An FTP server transfers data in the clear, with no encryption; enabling SSL/TLS makes transfers to and from the FTP server safer.
Reference:
Vsftpd Over SSL/TLS encrypted transfers ::: iThome Download - the software you want is here :::

1. Install the openssl / vsftpd packages
# yum install openssl vsftpd

2. Create the certificate
# openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout /etc/pki/tls/certs/vsftpd.pem -out /etc/pki/tls/certs/vsftpd.pem
Generating a 1024 bit RSA private key
..++++++
…..++++++
writing new private key to '/etc/pki/tls/certs/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [Proxy Server]:FTP Server
Common Name (eg, your name or your server's hostname) []:xxx.tces.ilc.edu.tw
Email Address []:xxx@gmail.com

3. Change the file permissions
# chmod 600 /etc/pki/tls/certs/vsftpd.pem

4. Edit the vsftpd FTP Server configuration file /etc/vsftpd/vsftpd.conf
# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.$(date +%F)
# vim /etc/vsftpd/vsftpd.conf
Append the following to the end of the configuration file:
# path to the certificate
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
# enable SSL
ssl_enable=YES
# force SSL for data transfers
force_local_data_ssl=YES
# force SSL for logins
force_local_logins_ssl=YES

Available parameters
ssl_enable=yes/no //enable SSL; default no
allow_anon_ssl=yes/no //allow anonymous users to use SSL; default no
rsa_cert_file=/path/to/file //location of the RSA certificate
dsa_cert_file=/path/to/file //location of the DSA certificate
force_local_logins_ssl=yes/no //encrypt logins of non-anonymous users; default yes
force_local_data_ssl=yes/no //encrypt data transfers of non-anonymous users; default yes
force_anon_logins_ssl=yes/no //encrypt logins of anonymous users; default no
force_anon_data_ssl=yes/no //encrypt data transfers of anonymous users; default no
ssl_sslv2=yes/no //enable SSL v2; default no
ssl_sslv3=yes/no //enable SSL v3; default no
ssl_tlsv1=yes/no //enable TLS v1; default yes
ssl_ciphers=HIGH //default is DES-CBC3-SHA

5. Restart the vsftpd FTP Server
# systemctl restart vsftpd.service

6. Test with FileZilla
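Added example (not from the original post or the iThome reference): a POSIX shell audit of the TLS settings in the parameter list above, using vsftpd's documented defaults for any key that is absent. The configs it checks are constructed: STEP4_CONF is the four-line block from step 4, WEAK_CONF adds ssl_sslv3=YES, and HARDENED_CONF pins the protocol versions and ciphers; note that the step 4 block alone is flagged because ssl_ciphers stays at its DES-CBC3-SHA default.

```shell
#!/bin/sh
# vsftpd forbids whitespace around "=", so a plain "^key=" match is exact.
# A key that is not set takes the vsftpd default given in the parameter list.

# vsftpd_get CONF_TEXT KEY -> value of the last uncommented KEY= line, or empty
vsftpd_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# vsftpd_ssl_audit CONF_TEXT -> one finding per line; returns 1 if anything is off
vsftpd_ssl_audit() {
    conf=$1 rc=0
    # key / vsftpd default / value we want
    while read -r key def want; do
        val=$(vsftpd_get "$conf" "$key"); [ -n "$val" ] || val=$def
        [ "$(printf '%s' "$val" | tr 'a-z' 'A-Z')" = "$want" ] ||
            { printf '%s=%s (want %s)\n' "$key" "$val" "$want"; rc=1; }
    done <<EOF
ssl_enable NO YES
force_local_logins_ssl YES YES
force_local_data_ssl YES YES
ssl_sslv2 NO NO
ssl_sslv3 NO NO
EOF
    # ssl_ciphers defaults to DES-CBC3-SHA (3DES); the page recommends HIGH
    ciphers=$(vsftpd_get "$conf" ssl_ciphers); [ -n "$ciphers" ] || ciphers=DES-CBC3-SHA
    [ "$ciphers" != DES-CBC3-SHA ] ||
        { printf 'ssl_ciphers=%s (3DES default; set HIGH)\n' "$ciphers"; rc=1; }
    return $rc
}

# Constructed copy of the four lines added in step 4
STEP4_CONF='rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES'
# Weak: step 4 plus SSLv3 switched on, ssl_ciphers left at its default
WEAK_CONF="$STEP4_CONF
ssl_sslv3=YES"
# Hardened: step 4 with protocol versions and ciphers pinned
HARDENED_CONF="$STEP4_CONF
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH"

vsftpd_ssl_audit "$WEAK_CONF" || echo "weak: fix the findings above"
vsftpd_ssl_audit "$HARDENED_CONF" && echo "hardened: ok"
```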

cpio command options

cpio is a tool for backing up and restoring files on Linux; personally I have only used it when customizing initrd.img.
1. Extract
# /bin/cpio -idv < initrd.img
-i extract files
-d create directories as needed
-v show the operation on screen

2. Compress
# find . | cpio -cov | gzip -9 > ../initrd.img
-c same as -H newc, the new SVR4 portable format; for the old (ASCII) format use "-H odc"
-o create an archive
-v show the operation on screen

3. More usage
# cpio --help

Enabling user directory pages on the Nginx Web Server

1. Add the user testuser
# useradd testuser -d /home/testuser

2. Create the web directory and a test page
# mkdir /home/testuser/www
# echo "<h2> Testuser's Nginx UserDir Test Page</h2>" > /home/testuser/www/test.html

3. Change the owner and group of the directory and files
# chown -R testuser:testuser /home/testuser
# chmod 711 /home/testuser
4. Add the configuration
# vim /etc/nginx/conf.d/default.conf
     location ~ ^/~(.+?)(/.*)?$ {
         alias /home/$1/www$2;
         index  index.php index.html index.htm;
         autoindex on;
     }

5. Restart the Nginx Web Server
# systemctl restart nginx.service

6. View the result at http://<Server IP>/~testuser/test.html