Linux: "transferring"/mirroring read-only permissions of a symlink (for a web server)

Posted 2024-10-20 09:33:11

Please let me explain what I mean by the question:

This is the context: I'm a user on a webserver, where I have phpicalendar installed; then, I choose a directory, say /webroot/mylogin/phpicalendar/mycals to host my .ics calendar text files.

EDIT: Previously, instead of '/webroot', I had used '/root' - but I really didn't mean the Linux '/root' directory - I just wanted to use it as a stand-in for the real location on the webserver (so it serves just as a common point of reference). Otherwise, what I mean by common point of reference, is simply /webroot = /media/some/path ..

Then, I can enter this directory in the phpicalendar's config.inc.php:

$configs = array(
 'calendar_path'        => '/webroot/mylogin/phpicalendar/mycals',
 ...

Then, phpicalendar will run through this directory, grab the .ics files there (say, mycal.ics and mycal2.ics) and render them - so far, so good.

The thing is, I would now like to add a second calendar directory, located at the same webserver, but where I have read-only permissions, say /webroot/protected/cals. I know that I have read permissions, because I can do in the shell, say

$ less /webroot/protected/cals/maincal.ics

and I can read the contents fine.. So now:

  • If I enter /webroot/protected/cals as a 'calendar_path', phpicalendar can read and render the files there (say, 'maincal.ics', 'maincal2.ics') without a problem
  • However, phpicalendar can have only one 'calendar_path', so I can either use the protected calendars, or my customized calendars - but not both
  • So, I thought, I could symlink the protected calendars in my customized directory - and get the best of both worlds :)

So, here is a shell snippet of what I would do

$ cd /webroot/mylogin/phpicalendar/mycals
$ ls -la 
drwxrwxrwx  2 myself myself 4096 2011-03-03 12:50 .
-rw-r--r--  1 myself myself 1234 2011-01-20 07:32 mycal.ics
-rw-r--r--  1 myself myself 1234 2011-01-20 07:32 mycal2.ics
...

$ ln /webroot/protected/cals/maincal.ics .    # try a hard link first
ln: creating hard link `./maincal.ics' => `/webroot/protected/cals/maincal.ics': Invalid cross-device link'

$ ln -s /webroot/protected/cals/maincal.ics .                  # symlink - works
$ ln -s ../../../protected/cals/maincal.ics relmaincal.ics  # symlink via relative
$ ln -s mycal.ics testcal.ics                               # try a symlink to a local file

$ ls -la                                                    # check contents of dir now
drwxrwxrwx  2 myself myself 4096  .
-rw-r--r--  1 myself myself 1234  mycal.ics
-rw-r--r--  1 myself myself 1234  mycal2.ics
lrwxrwxrwx  1 myself myself   21  testcal.ics -> mycal.ics
lrwxrwxrwx  1 myself myself   56  maincal.ics -> /webroot/protected/cals/maincal.ics
lrwxrwxrwx  1 myself myself   66  relmaincal.ics -> ../../../protected/cals/maincal.ics

Ok, so here's what happens:

  • less maincal.ics works on shell
  • less relmaincal.ics fails with 'relmaincal.ics: No such file or directory' (even if shell autocompletion for the relative path did work during the execution of the symlink command!)
  • When you open phpicalendar now, it will render mycal.ics, mycal2.ics and testcal.ics (and they will work)
    • however, maincal.ics and relmaincal.ics will not be parsed or displayed

Now - this could be that PHP cannot resolve symlinks; however I speculate that the situation is this:

  • When I do less maincal.ics - it is myself who is user, who has read permission for /webroot/protected/cals
  • phpicalendar (so Apache webserver user) can otherwise also access /webroot/protected/cals as read-only, when given 'hardcoded' path
  • phpicalendar is also capable of reading local symlinks fine

Thus, I suspect, that the problem is: when trying to read the symlinks to protected cals, the user that is visible to the shell during that operation is Apache web user, which then doesn't get permissions to access a symlink to the protected/cals location!

The thing now is - I can easily copy the .ics files locally; however they are being changed by someone else, which is why I'd have preferred a symlink.

And my question is: can I do some sort of trickery, so that when phpicalendar/Apache tries to access a symlink to protected/cals, it 'thinks' that it is a local file - and otherwise, the contents of the protected/cals file are being 'piped' back to phpicalendar/Apache?? I guess I'm thinking something in terms of:

$ mkfifo mypipe
$ ln -s mypipe testpipe.ics
$ cat ./testpipe.ics                                 # in one terminal
$ cat /webroot/protected/cals/maincal.ics > mypipe      # in other terminal

... which would otherwise (I think) handle the permissions problem - except that, I don't want to cat manually; that would be something that would have to be done in the background, each time an application requests to read testpipe.ics:)

Well, thanks in advance for any comments on this - looking forward to hearing some,
Cheers!

Comments (2)

怼怹恏 2024-10-27 09:33:11

Umm, I really doubt that the account the web server runs under can read anything under /root. That directory is usually mode 0700, user root, group root, or something very similar to that - meaning no non-root access is allowed. If you're running the web server as root, file read permissions are the least of your problems...

Your best bet then would be to place the read-only calendar files somewhere publicly available, and symlink to that location from wherever under /root you want to be able to access them.

墨落成白 2024-10-27 09:33:11

Start by checking whether the Apache user can view your calendars:

you@host $ sudo -i -u <apache-user> -s /bin/bash
apache@host $ less /root/protected/cals/maincal.ics
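
The check suggested above can be run over every symlink in the calendar directory at once. The following is an added example, not part of the original thread: it resolves each link the way the kernel does (a relative target is taken from the link's physical directory) and reports the first path component the current user cannot get past. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Run as the account under test.

# Resolve symlink $1 the way the kernel does: a relative target is
# interpreted from the physical directory that contains the link.
link_target() {
    lt_raw=$(readlink "$1") || return 1
    case $lt_raw in
        /*) printf '%s\n' "$lt_raw" ;;
        *)  lt_dir=$(cd -P "$(dirname "$1")" && pwd -P) || return 1
            printf '%s\n' "$lt_dir/$lt_raw" ;;
    esac
}

# Walk absolute path $1 one component at a time and print the first thing
# that stops the current user from reading it, or "ok".
first_blocker() {
    fb_rest=${1#/} fb_cur=
    while [ -n "$fb_rest" ]; do
        fb_part=${fb_rest%%/*}
        case $fb_rest in */*) fb_rest=${fb_rest#*/} ;; *) fb_rest= ;; esac
        fb_cur="$fb_cur/$fb_part"
        if [ ! -e "$fb_cur" ]; then echo "missing:$fb_cur"; return 1; fi
        if [ -d "$fb_cur" ] && [ ! -x "$fb_cur" ]; then
            echo "no-search:$fb_cur"; return 1
        fi
    done
    [ -r "$1" ] || { echo "no-read:$1"; return 1; }
    echo ok
}

# Print one line per symlink in directory $1: link, resolved target, verdict.
audit_links() {
    for al_f in "$1"/*; do
        [ -L "$al_f" ] || continue
        al_t=$(link_target "$al_f") || continue
        printf '%s -> %s: %s\n' "$al_f" "$al_t" "$(first_blocker "$al_t")"
    done
}
```

Source the file in the shell opened for the web server account and call audit_links with the calendar directory; a "missing:" verdict points at a dangling link, "no-search:" or "no-read:" at a permission that account lacks.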