Linux:“传输”/镜像符号链接的只读权限(用于网络服务器)

发布于 2024-10-20 09:33:11 字数 4031 浏览 8 评论 0原文

请让我解释一下这个问题的含义:

这是上下文:我是网络服务器上的用户,我安装了 phpicalendar;然后,我选择一个目录(例如 /webroot/mylogin/phpicalendar/mycals)来托管我的 .ics 日历文本文件。

编辑:以前,我使用的是“/root”,而不是“/webroot” - 但我真的不是指 > Linux '/root' 目录 - 我只是想用它作为网络服务器上真实位置的替代(所以它只是作为一个公共参考点)。否则,我所说的共同参考点只是 /webroot = /media/some/path ..

然后,我可以在 phpicalendar 中输入此目录code> 的 config.inc.php

$configs = array(
 'calendar_path'        => '/webroot/mylogin/phpicalendar/mycals;
 ...

然后,phpicalendar 将运行此目录,获取其中的 .ics 文件(例如 mycal.ics) code> 和 mycal2.ics)并渲染它们 - 到目前为止,一切顺利。

问题是,我现在想添加一个第二日历目录,位于同一网络服务器上,但我具有只读权限,例如/webroot/protected/cals。我知道我有读取权限,因为我可以在 shell 中执行操作,比如说

$ less /webroot/protected/cals/maincal.ics

我可以很好地读取内容。所以现在:

  • 如果我输入 /webroot/protected/cals 作为“calendar_path” , phpicalendar 可以毫无问题地读取并渲染那里的文件(例如“maincal.ics”、“maincal2.ics”)
  • 但是, phpicalendar 只能有一个calendar_path”,因此我可以使用受保护的日历或我的自定义日历 - 但不能同时使用两者
  • 所以,我我想,我可以在我的自定义目录中对受保护的日历进行符号链接 - 并获得两全其美的效果:)

因此,这里是我要做的事情的 shell 片段

$ cd /webroot/mylogin/phpicalendar/mycals
$ ls -la 
drwxrwxrwx  2 myself myself 4096 2011-03-03 12:50 .
-rw-r--r--  1 myself myself 1234 2011-01-20 07:32 mycal.ics
-rw-r--r--  1 myself myself 1234 2011-01-20 07:32 mycal2.ics
...

$ ln /webroot/protected/cals/maincal.ics .    # try a hard link first
ln: creating hard link `./maincal.ics' => `/webroot/protected/cals/maincal.ics': Invalid cross-device link'

$ ln -s /webroot/protected/cals/maincal.ics .                  # symlink - works
$ ln -s ../../../protected/cals/maincal.ics relmaincal.ics  # symlink via relative
$ ln -s mycal.ics testcal.ics                               # try a symlink to a local file

$ ls -la                                                    # check contents of dir now
drwxrwxrwx  2 myself myself 4096  .
-rw-r--r--  1 myself myself 1234  mycal.ics
-rw-r--r--  1 myself myself 1234  mycal2.ics
lrwxrwxrwx  1 myself myself   21  testcal.ics -> mycal.ics
lrwxrwxrwx  1 myself myself   56  maincal.ics -> /webroot/protected/cals/maincal.ics
lrwxrwxrwx  1 myself myself   66  relmaincal.ics -> ../../../protected/cals/maincal.ics

好吧,所以这就是发生的事情:

  • less maincal.ics 在 shell 上工作
  • less relmaincal.ics 失败,并显示“relmaincal.ics: No such file or directory”(即使相对路径的 shell 自动完成功能确实有效在执行符号链接命令期间!
  • 当您现在打开 phpicalendar 时,它将呈现 mycal.icsmycal2.icstestcal.ics (它们会起作用)
    • 但是,maincal.ics 和 relmaincal.ics 将不会被解析或显示

- 这可能是 PHP 无法解析符号链接;但是我推测情况是这样的:

  • 当我执行 less maincal.ics 时 - myself 是用户,拥有 /webroot/protected 的读取权限/cals
  • phpicalendar (因此 Apache Web 服务器用户)在给定“硬编码”路径时也可以以只读方式访问 /webroot/protected/cals
  • phpicalendar 也能够很好地读取本地符号链接

因此,我怀疑问题是:当尝试读取受保护的 cals 的符号链接时,在该操作期间对 shell 可见的用户是 Apache Web 用户,然后它就无法获得访问受保护/cals 位置的符号链接的权限!

现在的问题是 - 我可以轻松地将 .ics 文件复制到本地;然而它们正在被其他人改变,这就是为什么我更喜欢符号链接。

我的问题是:我可以做一些欺骗,这样当 phpicalendar/Apache 尝试访问 protected/cals 的符号链接时,它“认为”它是一个本地文件 - 否则, protected/cals 文件的内容被“管道”回 phpicalendar/Apache?我想我正在考虑以下方面的问题:

$ mkfifo mypipe
$ ln -s mypipe testpipe.ics
$ cat ./testpipe.ics                                 # in one terminal
$ cat /webroot/protected/cals/maincal.ics > mypipe      # in other terminal

...否则(我认为)可以处理权限问题 - 除此之外,我不想手动 cat ;每次应用程序请求读取 testpipe.ics 时,这都必须在后台完成:)

好吧,提前感谢对此的任何评论 - 期待听到一些评论,
干杯!

Please let me explain what I mean by the question:

This is the context: I'm a user on a webserver, where I have phpicalendar installed; then, I choose a directory, say /webroot/mylogin/phpicalendar/mycals to host my .ics calendar text files.

EDIT: Previously, instead of '/webroot', I had used '/root' - but I really didn't mean the Linux '/root' directory - I'm just wanted to use it as a stand in for the real location on the webserver (so it serves just as a common point of reference). Otherwise, what I mean by common point of reference, is simply /webroot = /media/some/path ..

Then, I can enter this directory in the phpicalendar's config.inc.php:

$configs = array(
 'calendar_path'        => '/webroot/mylogin/phpicalendar/mycals;
 ...

Then, phpicalendar will run through this directory, grab the .ics files there (say, mycal.ics and mycal2.ics) and render them - so far, so good.

The thing is, I would now like to add a second calendar directory, located at the same webserver, but where I have read-only permissions, say /webroot/protected/cals. I know that I have read permissions, because I can do in the shell, say

$ less /webroot/protected/cals/maincal.ics

and I can read the contents fine.. So now:

  • If I enter /webroot/protected/cals as a 'calendar_path', phpicalendar can read and render the files there (say, 'maincal.ics', 'maincal2.ics') without a problem
  • However, phpicalendar can have only one 'calendar_path', so I can either use the protected calendars, or my customized calendars - but not both
  • So, I thought, I could symlink the protected calendars in my customized directory - and get the best of both worlds :)

So, here is a shell snippet of what I would do

$ cd /webroot/mylogin/phpicalendar/mycals
$ ls -la 
drwxrwxrwx  2 myself myself 4096 2011-03-03 12:50 .
-rw-r--r--  1 myself myself 1234 2011-01-20 07:32 mycal.ics
-rw-r--r--  1 myself myself 1234 2011-01-20 07:32 mycal2.ics
...

$ ln /webroot/protected/cals/maincal.ics .    # try a hard link first
ln: creating hard link `./maincal.ics' => `/webroot/protected/cals/maincal.ics': Invalid cross-device link'

$ ln -s /webroot/protected/cals/maincal.ics .                  # symlink - works
$ ln -s ../../../protected/cals/maincal.ics relmaincal.ics  # symlink via relative
$ ln -s mycal.ics testcal.ics                               # try a symlink to a local file

$ ls -la                                                    # check contents of dir now
drwxrwxrwx  2 myself myself 4096  .
-rw-r--r--  1 myself myself 1234  mycal.ics
-rw-r--r--  1 myself myself 1234  mycal2.ics
lrwxrwxrwx  1 myself myself   21  testcal.ics -> mycal.ics
lrwxrwxrwx  1 myself myself   56  maincal.ics -> /webroot/protected/cals/maincal.ics
lrwxrwxrwx  1 myself myself   66  relmaincal.ics -> ../../../protected/cals/maincal.ics

Ok, so here's what happens:

  • less maincal.ics works on shell
  • less relmaincal.ics fails with 'relmaincal.ics: No such file or directory' (even if shell autocompletion for the relative path did work during the execution of the symlink command!)
  • When you open phpicalendar now, it will render mycal.ics, mycal2.ics and testcal.ics (and they will work)
    • however, maincal.ics and relmaincal.ics will not be parsed or displayed

Now - this could be that PHP cannot resolve symlinks; however I speculate that the situation is this:

  • When I do less maincal.ics - it is myself who is user, who has read permission for /webroot/protected/cals
  • phpicalendar (so Apache webserver user) can otherwise also access /webroot/protected/cals as read-only, when given 'hardcoded' path
  • phpicalendar is also capable of reading local symlinks fine

Thus, I suspect, that the problem is: when trying to read the symlinks to protected cals, the user that is visible to the shell during that operation is Apache web user, which then doesn't get permissions to access a symlink to the protected/cals location!

The thing now is - I can easily copy the .ics files locally; however they are being changed by someone else, which is why I'd have preferred a symlink.

And my question is: can I do some sort of trickery, so that when phpicalendar/Apache tries to access a symlink to protected/cals, it 'thinks' that it is a local file - and otherwise, the contents of the protected/cals file are being 'piped' back to phpicalendar/Apache?? I guess I'm thinking something in terms of:

$ mkfifo mypipe
$ ln -s mypipe testpipe.ics
$ cat ./testpipe.ics                                 # in one terminal
$ cat /webroot/protected/cals/maincal.ics > mypipe      # in other terminal

... which would otherwise (I think) handle the permissions problem - except that, I don't want to cat manually; that would be something that would have to be done in the background, each time an application requests to read testpipe.ics:)

Well, thanks in advance for any comments on this - looking forward to hearing some,
Cheers!

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

怼怹恏 2024-10-27 09:33:11

嗯,我真的怀疑运行网络服务器的帐户是否可以读取 /root 下的任何内容。该目录通常是模式 0700、用户 root、组 root 或类似的目录 - 意味着不允许非 root 访问。如果您以 root 身份运行 Web 服务器,那么文件读取权限是最不重要的问题...

那么您最好的选择是将只读日历文件放置在公开可用的位置,并从 / 下的任何位置符号链接到该位置root 您希望能够访问它们。

Umm, I really doubt that the account the web server runs under can read anything under /root. That directory is usually mode 0700, user root, group root, or something very similar to that - meaning no non-root access is allowed. If you're running the web server as root, file read permissions are the least of your problems...

Your best bet then would be to place the read-only calendar files somewhere publicly available, and symlink to that location from wherever under /root you want to be able to access them.

墨落成白 2024-10-27 09:33:11

首先检查 Apache 用户是否可以查看您的日历:

you@host $ sudo -i -u <apache-user> -s /bin/bash
apache@host $ less /root/protected/cals/maincal.ics

Start by checking whether the Apache user can view your calendars:

you@host $ sudo -i -u <apache-user> -s /bin/bash
apache@host $ less /root/protected/cals/maincal.ics
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文