Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- content:serverbasics [2023/12/19 16:02] – Daniel
+++ content:serverbasics [2024/01/03 23:05] – [Mountpoints] Daniel
@@ Zeile 10: / Zeile 10: @@
 By default openSuSE will set some conservative mountoptions, that are save, but not best choice for homeoffice use and maybe could also improve company servers. Here are some proposals to think about.
+Basically i would recommend to use UEFI only in Bios and GPT- Partitiontable on at least two Harddrives. The Linux- Root- System AND the EFI- Partitions should be mirrored (raid1) for failsafe and mak it possible to have the system booting from ONE disk (which is not possible with raid5).
+The Data (like Home and program data) can have raid5 with 3 or more disks.
+Always use LVM, as this has many benefits. On OpenSuSE btrfs is the best Filesystem if you disable Quotas on datapartitions.
 ==== Raided EFIBOOT ====
@@ Zeile 235: / Zeile 242: @@
 F… what??? Yes: facl is the tool to do so. with that tool you can very much expand the rights per directory an on every file in detail. It ist also possible to have multiple group- access definitions, which are not possible otherwise.
-So lets do some facl- work:
+So lets do some facl- work
+=== FACL: get infos about settings ===
 <code>
@@ Zeile 250: / Zeile 259: @@
 As you can see, that directory has been created quite insecure. There is only the above permission preventing everyone to read the informations in it. Creating a new file in it, would make it the same way insecure, as it would have been before.
+=== FACL: set default permissions ===
 But now lets set the mode to better fit our needs:
@@ Zeile 269: / Zeile 280: @@
 Note, that we only changed the DEFAULT permissions to be more secure (d:).
+=== FACL: check new settings ===
 Now lets again create a file there as we did before just in that - safe - directory. Also we can use getfacl on that file to check if it works:
@@ Zeile 321: / Zeile 334: @@
 Its up to you to decide if this is more usable or not.
+=== FACL: full ACL- Sytnax ===
+The full Syntax is:
+<code>
+      [d[efault]:] [u[ser]:]uid [:perms]
+             Permissions of a named user. Permissions of the file owner if uid is empty.
+      [d[efault]:] g[roup]:gid [:perms]
+             Permissions of a named group. Permissions of the owning group if gid is empty.
+      [d[efault]:] m[ask][:] [:perms]
+             Effective rights mask
+      [d[efault]:] o[ther][:] [:perms]
+             Permissions of others.
+</code>
+That means you can only set the defaults per user or per group and only files or directories at once.
+=== FACL: use in batch and recursively ===
+FACLs do also have good ways to be used for whole directories, chek out:
+''setfacl'' has a //recursive// option (''-R'') just like ''chmod'':
+-R, –recursive Apply operations to all files and directories recursively. This option cannot be mixed with `–restore'.
+=== FACL: handle execute-bit with files and directories ===
+…it also allows for the use of the capital-x ''X'' **permission**, which means: execute only if the file is a directory or already has execute permission for some user (X)
+so doing the following should work:
+Set all Files AND the directories recursively to be readwriteable by user colleague and only give X to all Directories and only those Files, that already have x set:
+''setfacl -R -m u:colleague:rwX .''
+For setting the default permissions to be like that:
+''setfacl -R -m **d**:u:colleague:rwX .''
 ==== Last words ====