mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-01-13 22:30:37 +08:00
Merge branch 'LCTT:master' into TRANSLATING
commit
09b2110b8c
@ -0,0 +1,137 @@
|
|||||||
|
[#]: subject: "Godot 4.2 Released: Taking The Open-Source Game Engine Up a Notch"
|
||||||
|
[#]: via: "https://news.itsfoss.com/godot-4-2/"
|
||||||
|
[#]: author: "Sourav Rudra https://news.itsfoss.com/author/sourav/"
|
||||||
|
[#]: collector: "lujun9972/lctt-scripts-1700446145"
|
||||||
|
[#]: translator: "geekpi"
|
||||||
|
[#]: reviewer: "wxy"
|
||||||
|
[#]: publisher: "wxy"
|
||||||
|
[#]: url: "https://linux.cn/article-16447-1.html"
|
||||||
|
|
||||||
|
Godot 4.2 发布:让开源游戏引擎更上一层楼
|
||||||
|
======
|
||||||
|
|
||||||
|
![][0]
|
||||||
|
|
||||||
|
> Godot 的又一次更新,其中包含了一些有用的更改,以更接近 Unreal、Unity 等专有引擎。
|
||||||
|
|
||||||
|
[Godot][1],社区最喜欢的 Unreal 和 Unity 等专有游戏引擎的替代品,有一个新的重大更新!
|
||||||
|
|
||||||
|
**Godot 4.2** “闪亮登场”,全面更新大量内容。它继续沿着 [Godot 4.0 版本][2] 铺平的道路,并在此基础上进行构建。
|
||||||
|
|
||||||
|
拿上你的饮料,让我来重点介绍一下这次发布的优点。☕
|
||||||
|
|
||||||
|
### Godot 4.2:有什么新内容?
|
||||||
|
|
||||||
|
Godot 4.2 版本有很多新东西。但是,我们将关注**关键亮点**:
|
||||||
|
|
||||||
|
* Linux 上的官方 ARM 支持
|
||||||
|
* 编辑器改进
|
||||||
|
* 更多版本控制友好
|
||||||
|
* 增强的图块地图
|
||||||
|
* 多人游戏/网络的改进
|
||||||
|
* 更好的导航系统
|
||||||
|
|
||||||
|
#### Linux 上的官方 ARM 支持
|
||||||
|
|
||||||
|
尽管可以在 Linux 上为基于 ARM 的设备手动构建 Godot,但**从来没有针对 Linux 的官方 ARM 构建**。
|
||||||
|
|
||||||
|
然而,随着 Godot 4.2 的发布,这种情况发生了变化。他们在下载页面上提供了 **32 位和 64 位版本的 Godot for ARM**。
|
||||||
|
|
||||||
|
请记住,这是**一项实验性工作**,因此可能会出现错误和问题。
|
||||||
|
|
||||||
|
#### 编辑器改进
|
||||||
|
|
||||||
|
![][5]
|
||||||
|
|
||||||
|
Godot 的编辑器方面有很多改进。
|
||||||
|
|
||||||
|
如上面的截图所示,第一个是代码编辑器中的新添加项,名为“<ruby>创建代码区域<rt>Create Code Region</rt></ruby>”。它允许你**将脚本分解为命名块**,然后可以将其最小化以减少混乱。
|
||||||
|
|
||||||
|
![][6]
|
||||||
|
|
||||||
|
Godot 的另一个新功能是**能够在编辑器视口中单独扩展方框图形的每一侧**。以前,这仅限于中心点和对称范围。
|
||||||
|
|
||||||
|
![][7]
|
||||||
|
|
||||||
|
**项目管理器也进行了更新**,改进了一般项目导入工作流程,并重新排列了按钮。
|
||||||
|
|
||||||
|
#### 更多版本控制友好
|
||||||
|
|
||||||
|
Godot 4.2 修复了在“就绪”期间更改场景或重命名节点会导致崩溃的问题,还修复了与重命名/移动文件相关的各种问题。
|
||||||
|
|
||||||
|
开发人员还补充道:
|
||||||
|
|
||||||
|
> 此外,场景中资源 ID 偶尔更改的一些情况已得到解决([GH-65011][8])。仍有改进的空间,但这已经使 4.2 的版本控制更加友好。
|
||||||
|
|
||||||
|
#### 增强的图块地图
|
||||||
|
|
||||||
|
![][9]
|
||||||
|
|
||||||
|
除了 Godot 的**图块/图块地图系统**的主要性能优化之外,还有一项新功能允许你在将图块/图块图案放置在任何地方时**旋转或翻转它们**。
|
||||||
|
|
||||||
|
#### 多人游戏/网络的改进
|
||||||
|
|
||||||
|
此版本还具有**高级多人游戏系统的改进**。“MultiplayerSynchronizer” 节点现在支持同步变换组件、子资源属性和其他类型的索引数据。
|
||||||
|
|
||||||
|
还有**针对拒绝服务漏洞的安全修复**,该漏洞之前在 Godot 4.0.4 RC1 版本中已披露。
|
||||||
|
|
||||||
|
> 📋 开发人员建议用户升级到 Godot 4.0.4、4.1.2 或 4.2 以避免出现问题。
|
||||||
|
|
||||||
|
#### 更好的导航系统
|
||||||
|
|
||||||
|
![][10]
|
||||||
|
|
||||||
|
Godot 4.2 带来了 **2D 导航网格烘焙**,它可以处理物理体、网格实例、普通多边形等。
|
||||||
|
|
||||||
|
此外,**添加了对 2D 和 3D 导航网格烘焙的多线程支持**,以提高性能并减少卡顿。
|
||||||
|
|
||||||
|
#### 🛠️ 其他更改和改进
|
||||||
|
|
||||||
|
还有许多其他值得注意的变化:
|
||||||
|
|
||||||
|
* 改进了 [GDExtension][11] 系统。
|
||||||
|
* 支持 AMD 的 [FSR 2.2][12] 技术。
|
||||||
|
* 图形构建节点的**重大修改**。
|
||||||
|
* **适用于 Linux、Windows 和 macOS 的原生文件选择**对话框。
|
||||||
|
* 现在可以为附加组件和资产**指定不同的安装文件夹**。
|
||||||
|
* **修复了 Steam 输入问题**,该问题导致某些游戏手柄事件被处理两次。
|
||||||
|
|
||||||
|
有关此版本的更多详细信息,你可以通过 [官方发行说明][13] 了解。
|
||||||
|
|
||||||
|
### 📥 下载Godot 4.2
|
||||||
|
|
||||||
|
前往 [官方网站][14] 获取 Linux 版 Godot 的最新版本。对于其他软件包,你还可以参考其 [GitHub 仓库][15]。
|
||||||
|
|
||||||
|
> [Godot 4.2(GitHub)][15]
|
||||||
|
|
||||||
|
💬 你对此版本有何看法? 已经试过这个精彩的开源游戏引擎了吗? 在评论中告诉我们!
|
||||||
|
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
via: https://news.itsfoss.com/godot-4-2/
|
||||||
|
|
||||||
|
作者:[Sourav Rudra][a]
|
||||||
|
选题:[lujun9972][b]
|
||||||
|
译者:[geekpi](https://github.com/geekpi)
|
||||||
|
校对:[wxy](https://github.com/wxy)
|
||||||
|
|
||||||
|
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||||
|
|
||||||
|
[a]: https://news.itsfoss.com/author/sourav/
|
||||||
|
[b]: https://github.com/lujun9972
|
||||||
|
[1]: https://godotengine.org/
|
||||||
|
[2]: https://news.itsfoss.com/godot-4-0-release/
|
||||||
|
[3]: https://news.itsfoss.com/content/images/size/w256h256/2022/08/android-chrome-192x192.png
|
||||||
|
[4]: https://news.itsfoss.com/content/images/2023/04/Follow-us-on-Google-News.png
|
||||||
|
[5]: https://news.itsfoss.com/content/images/2023/12/Godot_4.2_a.jpg
|
||||||
|
[6]: https://news.itsfoss.com/content/images/2023/12/Godot_4.2_b.jpg
|
||||||
|
[7]: https://news.itsfoss.com/content/images/2023/12/Godot_4.2_c.jpg
|
||||||
|
[8]: https://github.com/godotengine/godot/pull/65011
|
||||||
|
[9]: https://news.itsfoss.com/content/images/2023/12/Godot_4.2_d.jpg
|
||||||
|
[10]: https://news.itsfoss.com/content/images/2023/12/Godot_4.2_e.jpg
|
||||||
|
[11]: https://docs.godotengine.org/en/stable/tutorials/scripting/gdextension/what_is_gdextension.html
|
||||||
|
[12]: https://community.amd.com/t5/gaming/amd-fidelityfx-super-resolution-2-2-racing-into-more-games-and/ba-p/563910
|
||||||
|
[13]: https://godotengine.org/article/godot-4-2-arrives-in-style/
|
||||||
|
[14]: https://godotengine.org/download/linux/
|
||||||
|
[15]: https://github.com/godotengine/godot/releases/tag/4.2-stable
|
||||||
|
[0]: https://img.linux.net.cn/data/attachment/album/202312/06/162357bjz99b66jpnbqy6p.jpg
|
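Review bot: The reference block at the end of this file still defines `[3]` and `[4]` (the android-chrome icon and the Follow-us-on-Google-News image), but nothing in the translated body cites them, so they are dead definitions; drop both lines. In the code editor paragraph the feature is given as “创建代码区域 / Create Code Region”, while the English source removed in this same commit calls it “Code Region”; keep the name as the source has it, or confirm the wording against the editor. The heading `### 📥 下载Godot 4.2` also lacks the space between Chinese and Latin text that the rest of the file uses.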
160
published/20231203 5 Most Privacy Focused Web Browsers.md
Normal file
@ -0,0 +1,160 @@
|
|||||||
|
[#]: subject: "5 Most Privacy Focused Web Browsers"
|
||||||
|
[#]: via: "https://itsfoss.com/privacy-web-browsers/"
|
||||||
|
[#]: author: "Ankush Das https://itsfoss.com/author/ankush/"
|
||||||
|
[#]: collector: "lujun9972/lctt-scripts-1700446145"
|
||||||
|
[#]: translator: "ChatGPT"
|
||||||
|
[#]: reviewer: "wxy"
|
||||||
|
[#]: publisher: "wxy"
|
||||||
|
[#]: url: "https://linux.cn/article-16445-1.html"
|
||||||
|
|
||||||
|
注重隐私的五大网络浏览器
|
||||||
|
======
|
||||||
|
|
||||||
|
![][0]
|
||||||
|
|
||||||
|
> 这是你可以试用的一些最佳的隐私友好型网络浏览器!
|
||||||
|
|
||||||
|
对大多数互联网用户来说,网络浏览器应用是他们最常接触的工具。不论其在桌面或移动设备上工作,无论平台如何,总会用到网络浏览器。
|
||||||
|
|
||||||
|
通过浏览器,我们可以访问云存储、银行服务、社交媒体、电商平台,以及无数其他服务。
|
||||||
|
|
||||||
|
因此,选择一个尊重隐私,并能提供安全网络体验的浏览器对你来说至关重要。
|
||||||
|
|
||||||
|
下面我将为你重点展示一些在你选择的任何设备上可以使用的、最佳的注重隐私的浏览器。
|
||||||
|
|
||||||
|
### LibreWolf
|
||||||
|
|
||||||
|
[LibreWolf][2] 是 Firefox 的一个分支版本,它开箱即用地提供了隐私增强功能。
|
||||||
|
|
||||||
|
LibreWolf 不只是一个配置稍有不同的 Firefox。它完全清除了所有的遥测、DRM 保护,并在安全方面进行了各种改进。
|
||||||
|
|
||||||
|
比如说,每当你关闭浏览器时,它会自动删除浏览和下载历史。此外,你也可以根据 [文档][3] 调整这种行为并根据自己的喜好进行自定义。
|
||||||
|
|
||||||
|
再者,你还能得到像 DuckDuckGo 和 Qwant 这样的 [隐私友好搜索引擎][4]。同时,uBlock Origin 的扩展功能在该浏览器中默认就开启了。
|
||||||
|
|
||||||
|
它不仅能提供私密和安全的体验,LibreWolf 还去掉了一些可能会分散用户注意力的 Firefox 元素,例如一个更清爽的新标签页和 Firefox 同步功能。
|
||||||
|
|
||||||
|
亮点:
|
||||||
|
|
||||||
|
* 这是专门为了隐私定制的版本
|
||||||
|
* 可以根据需要调整定制选项
|
||||||
|
* 默认禁用 Firefox Sync 同步功能
|
||||||
|
* 仅支持桌面平台(Linux、Windows 和 macOS)
|
||||||
|
|
||||||
|
### Brave
|
||||||
|
|
||||||
|
[Brave][6] 是基于 Chromium 的知名版本。它以提供了飞快的网页用户体验而备受赞誉。
|
||||||
|
|
||||||
|
Brave 提供了大量以隐私为中心的设置,如:无需创建账户就能安全同步浏览器数据。该浏览器有效地阻止了跟踪器,给你带来了私密网络体验。
|
||||||
|
|
||||||
|
你还能获得一些附加功能,如奖励系统(用于选择性广告)和加密钱包。
|
||||||
|
|
||||||
|
虽然这个浏览器支持跨平台使用,但对于 Linux 系统,其安装过程与其他式有所不同。你可以参考我们的教程寻找帮助:
|
||||||
|
|
||||||
|
> **[在 Ubuntu 上安装 Brave 浏览器][6A]**
|
||||||
|
|
||||||
|
亮点:
|
||||||
|
|
||||||
|
* 快速的网页浏览体验
|
||||||
|
* 与 Chrome 相似的用户体验
|
||||||
|
* 提供安全的浏览器同步选项
|
||||||
|
* 提供了额外的功能,如加密钱包等
|
||||||
|
* 支持 Linux、安卓、iOS、Windows 和 macOS
|
||||||
|
|
||||||
|
### Firefox
|
||||||
|
|
||||||
|
[Mozilla Firefox][9] 是无数隐私爱好者的首选浏览器。
|
||||||
|
|
||||||
|
它有很多隐私保护功能,包括有阻止跟踪、设定不同 DNS 的能力。
|
||||||
|
|
||||||
|
Firefox 提供了独特的用户体验,整合了 νρη、电子邮件别名、Pocket 等实用功能,以及一个 Firefox 账户可以方便地同步所有你的浏览器数据。
|
||||||
|
|
||||||
|
使用 Firefox,你可以自定义用户界面,并通过 JavaScript 文件调整体验。如果你并不打算使用 Firefox,但仍希望提升隐私保护,你可以查看 GitHub 上的 [arkenfox 配置][10]。
|
||||||
|
|
||||||
|
如果你在 [Firefox 和 Brave][11] 之间感到困惑,我们的比较文章可以帮你深入了解、从而做出选择:
|
||||||
|
|
||||||
|
> **[Brave vs. Firefox:你的私人网络体验的终极浏览器选择][11]**
|
||||||
|
|
||||||
|
亮点:
|
||||||
|
|
||||||
|
* 考虑到可用性而设计出的以隐私为核心的功能
|
||||||
|
* 整合了 Firefox 同步和 Pocket 功能
|
||||||
|
* 支持 Linux、Windows、安卓、iOS 和 macOS 等平台
|
||||||
|
|
||||||
|
### Tor 浏览器
|
||||||
|
|
||||||
|
[Tor 浏览器][13] 是注重隐私的用户的最佳选择。
|
||||||
|
|
||||||
|
因为它基于 Firefox,所以你基本能获取同样的体验,同时进行了一些改动以更高级别提升安全特性和隐私。
|
||||||
|
|
||||||
|
与 LibreWolf 不同的是,Tor 浏览器让你能使用 [Tor 网络][14],这可能会影响你的网络体验,但对隐私方面的提升很大。你可以通过浏览 [洋葱网站][15] 来保证隐私。
|
||||||
|
|
||||||
|
如同 Brave,Tor 浏览器在 Linux 系统上的安装可能有点复杂。如果你是 Linux 用户,你可以参考我们的教程:
|
||||||
|
|
||||||
|
> **[在 Ubuntu 上安装 Tor 浏览器][7]**
|
||||||
|
|
||||||
|
亮点:
|
||||||
|
|
||||||
|
* 严格的隐私保护,尽管这可能降低可用性
|
||||||
|
* 连接 Tor 网络
|
||||||
|
* 支持 Linux、Windows、安卓 和 macOS 等平台
|
||||||
|
|
||||||
|
### Mullvad 浏览器
|
||||||
|
|
||||||
|
Mullvad 是最好的 [νρη 服务][17] 之一。[Mullvad 浏览器][18] 的开发是与 Tor 项目合作完成的,其特点是专门为使用 νρη 而非 Tor 网络而定制。
|
||||||
|
|
||||||
|
你也可以在 Mullvad 浏览器上结合使用其它的 νρη 服务。该浏览器内置了 uBlock Origin 和 NoScript 等扩展,提供他们所追求的私密体验。此外,浏览器并不支持 Firefox 同步。
|
||||||
|
|
||||||
|
虽然你不能移除这些扩展,但他们并不推荐你添加更多扩展。
|
||||||
|
|
||||||
|
亮点:
|
||||||
|
|
||||||
|
* 专为 νρη 使用而定制
|
||||||
|
* 预先安装了不能被移除的扩展
|
||||||
|
* 只支持桌面平台(Linux、Windows 和 macOS)
|
||||||
|
|
||||||
|
### 总结
|
||||||
|
|
||||||
|
随着网络的不断发展且需要处理各种问题,依赖于一个重视隐私的浏览器变得更加方便。
|
||||||
|
|
||||||
|
在上述提及的浏览器中,Firefox 和 Brave 是大多数人的首选。但如果你寻求更严格的保护和更多的配置,那么 LibreWolf 应该会符合你的需求。
|
||||||
|
|
||||||
|
当然,使用像 Tor 浏览器、LibreWolf 和 Mullvad 这样特别定制的浏览器,你将失去在移动设备上使用它们的灵活性。因此,你可以为你的智能手机选择一个单独的浏览器,或者选择一个支持你所有设备的浏览器。
|
||||||
|
|
||||||
|
💬 你最喜欢的是哪款注重隐私的网络浏览器呢?请在下方评论让我们知道!如果你对列表中的某些条目有异议,也可以优雅地表达你的看法。
|
||||||
|
|
||||||
|
*(题图:MJ/acc47c46-8923-482f-92f6-523516b2f450)*
|
||||||
|
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
via: https://itsfoss.com/privacy-web-browsers/
|
||||||
|
|
||||||
|
作者:[Ankush Das][a]
|
||||||
|
选题:[lujun9972][b]
|
||||||
|
译者:[ChatGPT](https://linux.cn/lctt/ChatGPT)
|
||||||
|
校对:[wxy](https://github.com/wxy)
|
||||||
|
|
||||||
|
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||||
|
|
||||||
|
[a]: https://itsfoss.com/author/ankush/
|
||||||
|
[b]: https://github.com/lujun9972
|
||||||
|
[1]: https://itsfoss.com/content/images/2023/12/librewolf.png
|
||||||
|
[2]: https://librewolf.net/
|
||||||
|
[3]: https://librewolf.net/docs/settings/
|
||||||
|
[4]: https://itsfoss.com/privacy-search-engines/
|
||||||
|
[5]: https://itsfoss.com/content/images/2023/12/brave.png
|
||||||
|
[6]: https://brave.com/en-in/
|
||||||
|
[6A]: https://itsfoss.com/brave-web-browser/
|
||||||
|
[7]: https://itsfoss.com/content/images/size/w256h256/2022/12/android-chrome-192x192.png
|
||||||
|
[8]: https://itsfoss.com/content/images/2023/12/firefox.png
|
||||||
|
[9]: https://www.mozilla.org/en-US/firefox/new/
|
||||||
|
[10]: https://github.com/arkenfox/user.js
|
||||||
|
[11]: https://linux.cn/article-13736-1.html
|
||||||
|
[12]: https://itsfoss.com/content/images/2023/12/tor-browser.png
|
||||||
|
[13]: https://www.torproject.org/download/
|
||||||
|
[14]: https://itsfoss.com/tor-guide/
|
||||||
|
[15]: https://en.wikipedia.org/wiki/List_of_Tor_onion_services
|
||||||
|
[16]: https://itsfoss.com/content/images/2023/12/mullvad-browser.png
|
||||||
|
[17]: https://itsfoss.com/best-vpn-linux/
|
||||||
|
[18]: https://mullvad.net/en/browser
|
||||||
|
[0]: https://img.linux.net.cn/data/attachment/album/202312/06/061704c88t0twgz0fo8o0b.png
|
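Review bot: The Tor tutorial link `[在 Ubuntu 上安装 Tor 浏览器][7]` resolves to `[7]: https://itsfoss.com/content/images/size/w256h256/2022/12/android-chrome-192x192.png`, a site icon rather than a guide, so a reader who follows it gets an image. The Brave card was handled with a dedicated `[6A]` reference; add an equivalent reference carrying the tutorial URL for Tor, or drop the link. Separately, the arkenfox sentence reads “如果你并不打算使用 Firefox”, where the English source removed in this commit says “would rather not use any Firefox fork”, which changes who the advice is for; “与其他式有所不同” is missing a character; and “νρη” is written in Greek letters where the source has “VPN”, which breaks search and copy-paste.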
@ -1,147 +0,0 @@
|
|||||||
[#]: subject: "Godot 4.2 Released: Taking The Open-Source Game Engine Up a Notch"
|
|
||||||
[#]: via: "https://news.itsfoss.com/godot-4-2/"
|
|
||||||
[#]: author: "Sourav Rudra https://news.itsfoss.com/author/sourav/"
|
|
||||||
[#]: collector: "lujun9972/lctt-scripts-1700446145"
|
|
||||||
[#]: translator: "geekpi"
|
|
||||||
[#]: reviewer: " "
|
|
||||||
[#]: publisher: " "
|
|
||||||
[#]: url: " "
|
|
||||||
|
|
||||||
Godot 4.2 Released: Taking The Open-Source Game Engine Up a Notch
|
|
||||||
======
|
|
||||||
Another update to Godot with useful changes to close-in on proprietary
|
|
||||||
options like Unreal, Unity, etc.
|
|
||||||
[Godot][1], the community favorite alternative to proprietary game engines such as Unreal and Unity, has a new major update!
|
|
||||||
|
|
||||||
**Godot 4.2** has “ _arrived in style_ ” with loads of updates across the board. It continues in the path that the [Godot 4.0 release][2] paved, and builds upon it.
|
|
||||||
|
|
||||||
Grab a beverage of your choice, as I highlight the good things about this release ☕
|
|
||||||
|
|
||||||
**Suggested Read** 📖
|
|
||||||
|
|
||||||
![][3]
|
|
||||||
|
|
||||||
### Godot 4.2: What's New?
|
|
||||||
|
|
||||||
There are plenty of new things with the Godot 4.2 release. But, we will focus on the **key highlights** :
|
|
||||||
|
|
||||||
* **Official ARM Support on Linux**
|
|
||||||
* **Editor Improvements**
|
|
||||||
* **More Version Control Friendly**
|
|
||||||
* **Enhanced Tilemaps**
|
|
||||||
* **Improvements to Multiplayer/Networking**
|
|
||||||
* **Better Navigation System**
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
#### Official ARM Support on Linux
|
|
||||||
|
|
||||||
Even though it was possible to manually build Godot for ARM-based devices on Linux, there was **never an official ARM build for Linux**.
|
|
||||||
|
|
||||||
However, that has now changed with the Godot 4.2 release. They have provided both **32-bit and 64-bit versions of Godot for ARM** on their downloads page.
|
|
||||||
|
|
||||||
Keep in mind that this is **an experimental undertaking** , so expect bugs and issues.
|
|
||||||
|
|
||||||
![][4]
|
|
||||||
|
|
||||||
#### Editor Improvements
|
|
||||||
|
|
||||||
![][5]
|
|
||||||
|
|
||||||
There have been many improvements on the editor side of Godot.
|
|
||||||
|
|
||||||
As illustrated by the screenshot above, the first one is a new addition to the code editor called “ **Code Region** ”. It allows you to **break up scripts into named blocks** , which can then be minimized to lessen clutter.
|
|
||||||
|
|
||||||
![][6]
|
|
||||||
|
|
||||||
Another new addition to Godot is the **ability to extend each side of box shapes individually within the editor viewport**. Previously, this was only limited to the center point and symmetrical extents.
|
|
||||||
|
|
||||||
![][7]
|
|
||||||
|
|
||||||
The **project manager also sees an update** , the general project import workflow has been improved alongside a rearrangement of buttons.
|
|
||||||
|
|
||||||
#### More Version Control Friendly
|
|
||||||
|
|
||||||
Godot 4.2 comes with a fix to an issue where changing scenes or renaming nodes during 'ready' would lead to crashes, various issues related to renaming/moving files were also fixed.
|
|
||||||
|
|
||||||
The developers also added:
|
|
||||||
|
|
||||||
> Also, some cases of sporadic changing of resource IDs in scenes have been solved ([GH-65011][8]). There is still room for improvement, but this already makes 4.2 way more version control friendly.
|
|
||||||
|
|
||||||
#### Enhanced Tilemaps
|
|
||||||
|
|
||||||
![][9]
|
|
||||||
|
|
||||||
Alongside **major performance optimizations to the tile/tilemap system** of Godot, there is a new feature that allows you to **rotate or flip a tile/tile pattern** while placing them anywhere.
|
|
||||||
|
|
||||||
#### Improvements to Multiplayer/Networking
|
|
||||||
|
|
||||||
This release also features **improvements for the high-level multiplayer system;** the ' _MultiplayerSynchronizer_ ' node now supports syncing of transform components, sub-resource properties, and other types of indexed data.
|
|
||||||
|
|
||||||
There is also **a security fix for a denial-of-service vulnerability** that was previously disclosed with the Godot 4.0.4 RC1 release.
|
|
||||||
|
|
||||||
📋
|
|
||||||
|
|
||||||
The developers recommend that users upgrade to Godot 4.0.4, 4.1.2, or 4.2 to avoid issues.
|
|
||||||
|
|
||||||
#### Better Navigation System
|
|
||||||
|
|
||||||
![][10]
|
|
||||||
|
|
||||||
Godot 4.2 brings about **navigation mesh baking for 2D** , it can handle physics bodies, mesh instances, plain polygons and more.
|
|
||||||
|
|
||||||
Furthermore, **support for multi-threading was added** for 2D and 3D navigation mesh baking for improving performance, and reducing stutters.
|
|
||||||
|
|
||||||
#### 🛠️ Other Changes and Improvements
|
|
||||||
|
|
||||||
There are plenty of other changes worth noting:
|
|
||||||
|
|
||||||
* Improvements to the [GDExtension][11] system.
|
|
||||||
* Support for AMD's [FSR 2.2][12] tech.
|
|
||||||
* A **major rework** of the graph-building nodes.
|
|
||||||
* **Native file selection** dialog for Linux, Windows, and macOS.
|
|
||||||
* It is now possible to **specify a different install folder** for add-ons and assets.
|
|
||||||
* **A fix for the Steam Input issue** that caused some gamepad events to be handled twice.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
For more details on this release, you can through the [official release notes][13].
|
|
||||||
|
|
||||||
### 📥 Download Godot 4.2
|
|
||||||
|
|
||||||
Head over to the [official website][14] to grab the latest release of Godot for Linux. For other packages, you could also refer to its [GitHub repo][15].
|
|
||||||
|
|
||||||
[Godot 4.2 (GitHub)][15]
|
|
||||||
|
|
||||||
_💬 What are your thoughts on this release? Giving a chance to this wonderful open-source game engine already? Tell us about it in the comments!_
|
|
||||||
|
|
||||||
* * *
|
|
||||||
|
|
||||||
--------------------------------------------------------------------------------
|
|
||||||
|
|
||||||
via: https://news.itsfoss.com/godot-4-2/
|
|
||||||
|
|
||||||
作者:[Sourav Rudra][a]
|
|
||||||
选题:[lujun9972][b]
|
|
||||||
译者:[译者ID](https://github.com/译者ID)
|
|
||||||
校对:[校对者ID](https://github.com/校对者ID)
|
|
||||||
|
|
||||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
|
||||||
|
|
||||||
[a]: https://news.itsfoss.com/author/sourav/
|
|
||||||
[b]: https://github.com/lujun9972
|
|
||||||
[1]: https://godotengine.org/
|
|
||||||
[2]: https://news.itsfoss.com/godot-4-0-release/
|
|
||||||
[3]: https://news.itsfoss.com/content/images/size/w256h256/2022/08/android-chrome-192x192.png
|
|
||||||
[4]: https://news.itsfoss.com/content/images/2023/04/Follow-us-on-Google-News.png
|
|
||||||
[5]: https://news.itsfoss.com/content/images/2023/12/Godot_4.2_a.jpg
|
|
||||||
[6]: https://news.itsfoss.com/content/images/2023/12/Godot_4.2_b.jpg
|
|
||||||
[7]: https://news.itsfoss.com/content/images/2023/12/Godot_4.2_c.jpg
|
|
||||||
[8]: https://github.com/godotengine/godot/pull/65011
|
|
||||||
[9]: https://news.itsfoss.com/content/images/2023/12/Godot_4.2_d.jpg
|
|
||||||
[10]: https://news.itsfoss.com/content/images/2023/12/Godot_4.2_e.jpg
|
|
||||||
[11]: https://docs.godotengine.org/en/stable/tutorials/scripting/gdextension/what_is_gdextension.html
|
|
||||||
[12]: https://community.amd.com/t5/gaming/amd-fidelityfx-super-resolution-2-2-racing-into-more-games-and/ba-p/563910
|
|
||||||
[13]: https://godotengine.org/article/godot-4-2-arrives-in-style/
|
|
||||||
[14]: https://godotengine.org/download/linux/
|
|
||||||
[15]: https://github.com/godotengine/godot/releases/tag/4.2-stable
|
|
@ -0,0 +1,117 @@
|
|||||||
|
[#]: subject: "Zorin OS 17 is Redefining the Visual Experience in a Linux Distro"
|
||||||
|
[#]: via: "https://news.itsfoss.com/zorin-os-17-beta/"
|
||||||
|
[#]: author: "Sourav Rudra https://news.itsfoss.com/author/sourav/"
|
||||||
|
[#]: collector: "lujun9972/lctt-scripts-1700446145"
|
||||||
|
[#]: translator: "geekpi"
|
||||||
|
[#]: reviewer: " "
|
||||||
|
[#]: publisher: " "
|
||||||
|
[#]: url: " "
|
||||||
|
|
||||||
|
Zorin OS 17 is Redefining the Visual Experience in a Linux Distro
|
||||||
|
======
|
||||||
|
Zorin OS 17 will be an aesthetically pleasing experience. What do you
|
||||||
|
think?
|
||||||
|
The next upgrade for one of the [most beautiful Linux distributions][1], Zorin OS, is around the corner.
|
||||||
|
|
||||||
|
Before the release, they have revealed what you get with Zorin 17, along with the availability of its **first beta version** (for testers).
|
||||||
|
|
||||||
|
Let's get started and see what's in store.
|
||||||
|
|
||||||
|
**Suggested Read** 📖
|
||||||
|
|
||||||
|
![][2]
|
||||||
|
|
||||||
|
### Zorin OS 17: The Best Bits
|
||||||
|
|
||||||
|
![][3]
|
||||||
|
|
||||||
|
Set to be a major release, Zorin OS 17 is **a long-term support release** (until June 2027), and a packed one at that, with many new and exciting improvements.
|
||||||
|
|
||||||
|
According to the developers, Zorin OS 17 has been designed to be their “ _ **greatest and most refined computing experience ever**_ ”, and that claim seems well-founded.
|
||||||
|
|
||||||
|
Let's begin with their “ **Spatial Desktop** ” implementation, for instance. It is **meant to give users better contextual awareness** of what's happening on their desktop.
|
||||||
|
|
||||||
|
![][4]
|
||||||
|
|
||||||
|
A new ' **Desktop Cube** ' has been added that lets you switch between workspaces in a 3D cube-style view that employs a parallax effect to show you a floaty appearance of the app windows.
|
||||||
|
|
||||||
|
![][5]
|
||||||
|
|
||||||
|
This has also made way for a new “ **Spatial Window Switcher** ” that replaces the standard flat/2D Alt+Tab and Super+Tab window switching dialogs with a 3D window switcher that looks neat.
|
||||||
|
|
||||||
|
These do look nice in my opinion; however, these effects might not be everyone's cup of tea, luckily **these “Spatial Features” are not enabled by default**.
|
||||||
|
|
||||||
|
Having said that, it is **a bold move for a Linux distribution to include more things (or effects) that promote visual interactions through such features**. While Zorin OS was already a visually appealing distribution, the new multitasking workflow with the spatial desktop should take it up a notch.
|
||||||
|
|
||||||
|
A macOS user or a Windows user, who may not be a fan of a typical Linux distribution user interface, might just consider giving Linux a try with Zorin OS's visual approach.
|
||||||
|
|
||||||
|
Sure, it may not be rocket science (or a unique implementation) but I believe it makes a difference to countless users with visual experience as a priority.
|
||||||
|
|
||||||
|
Zorin OS is doing all that, while keeping the core benefit " _giving users the control for their experience_ ". I like how they are adding these visual goodies, making the computing experience fun 😄
|
||||||
|
|
||||||
|
You will have to manually enable these features from the new “Effects” section under the **Zorin Appearance** settings.
|
||||||
|
|
||||||
|
Then there's the **advanced window tiling experience,** one of the most requested features by the community.
|
||||||
|
|
||||||
|
![][6]
|
||||||
|
|
||||||
|
You can now tile windows to use quarter screen corner tiling, and even use keyboard shortcuts to tile windows around the screen. This **will make it easier to multitask effortlessly**.
|
||||||
|
|
||||||
|
Even the **Software Store has been revamped** to be faster, and features a new design with an updated homepage that lists out applications in a very intuitive manner. The **app details page has also been improved** to show bigger screenshots, and new information.
|
||||||
|
|
||||||
|
![][7]
|
||||||
|
|
||||||
|
Similarly, **a new quick settings menu** has been introduced that gives you handy access to important settings, and also **allows you to tweak your system's performance** with the new power modes option (performance/balanced). The power modes should be helpful for laptop users.
|
||||||
|
|
||||||
|
![][8]
|
||||||
|
|
||||||
|
The devs also showcased **a new screenshot and screen recording** tool that will feel familiar if you have used the native one on GNOME.
|
||||||
|
|
||||||
|
They also mentioned **two new desktop layouts** , one is a **ChromeOS-like** layout, the other is a **GNOME 2-like** layout.
|
||||||
|
|
||||||
|
![ChromeOS-like layout][9]
|
||||||
|
|
||||||
|
These layouts will be available upon the release of Zorin OS 17 Pro.
|
||||||
|
|
||||||
|
**So, wrapping up.**
|
||||||
|
|
||||||
|
It is nice to see what Zorin OS is trying to achieve, **a user experience like this is usually unseen on Linux distros**. This should act as a way for Zorin to stand out, and **may even encourage more Windows and macOS users to try Linux**.
|
||||||
|
|
||||||
|
For more details of the upcoming Zorin OS 17 release, you can refer to the [official blog][10].
|
||||||
|
|
||||||
|
Before you go, **would you be interested in an early sneak peek?**
|
||||||
|
|
||||||
|
📋
|
||||||
|
|
||||||
|
You can download the ****Zorin OS 17 Core Beta**** right now from the [official website][11]. Just keep in mind that this is ****not recommended for production/daily use****.
|
||||||
|
|
||||||
|
[Zorin OS 17 Core Beta][11]
|
||||||
|
|
||||||
|
_💬 Are you hyped for the Zorin 17 release? Let us know below!_
|
||||||
|
|
||||||
|
* * *
|
||||||
|
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
via: https://news.itsfoss.com/zorin-os-17-beta/
|
||||||
|
|
||||||
|
作者:[Sourav Rudra][a]
|
||||||
|
选题:[lujun9972][b]
|
||||||
|
译者:[译者ID](https://github.com/译者ID)
|
||||||
|
校对:[校对者ID](https://github.com/校对者ID)
|
||||||
|
|
||||||
|
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||||
|
|
||||||
|
[a]: https://news.itsfoss.com/author/sourav/
|
||||||
|
[b]: https://github.com/lujun9972
|
||||||
|
[1]: https://itsfoss.com/beautiful-linux-distributions/
|
||||||
|
[2]: https://itsfoss.com/content/images/size/w256h256/2022/12/android-chrome-192x192.png
|
||||||
|
[3]: https://news.itsfoss.com/content/images/2023/12/ZorinOS_17_beta_1.jpg
|
||||||
|
[4]: https://news.itsfoss.com/content/images/2023/12/ZorinOS_17_beta_2a.gif
|
||||||
|
[5]: https://news.itsfoss.com/content/images/2023/12/ZorinOS_17_beta_2b.jpg
|
||||||
|
[6]: https://news.itsfoss.com/content/images/2023/12/ZorinOS_17_beta_3.jpg
|
||||||
|
[7]: https://news.itsfoss.com/content/images/2023/12/ZorinOS_17_beta_4.jpg
|
||||||
|
[8]: https://news.itsfoss.com/content/images/2023/12/ZorinOS_17_beta_5.jpg
|
||||||
|
[9]: https://news.itsfoss.com/content/images/2023/12/layout-chromeos.jpg
|
||||||
|
[10]: https://blog.zorin.com/2023/12/04/a-sneak-peek-at-zorin-os-17/
|
||||||
|
[11]: https://zorin.com/os/download/17/core/beta/
|
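Review bot: In the download callout near the end, `****Zorin OS 17 Core Beta****` and `****not recommended for production/daily use****` carry doubled bold markers; one pair, `**…**`, is enough and avoids renderer differences. The `**Suggested Read** 📖` stub is followed only by `![][2]`, which points at the android-chrome site icon, so the embedded card carries no article link and should be removed before translation. The subtitle is also split across two lines (“… What do you” / “think?”) and should be rejoined.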
@ -1,176 +0,0 @@
|
|||||||
[#]: subject: "5 Most Privacy Focused Web Browsers"
|
|
||||||
[#]: via: "https://itsfoss.com/privacy-web-browsers/"
|
|
||||||
[#]: author: "Ankush Das https://itsfoss.com/author/ankush/"
|
|
||||||
[#]: collector: "lujun9972/lctt-scripts-1700446145"
|
|
||||||
[#]: translator: " "
|
|
||||||
[#]: reviewer: " "
|
|
||||||
[#]: publisher: " "
|
|
||||||
[#]: url: " "
|
|
||||||
|
|
||||||
5 Most Privacy Focused Web Browsers
|
|
||||||
======
|
|
||||||
|
|
||||||
For many internet users, a web browser application is what they interact with the most. Whether you are on a desktop or mobile (and regardless of the platform), you will always end up using the web browser.
|
|
||||||
|
|
||||||
You access cloud storage, banking services, social media, e-commerce platforms, and numerous other services through it.
|
|
||||||
|
|
||||||
Hence, it is crucial for you to pick a web browser that respects privacy, and provides you a secure web experience.
|
|
||||||
|
|
||||||
Here, let me highlight the best privacy-focused options that you can utilize in any device of your choice.
|
|
||||||
|
|
||||||
### LibreWolf
|
|
||||||
|
|
||||||
![][1]
|
|
||||||
|
|
||||||
[LibreWolf][2] is a fork of Firefox with privacy enhancements out of the box.
|
|
||||||
|
|
||||||
It is not just Firefox with different configuration. LibreWolf get rids of all the telemetry, DRM protection, and adds various improvements to the security-side of things.
|
|
||||||
|
|
||||||
For instance, the browser deletes browsing and download history when you close it. However, you can always tweak this behavior and customize it to your liking following the [documentation][3].
|
|
||||||
|
|
||||||
Furthermore, you get [privacy-friendly search engines][4] like DuckDuckGo and Qwant. And, the uBlock Origin extension comes baked in by default.
|
|
||||||
|
|
||||||
Not just a private and secure experience, it also takes away some Firefox elements that some users may find distracting, like a cleaner new tab, and Firefox sync.
|
|
||||||
|
|
||||||
**Highlights:**
|
|
||||||
|
|
||||||
* A highly customized Firefox fork for privacy
|
|
||||||
* Customizations can be tweaked if needed
|
|
||||||
* Disables Firefox Sync by default
|
|
||||||
* Available for desktop platforms only (Linux, Windows, and macOS)
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Brave
|
|
||||||
|
|
||||||
![][5]
|
|
||||||
|
|
||||||
[Brave][6] is a popular option based on Chromium. It is known for providing a blazing fast user experience with web pages.
|
|
||||||
|
|
||||||
Brave features numerous privacy-centric settings, like the ability to sync browser data securely, without needing to create an account. The browser effectively blocks trackers to give you a private web experience.
|
|
||||||
|
|
||||||
You also get extras like the reward system (for opt-in ads) and crypto wallets.
|
|
||||||
|
|
||||||
While this is available cross-platform, the installation procedure for Linux systems is a bit different from others. You can refer to our guide for help:
|
|
||||||
|
|
||||||
![][7]
|
|
||||||
|
|
||||||
**Highlights:**
|
|
||||||
|
|
||||||
* Fast web page experience
|
|
||||||
* Familiar user experience to Chrome
|
|
||||||
* Secure browser sync option
|
|
||||||
* Extras like crypto wallet
|
|
||||||
* Available for Linux, Android, iOS, Windows, and macOS
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Firefox
|
|
||||||
|
|
||||||
![][8]
|
|
||||||
|
|
||||||
[Mozilla Firefox][9] is the go-to browser for countless privacy enthusiasts.
|
|
||||||
|
|
||||||
It features many privacy protection features that include abilities to block trackers, and set a different DNS.
|
|
||||||
|
|
||||||
Firefox provides a unique user experience with useful integrations like VPN, email aliases, Pocket, and a Firefox account to sync all your browser data conveniently.
|
|
||||||
|
|
||||||
With Firefox, you can customize the user interface, and tweak the experience with a JavaScript file as well. If you would rather not use any Firefox fork but want to improve the privacy game, you can take a look at [arkenfox configuration][10] on GitHub.
|
|
||||||
|
|
||||||
If you are confused between [Firefox and Brave][11], our comparison article can give you an in-depth look to help decide:
|
|
||||||
|
|
||||||
![][7]
|
|
||||||
|
|
||||||
**Highlights:**
|
|
||||||
|
|
||||||
* Privacy-focused features keeping usability in mind
|
|
||||||
* Firefox sync and Pocket integrations
|
|
||||||
* Available for Linux, Windows, Android, iOS, and macOS
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Tor Browser
|
|
||||||
|
|
||||||
![][12]
|
|
||||||
|
|
||||||
[Tor Browser][13] is the best bet for a privacy-conscious user.
|
|
||||||
|
|
||||||
Considering it is based on Firefox, you get the same fundamental experience with tweaks to level-up the security and privacy.
|
|
||||||
|
|
||||||
Unlike LibreWolf, Tor Browser lets you utilize the [Tor network][14], which could affect your web experience but gives a big privacy boost. You can browse [onion sites][15] to fight against censorship, and keep things private at the same time.
|
|
||||||
|
|
||||||
Similar to Brave, Tor Browser can be a bit tricky to install on Linux systems. If you are a Linux user, you might want to follow our tutorial:
|
|
||||||
|
|
||||||
![][7]
|
|
||||||
|
|
||||||
**Highlights:**
|
|
||||||
|
|
||||||
* Strict privacy with compromises to usability
|
|
||||||
* Tor network connection
|
|
||||||
* Available for Linux, Windows, Android, and macOS
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Mullvad Browser
|
|
||||||
|
|
||||||
![][16]
|
|
||||||
|
|
||||||
Mullvad is one of the [best VPN services][17] out there. The [Mullvad browser][18] is built in collaboration with the Tor Project to provide a solution tailored to be used with VPNs instead of the Tor network.
|
|
||||||
|
|
||||||
You can use any VPN service with Mullvad, if not their own. The browser includes extensions like uBlock Origin and NoScript by default to give you the private experience they aim for. Additionally, the browser does not support Firefox sync.
|
|
||||||
|
|
||||||
While you cannot remove the extensions, they do not recommend adding more.
|
|
||||||
|
|
||||||
**Highlights:**
|
|
||||||
|
|
||||||
* Tailored for VPN usage
|
|
||||||
* Pre-installed extensions that cannot be removed
|
|
||||||
* Available for desktop platforms only (Linux, Windows, and macOS)
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
**Suggested Read 📖**
|
|
||||||
|
|
||||||
![][7]
|
|
||||||
|
|
||||||
### Wrapping Up
|
|
||||||
|
|
||||||
The web is evolving and with various things to take care of, it is convenient to rely on a browser that focuses on privacy.
|
|
||||||
|
|
||||||
Among the browsers mentioned above, Firefox and Brave are popular picks for most. However, if you want a little more strict protection and configurations in your browser, LibreWolf should suffice.
|
|
||||||
|
|
||||||
Of course, with specially tailored browsers like Tor Browser, LibreWolf, and Mullvad, you lose the flexibility of accessing it on mobile devices. So, you can choose a separate browser for your smartphone, or pick one that supports all your devices.
|
|
||||||
|
|
||||||
_💬 What is your favorite privacy-focused web browser? Let us know in the comments below! And if you disagree with some entries in the list, express your views gracefully._
|
|
||||||
|
|
||||||
--------------------------------------------------------------------------------
|
|
||||||
|
|
||||||
via: https://itsfoss.com/privacy-web-browsers/
|
|
||||||
|
|
||||||
作者:[Ankush Das][a]
|
|
||||||
选题:[lujun9972][b]
|
|
||||||
译者:[译者ID](https://github.com/译者ID)
|
|
||||||
校对:[校对者ID](https://github.com/校对者ID)
|
|
||||||
|
|
||||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
|
||||||
|
|
||||||
[a]: https://itsfoss.com/author/ankush/
|
|
||||||
[b]: https://github.com/lujun9972
|
|
||||||
[1]: https://itsfoss.com/content/images/2023/12/librewolf.png
|
|
||||||
[2]: https://librewolf.net/
|
|
||||||
[3]: https://librewolf.net/docs/settings/
|
|
||||||
[4]: https://itsfoss.com/privacy-search-engines/
|
|
||||||
[5]: https://itsfoss.com/content/images/2023/12/brave.png
|
|
||||||
[6]: https://brave.com/en-in/
|
|
||||||
[7]: https://itsfoss.com/content/images/size/w256h256/2022/12/android-chrome-192x192.png
|
|
||||||
[8]: https://itsfoss.com/content/images/2023/12/firefox.png
|
|
||||||
[9]: https://www.mozilla.org/en-US/firefox/new/
|
|
||||||
[10]: https://github.com/arkenfox/user.js
|
|
||||||
[11]: https://itsfoss.com/brave-vs-firefox
|
|
||||||
[12]: https://itsfoss.com/content/images/2023/12/tor-browser.png
|
|
||||||
[13]: https://www.torproject.org/download/
|
|
||||||
[14]: https://itsfoss.com/tor-guide/
|
|
||||||
[15]: https://en.wikipedia.org/wiki/List_of_Tor_onion_services
|
|
||||||
[16]: https://itsfoss.com/content/images/2023/12/mullvad-browser.png
|
|
||||||
[17]: https://itsfoss.com/best-vpn-linux/
|
|
||||||
[18]: https://mullvad.net/en/browser
|
|
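Review bot: The `![][7]` placeholders after "our comparison article can give you an in-depth look to help decide:", after "you might want to follow our tutorial:" and under `**Suggested Read 📖**` all resolve to reference `[7]`, which is only the site icon (`android-chrome-192x192.png`), so each of those lead-ins ends in a colon that points at no article. The linked cards from the source page appear to have been reduced to their thumbnail. Either restore the target articles as ordinary reference links, or drop the three lead-ins and the icon references, so the translator is not asked to translate sentences that announce a link that is not there.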
198
sources/tech/20231204 A Web Application Firewall for Nginx.md
Normal file
@ -0,0 +1,198 @@
|
|||||||
|
[#]: subject: "A Web Application Firewall for Nginx"
|
||||||
|
[#]: via: "https://fedoramagazine.org/a-web-application-firewall-for-nginx/"
|
||||||
|
[#]: author: "Roman Gherta https://fedoramagazine.org/author/romangherta/"
|
||||||
|
[#]: collector: "lujun9972/lctt-scripts-1700446145"
|
||||||
|
[#]: translator: " "
|
||||||
|
[#]: reviewer: " "
|
||||||
|
[#]: publisher: " "
|
||||||
|
[#]: url: " "
|
||||||
|
|
||||||
|
A Web Application Firewall for Nginx
|
||||||
|
======
|
||||||
|
|
||||||
|
![][1]
|
||||||
|
|
||||||
|
Red Bricks by [Kenny Eliason][2] on [Unsplash][3] (cropped), Fire by [Cullan Smith][4] on [Unsplash][5] (stretched, flipped)
|
||||||
|
|
||||||
|
A web application firewall (WAF) is an application that monitors network traffic at the application layer.
|
||||||
|
|
||||||
|
[OSI (Open Systems Interconnection)][6] is one of the most referenced network traffic frameworks across internet related discussions. When a package crosses Layer 6 (Presentation) and moves towards Layer 7 (Application) it undergoes decrypting/decoding operations. Each of these operations can be susceptible to faulty decoding and interpretation that can be used to break out of the standard application context. Injections are just one type of such vulnerabilities and for a long time have been the number one cause of concern especially since traditional [IDS/IPS][7] appliances cannot handle these threats.
|
||||||
|
|
||||||
|
### About ModSecurity
|
||||||
|
|
||||||
|
[ModSecurity][8] was historically the web application firewall engine itself. It is compatible with Apache, IIS, and Nginx and has been maintained by a third-party company. The firewall cross references a list of rules to a stream of HTTP headers provided by a webserver/proxy. As of now this repository was simplified and contains only the main library _LibModSecurity_. The library itself can be called from your own server implementation directly or via wrappers specific to individual programming languages.
|
||||||
|
|
||||||
|
The parent company’s support is scheduled to end on July 1 2024 at which time the project is supposed to be maintained by the open-source community.
|
||||||
|
|
||||||
|
### Install the Nginx connector
|
||||||
|
|
||||||
|
The [Nginx connector][9] is an Nginx dynamic module and it can be installed via the Fedora package _nginx-mod-modsecurity_. It has _libmodsecurity.so_ as a dependency so for this use-case this package is the firewall itself.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
[user@fedora ~]$ sudo dnf install -y nginx nginx-mod-modsecurity
|
||||||
|
[user@fedora ~]$ rpm -qR nginx-mod-modsecurity
|
||||||
|
config(nginx-mod-modsecurity) = 1.0.3-3.fc38
|
||||||
|
libc.so.6(GLIBC_2.4)(64bit)
|
||||||
|
libmodsecurity.so.3()(64bit)
|
||||||
|
nginx(abi) = 1.24.0
|
||||||
|
nginx-filesystem
|
||||||
|
...
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Once installed, you will see that the connector adds a few important files to /etc/nginx.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
[user@fedora ~]$ rpm -ql nginx-mod-modsecurity
|
||||||
|
/etc/nginx/modsecurity.conf # waf config
|
||||||
|
/etc/nginx/nginx.conf.modsecurity # nginx sample conf
|
||||||
|
/usr/lib64/nginx/modules/ngx_http_modsecurity_module.so
|
||||||
|
/usr/share/nginx/modules/mod-modsecurity.conf
|
||||||
|
/usr/share/doc/nginx-mod-modsecurity/README.md
|
||||||
|
...
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
The connector extends Nginx by providing some extra configuration directives. The following sections will demonstrate a few of the example directives in the _nginx.conf.modsecurity_ file. A complete list of the directives can be found in the _README.md_ file or on the project’s GitHub page.
|
||||||
|
|
||||||
|
### Enable the web application firewall
|
||||||
|
|
||||||
|
_nginx.conf.modsecurity_ is the Nginx configuration we are going to run. Uncomment the _modsec*_ lines as shown below.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
[user@fedora ~]$ sudo sed -i 's/#modsec/modsec/g' /etc/nginx/nginx.conf.modsecurity
|
||||||
|
[user@fedora ~]$ grep -C2 modsecurity /etc/nginx/nginx.conf.modsecurity
|
||||||
|
# Enable ModSecurity WAF, if need
|
||||||
|
modsecurity on;
|
||||||
|
# Load ModSecurity CRS, if need
|
||||||
|
modsecurity_rules_file /etc/nginx/modsecurity.conf;
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Start the server inside the shell and observe the logs to make sure the seven default rules defined in _modsecurity.conf_ are loaded.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
[user@fedora ~]$ sudo nginx -c /etc/nginx/nginx.conf.modsecurity
|
||||||
|
[user@fedora ~]$ head /var/log/nginx/error.log
|
||||||
|
2023/10/21 23:55:09 [notice] 46218#46218: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/7/0)
|
||||||
|
2023/10/21 23:55:09 [notice] 46218#46218: using the "epoll" event method
|
||||||
|
2023/10/21 23:55:09 [notice] 46218#46218: nginx/1.24.0
|
||||||
|
2023/10/21 23:55:09 [notice] 46218#46218: OS: Linux 6.5.7-200.fc38.x86_64
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Test the default rules by sending some data that does not respect the _content-type_ header format.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
[user@fedora ~]$ curl -X POST http://localhost -H "Content-Type: application/json" --data "<xml></xml>"
|
||||||
|
[user@fedora ~]$ tail /var/log/modsec_audit.log
|
||||||
|
...
|
||||||
|
---rH5bFain---H--
|
||||||
|
ModSecurity: Warning. Matched "Operator `Eq' with parameter `0' against variable `REQBODY_ERROR' (Value: `1' ) [file "/etc/nginx/modsecurity.conf"] [line "75"] [id "200002"] [rev ""] [msg "Failed to parse request body."] [data "JSON parsing error: lexical error: invalid char in json text.\x0a"] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [hostname "10.0.2.100"] [uri "/"] [unique_id "169795900388.487044"] [ref "v121,1"]
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
### Extend your web application firewall with the OWASP core rule set
|
||||||
|
|
||||||
|
The default Nginx connector comes with seven rules. The OWASP [Core Rule Set v3.3.5][10] is more extensive and covers many scenarios.
|
||||||
|
|
||||||
|
Copy the archive and extract the rules.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
[user@fedora ~]$ curl -fSL https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.5.tar.gz --output /tmp/v3.3.5.tar.gz
|
||||||
|
[user@fedora ~]$ sudo tar -C /etc/nginx -xvf /tmp/v3.3.5.tar.gz
|
||||||
|
[user@fedora ~]$ tree -L 1 /etc/nginx/
|
||||||
|
/etc/nginx/
|
||||||
|
├── conf.d
|
||||||
|
├── default.d
|
||||||
|
├── modsecurity.conf # waf config
|
||||||
|
├── nginx.conf
|
||||||
|
├── nginx.conf.modsecurity # nginx waf enabled
|
||||||
|
├── coreruleset-3.3.5
|
||||||
|
├ ├── rules # rules directory
|
||||||
|
├ ...
|
||||||
|
├ ...
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
You now have a _rules_ directory within the nginx configuration folder with all the current OWASP rules. Next, make Nginx aware of these rules. The following instructions originate from the OWASP [./INSTALL][11] file.
|
||||||
|
|
||||||
|
Create a _crs.conf_ file and include all the relevant config files in the global web application firewall config file ( _modsecurity.conf_ ).
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
[user@fedora ~]$ sudo cp /etc/nginx/coreruleset-3.3.5/crs-setup.conf.example /etc/nginx/coreruleset-3.3.5/crs.conf
|
||||||
|
[user@fedora ~]$ echo -e "\nInclude /etc/nginx/coreruleset-3.3.5/crs.conf" | sudo tee -a /etc/nginx/modsecurity.conf
|
||||||
|
[user@fedora ~]$ echo -e "\nInclude /etc/nginx/coreruleset-3.3.5/rules/*.conf" | sudo tee -a /etc/nginx/modsecurity.conf
|
||||||
|
[user@fedora ~]$ tail /etc/nginx/modsecurity.conf
|
||||||
|
Include /etc/nginx/coreruleset-3.3.5/crs.conf
|
||||||
|
Include /etc/nginx/coreruleset-3.3.5/rules/*.conf
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
According to docs, the order of including these files is important. The _tee_ command shown above has placed the new _Include_ lines at the end of the _modsecurity.conf_ file. Now, reload Nginx with this new configuration.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
[user@fedora ~]$ sudo nginx -s stop && sudo nginx -c /etc/nginx/nginx.conf.modsecurity
|
||||||
|
[user@fedora ~]$ tail /var/log/nginx/error.log
|
||||||
|
2023/10/22 10:53:23 [notice] 202#202: exit
|
||||||
|
2023/10/22 10:53:50 [notice] 230#230: ModSecurity-nginx v1.0.3 (rules loaded inline/local/remote: 0/921/0)
|
||||||
|
2023/10/22 10:53:50 [notice] 230#230: using the "epoll" event method
|
||||||
|
2023/10/22 10:53:50 [notice] 230#230: nginx/1.24.0
|
||||||
|
2023/10/22 10:53:50 [notice] 230#230: OS: Linux 6.5.7-200.fc38.x86_64
|
||||||
|
2023/10/22 10:53:50 [notice] 230#230: getrlimit(RLIMIT_NOFILE): 524288:524288
|
||||||
|
2023/10/22 10:53:50 [notice] 231#231: start worker processes
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Notice Nginx loaded _921_ rules successfully. Some tests are also needed to make sure the rules are actually checked by the web application firewall. Here again, we reference the snippet _Testing the Installation_ from the _./INSTALL_ file.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
[user@fedora ~]$ curl 'http://localhost/?param=''><script>alert(1);</script>'
|
||||||
|
[user@fedora ~]$ tail /var/log/modsec_audit.log
|
||||||
|
...
|
||||||
|
---8NSpdnLe---H--
|
||||||
|
ModSecurity: Warning. detected XSS using libinjection. [file "/etc/nginx/coreruleset-3.3.5/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "38"] [id "941100"] [rev ""] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:param: ><script>alert(1);</script>"] [severity "2"] [ver "OWASP_CRS/3.3.5"]
|
||||||
|
...
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
### Conclusions
|
||||||
|
|
||||||
|
How to configure a web application firewall for an Nginx server has been demonstrated. This deployment uses standard rules plus the _OWASP Core Rule Set v3.3.5._ The firewall demonstrated above is running in **detection mode** and logging unusual actions. Running the firewall in **prevention mode** requires further changes to _modsecurity.conf._ Refer to [ModSecurity Reference Manual v3.x][12] for instructions on how to enable prevention mode and much more.
|
||||||
|
|
||||||
|
All the best.
|
||||||
|
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
via: https://fedoramagazine.org/a-web-application-firewall-for-nginx/
|
||||||
|
|
||||||
|
作者:[Roman Gherta][a]
|
||||||
|
选题:[lujun9972][b]
|
||||||
|
译者:[译者ID](https://github.com/译者ID)
|
||||||
|
校对:[校对者ID](https://github.com/校对者ID)
|
||||||
|
|
||||||
|
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||||
|
|
||||||
|
[a]: https://fedoramagazine.org/author/romangherta/
|
||||||
|
[b]: https://github.com/lujun9972
|
||||||
|
[1]: https://fedoramagazine.org/wp-content/uploads/2023/11/waf-nginx-816x345.jpg
|
||||||
|
[2]: https://unsplash.com/@neonbrand?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
|
||||||
|
[3]: https://unsplash.com/photos/red-bricks-wall-XEsx2NVpqWY?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
|
||||||
|
[4]: https://unsplash.com/@cullansmith?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
|
||||||
|
[5]: https://unsplash.com/photos/red-fire-digital-wallpaper-BdTtvBRhOng?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash
|
||||||
|
[6]: https://osi-model.com/
|
||||||
|
[7]: https://en.wikipedia.org/wiki/Intrusion_detection_system
|
||||||
|
[8]: https://github.com/SpiderLabs/ModSecurity
|
||||||
|
[9]: https://github.com/SpiderLabs/ModSecurity-nginx
|
||||||
|
[10]: https://github.com/coreruleset/coreruleset/tree/v3.3.5/rules
|
||||||
|
[11]: https://github.com/coreruleset/coreruleset/blob/v3.3.5/INSTALL
|
||||||
|
[12]: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v3.x)
|
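Review bot: In the "Extend your web application firewall with the OWASP core rule set" section, the archive fetched with `curl -fSL .../v3.3.5.tar.gz --output /tmp/v3.3.5.tar.gz` is unpacked straight away by `sudo tar -C /etc/nginx -xvf /tmp/v3.3.5.tar.gz`, so an unverified download is extracted as root into the server's configuration directory and then pulled into the WAF through `Include .../rules/*.conf`. A step that checks the archive against a checksum or signature obtained from the project before extraction would close that gap. Also worth moving up: the statement that the firewall runs in **detection mode** appears only in the Conclusions, so a reader who stops after the `921` rules load may assume matching requests are being blocked. A one-line note beside `modsecurity on;` would make that clear at the point where it matters.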
260
sources/tech/20231204 How to Install Docker on Ubuntu.md
Normal file
@ -0,0 +1,260 @@
|
|||||||
|
[#]: subject: "How to Install Docker on Ubuntu"
|
||||||
|
[#]: via: "https://itsfoss.com/install-docker-ubuntu/"
|
||||||
|
[#]: author: "Sagar Sharma https://itsfoss.com/author/sagar/"
|
||||||
|
[#]: collector: "lujun9972/lctt-scripts-1700446145"
|
||||||
|
[#]: translator: " "
|
||||||
|
[#]: reviewer: " "
|
||||||
|
[#]: publisher: " "
|
||||||
|
[#]: url: " "
|
||||||
|
|
||||||
|
How to Install Docker on Ubuntu
|
||||||
|
======
|
||||||
|
|
||||||
|
Using Docker means opening a new realm of computing but if you are just getting started with Docker, the installation may seem a huge task.
|
||||||
|
|
||||||
|
There are two recommended ways of installing Docker on Ubuntu:
|
||||||
|
|
||||||
|
* **Installing Docker from Ubuntu's repository** : Easy, single line command but gives a little old version
|
||||||
|
* **Using Docker's official repository:** Slightly more work but gives the most recent stable release
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
And I will be discussing both of them in this tutorial.
|
||||||
|
|
||||||
|
### Method 1: Install Docker using Ubuntu's repository
|
||||||
|
|
||||||
|
If you don't care about having a little older version and don't want to get into setting and managing repositories, then this is the best method for you.
|
||||||
|
|
||||||
|
Start with updating the repository index:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo apt update
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Now, you can use the following command to install Docker as well as [Docker Compose][1] in Ubuntu:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo apt install docker.io docker-compose
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
📋
|
||||||
|
|
||||||
|
The Docker package is named docker.io because there existed a transitional package named docker (for docklet applications) even before Docker came into existence. For this reason, the Docker package had to be named something else.
|
||||||
|
|
||||||
|
Once you are done with the installation, you can check the installed version using the following command:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
docker -v
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
![][2]
|
||||||
|
|
||||||
|
As you can see, it gave me Docker version 24.0.5.
|
||||||
|
|
||||||
|
### Method 2: Install the latest stable version of Docker in Ubuntu
|
||||||
|
|
||||||
|
If you want the most recent stable version of Docker, then you can install Docker from their official repository.
|
||||||
|
|
||||||
|
#### Step 1: Remove any existing Docker packages
|
||||||
|
|
||||||
|
But before you jump to the installation part, it is necessary to remove any old installation of Docker.
|
||||||
|
|
||||||
|
To [uninstall the old Docker installation][3], use the following command.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo apt remove docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Step 2: Install dependencies
|
||||||
|
|
||||||
|
The first step is to install some essential packages which will be used to install Docker later in this tutorial:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo apt install ca-certificates curl gnupg lsb-release
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
You may already have some or all of these packages installed but no harm in ensuring that. The above command won't harm you.
|
||||||
|
|
||||||
|
#### Step 3: Add GPG key of Docker repository and add it to sources.list
|
||||||
|
|
||||||
|
Now, create a directory with special permissions suitable for storing cryptographic keyrings by the apt package manager for package verification:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo install -m 0755 -d /etc/apt/keyrings
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Next, [use the curl command][4] as shown below to download and import GPG keyring for Docker:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
After downloading the GPG keyring, [change the file permissions using the chmod command][5] so every user on the system can read the GPG keyring:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo chmod a+r /etc/apt/keyrings/docker.gpg
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Finally, add the Docker repository to the `sources.list.d` file:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
echo \
|
||||||
|
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
|
||||||
|
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
|
||||||
|
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
That's it!
|
||||||
|
|
||||||
|
#### Step 4: Installing Docker and Docker Compose
|
||||||
|
|
||||||
|
Now, to take effect from the changes you've made to the system, update the system repository:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo apt update
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Grab the latest version of Docker along with other Docker components and dependencies using the following command:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
📋
|
||||||
|
|
||||||
|
While the docker.io package installs most of the necessary Docker components, you'll need to do it individually here.
|
||||||
|
|
||||||
|
To check the installed version, use the following command:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
docker -v
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
![][6]
|
||||||
|
|
||||||
|
Another great way to test the installation is to use the Hello World image in Docker.
|
||||||
|
|
||||||
|
Lemme show you how to do it.
|
||||||
|
|
||||||
|
### Use a hello-world image to verify the Docker installation
|
||||||
|
|
||||||
|
Running a Hello World program is a standard practice that we all follow to kick-start any programming journey and the same goes for Docker.
|
||||||
|
|
||||||
|
Docker provides you with a Hello World image that you can use to test the installation.
|
||||||
|
|
||||||
|
To install and run the Hello World image, simply use the following:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo docker run hello-world
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
![][7]
|
||||||
|
|
||||||
|
Some users may get an error while executing the above command saying "Cannot connect to the Docker daemon":
|
||||||
|
|
||||||
|
![][8]
|
||||||
|
|
||||||
|
In that case, **reboot your system** and try again to install the Docker Hello World image and it'll work just fine.
|
||||||
|
|
||||||
|
### 💡Bonus Tip: Use docker without sudo in Ubuntu
|
||||||
|
|
||||||
|
If you noticed, I used sudo to pull the docker image which is not the most convenient way to use the Docker.
|
||||||
|
|
||||||
|
If you try to use Docker without sudo, it will give you an error:
|
||||||
|
|
||||||
|
![][9]
|
||||||
|
|
||||||
|
Well, in this section, I will show you how you can use Docker without sudo.
|
||||||
|
|
||||||
|
📋
|
||||||
|
|
||||||
|
To perform the shown steps, superuser privileges are a must!
|
||||||
|
|
||||||
|
The first step is to [create a new group][10] named `Docker` using the following:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo groupadd docker
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Once done, add the user to the Docker group using the following:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo usermod -aG docker <username>
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
🚧
|
||||||
|
|
||||||
|
Make sure you only mention the user who has super-user privileges.
|
||||||
|
|
||||||
|
Now, log out and log back in to take effect from the changes. But if you are using a VM then reboot is a must.
|
||||||
|
|
||||||
|
That's it! From now on, you can use the docker commands without sudo like I did to run the Docker Hello World image:
|
||||||
|
|
||||||
|
![][11]
|
||||||
|
|
||||||
|
There you go.
|
||||||
|
|
||||||
|
### Here's what to do after installing Docker
|
||||||
|
|
||||||
|
If you are just getting started, then refer to the [list of essential Docker commands][12] that every user must know:
|
||||||
|
|
||||||
|
![][13]
|
||||||
|
|
||||||
|
I hope you will find this helpful.
|
||||||
|
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
via: https://itsfoss.com/install-docker-ubuntu/
|
||||||
|
|
||||||
|
作者:[Sagar Sharma][a]
|
||||||
|
选题:[lujun9972][b]
|
||||||
|
译者:[译者ID](https://github.com/译者ID)
|
||||||
|
校对:[校对者ID](https://github.com/校对者ID)
|
||||||
|
|
||||||
|
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||||
|
|
||||||
|
[a]: https://itsfoss.com/author/sagar/
|
||||||
|
[b]: https://github.com/lujun9972
|
||||||
|
[1]: https://linuxhandbook.com/docker-compose-quick-start/
|
||||||
|
[2]: https://itsfoss.com/content/images/2023/12/Check-the-installed-version-of-docker-in-Ubuntu.png
|
||||||
|
[3]: https://learnubuntu.com/uninstall-docker/
|
||||||
|
[4]: https://learnubuntu.com/install-curl/
|
||||||
|
[5]: https://learnubuntu.com/chmod-command/
|
||||||
|
[6]: https://itsfoss.com/content/images/2023/12/Install-the-latest-version-of-Docker-in-Ubuntu-using-Docker-s-official-repository.png
|
||||||
|
[7]: https://itsfoss.com/content/images/2023/12/Run-hello-world-docker-image-in-Ubuntu.png
|
||||||
|
[8]: https://itsfoss.com/content/images/2023/12/Docker-error.png
|
||||||
|
[9]: https://itsfoss.com/content/images/2023/12/Docker-sudo-error-in-Ubuntu.png
|
||||||
|
[10]: https://learnubuntu.com/add-group/
|
||||||
|
[11]: https://itsfoss.com/content/images/2023/12/Use-docker-without-sudo-in-Ubuntu.png
|
||||||
|
[12]: https://linuxhandbook.com/essential-docker-commands/
|
||||||
|
[13]: https://linuxhandbook.com/content/images/size/w256h256/2021/08/Linux-Handbook-New-Logo.png
|
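Review bot: The "Use docker without sudo" section adds an account to the `docker` group with `sudo usermod -aG docker <username>` but never says what that grants: membership in this group gives root-equivalent control of the host through the Docker daemon. The 🚧 note ("Make sure you only mention the user who has super-user privileges") hints at this without explaining it, so a sentence stating the reason belongs next to the command. Two smaller points in the same hunk: the text says to create a group named `Docker` while the command creates `docker`, and Step 3 calls `sources.list.d` a file although the command writes `docker.list` inside that directory. Step 3 also imports the key with `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor` without comparing its fingerprint to a published value before trusting it for package verification.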
@ -0,0 +1,219 @@
|
|||||||
|
[#]: subject: "Mounting git commits as folders with NFS"
|
||||||
|
[#]: via: "https://jvns.ca/blog/2023/12/04/mounting-git-commits-as-folders-with-nfs/"
|
||||||
|
[#]: author: "Julia Evans https://jvns.ca/"
|
||||||
|
[#]: collector: "lujun9972/lctt-scripts-1700446145"
|
||||||
|
[#]: translator: " "
|
||||||
|
[#]: reviewer: " "
|
||||||
|
[#]: publisher: " "
|
||||||
|
[#]: url: " "
|
||||||
|
|
||||||
|
Mounting git commits as folders with NFS
|
||||||
|
======
|
||||||
|
|
||||||
|
Hello! The other day, I started wondering – has anyone ever made a FUSE filesystem for a git repository where all every commit is a folder? It turns out the answer is yes! There’s [giblefs][1], [GitMounter][2], and [git9][3] for Plan 9.
|
||||||
|
|
||||||
|
But FUSE is pretty annoying to use on Mac – you need to install a kernel extension, and Mac OS seems to be making it harder and harder to install kernel extensions for security reasons. Also I had a few ideas for how to organize the filesystem differently than those projects.
|
||||||
|
|
||||||
|
So I thought it would be fun to experiment with ways to mount filesystems on Mac OS other than FUSE, so I built a project that does that called [git-commit-folders][4]. It works (at least on my computer) with both FUSE and NFS, and there’s a broken WebDav implementation too.
|
||||||
|
|
||||||
|
It’s pretty experimental (I’m not sure if this is actually a useful piece of software to have or just a fun toy to think about how git works) but it was fun to write and I’ve enjoyed using it myself on small repositories so here are some of the problems I ran into while writing it.
|
||||||
|
|
||||||
|
### goal: show how commits are like folders
|
||||||
|
|
||||||
|
The main reason I wanted to make this was to give folks some intuition for how git works under the hood. After all, git commits really _are_ very similar to folders – every Git commit [contains a directory listing][5] of the files in it, and that directory can have subdirectories, etc.
|
||||||
|
|
||||||
|
It’s just that git commits aren’t _actually_ implemented as folders to save disk space.
|
||||||
|
|
||||||
|
So in `git-commit-folders`, every commit is actually a folder, and if you want to explore your old commits, you can do it just by exploring the filesystem! For example, if I look at the initial commit for my blog, it looks like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
$ ls commits/8d/8dc0/8dc0cb0b4b0de3c6f40674198cb2bd44aeee9b86/
|
||||||
|
README
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
and a few commits later, it looks like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
$ ls /tmp/git-homepage/commits/c9/c94e/c94e6f531d02e658d96a3b6255bbf424367765e9/
|
||||||
|
_config.yml config.rb Rakefile rubypants.rb source
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
### branches are symlinks
|
||||||
|
|
||||||
|
In the filesystem mounted by `git-commit-folders`, commits are the only real folders – everything else (branches, tags, etc) is a symlink to a commit. This mirrors how git works under the hood.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
$ ls -l branches/
|
||||||
|
lr-xr-xr-x 59 bork bazil-fuse -> ../commits/ff/ff56/ff563b089f9d952cd21ac4d68d8f13c94183dcd8
|
||||||
|
lr-xr-xr-x 59 bork follow-symlink -> ../commits/7f/7f73/7f73779a8ff79a2a1e21553c6c9cd5d195f33030
|
||||||
|
lr-xr-xr-x 59 bork go-mod-branch -> ../commits/91/912d/912da3150d9cfa74523b42fae028bbb320b6804f
|
||||||
|
lr-xr-xr-x 59 bork mac-version -> ../commits/30/3008/30082dcd702b59435f71969cf453828f60753e67
|
||||||
|
lr-xr-xr-x 59 bork mac-version-debugging -> ../commits/18/18c0/18c0db074ec9b70cb7a28ad9d3f9850082129ce0
|
||||||
|
lr-xr-xr-x 59 bork main -> ../commits/04/043e/043e90debbeb0fc6b4e28cf8776e874aa5b6e673
|
||||||
|
$ ls -l tags/
|
||||||
|
lr-xr-xr-x - bork 31 Dec 1969 test-tag -> ../commits/16/16a3/16a3d776dc163aa8286fb89fde51183ed90c71d0
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
This definitely doesn’t completely explain how git works (there’s a lot more to it than just “a commit is like a folder!”), but my hope is that it makes thie idea that every commit is like a folder with an old version of your code” feel a little more concrete.
|
||||||
|
|
||||||
|
### why might this be useful?
|
||||||
|
|
||||||
|
Before I get into the implementation, I want to talk about why having a filesystem with a folder for every git commit in it might be useful. A lot of my projects I end up never really using at all (like [dnspeep][6]) but I did find myself using this project a little bit while I was working on it.
|
||||||
|
|
||||||
|
The main uses I’ve found so far are:
|
||||||
|
|
||||||
|
* searching for a function I deleted – I can run `grep someFunction branch_histories/main/*/commit.go` to find an old version of it
|
||||||
|
* quickly looking at a file on another branch to copy a line from it, like `vim branches/other-branch/go.mod`
|
||||||
|
* searching every branch for a function, like `grep someFunction branches/*/commit.go`
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
All of these are through symlinks to commits instead of referencing commits directly.
|
||||||
|
|
||||||
|
None of these are the most efficient way to do this (you can use `git show` and `git log -S` or maybe `git grep` to accomplish something similar), but personally I always forget the syntax and navigating a filesystem feels easier to me. `git worktree` also lets you have multiple branches checked out at the same time, but to me it feels weird to set up an entire worktree just to look at 1 file.
|
||||||
|
|
||||||
|
Next I want to talk about some problems I ran into.
|
||||||
|
|
||||||
|
### problem 1: webdav or NFS?
|
||||||
|
|
||||||
|
The two filesystems I could that were natively supported by Mac OS were WebDav and NFS. I couldn’t tell which would be easier to implement so I just tried both.
|
||||||
|
|
||||||
|
At first webdav seemed easier and it turns out that golang.org/x/net has a [webdav implementation][7], which was pretty easy to set up.
|
||||||
|
|
||||||
|
But that implementation doesn’t support symlinks, I think because it uses the `io/fs` interface and `io/fs` doesn’t [support symlinks yet][8]. Looks like that’s in progress though. So I gave up on webdav and decided to focus on the NFS implementation, using this [go-nfs][9] NFSv3 library.
|
||||||
|
|
||||||
|
Someone also mentioned that there’s [FileProvider][10] on Mac but I didn’t look into that.
|
||||||
|
|
||||||
|
### problem 2: how to keep all the implementations in sync?
|
||||||
|
|
||||||
|
I was implementing 3 different filesystems (FUSE, NFS, and WebDav), and it wasn’t clear to me how to avoid a lot of duplicated code.
|
||||||
|
|
||||||
|
My friend Dave suggested writing one core implementation and then writing adapters (like `fuse2nfs` and `fuse2dav`) to translate it into the NFS and WebDav verions. What this looked like in practice is that I needed to implement 3 filesystem interfaces:
|
||||||
|
|
||||||
|
* `fs.FS` for FUSE
|
||||||
|
* `billy.Filesystem` for NFS
|
||||||
|
* `webdav.Filesystem` for webdav
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
So I put all the core logic in the `fs.FS` interface, and then wrote two functions:
|
||||||
|
|
||||||
|
* `func Fuse2Dav(fs fs.FS) webdav.FileSystem`
|
||||||
|
* `func Fuse2NFS(fs fs.FS) billy.Filesystem`
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
All of the filesystems were kind of similar so the translation wasn’t too hard, there were just 1 million annoying bugs to fix.
|
||||||
|
|
||||||
|
### problem 3: I didn’t want to list every commit
|
||||||
|
|
||||||
|
Some git repositories have thousands or millions of commits. My first idea for how to address this was to make `commits/` appear empty, so that it works like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
$ ls commits/
|
||||||
|
$ ls commits/80210c25a86f75440110e4bc280e388b2c098fbd/
|
||||||
|
fuse fuse2nfs go.mod go.sum main.go README.md
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
So every commit would be available if you reference it directly, but you can’t list them. This is a weird thing for a filesystem to do but it actually works fine in FUSE. I couldn’t get it to work in NFS though. I assume what’s going on here is that if you tell NFS that a directory is empty, it’ll interpret that the directory is actually empty, which is fair.
|
||||||
|
|
||||||
|
I ended up handling this by:
|
||||||
|
|
||||||
|
* organizing the commits by their 2-character prefix the way `.git/objects` does (so that `ls commits` shows `0b 03 05 06 07 09 1b 1e 3e 4a`), but doing 2 levels of this so that a `18d46e76d7c2eedd8577fae67e3f1d4db25018b0` is at `commits/18/18df/18d46e76d7c2eedd8577fae67e3f1d4db25018b0`
|
||||||
|
* listing all the packed commits hashes only once at the beginning, caching them in memory, and then only updating the loose objects afterwards. The idea is that almost all of the commits in the repo should be packed and git doesn’t repack its commits very often.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
This seems to work okay on the Linux kernel which has ~1 million commits. It takes maybe a minute to do the initial load on my machine and then after that it just needs to do fast incremental updates.
|
||||||
|
|
||||||
|
Each commit hash is only 20 bytes so caching 1 million commit hashes isn’t a big deal, it’s just 20MB.
|
||||||
|
|
||||||
|
I think a smarter way to do this would be to load the commit listings lazily – Git sorts its packfiles by commit ID, so you can pretty easily do a binary search to find all commits starting with `1b` or `1b8c`. The [git library][11] I was using doesn’t have great support for this though, because listing all commits in a Git repository is a really weird thing to do. I spent maybe a couple of days [trying to implement it][12] but I didn’t manage to get the performance I wanted so I gave up.
|
||||||
|
|
||||||
|
### problem 4: “not a directory”
|
||||||
|
|
||||||
|
I kept getting this error:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
"/tmp/mnt2/commits/59/59167d7d09fd7a1d64aa1d5be73bc484f6621894/": Not a directory (os error 20)
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
This really threw me off at first but it turns out that this just means that there was an error while listing the directory, and the way the NFS library handles that error is with “Not a directory”. This happened a bunch of times and I just needed to track the bug down every time.
|
||||||
|
|
||||||
|
There were a lot of weird errors like this. I also got `cd: system call interrupted` which was pretty upsetting but ultimately was just some other bug in my program.
|
||||||
|
|
||||||
|
Eventually I realized that I could use Wireshark to look at all the NFS packets being sent back and forth, which made some of this stuff easier to debug.
|
||||||
|
|
||||||
|
### problem 5: inode numbers
|
||||||
|
|
||||||
|
At first I was accidentally setting all my directory inode numbers to 0. This was bad because if if you run `find` on a directory where the inode number of every directory is 0, it’ll complain about filesystem loops and give up, which is very fair.
|
||||||
|
|
||||||
|
I fixed this by defining an `inode(string)` function which hashed a string to get the inode number, and using the tree ID / blob ID as the string to hash.
|
||||||
|
|
||||||
|
### problem 6: stale file handles
|
||||||
|
|
||||||
|
I kept getting this “Stale NFS file handle” error. The problem is that I need to be able to take an opaque 64-byte NFS “file handle” and map it to the right directory.
|
||||||
|
|
||||||
|
The way the NFS library I’m using works is that it generates a file handle for every file and caches those references with a fixed size cache. This works fine for small repositories, but if there are too many files then it’ll overflow the cache and you’ll start getting stale file handle errors.
|
||||||
|
|
||||||
|
This is still a problem and I’m not sure how to fix it. I don’t understand how real NFS servers do this, maybe they just have a really big cache?
|
||||||
|
|
||||||
|
The NFS file handle is 64 bytes (64 bytes! not bits!) which is pretty big, so it does seem like you could just encode the entire file path in the handle a lot of the time and not cache it at all. Maybe I’ll try to implement that at some point.
|
||||||
|
|
||||||
|
### problem 7: branch histories
|
||||||
|
|
||||||
|
The `branch_histories/` directory only lists the latest 100 commits for each branch right now. Not sure what the right move is there – it would be nice to be able to list the full history of the branch somehow. Maybe I could use a similar subfolder trick to the `commits/` directory.
|
||||||
|
|
||||||
|
### problem 8: submodules
|
||||||
|
|
||||||
|
Git repositories sometimes have submodules. I don’t understand anything about submodules so right now I’m just ignoring them. So that’s a bug.
|
||||||
|
|
||||||
|
### problem 9: is NFSv4 better?
|
||||||
|
|
||||||
|
I built this with NFSv3 because the only Go library I could find at the time was an NFSv3 library. After I was done I discovered that the buildbarn project has an [NFSv4 server][13] in it. Would it be better to use that?
|
||||||
|
|
||||||
|
I don’t know if this is actually a problem or how big of an advantage it would be to use NFSv4. I’m also a little unsure about using the buildbarn NFS library because it’s not clear if they expect other people to use it or not.
|
||||||
|
|
||||||
|
### that’s all!
|
||||||
|
|
||||||
|
There are probably more problems I forgot but that’s all I can think of for now. I may or may not fix the NFS stale file handle problem or the “it takes 1 minute to start up on the linux kernel” problem, who knows!
|
||||||
|
|
||||||
|
Thanks to my friend [vasi][14] who explained one million things about filesystems to me.
|
||||||
|
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
via: https://jvns.ca/blog/2023/12/04/mounting-git-commits-as-folders-with-nfs/
|
||||||
|
|
||||||
|
作者:[Julia Evans][a]
|
||||||
|
选题:[lujun9972][b]
|
||||||
|
译者:[译者ID](https://github.com/译者ID)
|
||||||
|
校对:[校对者ID](https://github.com/校对者ID)
|
||||||
|
|
||||||
|
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||||
|
|
||||||
|
[a]: https://jvns.ca/
|
||||||
|
[b]: https://github.com/lujun9972
|
||||||
|
[1]: https://github.com/fanzeyi/giblefs
|
||||||
|
[2]: https://belkadan.com/blog/2023/11/GitMounter/
|
||||||
|
[3]: https://orib.dev/git9.html
|
||||||
|
[4]: https://github.com/jvns/git-commit-folders
|
||||||
|
[5]: https://jvns.ca/blog/2023/09/14/in-a-git-repository--where-do-your-files-live-/#commit-step-2-look-at-the-tree
|
||||||
|
[6]: https://github.com/jvns/dnspeep
|
||||||
|
[7]: https://pkg.go.dev/golang.org/x/net/webdav
|
||||||
|
[8]: https://github.com/golang/go/issues/49580
|
||||||
|
[9]: https://github.com/willscott/go-nfs/
|
||||||
|
[10]: https://developer.apple.com/documentation/fileprovider/
|
||||||
|
[11]: https://github.com/go-git/go-git
|
||||||
|
[12]: https://github.com/jvns/git-commit-folders/tree/fast-commits
|
||||||
|
[13]: https://github.com/buildbarn/bb-adrs/blob/master/0009-nfsv4.md
|
||||||
|
[14]: https://github.com/vasi
|
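Review bot: The two-level path example in the "problem 3" list is inconsistent with its own hash: `commits/18/18df/18d46e76d7c2eedd8577fae67e3f1d4db25018b0` uses the directory `18df`, but the hash starts with `18d4`, and the symlink listing earlier in the file shows the four-character level as a true prefix (`../commits/18/18c0/18c0db07...`). Please check this against the article at the `via:` URL and either correct it or carry a translator's note, so the translation does not repeat a path that cannot exist. The same pass should pick up the small slips that will otherwise confuse translation: "thie idea" with an unmatched closing quote, "The two filesystems I could that were natively supported", "verions", "if if you run", and the interface named `webdav.Filesystem` in one list but `webdav.FileSystem` in the `Fuse2Dav` signature.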
302
sources/tech/20231205 7 Sudo Tips and Tweaks for Linux Users.md
Normal file
@ -0,0 +1,302 @@
|
|||||||
|
[#]: subject: "7 Sudo Tips and Tweaks for Linux Users"
|
||||||
|
[#]: via: "https://itsfoss.com/sudo-tips/"
|
||||||
|
[#]: author: "Abhishek Prakash https://itsfoss.com/author/abhishek/"
|
||||||
|
[#]: collector: "lujun9972/lctt-scripts-1700446145"
|
||||||
|
[#]: translator: " "
|
||||||
|
[#]: reviewer: " "
|
||||||
|
[#]: publisher: " "
|
||||||
|
[#]: url: " "
|
||||||
|
|
||||||
|
7 Sudo Tips and Tweaks for Linux Users
|
||||||
|
======
|
||||||
|
|
||||||
|
You know sudo, right? You must have used it at some point in the time.
|
||||||
|
|
||||||
|
For most Linux users, it is the magical tool that gives you the ability to run any command as root or switch to the root user.
|
||||||
|
|
||||||
|
But that's only half-truth. See, sudo is not an absolute command. **sudo is a tool that can be configured to your need and liking**.
|
||||||
|
|
||||||
|
Ubuntu, Debian and other distros come preconfigured with sudo in a way that allows to them to run any command as root. That makes many users believe that sudo is some kind of magical switch that instantly gives you the root access.
|
||||||
|
|
||||||
|
**For example, a sysadmin can configure it in a way that users that are part of a certain 'dev' group can run only nginx command with sudo. Those users won't be able to run any other command with sudo or switch to root.**
|
||||||
|
|
||||||
|
If that surprises you, it's because you might have used sudo forever but never gave much thought about its underlying mechanism.
|
||||||
|
|
||||||
|
I am not going to explain how sudo works in this tutorial. I'll keep that for some other day.
|
||||||
|
|
||||||
|
In this article, you'll see how different aspects of sudo can be tweaked. Some are useful and some are pretty useless but fun.
|
||||||
|
|
||||||
|
🚧
|
||||||
|
|
||||||
|
Please do not start following all the mentioned tweaks blindly. You do it wrong and you may end up with a messed up system that cannot run sudo. For most part, just read and enjoy. And if you decide to try some of the tweaks, [make a system settings backup][1] so that you can restore things back to normal.
|
||||||
|
|
||||||
|
### 1\. Always use visudo for editing sudo config
|
||||||
|
|
||||||
|
The sudo command is configured through the `/etc/sudoers` file.
|
||||||
|
|
||||||
|
While you may edit this file with your [favorite terminal-based text editor][2] like Micro, NeoVim etc, you **MUST NOT** do that.
|
||||||
|
|
||||||
|
Why? Because any incorrect syntax in this file will leave you with a screwed up system where sudo won't work. Which may render your Linux system useless.
|
||||||
|
|
||||||
|
Just use it like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo visudo
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
The `visudo` command traditionally opens the `/etc/sudoers` file in the Vi editor. Ubuntu will open it in Nano.
|
||||||
|
|
||||||
|
![][3]
|
||||||
|
|
||||||
|
The advantage here is that **visudo performs a syntax check when you try to save your changes**. This ensures that you don't mess up the sudo configuration due to incorrect syntax.
|
||||||
|
|
||||||
|
![visudo checks the syntax before saving the changes to the sudoers file][4]
|
||||||
|
|
||||||
|
Alright! Now you can see some sudo configuration changes.
|
||||||
|
|
||||||
|
💡
|
||||||
|
|
||||||
|
I would recommend making a backup of the /etc/sudoers file. So that if you are unsure what changes you made or if you want to revert to the default sudo configuration, you copy it from the backup.
|
||||||
|
|
||||||
|
sudo cp /etc/sudoers /etc/sudoers.bak
|
||||||
|
|
||||||
|
### 2\. Show asterisks while entering password with sudo
|
||||||
|
|
||||||
|
We have this behavior inherited from UNIX. When you enter your password for sudo in the terminal, it doesn't display anything. This lack of visual feedback makes new Linux users think that their system hanged.
|
||||||
|
|
||||||
|
Elders say that this is a security feature. This might have been the case in the last century but I don't think we should continue with it anymore. That's just my opinion.
|
||||||
|
|
||||||
|
Anyway, some distributions, like Linux Mint, have sudo tweaked in a way that it displays asterisks when you enter the password.
|
||||||
|
|
||||||
|
Now that's more in line with the behavior we see everywhere.
|
||||||
|
|
||||||
|
To show asterisks with sudo, run `sudo visudo` and look for the line:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Defaults env_reset
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Change it to:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Defaults env_reset,pwfeedback
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
![][5]
|
||||||
|
|
||||||
|
💡
|
||||||
|
|
||||||
|
You may not find the Defaults env_reset line in some distributions like Arch. If that's the case, just add a new line with text Defaults env_reset, pwfeedback
|
||||||
|
|
||||||
|
Now, if you try using sudo and it asks for a password, you should see asterisks when you enter the password.
|
||||||
|
|
||||||
|
![][6]
|
||||||
|
|
||||||
|
✋
|
||||||
|
|
||||||
|
If you notice any issues with password not being accepted even when correct with graphical applications like software center, revert this change. Some old forum posts mentioned it. I haven't encountered it though.
|
||||||
|
|
||||||
|
### 3\. Increase sudo password timeout
|
||||||
|
|
||||||
|
So, you use sudo for the first time and it asks for the password. But for the subsequent commands with sudo, you don't have to enter the password for a certain time.
|
||||||
|
|
||||||
|
Let's call it sudo password timeout (or SPT, I just made it up. Don't call it that 😁).
|
||||||
|
|
||||||
|
Different distributions have different timeout. It could be 5 minutes or 15 minutes.
|
||||||
|
|
||||||
|
You can change the behavior and set a sudo password timeout of your choice.
|
||||||
|
|
||||||
|
Edit the sudoer file as you have seen above and look for the line with `Defaults env_reset` and add `timestamp_timeout=XX` to the line so that it becomes this:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Defaults env_reset, timestamp_timeout=XX
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Where XX is the timeout in minutes.
|
||||||
|
|
||||||
|
If you had other parameters like the asterisk feedback you saw in the previous section, they all can be combined:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Defaults env_reset, timestamp_timeout=XX, pwfeedback
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
💡
|
||||||
|
|
||||||
|
Similarly, you can control the password retries limit. Use the passwd_tries=N to change the number of times a user can enter incorrect passwords.
|
||||||
|
|
||||||
|
### 4\. Use sudo without password
|
||||||
|
|
||||||
|
Alright! So you increased the sudo password timeout (or the SPT. Wow! you are still calling it that 😛).
|
||||||
|
|
||||||
|
That's fine. I mean who likes to enter the password every few minutes.
|
||||||
|
|
||||||
|
Increasing the timeout is one thing. The other thing is to not use it all.
|
||||||
|
|
||||||
|
Yes, you read that right. You can use sudo without entering the password.
|
||||||
|
|
||||||
|
That sounds risky from security point of view, right? Well it is but there are genuine cases where you are (productively) better off using sudo without password.
|
||||||
|
|
||||||
|
For example, if you manage several Linux servers remotely and you have created sudo users on them to avoid using root all the time. The trouble is that you'll have too many passwords. You don't want to use the same sudo password for all the servers.
|
||||||
|
|
||||||
|
In such a case, you can set up only key-based SSH access to the servers and allow using sudo with password. This way, only the authorized user access the remote server and sudo password doesn't need to be remembered.
|
||||||
|
|
||||||
|
I do this on the test servers I deploy on [DigitalOcean][7] for testing open source tools and services.
|
||||||
|
|
||||||
|
The good thing is that this can be allowed per user basis. Open the `/etc/sudoer` file for editing with:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo visudo
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
And then add a line like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
user_name ALL=(ALL) NOPASSWD:ALL
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Of course, you need to replace the `user_name` with actual user name in the above line.
|
||||||
|
|
||||||
|
Save the file and enjoy sudo life without passwords.
|
||||||
|
|
||||||
|
### 5\. Create separate sudo log files
|
||||||
|
|
||||||
|
You can always read the syslog or the journal logs for sudo related entries.
|
||||||
|
|
||||||
|
However, if you want a separate entry for sudo, you can create a custom log file dedicated to sudo.
|
||||||
|
|
||||||
|
Let's say, you want to use `/var/sudo.log` file for this purpose. You don't need to create the new log file before hand. It will be created for you if it does not exist.
|
||||||
|
|
||||||
|
Edit the /etc/sudoers file using visudo and add the following line to it:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Defaults logfile="/var/log/sudo.log"
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Save it and you can start seeing which commands were run by sudo at what time and by what user in this file:
|
||||||
|
|
||||||
|
![][8]
|
||||||
|
|
||||||
|
### 6\. Only allow a certain commands with sudo to a specific group of users
|
||||||
|
|
||||||
|
This is more of an advanced solution that sysadmin use in a multi-user environment where people across departments are working on the same server.
|
||||||
|
|
||||||
|
A developer may need to run web server or some other program with root permission but giving them complete sudo access will be a security issue.
|
||||||
|
|
||||||
|
While this can be done at user level, I recommend doing it at group level. Let's say you create a group called `coders` and you allow them to run the commands (or binaries) from the `/var/www` and `/opt/bin/coders` directories and the [inxi command][9] (binary `/usr/bin/inxi`).
|
||||||
|
|
||||||
|
This is a hypothetical scenario. Please don't take it verbatim.
|
||||||
|
|
||||||
|
Now, edit the sudoer file with `sudo visudo` (yeah, you know it by now). Add the following line to it:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
%coders ALL=(ALL:ALL) /var/www,/opt/bin/coders,/usr/bin/inxi
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
You can add the NOPASSWD parameter if you want so that sudo for the above allowed commands can be run with sudo but without password.
|
||||||
|
|
||||||
|
More on ALL ALL ALL in some other article as this one is getting longer than usual anyway.
|
||||||
|
|
||||||
|
### 7\. Check the sudo access for a user
|
||||||
|
|
||||||
|
Alright! This one is more of a tip than a tweak.
|
||||||
|
|
||||||
|
How do you know if a user has sudo access? Check if they are member of the sudo group, you say. But that's not a guarantee. Some distros use wheel group name instead of sudo.
|
||||||
|
|
||||||
|
A better way is to use the built-in functionality of sudo and see what kind of sudo access a user has:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
sudo -l -U user_name
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
It will show if the user has sudo access for some commands or for all commands.
|
||||||
|
|
||||||
|
![][10]
|
||||||
|
|
||||||
|
As you can see above, it shows that I have a custom log file and password feedback on apart from sudo access for all commands.
|
||||||
|
|
||||||
|
If the user doesn't have sudo access at all, you'll see an output like this:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
User prakash is not allowed to run sudo on this-that-server.
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
### 🎁 Bonus: Let sudo insult you for incorrect password attempts
|
||||||
|
|
||||||
|
This one is the 'useless' tweak I mentioned at the beginning of this article.
|
||||||
|
|
||||||
|
I guess you must have mistyped the password while using sudo some time in the past, right?
|
||||||
|
|
||||||
|
This little [tweak let sudo throw a random insult at you][11] for entering incorrect passwords.
|
||||||
|
|
||||||
|
Use `sudo visudo` to edit the sudo config file and add the following line to it:
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
Defaults insults
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
And then you can test the changes by entering incorrect passwords:
|
||||||
|
|
||||||
|
![][12]
|
||||||
|
|
||||||
|
You may wonder who likes to be insulted? OnlyFans can answer that in a graphic manner 😇
|
||||||
|
|
||||||
|
### How do you sudo?
|
||||||
|
|
||||||
|
![][13]
|
||||||
|
|
||||||
|
I know there is no end to customization. Although, sudo is not something a regular Linux user customizes.
|
||||||
|
|
||||||
|
Still, I like to share such things with you because you may discover something new and useful.
|
||||||
|
|
||||||
|
💬 _So, did you discover something new? Tell me in the comments, please. And do you have some secret sudo trick up your sleeve? Why not share it with the rest of us?_
|
||||||
|
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
via: https://itsfoss.com/sudo-tips/
|
||||||
|
|
||||||
|
作者:[Abhishek Prakash][a]
|
||||||
|
选题:[lujun9972][b]
|
||||||
|
译者:[译者ID](https://github.com/译者ID)
|
||||||
|
校对:[校对者ID](https://github.com/校对者ID)
|
||||||
|
|
||||||
|
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||||
|
|
||||||
|
[a]: https://itsfoss.com/author/abhishek/
|
||||||
|
[b]: https://github.com/lujun9972
|
||||||
|
[1]: https://itsfoss.com/backup-restore-linux-timeshift/
|
||||||
|
[2]: https://itsfoss.com/command-line-text-editors-linux/
|
||||||
|
[3]: https://itsfoss.com/content/images/2023/02/save-file-in-nano-editor.png
|
||||||
|
[4]: https://itsfoss.com/content/images/2023/12/visudo-syntax-validation.png
|
||||||
|
[5]: https://itsfoss.com/content/images/2023/12/sudo-password-feedback.png
|
||||||
|
[6]: https://itsfoss.com/content/images/2023/12/sudo-password-with-asterisk-display.png
|
||||||
|
[7]: https://digitalocean.pxf.io/JzK74r
|
||||||
|
[8]: https://itsfoss.com/content/images/2023/12/sudo-log-file.png
|
||||||
|
[9]: https://itsfoss.com/inxi-system-info-linux/
|
||||||
|
[10]: https://itsfoss.com/content/images/2023/12/check-sudo-access.png
|
||||||
|
[11]: https://itsfoss.com/sudo-insult-linux/
|
||||||
|
[12]: https://itsfoss.com/content/images/2023/12/sudo-insults.png
|
||||||
|
[13]: https://itsfoss.com/content/images/2023/12/sudo-meme.png
|
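Review bot: Section 4 ("Use sudo without password") contradicts itself where it says to "set up only key-based SSH access to the servers and allow using sudo with password"; the surrounding text and the `NOPASSWD:ALL` line that follows only make sense if this reads "without password", so the translation should flag or correct it rather than carry it over. Three more spots in this file need a translator's note because a reader who copies them will get a different result than the text describes. In section 5 the prose names `/var/sudo.log` while the config line sets `Defaults logfile="/var/log/sudo.log"`. In section 4 the file is called `/etc/sudoer` although section 1 and the backup command use `/etc/sudoers`. In section 6 the text says members of `coders` may run binaries from the `/var/www` and `/opt/bin/coders` directories, but the rule lists them as `/var/www,/opt/bin/coders` with no trailing slash, and sudoers only treats an entry as a directory when it ends in `/`; as written they are matched as command paths. The header fields `translator`, `reviewer`, `publisher` and `url` are still blank, which is expected for a file under `sources/tech/`.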