Merge remote-tracking branch 'LCTT/master'

Xingyu Wang 2019-11-18 23:22:33 +08:00
commit 56ef9d4122
4 changed files with 319 additions and 332 deletions

@ -1,132 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (How I used the wget Linux command to recover lost images)
[#]: via: (https://opensource.com/article/19/10/how-community-saved-artwork-creative-commons)
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
How I used the wget Linux command to recover lost images
======
The story of the rise and fall of the Open Clip Art Library and the
birth of FreeSVG.org, a new library of communal artwork.
![White shoes on top of an orange tribal pattern][1]
In 2004, the Open Clip Art Library (OCAL) was launched as a source of free illustrations for anyone to use, for any purpose, without requiring attribution or anything in return. This site was the open source worlds answer to the big stacks of clip art CDs on the shelf of every home office in the 1990s, and to the art dumps provided by the closed-source office and artistic software titles.
In the beginning, the clip art library consisted mostly of work by a few contributors, but in 2010 it went live with a brand new interactive website, allowing anyone to create and contribute clip art with a vector illustration application. The site immediately garnered contributions from around the globe, and from all manner of free software and free culture projects. A special importer for this library was even included in [Inkscape][2].
However, in early 2019, the website hosting the Open Clip Art Library went offline with no warning or explanation. Its community, which had grown to number in the thousands, assumed at first that this was a temporary glitch. The site remained offline, however, for over six months without any clear explanation of what had happened.
Rumors started to swell. The site was being updated ("There is years of technical debt to pay off," said site developer Jon Philips in an email). The site had fallen to rampant DDOS attacks, claimed a Twitter account. The maintainer had fallen prey to identity theft, another Twitter account claimed. Today, as of this writing, the sites one and only remaining page declares that it is in "maintenance and protected mode," the meaning of which is unclear, except that users cannot access its content.
### Recovering the commons
Sites appear and disappear over the course of time, but the loss of the Open Clip Art Library was particularly surprising to its community because it was seen as a community project. Few community members understood that the site hosting the library had fallen into the hands of a single maintainer, so while the artwork in the library was owned by everyone due to its [Creative Commons 0 License][3], access to it was functionally owned by a single maintainer. And, because the sites community kept in touch with one another through the site, that same maintainer effectively owned the community.
When the site failed, the community lost access to its artwork as well as each other. And without the site, there was no community.
Initially, everything on the site was blocked when it went down. After several months, though, users started recognizing that the sites database was still online, which meant that a user could access an individual art file by entering its exact URL. In other words, you couldnt navigate to the art file through clicking around a website, but if you already knew the address, then you could bring it up in your browser. Similarly, technical (or lazy) users realized it was also possible to "scrape" the site with an automated web browser like **wget**.
The **wget** Linux command is _technically_ a web browser, although it doesnt let you browse interactively the way you do with Firefox. Instead, **wget** goes out onto the internet and retrieves a file or a collection of files and downloads them to your hard drive. You can then open those files in Firefox or a text editor, or whatever application is most appropriate, and view the content.
Usually, **wget** needs to know a specific file to fetch. If youre on Linux or macOS with **wget** installed, you can try this process by downloading the index page for [example.com][4]:
```
$ wget example.org/index.html
[...]
$ tail index.html
<body><div>
    <h1>Example Domain</h1>
    <p>This domain is for illustrative examples in documents.
    You may use this domain in examples without permission.</p>
        <p><a href="[http://www.iana.org/domains/example"\>More][5] info</a></p>
</div></body></html>
```
To scrape the Open Clip Art Library, I used the **\--mirror** option, so that I could point **wget** to just the directory containing the artwork so it could download everything within that directory. This action resulted in four straight days (96 hours) of constant downloading, ending with an excess of 100,000 SVG files that had been contributed by over 5,000 community members. Unfortunately, the author of any file that did not have proper metadata was irrecoverable because this information was locked in inaccessible files in the database, but the CC0 license meant that this issue _technically_ didnt matter (because no attribution is required with CC0 files).
A casual analysis of the downloaded files also revealed that nearly 45,000 of them were copies of the same single file (the sites logo). This was caused by redirects pointing to the site's logo (for reasons unknown), and careful parsing could extract the original destination. Another 96 hours, and all clip art posted on OCAL up to its last day was recovered: **a total of about 156,000 images.**
SVG files tend to be small, but this is still an enormous amount of work that poses a few very real problems. First of all, several gigabytes of online storage would be needed so the artwork could be made available to its former community. Secondly, a means of searching the artwork would be necessary, because its just not realistic to browse through 55,000 files manually.
It became apparent that what the community really needed was a platform.
### Building a new platform
For some time, the site [Public Domain Vectors][6] had been publishing vector art that was in the public domain. While it remains a popular site, open source users often used it only as a secondary source of art because most of the files there were in the EPS and AI formats, both of which are associated with Adobe. Both file formats can generally be converted to SVG but at a loss of features.
When the Public Domain Vectors sites maintainers (Vedran and Boris) heard about the loss of the Open Clip Art Library, they decided to create a site oriented toward the open source community. True to form, they chose the open source [Laravel][7] framework as the backend, which provided the site with an admin dashboard and user access. The framework, being robust and well-developed, also allowed them to respond quickly to bug reports and feature requests, and to upgrade the site as needed. The site they are building is called [FreeSVG.org][8], and is already a robust and thriving library of communal artwork.
Since then they have been uploading all of the clip art from the Open Clip Art Library, and they're even diligently tagging and categorizing the art as they go. As creators of Public Domain Vectors, they are also contributing their own images in SVG format. Their aim is to become the primary resource for SVG images with a CC0 license on the internet.
### Contributing
The maintainers of [FreeSVG.org][8] are aware that they have inherited significant stewardship. They are working to title and describe all images on the site so that users can easily find artwork, and will provide this file to the community once it is ready, believing strongly that the metadata about the art belongs to the people that create and use the art as much as the art itself does. They're also aware that unforeseen circumstances can arise, so they create regular backups of their site and content, and intend to make the most recent backup available to the public, should their site fail.
If you want to add to the Creative Commons content of [FreeSVG.org][9], then download [Inkscape][10] and start drawing. Theres plenty of public domain artwork out there in the world, like [historical advertisements][11], [tarot cards][12], and [storybooks][13] just waiting to be converted to SVG, so you can contribute even if you arent confident in your drawing skills. Visit the [FreeSVG forum][14] to connect with and support other contributors.
The concept of the _commons_ is important. [Creative Commons benefits everyone][15], whether youre a student, teacher, librarian, small business owner, or CEO. If you dont contribute directly, then you can always help promote it.
Thats a strength of free culture: It doesnt just scale, it gets better when more people participate.
### Hard lessons learned
From the demise of the Open Clip Art Library to the rise of FreeSVG.org, the open culture community has learned several hard lessons. For posterity, here are the ones that I believe are most important.
#### Maintain your metadata
If youre a content creator, help the archivists of the future and add metadata to your files. Most image, music, font, and video file formats can have EXIF data embedded into them, and others have metadata entry interfaces in the applications that create them. Be diligent in tagging your work with your name, website or public email, and license.
#### Make copies
Dont assume that somebody else is doing backups. If you care about communal digital content, then back it up yourself, or else dont count on having it available forever. The trope that _whatevers uploaded to the internet is forever_ may be true, but that doesnt mean its _available to you_ forever. If the Open Clip Art Library files hadnt become secretly available again, its unlikely that anyone would have ever successfully uncovered all 55,000 images from random places on the web, or from personal stashes on peoples hard drives around the globe.
#### Create external channels
If a community is defined by a single website or physical location, then that community is as good as dissolved should it lose access to that space. If youre a member of a community thats driven by a single organization or site, you owe it to yourselves to share contact information with those you care about and to establish a channel for communication even when that site is not available.
For example, [Opensource.com][16] itself maintains mailing lists and other off-site channels for its authors and correspondents to communicate with one another, with or without the intervention or even existence of the website.
#### Free culture is worth working for
The internet is sometimes seen as a lazy persons social club. You can log on when you want and turn it off when youre tired, and you can wander into whatever social circle you want.
But in reality, free culture can be hard work. Its not hard in the sense that its difficult to be a part of, but its something you have to work to maintain. If you ignore the community youre in, then the community may wither and fade before you realize it.
Take a moment to look around you and identify what communities youre a part of, and if nothing else, tell someone that you appreciate what they bring to your life. And just as importantly, keep in mind that youre contributing to the lives of your communities, too.
Creative Commons held its Gl obal Summit a few weeks ago in Warsaw, with amazing international...
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/10/how-community-saved-artwork-creative-commons
作者:[Seth Kenlon][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/seth
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/tribal_pattern_shoes.png?itok=e5dSf2hS (White shoes on top of an orange tribal pattern)
[2]: https://opensource.com/article/18/1/inkscape-absolute-beginners
[3]: https://creativecommons.org/share-your-work/public-domain/cc0/
[4]: http://example.com
[5]: http://www.iana.org/domains/example"\>More
[6]: http://publicdomainvectors.org
[7]: https://github.com/viralsolani/laravel-adminpanel
[8]: https://freesvg.org
[9]: http://freesvg.org
[10]: http://inkscape.org
[11]: https://freesvg.org/drinking-coffee-vector-drawing
[12]: https://freesvg.org/king-of-swords-tarot-card
[13]: https://freesvg.org/space-pioneers-135-scene-vector-image
[14]: http://forum.freesvg.org/
[15]: https://opensource.com/article/18/1/creative-commons-real-world
[16]: http://Opensource.com

@ -1,200 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (What you probably didnt know about sudo)
[#]: via: (https://opensource.com/article/19/10/know-about-sudo)
[#]: author: (Peter Czanik https://opensource.com/users/czanik)
What you probably didnt know about sudo
======
Think you know everything about sudo? Think again.
![Command line prompt][1]
Everybody knows **sudo**, right? This tool is installed by default on most Linux systems and is available for most BSD and commercial Unix variants. Still, after talking to hundreds of **sudo** users, the most common answer I received was that **sudo** is a tool to complicate life.
There is a root user and there is the **su** command, so why have yet another tool? For many, **sudo** was just a prefix for administrative commands. Only a handful mentioned that when you have multiple administrators for the same system, you can use **sudo** logs to see who did what.
So, what is **sudo**? According to the [**sudo** website][2]:
> _"Sudo allows a system administrator to delegate authority by giving certain users the ability to run some commands as root or another user while providing an audit trail of the commands and their arguments."_
By default, **sudo** comes with a simple configuration, a single rule allowing a user or a group of users to do practically anything (more on the configuration file later in this article):
```
`%wheel ALL=(ALL) ALL`
```
In this example, the parameters mean the following:
* The first parameter defines the members of the group.
* The second parameter defines the host(s) the group members can run commands on.
* The third parameter defines the usernames under which the command can be executed.
* The last parameter defines the applications that can be run.
So, in this example, the members of the **wheel** group can run all applications as all users on all hosts. Even this really permissive rule is useful because it results in logs of who did what on your machine.
### Aliases
Of course, once it is not just you and your best friend administering a shared box, you will start to fine-tune permissions. You can replace the items in the above configuration with lists: a list of users, a list of commands, and so on. Most likely, you will copy and paste some of these lists around in your configuration.
This situation is where aliases can come handy. Maintaining the same list in multiple places is error-prone. You define an alias once and then you can use it many times. Therefore, when you lose trust in one of your administrators, you can remove them from the alias and you are done. With multiple lists instead of aliases, it is easy to forget to remove the user from one of the lists with elevated privileges. 
### Enable features for a certain group of users
The **sudo** command comes with a huge set of defaults. Still, there are situations when you want to override some of these. This is when you use the **Defaults** statement in the configuration. Usually, these defaults are enforced on every user, but you can narrow the setting down to a subset of users based on host, username, and so on. Here is an example that my generation of sysadmins loves to hear about: insults. These are just some funny messages for when someone mistypes a password:
```
czanik@linux-mewy:~> sudo ls
[sudo] password for root:
Hold it up to the light --- not a brain in sight!
[sudo] password for root:
My pet ferret can type better than you!
[sudo] password for root:
sudo: 3 incorrect password attempts
czanik@linux-mewy:~>
```
Because not everyone is a fan of sysadmin humor, these insults are disabled by default. The following example shows how to enable this setting only for your seasoned sysadmins, who are members of the **wheel** group:
```
Defaults !insults
Defaults:%wheel insults
```
I do not have enough fingers to count how many people thanked me for bringing these messages back.
### Digest verification
There are, of course, more serious features in **sudo** as well. One of them is digest verification. You can include the digest of applications in your configuration: 
```
`peter ALL = sha244:11925141bb22866afdf257ce7790bd6275feda80b3b241c108b79c88 /usr/bin/passwd`
```
In this case, **sudo** checks and compares the digest of the application to the one stored in the configuration before running the application. If they do not match, **sudo** refuses to run the application. While it is difficult to maintain this information in your configuration—there are no automated tools for this purpose—these digests can provide you with an additional layer of protection.
### Session recording
Session recording is also a lesser-known feature of **sudo**. After my demo, many people leave my talk with plans to implement it on their infrastructure. Why? Because with session recording, you see not just the command name, but also everything that happened in the terminal. You can see what your admins are doing even if they have shell access and logs only show that **bash** is started.
There is one limitation, currently. Records are stored locally, so with enough permissions, users can delete their traces. Stay tuned for upcoming features.
### Plugins
Starting with version 1.8, **sudo** changed to a modular, plugin-based architecture. With most features implemented as plugins, you can easily replace or extend the functionality of **sudo** by writing your own. There are both open source and commercial plugins already available for **sudo**.
In my talk, I demonstrated the **sudo_pair** plugin, which is available [on GitHub][3]. This plugin is developed in Rust, meaning that it is not so easy to compile, and it is even more difficult to distribute the results. On the other hand, the plugin provides interesting functionality, requiring a second admin to approve (or deny) running commands through **sudo**. Not just that, but sessions can be followed on-screen and terminated if there is suspicious activity.
In a demo I did during a recent talk at the All Things Open conference, I had the infamous:
```
`czanik@linux-mewy:~> sudo  rm -fr /`
```
command displayed on the screen. Everybody was holding their breath to see whether my laptop got destroyed, but it survived.
### Logs
As I already mentioned at the beginning, logging and alerting is an important part of **sudo**. If you do not check your **sudo** logs regularly, there is not much worth in using **sudo**. This tool alerts by email on events specified in the configuration and logs all events to **syslog**. Debug logs can be turned on and used to debug rules or report bugs.
### Alerts
Email alerts are kind of old-fashioned now, but if you use **syslog-ng** for collecting your log messages, your **sudo** log messages are automatically parsed. You can easily create custom alerts and send those to a wide variety of destinations, including Slack, Telegram, Splunk, or Elasticsearch. You can learn more about this feature from [my blog on syslong-ng.com][4].
### Configuration
We talked a lot about **sudo** features and even saw a few lines of configuration. Now, lets take a closer look at how **sudo** is configured. The configuration itself is available in **/etc/sudoers**, which is a simple text file. Still, it is not recommended to edit this file directly. Instead, use **visudo**, as this tool also does syntax checking. If you do not like **vi**, you can change which editor to use by pointing the **EDITOR** environment variable at your preferred option.
Before you start editing the **sudo** configuration, make sure that you know the root password. (Yes, even on Ubuntu, where root does not have a password by default.) While **visudo** checks the syntax, it is easy to create a syntactically correct configuration that locks you out of your system.
When you have a root password at hand in case of an emergency, you can start editing your configuration. When it comes to the **sudoers** file, there is one important thing to remember: This file is read from top to bottom, and the last setting wins. What this fact means for you is that you should start with generic settings and place exceptions at the end, otherwise exceptions are overridden by the generic settings.
You can find a simple **sudoers** file below, based on the one in CentOS, and add a few lines we discussed previously:
```
Defaults !visiblepw
Defaults always_set_home
Defaults match_group_by_gid
Defaults always_query_group_plugin
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
Defaults:%wheel insults
Defaults !insults
Defaults log_output
```
This file starts by changing a number of defaults. Then come the usual default rules: The **root** user and members of the **wheel** group have full permissions over the machine. Next, we enable insults for the **wheel** group, but disable them for everyone else. The last line enables session recording.
The above configuration is syntactically correct, but can you spot the logical error? Yes, there is one: Insults are disabled for everyone since the last, generic setting overrides the previous, more specific setting. Once you switch the two lines, the setup works as expected: Members of the **wheel** group receive funny messages, but the rest of the users do not receive them.
### Configuration management
Once you have to maintain the **sudoers** file on multiple machines, you will most likely want to manage your configuration centrally. There are two major open source possibilities here. Both have their advantages and drawbacks.
You can use one of the configuration management applications that you also use to configure the rest of your infrastructure. Red Hat Ansible, Puppet, and Chef all have modules to configure **sudo**. The problem with this approach is that updating configurations is far from real-time. Also, users can still edit the **sudoers** file locally and change settings.
The **sudo** tool can also store its configuration in LDAP. In this case, configuration changes are real-time and users cannot mess with the **sudoers** file. On the other hand, this method also has limitations. For example, you cannot use aliases or use **sudo** when the LDAP server is unavailable.
### New features
There is a new version of **sudo** right around the corner. Version 1.9 will include many interesting new features. Here are the most important planned features:
* A recording service to collect session recordings centrally, which offers many advantages compared to local storage:
* It is more convenient to search in one place.
* Recordings are available even if the sender machine is down.
* Recordings cannot be deleted by someone who wants to delete their tracks.
* The **audit** plugin does not add new features to **sudoers**, but instead provides an API for plugins to easily access any kind of **sudo** logs. This plugin enables creating custom logs from **sudo** events using plugins.
* The **approval** plugin enables session approvals without using third-party plugins.
* And my personal favorite: Python support for plugins, which enables you to easily extend **sudo** using Python code instead of coding natively in C.
### Conclusion
I hope this article proved to you that **sudo** is a lot more than just a simple prefix. There are tons of possibilities to fine-tune permissions on your system. You cannot just fine-tune permissions, but also improve security by checking digests. Session recordings enable you to check what is happening on your systems. You can also extend the functionality of **sudo** using plugins, either using something already available or writing your own. Finally, given the list of upcoming features you can see that even if **sudo** is decades old, it is a living project that is constantly evolving.
If you want to learn more about **sudo**, here are a few resources:
* [The **sudo** website][5]
* [The **sudo** blog][6]
* [Follow us on Twitter][7]
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/10/know-about-sudo
作者:[Peter Czanik][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/czanik
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/command_line_prompt.png?itok=wbGiJ_yg (Command line prompt)
[2]: https://www.sudo.ws
[3]: https://github.com/square/sudo_pair/
[4]: https://www.syslog-ng.com/community/b/blog/posts/alerting-on-sudo-events-using-syslog-ng
[5]: https://www.sudo.ws/
[6]: https://blog.sudo.ws/
[7]: https://twitter.com/sudoproject

@ -0,0 +1,132 @@
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (How I used the wget Linux command to recover lost images)
[#]: via: (https://opensource.com/article/19/10/how-community-saved-artwork-creative-commons)
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
我是如何使用 wget 命令恢复丢失的图像的
======
> 开放剪贴画库兴衰的故事以及一个新的公共艺术品图书馆 FreeSVG.org 的诞生。
![White shoes on top of an orange tribal pattern][1]
<ruby>开放剪贴画库<rt>Open Clip Art Library</rt></ruby>OCAL发布于 2004 年,成为了免费插图的来源,任何人都可以出于任何目的使用它们,而无需注明出处或提供任何回报。针对 1990 年代每个家庭办公室书架上的大量剪贴画 CD 以及由闭源公司和艺术品软件提供的艺术品转储,这个网站是开源世界的答复。
最初,这个剪贴画库主要由一些贡献者组成,但是在 2010 年,它重新打造成了一个全新的交互式网站,可以让任何人使用矢量插图应用程序创建和贡献剪贴画。该网站立即获得了来自全球的、各种形式的自由软件和自由文化项目的贡献。[Inkscape][2] 中甚至包含了该库的专用导入器。
但是,在 2019 年初,托管开放剪贴画库的网站离线,没有任何警告或解释。它已经成长为有着成千上万的人的社区,起初以为这是暂时的故障。 但是,这个站点一直离线已超过六个月,而没有任何清楚的解释。
谣言开始膨胀。该网站正在更新中(“要偿还数年的技术债务”,网站开发者 Jon Philips 在一封电子邮件中说)。一个 Twitter 帐户声称,该网站遭受了猖狂的 DDoS 攻击。另一个 Twitter 帐户声称,该网站维护者已经成为身份盗用的牺牲品。今天,在撰写本文时,该网站的一个且唯一的页面声明它处于“维护和保护模式”,其含义不清楚,只是用户无法访问其内容。
### 恢复公地
网站会随着时间的流逝而消失,但是对其社区而言开放剪贴画库的丢失尤其令人惊讶,因为它被视为一个社区项目。很少有社区成员知道托管该库的站点已经落入一个维护者手中,因此,由于 [CC0 许可证][3],该库中的艺术品归所有人所有,但对它的访问是功能性的由单个维护者执行。而且,由于该站点的社区通过该站点彼此保持联系,因此该维护者实际上拥有该社区。
当站点发生故障时,社区以及彼此之间都无法访问其艺术品。没有该站点,就没有社区。
最初,该网站离线后其上的所有东西都是被封挡的。不过,在几个月之后,用户开始意识到该网站的数据库仍然在线,这意味着用户能够通过输入精确的 URL 访问单个剪贴画。换句话说,你不能通过在网站上到处点击来流量剪贴画文件,但是如果你知道该地址,你就可以在浏览器中访问它。类似的,技术型(或偷懒的)用户意识到能够通过类似 `wget` 的自动 Web 浏览器将网站“抓取”下来。
Linux 的 `wget` 命令技术上是一个 Web 浏览器,虽然它不能让你像用 Firefox 一样交互式地浏览。相反,`wget` 可以连到互联网,获取文件或文件集,并下载到你的本次硬盘。然后,你可以在 Firefox 或文本编辑器或最合适的应用程序中打开这些文件,然后查看内容。
通常,`wget` 需要知道要提取的特定文件。如果你使用的是安装了 `wget` 的 Linux 或 macOS则可以通过下载 [example.com][4] 的索引页来尝试此过程:
```
$ wget example.org/index.html
[...]
$ tail index.html
<body><div>
<h1>Example Domain</h1>
<p>This domain is for illustrative examples in documents.
You may use this domain in examples without permission.</p>
<p><a href="http://www.iana.org/domains/example">More info</a></p>
</div></body></html>
```
为了抓取 OCAL我使用了 `--mirror` 选项,以便可以只是将 `wget` 指向到包含艺术品的目录就可以下载该目录中的所有内容。此操作导致连续四天96 个小时)持续下载,最终得到了超过 50000 个社区成员贡献的 100,000 个 SVG 文件。不幸的是,任何没有适当元数据的文件的作者信息都是无法恢复的,因为此信息被锁定在数据库中不可访问的文件中,但是 CC0 许可证意味着此问题*在技术上*无关紧要(因为 CC0 文件不需要属性)。
随意分析了一下下载的文件进行还显示,其中近 45,000 个文件是同一文件(该网站的徽标)的副本。这是由于指向该站点徽标的重定向(原因未知)引起的,仔细分析能够提取到原始的文件。又过了 96 个小时,并且恢复了直到最后一天发布在 OCAL 上的所有剪贴画:总共约有 156,000 张图像。
SVG 文件通常很小,但这仍然是大量工作,并且会带来一些非常实际的问题。首先,将需要数 GB 的在线存储空间,这样这些剪贴画才能供其先前的社区使用。其次,必须使用一种搜索艺术品的方法,因为手动浏览 55,000 个文件是不现实的。
很明显,社区真正需要的是一个平台。
### 构建新的平台
一段时间以来,[公共领域矢量图][6] 网站一直在发布公共领域的矢量图。虽然它仍然是一个受欢迎的网站,但是开源用户经常将其仅用作辅助的图片资源,因为其中大多数文件都是 EPS 和 AI 格式的,两者均与 Adobe 相关。两种文件格式通常都可以转换为 SVG但是特性有所损失。
当公共领域矢量图网站的维护者Vedran 和 Boris得知 OCAL 丢失时,他们决定创建一个面向开源社区的网站。诚然,他们选择了开源 [Laravel][7] 框架作为后端,该框架为网站提供了管理控制台和用户访问权限。该框架功能强大且开发完善,还使他们能够快速响应错误报告和功能请求,并根据需要升级站点。他们正在建立的站点称为 [FreeSVG.org][8],已经是一个强大而繁荣的公共艺术品图书馆。
从那时起,他们就一直从 OCAL 上载所有剪贴画,并且他们甚至在努力地对艺术品进行标记和分类。作为公共领域矢量图网站的创建者,他们还以 SVG 格式贡献了自己的图像。他们的目标是成为互联网上具有 CC0 许可证的 SVG 图像的主要资源。
### 贡献
[FreeSVG.org][8] 的维护者意识到他们已经继承了重要的管理权。他们正在努力对网站上的所有图像加上标题和描述,以便用户可以轻松找到这些艺术品,并在准备就绪后将其提供给社区,同时坚信与这些艺术品有关的元数据和艺术品属于创建和使用它们的人。他们还意识到可能会发生无法预料的情况,因此他们会定期为其网站和内容创建备份,并打算在其站点出现故障时向公众提供最新备份。
如果要为 [FreeSVG.org][9]的知识共享内容添砖加瓦,请下载 [Inkscape][10] 并开始绘制。世界上有很多公共领域的艺术品,例如[历史广告][11]、[塔罗牌][12]和[故事书][13],只是在等待转换为 SVG因此即使你对自己的绘画技巧没有信心你也可以做出贡献。访问 [FreeSVG 论坛][14]与其他贡献者联系并支持他们。
*公地*的概念很重要。无论你是学生、老师、图书馆员、小企业主还是首席执行官,[知识共享都会使所有人受益][15]。如果你不直接捐款,那么你随时可以帮助推广。
这是自由文化的力量:它不仅可以扩展,而且随着更多人的参与,它会变得更好。
### 艰难的教训
从 OCAL 的消亡到 FreeSVG.org 的兴起,开放文化社区已经吸取了一些艰辛的经验。对于以后,以下是我认为最重要的那些。
#### 维护你的元数据
如果你是内容创建者,请帮助将来的档案管理员,将元数据添加到文件中。大多数图像、音乐、字体和视频文件格式都可以嵌入 EXIF 数据,其他格式在创建它们的应用程序中具有元数据输入界面。勤于用你的姓名、网站或公共电子邮件以及许可证来标记你的作品。
#### 做个副本
不要以为别人在做备份。如果你关心公用数字内容,请自己备份,否则不要指望永远提供它。 无论*任何上传到互联网上的内容是永久的*的说法是不是正确的,但这并不意味着你永远可以使用。如果 OCAL 文件不再隐秘地可用,那么任何人都不太可能成功地从网络上的某个位置或从全球范围内的人们的硬盘中成功地发现所有的 55,000 张图像。Make copies
#### 创建外部渠道
如果一个社区是由单个网站或实际位置来定义的,那么该社区失去访问该空间的能力就如同解散了一样。如果你是由单个组织或网站驱动的社区的成员,则你应该自己与关心的人共享联系信息,并即使在该站点不可用时也可以建立沟通渠道。
例如,[Opensource.com][16] 本身维护其作者和通讯者的邮件列表和其他异地渠道,以便在有或没有网站干预或甚至没有网站的情况下相互交流。
#### 自由文化值得为此努力
互联网有时被视为懒人社交俱乐部。你可以在需要时登录并在感到疲倦时将其关闭,也可以漫步到所需的任何社交圈。
但实际上,自由文化可能是项艰难的工作。但是这种艰难从某种意义上讲并不是说要成为其中的一部分很困难,而是你必须努力维护。如果你忽略你所在的社区,那么该社区可能会在你才会意识到之前就枯萎并褪色。
花点时间环顾四周,确定你属于哪个社区,如果不是,那么请告诉某人你对他们带给你生活的意义表示赞赏。同样重要的是,请记住,这样你也为社区的生活做出了贡献。
几周前,知识共享组织在华沙举行了它的全球峰会,令人惊叹的国际盛会...
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/10/how-community-saved-artwork-creative-commons
作者:[Seth Kenlon][a]
选题:[lujun9972][b]
译者:[wxy](https://github.com/wxy)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/seth
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/tribal_pattern_shoes.png?itok=e5dSf2hS (White shoes on top of an orange tribal pattern)
[2]: https://opensource.com/article/18/1/inkscape-absolute-beginners
[3]: https://creativecommons.org/share-your-work/public-domain/cc0/
[4]: http://example.com
[5]: http://www.iana.org/domains/example"\>More
[6]: http://publicdomainvectors.org
[7]: https://github.com/viralsolani/laravel-adminpanel
[8]: https://freesvg.org
[9]: http://freesvg.org
[10]: http://inkscape.org
[11]: https://freesvg.org/drinking-coffee-vector-drawing
[12]: https://freesvg.org/king-of-swords-tarot-card
[13]: https://freesvg.org/space-pioneers-135-scene-vector-image
[14]: http://forum.freesvg.org/
[15]: https://opensource.com/article/18/1/creative-commons-real-world
[16]: http://Opensource.com
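Review bot: The `--mirror` paragraph of the translation gives the contributor count as 50000 ("超过 50000 个社区成员"), while the source being translated says "over 5,000 community members"; change it to 5,000 and format it like the neighbouring 100,000. In the same file, the "做个副本" paragraph ends with a stray untranslated "Make copies", "流量剪贴画文件" and "本次硬盘" look like typos for "浏览" and "本地", and reference `[5]` is still defined with the malformed URL `http://www.iana.org/domains/example"\>More` even though the corrected code block no longer uses it, so it can be dropped. The `reviewer: ( )` header and the `校对者ID` footer are still placeholders; fill them in or leave the file in the unreviewed state on purpose.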

@ -0,0 +1,187 @@
[#]: collector: (lujun9972)
[#]: translator: (wxy)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (What you probably didnt know about sudo)
[#]: via: (https://opensource.com/article/19/10/know-about-sudo)
[#]: author: (Peter Czanik https://opensource.com/users/czanik)
关于 sudo 你可能不知道的
======
> 认为你已经了解了 sudo 的所有知识吗?再想想。
![Command line prompt][1]
大家都知道 `sudo`,对吗?默认情况下,该工具已安装在大多数 Linux 系统上,并且可用于大多数 BSD 和商业 Unix 变体。不过,在与数百名 `sudo` 用户交谈之后,我得到的最常见的答案是 `sudo` 是一个使生活复杂化的工具。
有 root 用户和 `su` 命令,那么为什么还要使用另一个工具呢?对于许多人来说,`sudo` 只是管理命令的前缀。只有极少数人提到,当你在同一个系统上有多个管理员时,可以使用 `sudo` 日志查看谁做了什么。
那么,`sudo` 是什么? 根据 [sudo 网站] [2]
> “sudo 允许系统管理员通过授予某些用户以 root 用户或其他用户身份运行某些命令的能力,同时提供命令及其参数的审核记录,从而委派权限。”
默认情况下,`sudo` 带有简单的配置,一条规则允许一个用户或一组用户执行几乎所有操作(在本文后面的配置文件中有更多信息):
```
%wheel ALL=(ALL) ALL
```
在此示例中,参数表示以下含义:
* 第一个参数(`%wheel`)定义组的成员。
* 第二个参数(`ALL`)定义组成员可以在其上运行命令的主机。
* 第三个参数(`(ALL)`)定义了可以执行命令的用户名。
* 最后一个参数(`ALL`)定义可以运行的应用程序。
因此,在此示例中,`wheel` 组的成员可以以所有主机上的所有用户身份运行所有应用程序。即使这个一切允许的规则也很有用,因为它会记录谁在的计算机上做了什么。
### 别名
当然,它不仅可以让你和你最好的朋友管理一个共享机器,你还可以微调权限。你可以将以上配置中的项目替换为列表:用户列表、命令列表等。 多数情况下,你可能会复制并粘贴配置中的一些列表。
在这种情况下,别名可以派上用场。在多个位置维护相同的列表容易出错。你可以定义一次别名,然后可以多次使用。因此,当你对一位管理员失去信任时,可以将其从别名中删除就行了。使用多个列表而不是别名,很容易忘记从具有较高特权的列表之一中删除用户。
### 为特定组的用户启用功能
`sudo` 命令带有大量默认设置。不过,在某些情况下,你想覆盖其中的一些情况,这时你可以在配置中使用 `Defaults` 语句。通常,对每个用户都强制使用这些默认值,但是你可以根据主机、用户名等将设置缩小到一部分用户。这有个我那一代的系统管理员喜欢玩的一个示例:“羞辱”。这些只是一些有人输入错误密码时的有趣信息:
```
czanik@linux-mewy:~> sudo ls
[sudo] password for root:
Hold it up to the light --- not a brain in sight!
[sudo] password for root:
My pet ferret can type better than you!
[sudo] password for root:
sudo: 3 incorrect password attempts
czanik@linux-mewy:~>
```
由于并非所有人都喜欢系统管理员的这种幽默,因此默认情况下将禁用这些羞辱信息。以下示例说明了如何仅对经验丰富的系统管理员(即 `wheel` 组的成员)启用此设置:
```
Defaults !insults
Defaults:%wheel insults
```
我想感谢我将这些消息带回来的人用两只手也数不过来吧。
### 摘要验证
当然,`sudo` 还有更严肃的功能。其中之一是摘要验证。你可以在配置中包括应用程序的摘要:
```
peter ALL = sha244:11925141bb22866afdf257ce7790bd6275feda80b3b241c108b79c88 /usr/bin/passwd
```
在这种情况下,`sudo` 在运行应用程序之前检查应用程序摘要,并将其与配置中存储的摘要进行比较。如果不匹配,`sudo` 拒绝运行该应用程序。尽管很难在配置中维护此信息(没有用于此目的的自动化工具),但是这些摘要可以为你提供额外的保护层。
### 会话记录
会话记录也是 `sudo` 鲜为人知的功能。在演示之后,许多人离开我的演讲后就在计划在其基础设施上实施它。为什么?因为使用会话记录,你不仅可以看到命令名称,还可以看到终端中发生的所有事情。你可以看到你的管理员在做什么,即使他们具有 shell 访问权限,而日志仅显示启动了 `bash`
当前有一个限制。记录存储在本地,因此具有足够的权限的话,用户可以删除他们的痕迹。请继续关注即将推出的功能。
### 插件
从 1.8 版开始,`sudo` 更改为基于插件的模块化体系结构。通过将大多数功能实现为插件,你可以编写自己的功能轻松地替换或扩展 `sudo` 的功能。已有 `sudo` 可用的开源和商业插件。
在我的演讲中,我演示了 `sudo_pair` 插件,该插件可在 [GitHub][3] 上获得。这个插件是用 Rust 开发的,这意味着它不是那么容易编译,甚至更难以分发编译结果。另一方面,该插件提供了有趣的功能,需要第二个管理员通过 `sudo` 批准(或拒绝)运行命令。不仅如此,如果有可疑活动,可以在屏幕上跟踪会话并终止会话。
在最近的 All Things Open 会议上的一次演示中,我做了一个臭名昭著的演示:
```
czanik@linux-mewy:~> sudo  rm -fr /
```
看着屏幕上显示的命令。每个人都屏住呼吸,想看看我的笔记本电脑是否被毁了,但它仍然幸免了。
### 日志
正如我在开始时已经提到的,日志记录和警报是 `sudo` 的重要组成部分。如果你不会定期检查 `sudo` 日志,那么日志在使用 `sudo` 中并没有太多价值。该工具通过电子邮件提醒配置中指定的事件,并将所有事件记录到 syslog 中。可以打开调试日志用于调试规则或报告错误。
### 警报
电子邮件警报现在有点过时了,但是如果你使用 syslog-ng 来收集日志消息,则会自动解析 `sudo` 日志消息。你可以轻松创建自定义警报并将其发送到各种各样的目的地,包括 Slack、Telegram、Splunk 或 Elasticsearch。你可以从[我在 syslong-ng.com 上的博客][4]中了解有关此功能的更多信息。
### 配置
我们谈论了很多 `sudo` 功能,甚至看到了几行配置。现在,让我们仔细看看 `sudo` 的配置方式。配置本身可以在 `/etc/sudoers` 中获得,这是一个简单的文本文件。不过,不建议直接编辑此文件。相反,请使用 `visudo`,因为此工具还会执行语法检查。如果你不喜欢 `vi`,则可以通过将 `EDITOR` 环境变量指向你的首选编辑器来更改要使用的编辑器。
在开始编辑 `sudo` 配置之前,请确保你知道 root 密码。(是的,即使在默认情况下 root 用户没有密码的 Ubuntu 上也是如此。)虽然 `visudo` 会检查语法,但创建语法正确而将你锁定在系统之外的配置很容易。
如果在紧急情况下,而你手头有 root 密码,你也可以编辑配置。当涉及到 `sudoers` 文件时,有一件重要的事情要记住:从上到下读取该文件,以最后的设置为准。这个事实对你来说意味着你应该从通用设置开始,并在末尾放置例外情况,否则,通用设置会覆盖例外情况。
你可以在下面看到一个基于 CentOS 的简单 `sudoers` 文件,并添加我们之前讨论的几行:
```
Defaults !visiblepw
Defaults always_set_home
Defaults match_group_by_gid
Defaults always_query_group_plugin
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
Defaults:%wheel insults
Defaults !insults
Defaults log_output
```
该文件从更改多个默认值开始。然后是通常的默认规则:`root` 用户和 `wheel` 组的成员对计算机具有完全权限。接下来,我们对 `wheel` 组启用“羞辱”,但对其他所有人禁用它们。最后一行启用会话记录。
上面的配置在语法上是正确的,但是你可以发现逻辑错误吗?是的,有一个:上一个通用设置覆盖了先前的更具体设置,所有人均禁用了“羞辱”。一旦交换了这两行的位置,设置就会按预期进行:`wheel` 组的成员会收到有趣的消息,但其他用户则不会收到。
### 配置管理
一旦必须在多台机器上维护 `sudoers` 文件,你很可能希望集中管理配置。这里主要有两种可能的开源方法。两者都有其优点和缺点。
你可以使用也可以用来配置其余基础设施的配置管理应用程序之一Red Hat Ansible、Puppet 和 Chef 都具有用于配置 `sudo` 的模块。这种方法的问题在于更新配置远非实时。同样,用户仍然可以在本地编辑 `sudoers` 文件并更改设置。
`sudo` 工具也可以将其配置存储在 LDAP 中。在这种情况下,配置更改是实时的,用户不能弄乱`sudoers` 文件。另一方面,该方法也有局限性。例如,当 LDAP 服务器不可用时,你不能使用别名或使用 `sudo`
### 新功能
新版本的 `sudo` 即将推出。1.9 版将包含许多有趣的新功能。以下是最重要的计划功能:
* 记录服务可集中收集会话记录,与本地存储相比,它具有许多优点:
* 在一个地方搜索更方便。
* 即使发送记录的机器关闭,也可以进行记录。
* 记录不能被想要删除其痕迹的人删除。
* audit 插件没有向 `sudoers` 添加新功能,而是为插件提供了 API以方便地访问任何类型的 `sudo` 日志。这个插件允许使用插件从 `sudo` 事件创建自定义日志。
* approval 插件无需使用第三方插件即可启用会话批准。
* 以及我个人最喜欢的:插件的 Python 支持,这使你可以轻松地使用 Python 代码扩展 `sudo`,而不是使用 C 语言进行原生编码。
  
### 总结
希望本文能向你证明 `sudo` 不仅仅是一个简单的命令前缀。有无数种可能性可以微调系统上的权限。你不仅可以微调权限,还可以通过检查摘要来提高安全性。会话记录使你能够检查系统上正在发生的事情。你也可以使用插件扩展 `sudo` 的功能,或者使用已有的插件或编写自己的插件。最后,从即将发布的功能列表中,你可以看到,即使 `sudo` 已有数十年的历史,它也是一个不断发展的有生命的项目。
如果你想了解有关 `sudo` 的更多信息,请参考以下资源:
* [sudo `网站][5]
* [sudo 博客][6]
* [在 Twitter 上关注我们][7]
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/10/know-about-sudo
作者:[Peter Czanik][a]
选题:[lujun9972][b]
译者:[wxy](https://github.com/wxy)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/czanik
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/command_line_prompt.png?itok=wbGiJ_yg (Command line prompt)
[2]: https://www.sudo.ws
[3]: https://github.com/square/sudo_pair/
[4]: https://www.syslog-ng.com/community/b/blog/posts/alerting-on-sudo-events-using-syslog-ng
[5]: https://www.sudo.ws/
[6]: https://blog.sudo.ws/
[7]: https://twitter.com/sudoproject
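Review bot: In the digest rule under the 摘要验证 heading, `sha244:` is not a digest type that sudoers accepts (the supported names are sha224, sha256, sha384 and sha512), and the value that follows is 56 hex digits, which is the length of a SHA-224 digest, so the prefix should read `sha224:`. As written, a reader who copies the line into a sudoers file gets a rule that does not parse instead of a digest check. Smaller markup points in the same hunk: `[sudo 网站] [2]` has a space between the two bracket pairs, which breaks the reference link; the first entry in the closing resource list has a stray backtick inside its link text; and the alerts paragraph spells the site "syslong-ng.com" while link `[4]` points at syslog-ng.com.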