Fix many functions

3 years ago · b5d4225b9e
parent 31a4319541
commit b5d4225b9e
13 changed files with 697 additions and 182 deletions
--- a/ublinux/rc.halt.pre/76-save-rootcopy
+++ b/ublinux/rc.halt.pre/76-save-rootcopy
@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/save; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+PATH_CHANGES="/memory/changes"
+NAME_ROOTCOPY="rootcopy"
+
+exec_save_rootcopy(){
+## При перезагрузке/выключении, сохранить/перезаписать указанные каталоги/файлы <SAVE_ROOTCOPY_INCLUDE>, кроме <SAVE_ROOTCOPY_EXCLUDE> в /ublinux-data/rootcopy/
+    if [[ -n ${SAVE_ROOTCOPY_INCLUDE} || -n ${SAVE_ROOTCOPY_CHANGES} ]]; then
+	PATH_ROOTCOPY=$(find ${ROOTFS}/memory/layer-base/*/ -maxdepth 1 -type d -name "${NAME_ROOTCOPY}" | head -1)
+	[[ -n ${PATH_ROOTCOPY} ]] || PATH_ROOTCOPY="$(find ${ROOTFS}/memory/layer-base/*/ -maxdepth 1 -type f -name "ublinux-data*.sgn" | head -1)"
+	[[ -n ${PATH_ROOTCOPY} ]] && PATH_ROOTCOPY="${PATH_ROOTCOPY%/*}/${NAME_ROOTCOPY}" || exit 0
+
+	[[ -e ${PATH_ROOTCOPY} ]] || install -dm0755 -o root -g root "${PATH_ROOTCOPY}"
+	if [[ -w ${PATH_ROOTCOPY} ]]; then
+	    if [[ -n ${SAVE_ROOTCOPY_EXCLUDE} ]]; then
+		while read -r SELECT_EXCLUDE; do
+		    ROOTCOPY_EXCLUDE+=",'${SELECT_EXCLUDE}'"
+		done <<< ${SAVE_ROOTCOPY_EXCLUDE//,/$'\n'}
+	    fi
+    	    cd ${ROOTFS}/${PATH_CHANGES}
+	    [[ -n ${SAVE_ROOTCOPY_CHANGES} ]] && while read -r SELECT_CHANGES; do
+		[[ -e ${SELECT_CHANGES#/*} ]] \
+		&& eval rsync --quiet --update --archive --recursive --acls --xattrs --relative --delete --delete-excluded --exclude={''${ROOTCOPY_EXCLUDE}} ${SELECT_CHANGES#/*} ${PATH_ROOTCOPY}
+		# --dry-run --verbose --quiet 
+    	    done <<< ${SAVE_ROOTCOPY_CHANGES//,/$'\n'}
+	    [[ -n ${SAVE_ROOTCOPY_INCLUDE} ]] && while read -r SELECT_INCLUDE; do
+		[[ -e ${ROOTFS}/${SELECT_INCLUDE} ]] \
+		&& eval rsync --quiet --update --archive --recursive --acls --xattrs --relative --delete --delete-excluded --exclude={''${ROOTCOPY_EXCLUDE}} ${ROOTFS}/${SELECT_INCLUDE} ${PATH_ROOTCOPY}
+		# --dry-run --verbose --quiet 
+    	    done <<< ${SAVE_ROOTCOPY_INCLUDE//,/$'\n'}
+	fi
+
+    fi
+}
+
+################
+##### MAIN #####
+################
+
+    [[ ${SYSTEMBOOT_STATEMODE} == "changes" ]] && exit 0
+    exec_save_rootcopy $@
--- a/ublinux/rc.post.d/23-publicdir
+++ b/ublinux/rc.post.d/23-publicdir
@ -1,14 +1,8 @@
 #!/bin/bash
-#
-# Initial script for Live operating system
-# This script are launching before starting init from linux-live script.
-# Current dir allways must be set to root (/)
-# All system path must be relative, except initrd dirs

 ENABLED=yes
 [ "$ENABLED" != "yes" ] && exit 0

-#PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
 DEBUGMODE=no

 . /usr/lib/ublinux/functions
--- a/ublinux/rc.post.d/42-access-suid-sgid
+++ b/ublinux/rc.post.d/42-access-suid-sgid
@ -0,0 +1,60 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+SELF_NAME="42-access-suid-sgid"
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_allowed_suid(){
+## Отключить влияние SUID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SUID
+    if [[ -n ${ACCESS_ALLOWED_SUID[@]} ]]; then
+	for PATH_WORK_SUID in "${!ACCESS_ALLOWED_SUID[@]}"; do
+	    EXCLUDE_SUID=$(tr [[:space:]],\; $'\n' <<< ${ACCESS_ALLOWED_SUID[${PATH_WORK_SUID}]})
+	    [[ ${PATH_WORK_SUID} == 0 ]] && PATH_WORK_SUID="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
+	    find ${PATH_WORK_SUID} -type f -perm /u=s $(printf "! -name %s " ${EXCLUDE_SUID}) -exec chmod --quiet u-s {} +
+#	    find ${PATH_WORK_SUID} -type f -perm /u=s $(printf " -name %s " ${EXCLUDE_SUID})
+	done
+    fi
+}
+exec_access_allowed_sgid(){
+## Отключить влияние SGID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SGID
+    if [[ -n ${ACCESS_ALLOWED_SGID[@]} ]]; then
+	for PATH_WORK_SGID in "${!ACCESS_ALLOWED_SGID[@]}"; do
+	    EXCLUDE_SGID=$(tr [[:space:]],\; $'\n' <<< ${ACCESS_ALLOWED_SGID[${PATH_WORK_SGID}]})
+	    [[ ${PATH_WORK_SGID} == 0 ]] && PATH_WORK_SGID="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
+	    find ${PATH_WORK_SGID} -type f -perm /g=s $(printf "! -name %s " ${EXCLUDE_SGID}) -exec chmod --quiet g-s {} +
+	done
+    fi
+}
+
+################
+##### MAIN #####
+################
+
+# Возможность подключить как source из любого скрипта и вызов встроенных функций
+
+    if [[ ${0##*/} == ${SELF_NAME} && -z $@ ]]; then
+        while read -r FUNCTION; do
+            $"${FUNCTION##* }"
+        done < <(declare -F | grep "declare -f exec_")
+    elif [[ ${0##*/} == ${SELF_NAME} ]]; then
+#        for FUNCTION in $@; do
+#            declare -f ${FUNCTION} &>/dev/null && ${FUNCTION}
+#        done
+	while [[ $# -gt 0 ]]; do
+	    declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" && shift || { FUNCTION+=" ${1}" && shift; }
+	done
+	eval ${FUNCTION#*; }
+    else
+	true
+    fi
--- a/ublinux/rc.post.d/43-access-interpreter
+++ b/ublinux/rc.post.d/43-access-interpreter
@ -0,0 +1,33 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_denied_interpreter(){
+## Ограничить запуск интерпретаторов языков программирования в интерактивном режиме
+    if [[ -n ${ACCESS_DENIED_INTERPRETER[@]} ]]; then
+	for PATH_WORK_INTERPRETER in "${!ACCESS_DENIED_INTERPRETER[@]}"; do
+	    DENIED_INTERPRETER=$(tr [[:space:]],\; $'\n' <<< ${ACCESS_DENIED_INTERPRETER[${PATH_WORK_INTERPRETER}]})
+	    [[ ${DENIED_INTERPRETER,,} == "all" ]] && DENIED_INTERPRETER="gbr3,python,python2,python3,perl,perl6,php,ruby,node,awk,gawk"
+	    [[ ${PATH_WORK_INTERPRETER} == 0 ]] && PATH_WORK_INTERPRETER="${ROOTFS}/usr/bin ${ROOTFS}/usr/local/bin ${ROOTFS}/usr/local/sbin ${ROOTFS}/home"
+	    LIST_INTERPRETER=$(printf " -name %s -o" ${DENIED_INTERPRETER})
+	    find ${PATH_WORK_INTERPRETER} -type f -perm /g=x \( ${LIST_INTERPRETER%-o*} \) -exec chmod --quiet o-x {} +
+	done
+    fi
+}
+
+################
+##### MAIN #####
+################
+
+    exec_access_denied_interpreter $@
--- a/ublinux/rc.post.d/44-mountattr
+++ b/ublinux/rc.post.d/44-mountattr
@ -0,0 +1,32 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_mount_attr(){
+## Отключить пользовательские nosuid nodev noexec на смонтированные цели
+    if [[ -n ${MOUNT_ATTR[@]} ]]; then
+	for ALL_PATH_WORK_ATTR in "${!MOUNT_ATTR[@]}"; do
+	    tr [[:space:]],\; $'\n' <<< ${ALL_PATH_WORK_ATTR} | while read PATH_WORK_ATTR; do
+		WORK_ATTR=$(tr \; , <<< ${MOUNT_ATTR[${ALL_PATH_WORK_ATTR}]})
+		mount -o remount,${WORK_ATTR} ${PATH_WORK_ATTR}
+	    done	    
+	done
+    fi
+}
+
+################
+##### MAIN #####
+################
+
+    exec_mount_attr $@
--- a/ublinux/rc.post.d/45-disk-quota
+++ b/ublinux/rc.post.d/45-disk-quota
@ -0,0 +1,242 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+#declare -A DISK_QUOTA
+#DISK_QUOTA[usrquota:/dev/sdc1]=enable
+#DISK_QUOTA[usrquota:/dev/sdc1]=disable
+#DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:7M:8M:0:0:86400:86400
+#DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:5M:6M:0:0
+#DISK_QUOTA[usrquota:/mnt/MyExt4]=user-1,user-2:5M:6M:0:0
+#DISK_QUOTA[usrquota:/dev/sdc1]=:0:0:0:0:604800:604800
+#DISK_QUOTA[grpquota:/dev/sdc1]=enable
+#DISK_QUOTA[grpquota:/dev/sdc1]=users:5M:6M:0:0:604800:604800
+#DISK_QUOTA[grpquota:/mnt/MyExt4]=users:5M:6M:0:0:604800:604800
+#DISK_QUOTA[prjquota:/tmp/5/dir23]=3,MyPN-3:3M:4M:10:20:3600:3600
+#DISK_QUOTA[prjquota:/mnt/MyExt4/test1]=1,PN-1:2M:3M:0:0:3600:3600
+#DISK_QUOTA[prjquota:/mnt/MyExt4/test2]=2,PN-2:3M:4M:10:12:3600:3600
+#DISK_QUOTA[quota]=disable
+#DISK_QUOTA[quota]=enable
+
+## Назначение квот на дисковые ресурсы
+## Может принимать входящий параметр: 
+##   exec_disk_quota DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:5M:6M:0:0 DISK_QUOTA[usrquota:/dev/sdc2]=enable 
+exec_disk_quota(){
+## Использовать дисковые квоты на файловые системы
+    enable_quota(){
+    # Включить поддержку квоты
+    ##   Варианты опций mount для квотирования:
+    ##     noquota                  # Отключить простые квоты на пользователя и группу
+    ##     quota                    # Включить простые квоты на пользователя и группу
+    ##     usrquota                 # Включить простые квоты на пользователя
+    ##     grpquota                 # Включить простые квоты на группу
+    ##     prjquota                 # Включить квоты на проект
+    ##     usrjquota=aquota.user    # Включить журналируемые квоты на пользователя
+    ##     grpjquota=aquota.group   # Включить журналируемые квоты на группу
+    ##     jqfmt=vfsold             # Использовать БД для простых квот V1
+    ##     jqfmt=vfsv0              # Выключить журналирование. Использовать БД для журналируемых квот V2
+    ##     jqfmt=vfsv1              # Включить журналирование. Использовать БД для журналируемых квот V2
+	cat /proc/mounts | grep -q "${PATH_DEVICE}.*${ATTR_QUOTA}" && return 0
+	MOUNT_DISK_ATTR[${PATH_DEVICE}]=${MOUNT_DISK_ATTR[${PATH_DEVICE}]#,*}
+	if cat /proc/mounts | grep -q "${PATH_DEVICE}"; then		
+    		if [[ ${ISFS_EXT234_FEATURES} == no  && ! ${PATH_DEVICE} =~ ^/dev/loop* ]] && umount --quiet ${PATH_DEVICE} 2>/dev/null; then
+		    ${ROOTFS}/usr/bin/tune2fs -Q ${MOUNT_DISK_ATTR[${PATH_DEVICE}]} ${PATH_DEVICE} && ISFS_EXT234_FEATURES=yes
+		    mount --all
+		    mount -o ${MOUNT_DISK_ATTR[${PATH_DEVICE}]} ${PATH_DEVICE} ${MOUNT_POINT}
+	    	    rm -f ${MOUNT_POINT}/{aquota.user,aquota.group,quota.user,quota.group}
+	        elif [[ ${ISFS_EXT234_FEATURES} == yes ]]; then
+	    	    mount -o remount,${ATTR_QUOTA} ${PATH_DEVICE}
+		    [[ ${ATTR_QUOTA} == usrquota ]] && rm -f ${MOUNT_POINT}/{aquota.user,quota.user}
+		    [[ ${ATTR_QUOTA} == grpquota ]] && rm -f ${MOUNT_POINT}/{aquota.group,quota.group}
+		elif [[ ${ISFS_EXT234_FEATURES} == no && ${ATTR_QUOTA} != prjquota ]]; then
+		    mount -o remount,${ATTR_QUOTA} ${PATH_DEVICE}
+		    #${ROOTFS}/usr/bin/quotaoff -${ARG_CMD} ${PATH_DEVICE} 2>/dev/null
+		    [[ ${ATTR_QUOTA} == @(usrquota|quota) && ! -f ${MOUNT_POINT}/aquota.user ]] && quotacheck -${ARG_CMD}cm ${PATH_DEVICE}
+		    [[ ${ATTR_QUOTA} == grpquota && ! -f ${MOUNT_POINT}/aquota.group ]] && quotacheck -${ARG_CMD}cm ${PATH_DEVICE}
+		    ${ROOTFS}/usr/bin/quotacheck -${ARG_CMD} ${PATH_DEVICE}
+		fi
+    	else
+		[[ -n ${ISFS_EXT234} && ${ISFS_EXT234_FEATURES} == no ]] && ${ROOTFS}/usr/bin/tune2fs -Q ${MOUNT_DISK_ATTR[${PATH_DEVICE}]} ${PATH_DEVICE} #2>/dev/null
+		echo "ERROR: Device '${PATH_DEVICE}' not mounted."
+	fi
+	[[ -z ${ROOTFS} ]] && ubconfig --target system set config SERVICESSTART+=,systemd-quotacheck \
+	|| chroot . ubconfig --target system set config SERVICESSTART+=,systemd-quotacheck
+    }
+    disable_quota(){
+    # Отключить поддержку квот
+	cat /proc/mounts | grep -q "${PATH_DEVICE}.*${ATTR_QUOTA}" || return 0
+	${ROOTFS}/usr/bin/quotaoff -${ARG_CMD} ${PATH_DEVICE} 2>/dev/null
+	if [[ ${ATTR_QUOTA} == quota ]]; then
+	    [[ -z ${ROOTFS} ]] && ubconfig --target system set config SERVICESSTART-=,systemd-quotacheck \
+    	    || chroot . ubconfig --target system set config SERVICESSTART-=,systemd-quotacheck
+	    cat /proc/mounts | grep -q "${PATH_DEVICE}.*${ATTR_QUOTA}" && mount -o remount,noquota ${PATH_DEVICE}
+	fi
+    }
+    set_quota(){
+    # Установить квоту
+	QUOTA_LIMITS=$(cut -d: -f1,2,3,4 <<< ${ALL_VALUE_QUOTA} | tr : ' ')
+	QUOTA_GRACE=$(cut -d: -f5,6 <<< ${ALL_VALUE_QUOTA} | tr : ' ')
+	#${ROOTFS}/usr/bin/quotaoff -${ARG_CMD} ${PATH_DEVICE} #2>/dev/null
+	[[ -n ${QUOTA_GRACE} ]] && setquota -${ARG_CMD}t ${QUOTA_GRACE} ${MOUNT_POINT}
+	if [[ ${ATTR_QUOTA} == @(usrquota|grpquota) && -n ${UGP_QUOTA} ]]; then
+	    tr , '\n' <<< ${UGP_QUOTA} | while read SELECT_UG_QUOTA; do
+		${ROOTFS}/usr/bin/setquota -${ARG_CMD} ${SELECT_UG_QUOTA} ${QUOTA_LIMITS} ${PATH_DEVICE}
+	    done 
+	elif [[ ${ATTR_QUOTA} == prjquota && -n ${UGP_QUOTA} ]]; then
+	    ID_PROJECT=${UGP_QUOTA%%,*}
+	    NAME_PROJECT=${UGP_QUOTA#*,}
+	    [[ ${ID_PROJECT,,} == auto ]] && ID_PROJECT=${RANDOM}
+	    sed  "\|^${ID_PROJECT}:.*|d; \|.*:${PATH_PRJ}$|d" -i /etc/projects
+	    echo "${ID_PROJECT}:${PATH_PRJ}" >> /etc/projects
+	    sed "/.*:${ID_PROJECT}$/d" -i /etc/projid
+	    if [[ -n ${NAME_PROJECT} ]]; then
+		sed "/^${NAME_PROJECT}:.*/d" -i /etc/projid
+		echo "${NAME_PROJECT}:${ID_PROJECT}" >> /etc/projid
+	    fi
+	    if [[ -n ${ISFS_EXT234} || -n ${ISFS_XFS} || -n ${ISFS_BTRFS} ]]; then
+		${ROOTFS}/usr/bin/chattr -p ${ID_PROJECT} ${PATH_PRJ}
+		${ROOTFS}/usr/bin/chattr +P ${PATH_PRJ}
+	    fi
+	    ${ROOTFS}/usr/bin/setquota -${ARG_CMD} ${ID_PROJECT} ${QUOTA_LIMITS} ${PATH_DEVICE}
+	fi
+    }
+    clean_quota(){
+    # Очистить данные квот
+	#disable_quota
+	if cat /proc/mounts | grep -q ${PATH_DEVICE}; then
+	    ${ROOTFS}/usr/bin/quotaoff -ugP ${PATH_DEVICE} 2>/dev/null
+	    cat /proc/mounts | grep -q "${PATH_DEVICE}.*${ATTR_QUOTA}" && mount -o remount,noquota ${PATH_DEVICE}
+	    rm -f ${MOUNT_POINT}/{aquota.user,aquota.group,quota.user,quota.group}
+	    if [[ ${ISFS_EXT234_FEATURES} == yes ]] && umount --quiet ${PATH_DEVICE} 2>/dev/null; then
+	        ${ROOTFS}/usr/bin/tune2fs -Q ^usrquota,^grpquota,^prjquota ${PATH_DEVICE} 2>/dev/null
+	        #${ROOTFS}/usr/bin/tune2fs -Q quota,project ${PATH_DEVICE} 2>/dev/null
+	        mount --all
+	        mount ${PATH_DEVICE} ${MOUNT_POINT}
+	    fi
+    	else
+	    if [[ ${ISFS_EXT234_FEATURES} == yes ]]; then
+	        ${ROOTFS}/usr/bin/tune2fs -Q ^quota,^project ${PATH_DEVICE} 2>/dev/null
+	        #${ROOTFS}/usr/bin/tune2fs -Q quota,project ${PATH_DEVICE} 2>/dev/null
+	    fi
+	fi
+    }
+    debug(){
+	echo "--------------------------"
+	echo "ATTR_QUOTA=${ATTR_QUOTA}"
+	echo "UGP_QUOTA=${UGP_QUOTA}"
+	echo "ALL_VALUE_QUOTA=${ALL_VALUE_QUOTA}"
+	echo "IDENT_DEVICE=${IDENT_DEVICE}"
+	echo "PATH_DEVICE_LSBLK=${PATH_DEVICE_LSBLK}"
+	echo "PATH_DEVICE=${PATH_DEVICE}"
+	echo "MOUNT_POINT=${MOUNT_POINT}"
+	echo "PATH_PRJ=${PATH_PRJ}"
+	echo "ISFS_EXT234=${ISFS_EXT234}"
+	echo "ISFS_EXT234_FEATURES=${ISFS_EXT234_FEATURES}"
+    }
+    # Если заданы входящие параметр имя переменной со значением, то применяются параметры как основной DISK_QUOTA
+    [[ -n $@ ]] && declare -A DISK_QUOTA && eval $@
+    if [[ -n ${DISK_QUOTA[@]} ]]; then
+	local -A MOUNT_DISK_ATTR
+	KNOW_LSBLK=$("${ROOTFS}"/usr/bin/lsblk --raw --fs --output PATH,FSTYPE,LABEL,PARTLABEL,UUID,PARTUUID,MOUNTPOINT,MOUNTPOINTS --exclude 11,253)
+	for SELECT_DISK_QUOTA in "${!DISK_QUOTA[@]}"; do
+	    ATTR_QUOTA=${SELECT_DISK_QUOTA%%:*}	    
+	    IDENT_DEVICE=${SELECT_DISK_QUOTA#*:}
+	    [[ ${IDENT_DEVICE} == quota ]] && continue
+	    if [[ ${ATTR_QUOTA} == @(usrquota|grpquota|quota) && -n ${IDENT_DEVICE} ]]; then		
+		PATH_DEVICE_LSBLK=$(grep "${IDENT_DEVICE}" <<< ${KNOW_LSBLK} | cut -d' ' -f1)
+		[[ -n ${PATH_DEVICE_LSBLK} ]] && PATH_DEVICE=${PATH_DEVICE_LSBLK} || PATH_DEVICE=${IDENT_DEVICE}
+	    elif [[ ${ATTR_QUOTA} == prjquota && -n ${IDENT_DEVICE} ]]; then
+		PATH_PRJ=${SELECT_DISK_QUOTA#*:}
+		[[ -d ${PATH_PRJ} ]] || continue
+		PATH_DEVICE=$("${ROOTFS}"/usr/bin/findmnt -n -o SOURCE --target ${PATH_PRJ})
+		[[ -n ${PATH_DEVICE} ]] || PATH_DEVICE=${IDENT_DEVICE}
+	    fi
+	    MOUNT_DISK_ATTR[${PATH_DEVICE}]+=",${ATTR_QUOTA}"
+	done
+	for SELECT_DISK_QUOTA in "${!DISK_QUOTA[@]}"; do
+	    local ISFS_EXT234 MOUNT_POINT PATH_PRJ
+	    local ISFS_EXT234_FEATURES	# Данные квот храняться в служебных данных файловой системы
+	    ATTR_QUOTA=${SELECT_DISK_QUOTA%%:*}
+	    case ${ATTR_QUOTA} in
+		quota)		ARG_CMD="ugP"; ARG_TUNE2FS=" quota inode:" ;;
+		usrquota)	ARG_CMD="u"; ARG_TUNE2FS="User quota inode:" ;;
+		grpquota)	ARG_CMD="g"; ARG_TUNE2FS="Group quota inode:" ;;
+		prjquota)	ARG_CMD="P"; ARG_TUNE2FS="Project quota inode:" ;;
+		*)		exit 1 ;;
+	    esac
+	    UGP_QUOTA=${DISK_QUOTA[${SELECT_DISK_QUOTA}]%%:*}
+	    ALL_VALUE_QUOTA="${DISK_QUOTA[${SELECT_DISK_QUOTA}]#*:}"
+	    IDENT_DEVICE=${SELECT_DISK_QUOTA#*:}
+	    [[ ${IDENT_DEVICE} == quota ]] && unset IDENT_DEVICE
+	    if [[ ${ATTR_QUOTA} == @(usrquota|grpquota|quota) && -n ${IDENT_DEVICE} ]]; then		
+		KNOW_LSBLK=$("${ROOTFS}"/usr/bin/lsblk --raw --fs --output PATH,FSTYPE,LABEL,PARTLABEL,UUID,PARTUUID,MOUNTPOINT,MOUNTPOINTS --exclude 11,253)
+		PATH_DEVICE_LSBLK=$(grep "${IDENT_DEVICE}" <<< ${KNOW_LSBLK} | cut -d' ' -f1)
+		[[ -n ${PATH_DEVICE_LSBLK} ]] && PATH_DEVICE=${PATH_DEVICE_LSBLK} || PATH_DEVICE=${IDENT_DEVICE}
+		MOUNT_POINT=$(grep "${PATH_DEVICE}" <<< ${KNOW_LSBLK} | cut -d' ' -f7)
+	    elif [[ ${ATTR_QUOTA} == prjquota && -n ${IDENT_DEVICE} ]]; then
+		PATH_PRJ=${SELECT_DISK_QUOTA#*:}		
+		[[ -d ${PATH_PRJ} ]] || { echo "ERROR: The specified project directory '${PATH_PRJ}' does not exist." && continue; }
+		KNOW_LSBLK=$("${ROOTFS}"/usr/bin/findmnt -n -o SOURCE,FSTYPE,TARGET --target ${PATH_PRJ} | xargs)
+		PATH_DEVICE=$("${ROOTFS}"/usr/bin/findmnt -n -o SOURCE --target ${PATH_PRJ})
+		[[ -n ${PATH_DEVICE} ]] || PATH_DEVICE=${IDENT_DEVICE}
+		MOUNT_POINT=$("${ROOTFS}"/usr/bin/findmnt -n -o TARGET --target ${PATH_PRJ})
+	    fi
+	    [[ -n ${KNOW_LSBLK} ]] && ISFS_EXT234=$(grep -oE "${PATH_DEVICE} (ext2|ext3|ext4)" <<< ${KNOW_LSBLK}) #"
+	    [[ -n ${KNOW_LSBLK} && -z ${ISFS_EXT234} ]] && ISFS_XFS=$(grep -oE "${PATH_DEVICE} xfs" <<< ${KNOW_LSBLK})
+	    # Проверить ФС на поддержку SW|HW режимов квот
+	    [[ -n ${ISFS_EXT234} ]] && { ${ROOTFS}/usr/bin/tune2fs -l ${PATH_DEVICE} | grep -q "${ARG_TUNE2FS}" && ISFS_EXT234_FEATURES=yes || ISFS_EXT234_FEATURES=no; }	    
+	    # TODO: Уточнить получение атрибутов у ФС XFS
+	    [[ -n ${ISFS_XFS} ]] && { ${ROOTFS}/usr/bin/tune2fs -l ${PATH_DEVICE} | grep -q "${ARG_TUNE2FS}" && ISFS_XFS_FEATURES=yes || ISFS_XFS_FEATURES=no; }
+#debug
+	    if [[ ${UGP_QUOTA,,} == enable ]]; then	    
+		if [[ -n ${PATH_DEVICE} ]]; then
+		    enable_quota
+		    ${ROOTFS}/usr/bin/quotaon -${ARG_CMD}vp ${PATH_DEVICE} | grep -qi 'is on (enforced)' || ${ROOTFS}/usr/bin/quotaon -${ARG_CMD} ${PATH_DEVICE}
+		else
+		    ${ROOTFS}/usr/bin/quotaoff -augP 2>/dev/null
+		    ${ROOTFS}/usr/bin/quotacheck -aug 2>/dev/null
+		    ${ROOTFS}/usr/bin/quotaon -augP 2>/dev/null
+		    #${ROOTFS}/usr/bin/ubconfig set config SERVICESSTART+=,quotaon.service
+		fi
+		
+	    elif [[ ${UGP_QUOTA,,} == disable ]]; then
+		if [[ -n ${PATH_DEVICE} ]]; then
+		    disable_quota
+		else
+		    disable_quota
+		    ${ROOTFS}/usr/bin/quotaoff -augP 2>/dev/null
+		    #${ROOTFS}/usr/bin/ubconfig set config SERVICESSTART-=,quotaon.service
+		fi
+	    elif [[ ${UGP_QUOTA,,} == clean ]]; then
+		[[ -n ${PATH_DEVICE} ]] && clean_quota
+	    elif [[ ${ALL_VALUE_QUOTA} =~ .*:.*:.*:.* ]]; then
+		if [[ -n ${PATH_DEVICE} ]]; then
+		    enable_quota
+		    [[ ${ATTR_QUOTA} == prjquota && ${ISFS_EXT234_FEATURES} == no ]] && { echo "ERROR: Project '${UGP_QUOTA}' quota feature not enabled. Cannot enable project quota enforcement." && continue; }
+		    [[ ${ATTR_QUOTA} == prjquota && ${ISFS_XFS_FEATURES} == no ]] && { echo "ERROR: Project '${UGP_QUOTA}' quota feature not enabled. Cannot enable project quota enforcement." && continue; }
+		    if [[ -n ${MOUNT_POINT} ]]; then
+			set_quota
+			${ROOTFS}/usr/bin/quotaon -${ARG_CMD}vp ${PATH_DEVICE} | grep -qi 'is on (enforced)' || ${ROOTFS}/usr/bin/quotaon -${ARG_CMD} ${PATH_DEVICE} 2>/dev/null || echo "ERROR: Quota '${ATTR_QUOTA}' not enabled on device '${PATH_DEVICE}'"
+		    fi
+		fi
+	    fi
+	done
+    fi
+}
+
+################
+##### MAIN #####
+################
+
+    exec_disk_quota $@
--- a/ublinux/rc.post.d/46-cgroup-quota
+++ b/ublinux/rc.post.d/46-cgroup-quota
@ -0,0 +1,26 @@
+#!/bin/bash
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_cgroup_quota(){
+## Квоты на ресурсы, через cgroup2. Механизм systemd или напрямую cgroup
+    #systemctl set-property --runtime user-1001.slice MemoryHigh=200M MemorySwapMax=300M CPUQuota=100%
+    true
+}
+
+################
+##### MAIN #####
+################
+
+    exec_cgroup_quota $@
--- a/ublinux/rc.preinit.d/56-openssl-gost
+++ b/ublinux/rc.preinit.d/56-openssl-gost
@ -0,0 +1,46 @@
+#!/bin/bash
+#
+# Initial script for Live operating system
+# This script are launching before starting init from linux-live script.
+# Current dir allways must be set to root (/)
+# All system path must be relative, except initrd dirs
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_openssl_gost(){
+## Настройка OpenSSL ГОСТ
+    FILE_OPENSSL_CONF="${ROOTFS}/etc//etc/ssl/openssl.cnf"
+    FILE_OPENSSL_GOST_CONF="${ROOTFS}/etc//etc/ssl/gost.cnf"
+    TXT_OPENSSL_GOST_CONF="$(sed -r '/^\s*$/d' "${FILE_OPENSSL_GOST_CONF}")"
+    TXT_ENABLE_GOST_CONF="openssl_conf = openssl_gost"
+
+    if [[ ${OPENSSL_GOST,,} == @(y|yes|enable) ]]; then
+    # Enable GOST
+	grep -q "${TXT_ENABLE_GOST_CONF}" "${FILE_OPENSSL_CONF}" || sed "0,/^[a-zA-Z0-9\[]/s//${TXT_ENABLE_GOST_CONF}\n&/" -i "${FILE_OPENSSL_CONF}"
+	grep -q "${TXT_OPENSSL_GOST_CONF%%$'\n'*}" "${FILE_OPENSSL_CONF}" || cat ${FILE_OPENSSL_GOST_CONF} >> "${FILE_OPENSSL_CONF}"
+    elif [[ ${OPENSSL_GOST,,} == @(n|no|disable) ]]; then
+    ## Disable GOST
+	sed "/${TXT_ENABLE_GOST_CONF}/d" -i "${FILE_OPENSSL_CONF}"
+	sed "/${TXT_OPENSSL_GOST_CONF%%$'\n'*}/,/${TXT_OPENSSL_GOST_CONF##*$'\n'}/d" -i "${FILE_OPENSSL_CONF}"
+    fi
+}
+
+################
+##### MAIN #####
+################
+
+    exec_openssl_gost $@
+    
--- a/ublinux/rc.preinit.d/56-security
+++ b/ublinux/rc.preinit.d/56-security
@ -1,170 +0,0 @@
-#!/bin/bash
-#
-# Initial script for Live operating system
-# This script are launching before starting init from linux-live script.
-# Current dir allways must be set to root (/)
-# All system path must be relative, except initrd dirs
-
-ENABLED=yes
-[ "$ENABLED" != "yes" ] && exit 0
-DEBUGMODE=no
-
-SELF_NAME="56-security"
-PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
-SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
-SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
-debug_mode "$0" "$@"
-
-SYSCONF="${ROOTFS}/${SYSCONF}"
-SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
-SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
-
-exec_openssl_gost(){
-## Настройка OpenSSL ГОСТ
-    FILE_OPENSSL_CONF="${ROOTFS}/etc//etc/ssl/openssl.cnf"
-    FILE_OPENSSL_GOST_CONF="${ROOTFS}/etc//etc/ssl/gost.cnf"
-    TXT_OPENSSL_GOST_CONF="$(sed -r '/^\s*$/d' "${FILE_OPENSSL_GOST_CONF}")"
-    TXT_ENABLE_GOST_CONF="openssl_conf = openssl_gost"
-
-    if [[ ${OPENSSL_GOST,,} == @(y|yes|enable) ]]; then
-    # Enable GOST
-	grep -q "${TXT_ENABLE_GOST_CONF}" "${FILE_OPENSSL_CONF}" || sed "0,/^[a-zA-Z0-9\[]/s//${TXT_ENABLE_GOST_CONF}\n&/" -i "${FILE_OPENSSL_CONF}"
-	grep -q "${TXT_OPENSSL_GOST_CONF%%$'\n'*}" "${FILE_OPENSSL_CONF}" || cat ${FILE_OPENSSL_GOST_CONF} >> "${FILE_OPENSSL_CONF}"
-    elif [[ ${OPENSSL_GOST,,} == @(n|no|disable) ]]; then
-    ## Disable GOST
-	sed "/${TXT_ENABLE_GOST_CONF}/d" -i "${FILE_OPENSSL_CONF}"
-	sed "/${TXT_OPENSSL_GOST_CONF%%$'\n'*}/,/${TXT_OPENSSL_GOST_CONF##*$'\n'}/d" -i "${FILE_OPENSSL_CONF}"
-    fi
-}
-exec_access_denied_vtx11(){
-    FILE_XORGDONTVTSWITCH_CONF="${ROOTFS}/etc/X11/xorg.conf.d/ublinux-disable-vt.conf"
-    FILE_SYSTEMDLOGIND_CONF="${ROOTFS}/etc/systemd/logind.conf.d/ublinux-disable-vt.conf"
-    FILE_LIGHTDM_CONF="${ROOTFS}/etc/lightdm/lightdm.conf.d/ublinux-disable-vt.conf"
-    if [[ ${ACCESS_DENIED_VTX11,,} == @(y|yes|enable) ]]; then
-	mkdir -p ${FILE_XORGDONTVTSWITCH_CONF%/*}
-	 cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_XORGDONTVTSWITCH_CONF}"
-	    Section "ServerFlags"
-	    Option "DontVTSwitch" "true"
-	    EndSection
-EOF
-	if readlink -fq ${ROOTFS}/usr/bin/init | grep -q "lib/systemd/systemd$"; then
-	    mkdir -p ${FILE_SYSTEMDLOGIND_CONF%/*}
-	    cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_SYSTEMDLOGIND_CONF}"
-		[Login]
-		NAutoVTs=0
-		ReserveVT=0
-EOF
-	fi
-	if [[ -d ${ROOTFS}/etc/lightdm ]]; then
-	    mkdir -p ${FILE_LIGHTDM_CONF%/*}
-	    cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_LIGHTDM_CONF}"
-		[LightDM]
-		logind-check-graphical=true
-EOF
-	fi
-    elif [[ ${ACCESS_DENIED_VTX11,,} == @(n|no|disable) ]]; then
-	rm -f "${FILE_SYSTEMDLOGIND_CONF}" "${FILE_XORGDONTVTSWITCH_CONF}" "${FILE_LIGHTDM_CONF}"
-    fi
-}
-exec_access_allowed_login(){
-## Управление доступом в систему, правила разрешения
-    FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/01-ublinux-allowed.conf"
-    rm -f "${FILE_ACCESS_CONF}"
-    if [[ -n ${ACCESS_ALLOWED_LOGIN} ]]; then
-	[[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
-	tr , $'\n' <<< ${ACCESS_ALLOWED_LOGIN} | while read RULE; do
-	    echo "+:${RULE}" >> "${FILE_ACCESS_CONF}"
-	done
-    fi    
-}
-exec_access_denied_login(){
-## Управление доступом в систему, правила блокировки
-    FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/02-ublinux-denied.conf"
-    rm -f "${FILE_ACCESS_CONF}"
-    if [[ -n ${ACCESS_DENIED_LOGIN} ]]; then
-	[[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
-	tr , $'\n' <<< ${ACCESS_DENIED_LOGIN} | while read RULE; do
-	    echo "-:${RULE}" >> "${FILE_ACCESS_CONF}"
-	done
-    fi    
-}
-exec_access_allowed_suid(){
-## Отключить влияние SUID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SUID
-    if [[ -n ${ACCESS_ALLOWED_SUID[@]} ]]; then
-	for PATH_WORK_SUID in "${!ACCESS_ALLOWED_SUID[@]}"; do
-	    EXCLUDE_SUID=$(tr , $'\n' <<< ${ACCESS_ALLOWED_SUID[${PATH_WORK_SUID}]})
-	    find ${PATH_WORK_SUID} -type f -perm /u=s $(printf "! -name %s " ${EXCLUDE_SUID}) -exec chmod u-s {} +
-	done
-    fi
-}
-exec_access_allowed_sgid(){
-## Отключить влияние SGID бита на привилегии порождаемого процесса всем, кроме указанных в ACCESS_ALLOWED_SGID
-    if [[ -n ${ACCESS_ALLOWED_SGID[@]} ]]; then
-	for PATH_WORK_SGID in "${!ACCESS_ALLOWED_SGID[@]}"; do
-	    EXCLUDE_SGID=$(tr , $'\n' <<< ${ACCESS_ALLOWED_SGID[${PATH_WORK_SGID}]})
-	    find ${PATH_WORK_SGID} -type f -perm /g=s $(printf "! -name %s " ${EXCLUDE_SGID}) -exec chmod g-s {} +
-	done
-    fi
-}
-exec_access_allowed_interpreter(){
-## Ограничить запуск интерпретаторов языков программирования в интерактивном режиме
-    true
-}
-exec_mount_attr(){
-## Отключить пользовательские nosuid nodev noexec на смонтированные цели
-    true
-}
-exec_mount_quota(){
-## Использовать дисковые квоты на файловые системы
-    true
-}
-exec_cgroup_quota(){
-## Квоты на ресурсы, через cgroup2. Механизм systemd или напрямую cgroup
-    true
-}
-exec_polkit(){
-## Настрока polkit правил
-    rm -f "${ROOTFS}"/etc/polkit-1/rules.d/ublinux-*
-    if [[ -n ${POLKIT[@]} ]]; then
-	for RULES in "${!POLKIT[@]}"; do
-	    RULES_GROUP=
-	    RULES_FILE="${ROOTFS}/etc/polkit-1/rules.d/ublinux-$(sed 's/\([A-z0-9]*.[A-z0-9]*.[A-z0-9]*\)\..*/\1/' <<< ${RULES}).rules"
-	    RULES_RESULT=$(cut -d: -f1 <<< ${POLKIT[${RULES}]})
-	    for GROUP in $(grep ":" <<< ${POLKIT[${RULES}]} | cut -d: -f2 | tr ',' '\n'); do
-	        RULES_GROUP+="&& subject.isInGroup(\"${GROUP}\") "
-	    done
-	    cat >> ${RULES_FILE} <<EOF
-polkit.addRule(function(action, subject) {
-    if (action.id.indexOf("${RULES}") == 0 
-	&& subject.active == true
-	&& subject.local == true	
-	${RULES_GROUP}
-	) 
-    {
-            return polkit.Result.${RULES_RESULT^^};
-    }
-});
-
-EOF
-	done
-	#touch ${ROOTFS}/etc/polkit-1/rules.d
-    fi
-}
-
-################
-##### MAIN #####
-################
-
-    if [[ ${0##*/} == ${SELF_NAME} && -z $@ ]]; then
-        while read -r FUNCTION; do
-            $"${FUNCTION##* }"
-        done < <(declare -F | grep "declare -f exec_")
-    elif [[ ${0##*/} == ${SELF_NAME} ]]; then
-        for FUNCTION in $@; do
-            declare -f ${FUNCTION} &>/dev/null && ${FUNCTION}
-        done
-    else
-        true
-    fi
--- a/ublinux/rc.preinit.d/57-access-denied-vtx11
+++ b/ublinux/rc.preinit.d/57-access-denied-vtx11
@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# Initial script for Live operating system
+# This script are launching before starting init from linux-live script.
+# Current dir allways must be set to root (/)
+# All system path must be relative, except initrd dirs
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_denied_vtx11(){
+## Отключить виртуальные терминалы и запретить переключение на них из X11
+    FILE_XORGDONTVTSWITCH_CONF="${ROOTFS}/etc/X11/xorg.conf.d/ublinux-disable-vt.conf"
+    FILE_SYSTEMDLOGIND_CONF="${ROOTFS}/etc/systemd/logind.conf.d/ublinux-disable-vt.conf"
+    FILE_LIGHTDM_CONF="${ROOTFS}/etc/lightdm/lightdm.conf.d/ublinux-disable-vt.conf"
+    if [[ ${ACCESS_DENIED_VTX11,,} == @(y|yes|enable) ]]; then
+	mkdir -p ${FILE_XORGDONTVTSWITCH_CONF%/*}
+	 cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_XORGDONTVTSWITCH_CONF}"
+	    Section "ServerFlags"
+	    Option "DontVTSwitch" "true"
+	    EndSection
+EOF
+	if readlink -fq ${ROOTFS}/usr/bin/init | grep -q "lib/systemd/systemd$"; then
+	    mkdir -p ${FILE_SYSTEMDLOGIND_CONF%/*}
+	    cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_SYSTEMDLOGIND_CONF}"
+		[Login]
+		NAutoVTs=0
+		ReserveVT=0
+EOF
+	fi
+	if [[ -d ${ROOTFS}/etc/lightdm ]]; then
+	    mkdir -p ${FILE_LIGHTDM_CONF%/*}
+	    cat <<-EOF | sed 's/^\s*\t*//' > "${FILE_LIGHTDM_CONF}"
+		[LightDM]
+		logind-check-graphical=true
+EOF
+	fi
+    elif [[ ${ACCESS_DENIED_VTX11,,} == @(n|no|disable) ]]; then
+	rm -f "${FILE_SYSTEMDLOGIND_CONF}" "${FILE_XORGDONTVTSWITCH_CONF}" "${FILE_LIGHTDM_CONF}"
+    fi
+}
+
+################
+##### MAIN #####
+################
+
+    exec_access_denied_vtx11 $@
--- a/ublinux/rc.preinit.d/58-access-login
+++ b/ublinux/rc.preinit.d/58-access-login
@ -0,0 +1,62 @@
+#!/bin/bash
+#
+# Initial script for Live operating system
+# This script are launching before starting init from linux-live script.
+# Current dir allways must be set to root (/)
+# All system path must be relative, except initrd dirs
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_access_allowed_login(){
+## Управление доступом в систему, правила разрешения
+    FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/01-ublinux-allowed.conf"
+    rm -f "${FILE_ACCESS_CONF}"
+    if [[ -n ${ACCESS_ALLOWED_LOGIN} ]]; then
+	[[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
+	tr , $'\n' <<< ${ACCESS_ALLOWED_LOGIN} | while read RULE; do
+	    echo "+:${RULE}" >> "${FILE_ACCESS_CONF}"
+	done
+    fi    
+}
+exec_access_denied_login(){
+## Управление доступом в систему, правила блокировки
+    FILE_ACCESS_CONF="${ROOTFS}/etc/security/access.d/02-ublinux-denied.conf"
+    rm -f "${FILE_ACCESS_CONF}"
+    if [[ -n ${ACCESS_DENIED_LOGIN} ]]; then
+	[[ -d ${FILE_ACCESS_CONF%/*} ]] || mkdir -p ${FILE_ACCESS_CONF%/*}
+	tr , $'\n' <<< ${ACCESS_DENIED_LOGIN} | while read RULE; do
+	    echo "-:${RULE}" >> "${FILE_ACCESS_CONF}"
+	done
+    fi    
+}
+
+################
+##### MAIN #####
+################
+
+    if [[ -z $@ ]]; then
+        while read -r FUNCTION; do
+            $"${FUNCTION##* }"
+        done < <(declare -F | grep "declare -f exec_")
+    else 
+#        for FUNCTION in $@; do
+#            declare -f ${FUNCTION} &>/dev/null && ${FUNCTION}
+#        done
+	while [[ $# -gt 0 ]]; do
+	    declare -f ${1} &>/dev/null && FUNCTION+="; ${1}" && shift || { FUNCTION+=" ${1}" && shift; }
+	done
+	eval ${FUNCTION#*; }
+    fi
--- a/ublinux/rc.preinit.d/59-polkit
+++ b/ublinux/rc.preinit.d/59-polkit
@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# Initial script for Live operating system
+# This script are launching before starting init from linux-live script.
+# Current dir allways must be set to root (/)
+# All system path must be relative, except initrd dirs
+
+ENABLED=yes
+[ "$ENABLED" != "yes" ] && exit 0
+DEBUGMODE=no
+
+PATH=.:/:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+unset ROOTFS; [[ -d /usr/lib/ublinux ]] || ROOTFS=.
+SOURCE=${ROOTFS}/usr/lib/ublinux/functions; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+SOURCE=${ROOTFS}/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null || exit 0
+debug_mode "$0" "$@"
+
+SYSCONF="${ROOTFS}/${SYSCONF}"
+SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . ${SOURCE} 2>/dev/null
+SOURCE=${SYSCONF}/security; [ -f ${SOURCE} ] && . ${SOURCE} 2>/dev/null
+
+exec_polkit(){
+## Настрока polkit правил
+    rm -f "${ROOTFS}"/etc/polkit-1/rules.d/ublinux-*
+    if [[ -n ${POLKIT[@]} ]]; then
+	for RULES in "${!POLKIT[@]}"; do
+	    RULES_GROUP=
+	    RULES_FILE="${ROOTFS}/etc/polkit-1/rules.d/ublinux-$(sed 's/\([A-z0-9]*.[A-z0-9]*.[A-z0-9]*\)\..*/\1/' <<< ${RULES}).rules"
+	    RULES_RESULT=$(cut -d: -f1 <<< ${POLKIT[${RULES}]})
+	    for GROUP in $(grep ":" <<< ${POLKIT[${RULES}]} | cut -d: -f2 | tr ',' '\n'); do
+	        RULES_GROUP+="&& subject.isInGroup(\"${GROUP}\") "
+	    done
+	    cat >> ${RULES_FILE} <<EOF
+polkit.addRule(function(action, subject) {
+    if (action.id.indexOf("${RULES}") == 0 
+	&& subject.active == true
+	&& subject.local == true	
+	${RULES_GROUP}
+	) 
+    {
+            return polkit.Result.${RULES_RESULT^^};
+    }
+});
+
+EOF
+	done
+	#touch ${ROOTFS}/etc/polkit-1/rules.d
+    fi
+}
+
+################
+##### MAIN #####
+################
+
+    exec_polkit $@
--- a/ublinux/templates/ublinux-data.ini
+++ b/ublinux/templates/ublinux-data.ini
@ -28,7 +28,7 @@
 [/etc/ublinux/config]
 ## Config verison
 ## Версия конфигурации
-VERSION=2.9
+VERSION=2.10

 ## Additional boot parameters
 ## Дополнительные параметры загрузки, только для управления модулями
@ -242,11 +242,23 @@ GRUB_CMDLINE_LINUX="modprobe.blacklist=nouveau"
 ## Сохранять кэши при перезагрузке/выключении, ускоряет загрузку системы
 ## SAVE_ALL_CACHE=rootcopy

+## Работает только в режимах песочницы. Не работает в режиме полного сохранения.
+## При перезагрузке/выключении, сохранить/перезаписать указанные каталоги/файлы <SAVE_ROOTCOPY_CHANGES> и <SAVE_ROOTCOPY_INCLUDE>, кроме <SAVE_ROOTCOPY_EXCLUDE> в /ublinux-data/rootcopy/
+## Примечание: При загрузке весь каталог /ublinux-data/rootcopy копируется в корень. В режиме песочницы потребляет свободное ОЗУ. В режиме сохранения заменяет файлы в корне.
+## SAVE_ROOTCOPY_INCLUDE=<path_1,path_2/file_1,path_n>	# Каталоги и файлы которые будут сохранены в rootcopy
+## SAVE_ROOTCOPY_CHANGES=<path_1,path_2/file_1,path_n>	# Каталоги и файлы изменений которые будут сохранены в rootcopy
+## SAVE_ROOTCOPY_EXCLUDE=<path_1,path_2/file_1,path_n>	# Каталоги и файлы которые будут исключены из сохраенния в rootcopy
+#SAVE_ROOTCOPY_CHANGES="/etc"
+#SAVE_ROOTCOPY_INCLUDE="/etc/pacman.d/gnupg,/etc/NetworkManager/system-connections"
+#SAVE_ROOTCOPY_EXCLUDE="/etc/ublinux"
+
 ## TODO
-#SELECT_SAVE_ROOTCOPY_WHITELIST=""
-#SELECT_SAVE_ROOTCOPY_BLACKLIST=""
-#SELECT_SAVE_MODULE_WHITELIST=""
-#SELECT_SAVE_MODULE_BLACKLIST=""
+## Работает только в режимах песочницы. Не работает в режиме полного сохранения.
+## При перезагрузке/выключении, сохранять указанные каталоги/файлы <SAVE_MODULE_CHANGES> и <SAVE_MODULE_INCLUDE>, кроме <SAVE_MODULE_EXCLUDE> в модуль /ublinux-data/modules/zz-save-module.ubm
+## Примечание: При загрузке подключается последним модулем. Не потребляет свободное ОЗУ. Требует больше времени при перезагрузки/выключении, т.к. создаёт модуль.
+#SAVE_MODULE_CHANGES="/etc"
+#SAVE_MODULE_INCLUDE="/etc/pacman.d/gnupg,/etc/NetworkManager/system-connections"
+#SAVE_MODULE_EXCLUDE="/etc/ublinux"

 ################################################################################
 ## Настройка сети
@ -491,15 +503,21 @@ NSSWITCHWINBIND=yes
 ## MOUNT_ATTR[/tmp,/dev/shm]=nosuid,nodev,noexec

 ## Использовать дисковые квоты на файловые системы ext2,ext3,ext4,jfs,xfs,vfs,nfs,...
+## Внимание: для квот на группу, необходимо что-бы указанная группа была основной у пользователей.
+## Альтернатива для проектов, через дополнительную группу projgrp: groupadd projgrp; mkdir /home/projects; chgrp projgrp /home/projects; chmod g+s /home/projects
 ## DISK_QUOTA[<quota_type>:<device_ident>]=<enable/disable>
+## DISK_QUOTA[<quota_type>:<device_ident>]=:0:0:0:0:<bgrace>:<igrace>
 ## DISK_QUOTA[<quota_type>:<device_ident>]=<user1,user2,user_n>:<bsoft>:<bhard>:<isoft>:<ihard>[:<bgrace>:<igrace>]
 ## DISK_QUOTA[<quota_type>:<device_ident>]=<group_1,group_2,group_n>:<bsoft>:<bhard>:<isoft>:<ihard>[:<bgrace>:<igrace>]
 ## DISK_QUOTA[prjquota:<path_dir>]=<project_id>,<project_name>:<bsoft>:<bhard>:<isoft>:<ihard>[:<bgrace>:<igrace>]
+## DISK_QUOTA[quota:<device_ident>]=clean
+## DISK_QUOTA[quota]=<enable/disable>
 ##   <quota_type>		# Тип квоты, может принимать значения:
 ##     usrquota			# Квоты на пользователя
 ##     grpquota			# Квоты на группу
 ##     prjquota			# Квоты на проект/каталог
-##   <enable/disable>		# Простое включение/отключение дисковой квоты, без указания дополнительных условий
+##   <enable/disable>		# Простое включение/отключение дисковой квоты, без указания дополнительных условий,
+##                              #  если не указан <device_ident>, то для всех устройств
 ##   <device_ident>		# Уникальный идентификатор устройства, из возможных представленных:
 ##     PATH			# Путь до устройства /dev/device
 ##     LABEL			# МЕТКА файловой системы
@ -507,6 +525,7 @@ NSSWITCHWINBIND=yes
 ##     UUID			# UUID файловой системы
 ##     PARTUUID			# UUID раздела
 ##     MOUNTPOINT		# Путь куда примонтировано устройство
+##   clean                      # Очистить базу данных квот, отключить поддержку ^quota ^project у EXT234
 ##   <path_dir>			# Путь до каталога
 ##   <user_1,user_2,user_n>	# Перечень пользователей разделённых ,
 ##   <group_1,group_2,group_n>	# Перечень групп разделённых ,
@ -523,10 +542,12 @@ NSSWITCHWINBIND=yes
 ## DISK_QUOTA[usrquota:/dev/sda3]=enable
 ## DISK_QUOTA[usrquota:/dev/sda3]=disable
 ## DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:100M:150M:100:150
+## DISK_QUOTA[usrquota:/dev/sdc1]=:0:0:0:0:86400:86400
 ## DISK_QUOTA[usrquota:/dev/sdc1]=user-1,user-2:100M:150M:100:150:86400:86400
 ## DISK_QUOTA[grpquota:/dev/sdc1]=users,users@domain.com:1G:1500M:0:0:604800:604800
 ## DISK_QUOTA[prjquota:/mnt/data/project1]=AUTO:5G:6G:0:0:604800:604800
 ## DISK_QUOTA[prjquota:/mnt/data/project2]=1,MyProjectName:500M:600M:0:0:604800:604800
+## DISK_QUOTA[quota]=enable

 ## Квоты на ресурсы, через cgroup2. Механизм systemd или напрямую cgroup. man 5 systemd.resource-control
 ##   CGROUP_QUOTA[unit|user]=property_1=value,property_2=value,property_n=value