linux - How to execve a process and preserve capabilities in the absence of filesystem-based capabilities?

Reposted. Author: IT王子. Updated: 2023-10-29 01:16:05

I want the system to be usable without setuid, without file "+p" capabilities, and generally without the things that get disabled when I set PR_SET_NO_NEW_PRIVS.

With this approach (init sets PR_SET_NO_NEW_PRIVS and filesystem-based capability elevation is no longer possible) you cannot "refill" your capabilities; you just need to be careful not to "spill" them.

How do I execve some other process without "spilling" any of the granted capabilities (e.g. if the new program's file is setcap =ei)? Simply "I trust this new process as much as I trust myself". For example, a capability is granted to a user (and that user wants to exercise it in any program he starts)...

Can I make the whole filesystem permanently =ei? I want the filesystem to stay out of the scheme, unable to grant or revoke capabilities; everything is controlled through parent->child things.

Best answer

I'm not saying I recommend what you are doing, but here it is.

From the manual, with some changes. According to it: fork does not change capabilities. And an ambient set has now been added in Linux kernel 4.3, which looks like exactly what you are trying to do.

   Ambient (since Linux 4.3):
This is a set of capabilities that are preserved across an execve(2) of a program that is not privileged. The ambient capability set obeys the invariant that no capability can ever
be ambient if it is not both permitted and inheritable.

The ambient capability set can be directly modified using
prctl(2). Ambient capabilities are automatically lowered if
either of the corresponding permitted or inheritable
capabilities is lowered.

Executing a program that changes UID or GID due to the set-
user-ID or set-group-ID bits or executing a program that has
any file capabilities set will clear the ambient set. Ambient
capabilities are added to the permitted set and assigned to
the effective set when execve(2) is called.

A child created via fork(2) inherits copies of its parent's
capability sets. See below for a discussion of the treatment of
capabilities during execve(2).

Transformation of capabilities during execve()
During an execve(2), the kernel calculates the new capabilities of
the process using the following algorithm:

P'(ambient) = (file is privileged) ? 0 : P(ambient)

P'(permitted) = (P(inheritable) & F(inheritable)) |
(F(permitted) & cap_bset) | P'(ambient)

P'(effective) = F(effective) ? P'(permitted) : P'(ambient)

P'(inheritable) = P(inheritable) [i.e., unchanged]

where:

P denotes the value of a thread capability set before the
execve(2)

P' denotes the value of a thread capability set after the
execve(2)

F denotes a file capability set

cap_bset is the value of the capability bounding set (described
below).

A privileged file is one that has capabilities or has the set-user-ID
or set-group-ID bit set.
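To make the quoted algorithm concrete, here is an added example (not part of the original answer or of the kernel sources): a small C model of the execve(2) capability transformation that can be checked on any host, together with the real prctl(2) sequence on Linux 4.3+ (PR_CAP_AMBIENT_RAISE, then PR_SET_NO_NEW_PRIVS, then exec). Capability number 10 (CAP_NET_BIND_SERVICE) and the file-capability scenarios are constructed for illustration.

```c
/* Added example, not from the original answer: a pure-C model of the execve(2)
 * capability transformation quoted above (so the equations can be checked on any
 * host) plus the real prctl(2)/execve sequence for Linux >= 4.3. */
#include <stdbool.h>
#include <stdint.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

typedef uint64_t capset_t;                       /* one bit per capability number */
static capset_t cap_bit(int cap) { return (capset_t)1 << cap; }
struct caps { capset_t permitted, inheritable, effective, ambient; };        /* P, P' */
struct filecaps { capset_t permitted, inheritable; bool effective, setid; }; /* F */

/* "privileged file": has file capabilities or a set-user-ID/set-group-ID bit */
static bool file_is_privileged(const struct filecaps *F) {
    return F->setid || F->permitted != 0 || F->inheritable != 0;
}

/* Model of PR_CAP_AMBIENT_RAISE: the kernel refuses (EPERM) unless cap is already
 * in both the permitted and the inheritable set (the invariant quoted above). */
static int model_raise_ambient(struct caps *P, int cap) {
    capset_t b = cap_bit(cap);
    if (!(P->permitted & b) || !(P->inheritable & b)) return -1;
    P->ambient |= b;
    return 0;
}

/* P' = execve_transform(P, F, cap_bset): the four equations quoted above */
static struct caps execve_transform(struct caps P, const struct filecaps *F, capset_t cap_bset) {
    struct caps N;
    N.ambient     = file_is_privileged(F) ? 0 : P.ambient;
    N.permitted   = (P.inheritable & F->inheritable) | (F->permitted & cap_bset) | N.ambient;
    N.effective   = F->effective ? N.permitted : N.ambient;
    N.inheritable = P.inheritable;               /* unchanged */
    return N;
}
/* The real sequence the question asks for: put cap in the ambient set, forbid any
 * later privilege gain, then exec. Returns only on failure (-1). */
static int exec_with_ambient_cap(int cap, char *const argv[]) {
#ifdef PR_CAP_AMBIENT
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0UL, 0UL) != 0) return -1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1UL, 0UL, 0UL, 0UL) != 0) return -1;
#else
    (void)cap; return -1;                        /* headers older than Linux 4.3 */
#endif
    return execvp(argv[0], argv);                /* ambient caps survive this exec */
}
```

Call exec_with_ambient_cap from a process that already holds the capability in its permitted and inheritable sets; model_raise_ambient mirrors why the raise otherwise fails with EPERM, and execve_transform shows that a setuid or file-capability target clears the ambient set while a plain binary keeps it.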

Regarding "linux - How to execve a process and preserve capabilities in the absence of filesystem-based capabilities?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/14636359/
