为什么CapEff在/proc/$ PID/status中全为零 [英] Why is CapEff all zeros in /proc/$PID/status
问题描述
我从ping二进制文件中删除了setuid位,并添加了cap_net_raw+p
,如下所示:
I removed the setuid bit from the ping binary and added cap_net_raw+p
instead as follows:
$ chmod 755 /bin/ping
$ setcap cap_net_raw+p /bin/ping
然后我在一个终端中运行ping
,并从另一个终端检查了正在运行的进程的/proc/$ PID/状态:
Then I ran ping
in one terminal and checked the /proc/$PID/status of the running process from another:
$ ps aux | grep ping
user 5468 0.0 0.0 14948 1792 pts/20 S+ 11:14 0:00 ping www.google.com
user 5471 0.0 0.0 14224 896 pts/2 S+ 11:14 0:00 grep --color=auto ping
$ cat /proc/5468/status | grep Cap
CapInh: 0000000000000000
CapPrm: 0000000000002000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
如果ping
当前正在运行,为什么CapEff: 0000000000000000
? cap_net_raw
也应该不在有效集中吗? /proc/$ PID/状态是否不反映线程的当前状态?
If ping
is currently running why is CapEff: 0000000000000000
? Shouldn't cap_net_raw
be in the effective set as well? Does /proc/$PID/status not reflect the current state of the thread?
推荐答案
在OFTC(irc)上的#kernelnewbies中,一个乐于助人的人很友好,可以为我提供答案.
A helpful person in #kernelnewbies on OFTC (irc) was kind enough to provide me with the answer.
ping
在有效集中设置cap_net_raw
,创建套接字,然后删除cap_net_raw
,如strace所示:
ping
sets cap_net_raw
in the effective set, creates the socket, then drops cap_net_raw
, as can been seen with strace:
$ strace -e socket,capset ping -c1 localhost
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_NET_RAW, CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = 3
capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
套接字打开后,不需要更多特权即可写入它.
Once the socket is open, no more privileges are required to write to it.
这篇关于为什么CapEff在/proc/$ PID/status中全为零的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!