为什么CapEff在/proc/$ PID/status中全为零 [英] Why is CapEff all zeros in /proc/$PID/status

问题描述

我从ping二进制文件中删除了setuid位，并添加了cap_net_raw+p，如下所示:

I removed the setuid bit from the ping binary and added cap_net_raw+p instead as follows:

$ chmod 755 /bin/ping
$ setcap cap_net_raw+p /bin/ping

然后我在一个终端中运行ping，并从另一个终端检查了正在运行的进程的/proc/$ PID/状态:

Then I ran ping in one terminal and checked the /proc/$PID/status of the running process from another:

$ ps aux | grep ping                                                                   
  user     5468  0.0  0.0  14948  1792 pts/20   S+   11:14   0:00 ping www.google.com
  user     5471  0.0  0.0  14224   896 pts/2    S+   11:14   0:00 grep --color=auto ping
$ cat /proc/5468/status | grep Cap
  CapInh: 0000000000000000
  CapPrm: 0000000000002000
  CapEff: 0000000000000000
  CapBnd: 0000003fffffffff
  CapAmb: 0000000000000000

如果ping当前正在运行，为什么CapEff: 0000000000000000? cap_net_raw也应该不在有效集中吗? /proc/$ PID/状态是否不反映线程的当前状态?

If ping is currently running why is CapEff: 0000000000000000? Shouldn't cap_net_raw be in the effective set as well? Does /proc/$PID/status not reflect the current state of the thread?

推荐答案

在OFTC(irc)上的#kernelnewbies中，一个乐于助人的人很友好，可以为我提供答案.

A helpful person in #kernelnewbies on OFTC (irc) was kind enough to provide me with the answer.

ping在有效集中设置cap_net_raw，创建套接字，然后删除cap_net_raw，如strace所示:

ping sets cap_net_raw in the effective set, creates the socket, then drops cap_net_raw, as can been seen with strace:

$ strace -e socket,capset ping -c1 localhost
  capset({_LINUX_CAPABILITY_VERSION_3, 0}, {CAP_NET_RAW, CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0
  socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = 3
  capset({_LINUX_CAPABILITY_VERSION_3, 0}, {0, CAP_NET_ADMIN|CAP_NET_RAW, 0}) = 0

套接字打开后，不需要更多特权即可写入它.

Once the socket is open, no more privileges are required to write to it.

这篇关于为什么CapEff在/proc/$ PID/status中全为零的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！