How to execve a process, retaining capabilities in spite of missing filesystem-based capabilities?


Question


I want to make the system usable without setuid, without file "+p" capabilities, and in general without the things that are disabled when I set PR_SET_NO_NEW_PRIVS.


With this approach (init sets PR_SET_NO_NEW_PRIVS, and filesystem-based capability elevation is no longer possible) you cannot "refill" your capabilities; you only need to be careful not to "splatter" them.


How do I execve some other process without "splattering" any granted capabilities (for example, if the new program's file is setcap =ei)? Just "I trust this new process as I trust myself". For example, a capability is given to a user (and the user wants to exercise it in any program he starts)...


Can I make the entire filesystem permanently =ei? I want to keep the filesystem from interfering with the scheme, so that it is not capable of granting or revoking capabilities, and control everything through parent->child things.

Answer


I am not saying that I recommend this for what you are doing, but here it is.


Extracted from the manual; there have been some changes. According to it, fork does not change capabilities, and there is now an ambient set, added in Linux kernel 4.3, which seems to be for what you are trying to do.

   Ambient (since Linux 4.3):
          This is a set of capabilities that are preserved across an execve(2) of a program that is not privileged.  The ambient capability set obeys the invariant that no capability can ever
          be ambient if it is not both permitted and inheritable.

          The ambient capability set can be directly modified using
          prctl(2).  Ambient capabilities are automatically lowered if
          either of the corresponding permitted or inheritable
          capabilities is lowered.

          Executing a program that changes UID or GID due to the set-
          user-ID or set-group-ID bits or executing a program that has
          any file capabilities set will clear the ambient set.  Ambient
          capabilities are added to the permitted set and assigned to
          the effective set when execve(2) is called.

   A child created via fork(2) inherits copies of its parent's
   capability sets.  See below for a discussion of the treatment of
   capabilities during execve(2).

Transformation of capabilities during execve()
   During an execve(2), the kernel calculates the new capabilities of
   the process using the following algorithm:

       P'(ambient) = (file is privileged) ? 0 : P(ambient)

       P'(permitted) = (P(inheritable) & F(inheritable)) |
                       (F(permitted) & cap_bset) | P'(ambient)

       P'(effective) = F(effective) ? P'(permitted) : P'(ambient)

       P'(inheritable) = P(inheritable)    [i.e., unchanged]

   where:

       P         denotes the value of a thread capability set before the
                 execve(2)

       P'        denotes the value of a thread capability set after the
                 execve(2)

       F         denotes a file capability set

       cap_bset  is the value of the capability bounding set (described
                 below).

   A privileged file is one that has capabilities or has the set-user-ID
   or set-group-ID bit set.
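As an added example (editor's code, not part of the original answer or of capabilities(7)), the quoted transformation implemented as a bit-set simulation in C, followed by a main() that performs the sequence the question asks for: drop root keeping one capability, raise it into the ambient set, turn on no_new_privs, and exec a binary that has no file capabilities. Assumptions: the no_new_privs clamp in the simulation (the new permitted set may not exceed the old one) is the kernel's behaviour under PR_SET_NO_NEW_PRIVS and is not stated in the excerpt above; a "setcap =ei" target is modelled as fI = all, fP = empty, fE set, which is how I read that setcap expression; uid 65534, CAP_NET_RAW and /bin/grep are arbitrary choices for the live demo, which must be started as root and uses raw capset(2)/prctl(2) rather than libcap.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Fallbacks for older libc headers; the values are the kernel's (linux/prctl.h). */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT       47
#define PR_CAP_AMBIENT_RAISE  2
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS  38
#endif

#define CAP_BIT(c) (UINT64_C(1) << (c))
#define ALL_CAPS   (CAP_BIT(CAP_LAST_CAP + 1) - 1)

/* Thread sets P / P' of the quoted algorithm, one bit per capability number. */
typedef struct { uint64_t permitted, inheritable, effective, ambient; } proc_caps_t;

/* File sets F: fP, fI, the single all-or-nothing fE bit, and set-UID/GID mode bits. */
typedef struct { uint64_t permitted, inheritable; int effective, setid; } file_caps_t;

/* "A privileged file is one that has capabilities or has the set-user-ID
 * or set-group-ID bit set." */
static int file_is_privileged(const file_caps_t *f)
{
    return f->setid || f->permitted || f->inheritable || f->effective;
}

/* The execve() transformation quoted above, evaluated on bit sets.
 * no_new_privs adds the PR_SET_NO_NEW_PRIVS promise (prctl(2)): the new
 * permitted set may not exceed the old one. That clamp is kernel behaviour
 * (assumption for this example) and is not in the man page excerpt. */
static proc_caps_t simulate_execve(const proc_caps_t *p, const file_caps_t *f,
                                   uint64_t cap_bset, int no_new_privs)
{
    proc_caps_t n;
    n.ambient   = file_is_privileged(f) ? 0 : p->ambient;
    n.permitted = (p->inheritable & f->inheritable) | (f->permitted & cap_bset);
    if (no_new_privs)
        n.permitted &= p->permitted;
    n.permitted  |= n.ambient;        /* ambient is already a subset of P(permitted) */
    n.effective   = f->effective ? n.permitted : n.ambient;
    n.inheritable = p->inheritable;
    return n;
}

/* Raw capset(2) on the calling thread, v3 layout: two 32-bit words per set. */
static int capset_raw(struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(SYS_capset, &h, d);
}

static void die(const char *what) { perror(what); exit(1); }

/* Live demo (run as root): drop to uid 65534 keeping only CAP_NET_RAW, make it
 * inheritable and ambient, set no_new_privs, then exec a binary without file
 * caps. The child greps its own status; CapAmb/CapPrm/CapEff should all read
 * 0000000000002000 (bit 13 = CAP_NET_RAW). */
int main(void)
{
    const int cap = CAP_NET_RAW;
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3] = {{0, 0, 0}, {0, 0, 0}};

    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) die("PR_SET_KEEPCAPS");
    if (setgroups(0, NULL) != 0 || setresgid(65534, 65534, 65534) != 0 ||
        setresuid(65534, 65534, 65534) != 0)
        die("drop uid");                  /* permitted survives, effective is cleared */

    /* Keep exactly one capability, in permitted, effective and inheritable. */
    d[cap / 32].permitted = d[cap / 32].effective = d[cap / 32].inheritable = 1u << (cap % 32);
    if (capset_raw(d) != 0) die("capset");

    /* Ambient raise needs the cap in both permitted and inheritable (done above). */
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) != 0) die("PR_CAP_AMBIENT_RAISE");
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) die("PR_SET_NO_NEW_PRIVS");

    execl("/bin/grep", "grep", "^Cap", "/proc/self/status", (char *)NULL);
    die("execve");
    return 1;
}
```

The simulation makes the point the question is circling: once the ambient set exists, putting =ei on target binaries is the wrong tool. Any file capabilities at all, even ones that grant nothing, make the file "privileged" and wipe the ambient set, so the capability then survives only through P(inheritable) & F(inheritable). Exec'ing a file with no capability xattr and no set-id bits keeps the ambient set intact, and no_new_privs does not get in the way because the ambient set can never exceed what the caller already held in its permitted set.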

