How to find out what Linux capabilities a process requires to work?


Problem description

I am in a difficult situation where I don't know what Linux capabilities a process requires to work. What is the best way, or any way, to find out which caps are required?

The only thing I can think of right now is using capsh to drop all caps on a process. The process then fails and I start adding caps back (by removing --drop=CAP_XZY) until it works.

Any better suggestions?

Recommended answer

Another method, which I came across a while ago in this blog post by Brendan Gregg, is to use the capabilities tracer, capable.

Here is sample output:

$ sudo /usr/share/bcc/tools/capable
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
11:31:54  0      2467   capable          21   CAP_SYS_ADMIN        1
11:31:54  0      2467   capable          21   CAP_SYS_ADMIN        1
11:31:59  1000   2468   ls               1    CAP_DAC_OVERRIDE     1
11:31:59  1000   2468   ls               2    CAP_DAC_READ_SEARCH  1
11:32:02  0      1421   timesync         25   CAP_SYS_TIME         1
11:32:05  1000   2469   sudo             7    CAP_SETUID           1
11:32:05  0      2469   sudo             6    CAP_SETGID           1

It has the significant advantage of recording the capability checks made by the kernel for a given process. This allows profiling the application against the capabilities it actually requires, e.g. to narrow down its privileges and execute it as an unprivileged user.

While pscap allows listing the effective capabilities of all running processes, it does not offer a reliable method of checking which capabilities are in fact required by a process, because:

  • A process may have capability X in its permitted set and only raise it to the effective set for a short time to perform a privileged operation.
  • A process could have started with a broader set of capabilities, done the initialization requiring elevated privileges, and then dropped some (or all) capabilities (e.g. ping opening a raw socket).
  • It works only for processes that are already running in a capabilities-based manner. What if you had to determine the minimal capability set required for your newly developed application?
  • It does not allow correlating the privilege checks made for an application with the operations it performs; with capable you get timestamps for every single check.

The sources for capable are available on github. Installation instructions for BCC (including capable) are available here. For a further description please refer to the blog post mentioned at the beginning; please also note that capable requires kernel 4.4+, and an alternative for older kernels is available in the blog post as well.

Note: I'm not the author, nor am I affiliated with the tool developers in any way. I just wanted to bring it to a wider audience, since I have personally used it to develop a capabilities profile for a complex monitoring application that previously required full root privileges to run, and found this tracer to be of tremendous help.
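The profiling workflow the answer describes (trace with capable, then keep only the capabilities the kernel actually checked) can be scripted against capable's output. The following is an added example, not code from the answer or from the BCC project: it parses the sample output shown above (embedded here as constructed input, with the whitespace-separated TIME UID PID COMM CAP NAME AUDIT layout assumed from that sample), builds the per-command set of required capabilities, and turns it into a capsh --drop list.

```python
from collections import defaultdict

# Constructed sample: the capable output quoted in the answer above.
SAMPLE_OUTPUT = """\
TIME      UID    PID    COMM             CAP  NAME                 AUDIT
11:31:54  0      2467   capable          21   CAP_SYS_ADMIN        1
11:31:54  0      2467   capable          21   CAP_SYS_ADMIN        1
11:31:59  1000   2468   ls               1    CAP_DAC_OVERRIDE     1
11:31:59  1000   2468   ls               2    CAP_DAC_READ_SEARCH  1
11:32:02  0      1421   timesync         25   CAP_SYS_TIME         1
11:32:05  1000   2469   sudo             7    CAP_SETUID           1
11:32:05  0      2469   sudo             6    CAP_SETGID           1
"""


def parse_capable(text):
    """Yield (comm, pid, cap_number, cap_name, audited) per data line.

    Assumes the seven whitespace-separated columns of the sample; the
    header line and anything malformed is skipped rather than guessed at.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "TIME":
            continue
        _time, _uid, pid, comm, cap, name, audit = fields
        yield comm, int(pid), int(cap), name, audit == "1"


def caps_by_comm(text, audited_only=False):
    """Map each COMM to the sorted set of capability names the kernel checked.

    Duplicate checks collapse into one entry. With audited_only=True, checks
    whose AUDIT column is 0 are ignored; those are usually opportunistic
    probes rather than hard requirements, so treat that switch as a hint.
    """
    seen = defaultdict(set)
    for comm, _pid, _num, name, audited in parse_capable(text):
        if audited or not audited_only:
            seen[comm].add(name)
    return {comm: sorted(names) for comm, names in seen.items()}


def required_caps(text, comm, audited_only=False):
    """Capabilities a single command triggered during the trace window."""
    return caps_by_comm(text, audited_only).get(comm, [])


def capsh_drop_args(required, candidate_caps):
    """Build a capsh --drop= argument removing every candidate not required.

    candidate_caps is the set you are considering dropping (for example the
    process's current bounding set); only names outside `required` are dropped.
    """
    keep = set(required)
    return "--drop=" + ",".join(sorted(c for c in candidate_caps if c not in keep))
```

The resulting set is only as complete as the trace window, so exercise every code path of the application (startup, error handling, privileged operations) while capable is running before trusting the drop list.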

