Linux file permission


Question

There is a process which is running under the root user.

ps aux | grep ProcessX
root     11565  0.0  0.7  82120 22976 ?        Ssl  14:57   0:02 ProcessX

Now ls -l /proc/11565/ (the pid) gives this result.

total 0
dr-xr-xr-x 2 root root 0 Aug  9 16:06 attr
-rw-r--r-- 1 root root 0 Aug  9 16:06 autogroup
-r-------- 1 root root 0 Aug  9 16:06 auxv
-r--r--r-- 1 root root 0 Aug  9 16:06 cgroup
--w------- 1 root root 0 Aug  9 16:06 clear_refs
-r--r--r-- 1 root root 0 Aug  9 16:06 cmdline
-rw-r--r-- 1 root root 0 Aug  9 16:06 coredump_filter
-r--r--r-- 1 root root 0 Aug  9 16:06 cpuset
lrwxrwxrwx 1 root root 0 Aug  9 16:06 cwd -> /usr/local/bin
-r-------- 1 root root 0 Aug  9 16:06 environ
lrwxrwxrwx 1 root root 0 Aug  9 16:06 exe -> /usr/local/bin/ProcessX
dr-x------ 2 root root 0 Aug  9 16:06 fd
dr-x------ 2 root root 0 Aug  9 16:06 fdinfo
-r-------- 1 root root 0 Aug  9 16:06 io
-rw------- 1 root root 0 Aug  9 16:06 limits
-rw-r--r-- 1 root root 0 Aug  9 16:06 loginuid
-r--r--r-- 1 root root 0 Aug  9 16:06 maps
-rw------- 1 root root 0 Aug  9 16:06 mem
-r--r--r-- 1 root root 0 Aug  9 16:06 mountinfo
-r--r--r-- 1 root root 0 Aug  9 16:06 mounts
-r-------- 1 root root 0 Aug  9 16:06 mountstats
dr-xr-xr-x 6 root root 0 Aug  9 16:06 net
-r--r--r-- 1 root root 0 Aug  9 16:06 numa_maps
-rw-r--r-- 1 root root 0 Aug  9 16:06 oom_adj
-r--r--r-- 1 root root 0 Aug  9 16:06 oom_score
-rw-r--r-- 1 root root 0 Aug  9 16:06 oom_score_adj
-r--r--r-- 1 root root 0 Aug  9 16:06 pagemap
-r--r--r-- 1 root root 0 Aug  9 16:06 personality
lrwxrwxrwx 1 root root 0 Aug  9 16:06 root -> /
-rw-r--r-- 1 root root 0 Aug  9 16:06 sched
-r--r--r-- 1 root root 0 Aug  9 16:06 schedstat
-r--r--r-- 1 root root 0 Aug  9 16:06 sessionid
-r--r--r-- 1 root root 0 Aug  9 16:06 smaps
-r--r--r-- 1 root root 0 Aug  9 16:06 stack
-r--r--r-- 1 root root 0 Aug  9 16:06 stat
-r--r--r-- 1 root root 0 Aug  9 16:06 statm
-r--r--r-- 1 root root 0 Aug  9 16:06 status
-r--r--r-- 1 root root 0 Aug  9 16:06 syscall
dr-xr-xr-x 6 root root 0 Aug  9 16:06 task
-r--r--r-- 1 root root 0 Aug  9 16:06 wchan

Now the file permissions for both status and maps are the same (-r--r--r--). But when I issue cat /proc/11565/maps as a non-privileged (not root) user, it gives me a permission denied. But for cat /proc/11565/status, it outputs as expected.

Am I missing something here?

Answer

It's because the file permissions are not the only protection you're encountering.

Those aren't just regular text files on a file system; procfs is a window into process internals, and you have to get past both the file permissions plus whatever other protections are in place.

The maps show potentially dangerous information about memory usage and where executable code is located within the process space. If you look into ASLR, you'll see this was a method of preventing potential attackers from knowing where code was loaded, and it wouldn't make sense to reveal it in a world-readable entry in procfs.

This protection was added back in 2007:

This change implements a check using "ptrace_may_attach" before allowing access to read the maps contents. To control this protection, the new knob /proc/sys/kernel/maps_protect has been added, with corresponding updates to the procfs documentation.

Within ptrace_may_attach() (actually within one of the functions it calls) lies the following code:

/* kernel/ptrace.c, may_attach() in 2.6.22-era kernels: the caller's real uid/gid
   must equal all of the target's real, effective and saved ids, unless the
   caller holds CAP_SYS_PTRACE */
if (((current->uid != task->euid) ||
     (current->uid != task->suid) ||
     (current->uid != task->uid) ||
     (current->gid != task->egid) ||
     (current->gid != task->sgid) ||
     (current->gid != task->gid))     && !capable(CAP_SYS_PTRACE))
   return -EPERM;

so that, unless you have the same real user/group ID, saved user/group ID and effective user/group ID (i.e., no sneaky setuid stuff) and they're the same as the user/group ID that owns the process, you're not allowed to see inside that "file" (unless your process has the CAP_SYS_PTRACE capability, of course).
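The following is an added example, not part of the question or the answer above. It ports the quoted may_attach() test to a small Python model, reads the credentials it needs from /proc/PID/status (which, as the question notes, is world-readable), and then probes a live PID to show the gap between the mode bits ls -l reports and what open()/read() on /proc/PID/maps actually does. The sample status excerpts are constructed, not captured from a real system. Note that current kernels perform the equivalent check in __ptrace_may_access() with PTRACE_MODE_READ, the maps_protect sysctl was later removed and the check made unconditional, and newer kernels add further conditions (the target's "dumpable" flag, user namespaces, LSM hooks such as Yama) that this model does not implement.

```python
# Added example (not from the original post): model of the ptrace-style
# access check that gates /proc/PID/maps, plus a live probe.
import os
import stat
from dataclasses import dataclass

CAP_SYS_PTRACE = 19  # capability bit number, from <linux/capability.h>


@dataclass(frozen=True)
class Creds:
    uid: int
    euid: int
    suid: int
    gid: int
    egid: int
    sgid: int
    cap_eff: int = 0  # effective capability mask (CapEff line of /proc/PID/status)


def may_attach(current: Creds, task: Creds) -> bool:
    """Same test as the quoted 2.6.22-era may_attach() fragment.

    The caller's *real* uid/gid must equal every one of the target's real,
    effective and saved ids; otherwise CAP_SYS_PTRACE is required.
    """
    ids_match = (
        current.uid == task.euid and current.uid == task.suid and current.uid == task.uid
        and current.gid == task.egid and current.gid == task.sgid and current.gid == task.gid
    )
    has_ptrace_cap = bool((current.cap_eff >> CAP_SYS_PTRACE) & 1)
    return ids_match or has_ptrace_cap


def parse_status(text: str) -> Creds:
    """Build Creds from the contents of /proc/PID/status.

    Uid:/Gid: lines carry real, effective, saved and filesystem ids;
    CapEff: is a hex bitmask.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    uid, euid, suid, _fsuid = (int(v) for v in fields["Uid"])
    gid, egid, sgid, _fsgid = (int(v) for v in fields["Gid"])
    cap_eff = int(fields.get("CapEff", ["0"])[0], 16)
    return Creds(uid, euid, suid, gid, egid, sgid, cap_eff)


def predict(pid: int) -> bool:
    """Predict from /proc/PID/status whether this process may read /proc/PID/maps."""
    with open(f"/proc/{pid}/status") as f:
        target = parse_status(f.read())
    with open("/proc/self/status") as f:
        me = parse_status(f.read())
    return may_attach(me, target)


def probe(pid: int, name: str = "maps") -> tuple:
    """Return (mode bits as ls -l shows them, what open()+read() actually did).

    The ptrace check may fire at open() (newer kernels) or at the first read()
    (older ones), so both are attempted; EACCES and EPERM both count as refusal.
    """
    path = f"/proc/{pid}/{name}"
    mode = stat.filemode(os.stat(path).st_mode)
    try:
        with open(path, "rb") as f:
            f.read(1)
    except PermissionError as exc:
        return mode, f"refused ({exc.strerror})"
    return mode, "readable"


# Constructed sample /proc/PID/status excerpts (not captured from a real system).
STATUS_ROOT_DAEMON = "Name:\tProcessX\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
STATUS_PLAIN_USER = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
# A setuid-root program started by uid 1000: real uid 1000, effective/saved uid 0.
STATUS_SETUID_HELPER = "Name:\thelper\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"


if __name__ == "__main__":
    user = parse_status(STATUS_PLAIN_USER)
    print("user -> root daemon:", may_attach(user, parse_status(STATUS_ROOT_DAEMON)))      # False
    print("user -> setuid helper:", may_attach(user, parse_status(STATUS_SETUID_HELPER)))  # False
    # Live check: our own process should be readable; pid 1 usually is not for a non-root user.
    for pid in (os.getpid(), 1):
        print(pid, "predicted:", predict(pid), "observed:", probe(pid))
```

Run it as an unprivileged user on a Linux box to see the mismatch from the question reproduced: /proc/1/maps reports -r--r--r-- from stat() yet open()/read() is refused, while /proc/self/maps is readable. The setuid sample shows why the answer stresses "no sneaky setuid stuff": a process whose real uid is 1000 but whose effective uid is 0 fails the check for uid 1000 because the effective and saved ids no longer match.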
