Clearcase: How to control whether SUID programs work in a view or not?


Question

We have two machines (under discussion) running ClearCase - different versions of ClearCase. Otherwise, they are about as identical in setup as can be - same Linux x86/64 kernel etc.

On one machine, SUID root programs in the view work as SUID root programs.

On the other machine, SUID root programs in the view do not work with SUID privileges, leading to unexpected results.

The only difference we've spotted so far is:

  • Working view: CC 7.0.1
  • Non-working view: CC 7.1.1.1

I can give the full output of cleartool -version if it matters, but I suspect it won't. These are the first versions listed.

  1. Is this a known difference between ClearCase versions, or is it a configuration item, or something else?
  2. Can the newer version of ClearCase (MVFS) be configured to allow SUID root programs to run 'properly'?
  3. If it is configurable, how do we change the configuration so that the newer version allows SUID programs?

We have umpteen machines running ClearCase on many different platforms. There are rumours that on some machines our SUID software has to be run 'outside the view' to work properly. Now someone has reported a bug, and most of the day has been spent narrowing down these differences. The issue addressed in the question appears to be a plausible explanation. If it is something else, so be it. I still want back the hair I lost again today!

All views are dynamic, not snapshot.

This is the output of cleartool lsview -l -full -pro -cview on the machine where SUID programs do work, running ClearCase 7.0.1:

Tag: idsdb00222108.jleffler.toru
  Global path: /net/toru/work4/atria/idsdb00222108.jleffler.toru.vws
  Server host: toru
  Region: lenexa
  Active: YES
  View tag uuid:6dac5149.2d7511e0.8c62.00:14:5e:69:25:d0
View on host: toru
View server access path: /work4/atria/idsdb00222108.jleffler.toru.vws
View uuid: 6dac5149.2d7511e0.8c62.00:14:5e:69:25:d0
View owner: lenexa.pd/jleffler

Created 2011-01-31T11:58:11-08:00 by jleffler.rd@toru
Last modified 2011-02-26T22:32:49-08:00 by jleffler.rd@toru.lenexa.ibm.com
Last accessed 2011-02-26T22:44:55-08:00 by jleffler.rd@toru.lenexa.ibm.com
Last read of private data 2011-02-26T22:44:55-08:00 by jleffler.rd@toru.lenexa.ibm.com
Last config spec update 2011-02-26T01:10:36-08:00 by jleffler.rd@toru.lenexa.ibm.com
Last view private object update 2011-02-26T22:32:49-08:00 by jleffler.rd@toru.lenexa.ibm.com
Text mode: unix
Properties: dynamic readwrite shareable_dos
Owner: lenexa.pd/jleffler : rwx (all)
Group: lenexa.pd/rd     : rwx (all)
Other:                  : rwx (all)
Additional groups: lenexa.pd/RAND lenexa.pd/ccusers lenexa.pd/ccids lenexa.pd/ccos

This is the output on the machine where SUID programs do not 'work', running ClearCase 7.1.1.1:

Tag: new.jleffler.zeetes
  Global path: /tmp/jl/new.jleffler.zeetes.vws
  Server host: zeetes
  Region: lenexa
  Active: YES
  View tag uuid:f62b7c80.414111e0.9cec.00:14:5e:de:1b:44
View on host: zeetes
View server access path: /tmp/jl/new.jleffler.zeetes.vws
View uuid: f62b7c80.414111e0.9cec.00:14:5e:de:1b:44
View owner: lenexa.pd/informix

Created 2011-02-25T18:40:11-06:00 by informix.informix@zeetes
Last modified 2011-02-25T18:49:56-06:00 by informix.informix@zeetes
Last accessed 2011-02-25T18:50:31-06:00 by informix.informix@zeetes
Last read of private data 2011-02-25T18:50:31-06:00 by informix.informix@zeetes
Last config spec update 2011-02-25T18:49:37-06:00 by informix.informix@zeetes
Last view private object update 2011-02-25T18:49:56-06:00 by informix.informix@zeetes
Text mode: unix
Properties: dynamic readwrite shareable_dos
Owner: lenexa.pd/informix : rwx (all)
Group: lenexa.pd/informix : r-x (read)
Other:                  : r-x (read)
Additional groups: lenexa.pd/RAND lenexa.pd/ccids lenexa.pd/ccos


Detecting that SUID programs are not working

The problem is not that there is an error message from the operating system about running the SUID program. The problem is that even though the program appears to be setuid root, when run, the program is not actually setuid:

Zeetes IX: ls -l asroot
-r-sr-xr-x 1 root informix 24486 Feb 25 18:49 asroot
Zeetes IX: ./asroot id
asroot: not installed SUID root
Zeetes IX: 

This is the output from asroot when it is not installed with SUID root privileges. On the other machine:

Toru JL: ls -l asroot
-r-sr-xr-x 1 root informix 26297 2011-02-27 00:11 asroot
Toru JL: ./asroot id
uid=0(root) gid=1240(rd) groups=1240(rd),1360(RAND),8714(ccusers),8803(ccids),8841(ccos)
Toru JL:

This is more or less the output I'd expect if the program is installed with SUID root privileges.

The two main VOBs are tristarp and tristarm. On the machine where SUID is OK (wrapping done manually to avoid scrollbars):

aether:/vobs/tristarm.vbs on /vobs/tristarm.vbs type nfs \
     (rw,hard,intr,bg,addr=9.25.149.151)
charon:/vobs/tristarp.vbs on /vobs/tristarp.vbs type nfs \
     (rw,hard,intr,bg,addr=9.25.149.147)
charon:/vobs/tristarp.vbs on /vobs/tristarp type mvfs \
     (uuid=684ef023.2dd111d0.b696.08:00:09:b1:a4:c5)
aether:/vobs/tristarm.vbs on /vobs/tristarm type mvfs \
     (uuid=b74900ef.814511cf.afee.08:00:09:b1:54:d5)

On the machine where SUID is not OK:

aether:/vobs/tristarm.vbs on /vobs/tristarm type mvfs \
     (uuid=b74900ef.814511cf.afee.08:00:09:b1:54:d5,nosuid)
aether:/vobs/tristarm.vbs on /vobs/tristarm.vbs type nfs \
     (rw,hard,intr,bg,addr=9.25.149.151)
charon:/vobs/tristarp.vbs on /vobs/tristarp.vbs type nfs \
     (rw,hard,intr,bg,addr=9.25.149.147)
charon:/vobs/tristarp.vbs on /vobs/tristarp type mvfs \
     (uuid=684ef023.2dd111d0.b696.08:00:09:b1:a4:c5)

And there's the miscreant! (And I thought I'd looked at mount information. Evidently. I'd not looked accurately enough, or only on one machine - the working one - or something.) It is odd that only one of these two VOBs is mounted with nosuid; very odd.

Thanks, VonC.

There is provision in the scripts /etc/init.d/clearcase and /etc/clearcase for the scripts and programs under /opt/rational/clearcase to use a file /var/adm/rational/clearcase/suid_mounts_allowed to control whether SUID is allowed or not; it exists on both machines, as an empty file with permissions root:root:000. But there may be some other difference that is crucial lurking here - I have asked the resident ClearCase Guru about this. However, it looks as though the difference is more likely in the configuration on the two machines than it is some version-specific change in functionality. Both versions superficially support the nosuid option, even though neither is self-evidently invoking that option - except that the 7.1.1.1 version is managing to invoke it where the 7.0.1 version is not.
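As an added example, not part of the original question or answer, here is a small POSIX shell script that does by machine what the question ends up doing by eye: it parses `mount` output, lists the MVFS VOB mounts whose option list carries nosuid, and resolves a binary's path to the mount whose options actually govern it (the MVFS mount, not the .vbs storage mount over NFS). The sample mount lines are transcribed from the non-working host above with the manual line wrapping removed; the `/vobs/.../bin/asroot` paths are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not from the original question or answer: find MVFS VOB
# mounts that carry "nosuid" and work out which mount governs a given binary.
# Assumptions: `mount` output in the "dev on mountpoint type fstype (opts)"
# form shown in the question; the /vobs/.../bin/asroot paths are made up.

# Constructed sample: the `mount` lines from the non-working host in the
# question, with the manual line wrapping removed.  On a live host use
# `mount | mvfs_nosuid_mounts` instead.
SAMPLE_MOUNTS='aether:/vobs/tristarm.vbs on /vobs/tristarm type mvfs (uuid=b74900ef.814511cf.afee.08:00:09:b1:54:d5,nosuid)
aether:/vobs/tristarm.vbs on /vobs/tristarm.vbs type nfs (rw,hard,intr,bg,addr=9.25.149.151)
charon:/vobs/tristarp.vbs on /vobs/tristarp.vbs type nfs (rw,hard,intr,bg,addr=9.25.149.147)
charon:/vobs/tristarp.vbs on /vobs/tristarp type mvfs (uuid=684ef023.2dd111d0.b696.08:00:09:b1:a4:c5)'

# Print the mount point of every mvfs mount whose option list contains
# "nosuid".  Reads `mount`-style lines on stdin.
mvfs_nosuid_mounts() {
    awk '$4 == "type" && $5 == "mvfs" {
        opts = $6
        sub(/^\(/, "", opts); sub(/\)$/, "", opts)
        n = split(opts, o, ",")
        for (i = 1; i <= n; i++)
            if (o[i] == "nosuid") { print $3; break }
    }'
}

# Print the mount point a path resolves under: the longest mount point that
# is a prefix of the path.  Its options, not those of the VOB storage (.vbs)
# NFS mount, are what the kernel consults when it decides whether to honour
# the setuid bit on an executable.  Reads `mount` lines on stdin.
mount_point_for() {
    awk -v p="$1" '
        $4 == "type" {
            mp = $3
            if ((p == mp || index(p, mp "/") == 1) && length(mp) > length(best))
                best = mp
        }
        END { print best }'
}

# Exit 0 if the mount governing path $1 does not carry nosuid (the setuid
# bit will be honoured), 1 if it does, 2 if no mount matches.  Reads
# `mount` lines on stdin.
suid_honoured_at() {
    lines=$(cat)
    mp=$(printf '%s\n' "$lines" | mount_point_for "$1")
    [ -n "$mp" ] || { echo "no mount found for $1" >&2; return 2; }
    # last matching line wins, which is the topmost mount if stacked
    opts=$(printf '%s\n' "$lines" | awk -v mp="$mp" '$3 == mp { o = $6 } END { print o }')
    opts=${opts#"("}
    opts=${opts%")"}
    case ",$opts," in
        *,nosuid,*) return 1 ;;
    esac
    return 0
}

# Demonstration on the constructed sample: only the tristarm VOB is nosuid,
# which matches the question's finding.
printf '%s\n' "$SAMPLE_MOUNTS" | mvfs_nosuid_mounts
for bin in /vobs/tristarm/bin/asroot /vobs/tristarp/bin/asroot; do
    if printf '%s\n' "$SAMPLE_MOUNTS" | suid_honoured_at "$bin"; then
        echo "$bin: setuid honoured"
    else
        echo "$bin: governing mount is nosuid, setuid ignored"
    fi
done
```

The mount-option check only predicts what the kernel will do; the definitive test remains the one the question uses, running the binary itself (`./asroot id`) from inside the view. Checking the MVFS line rather than the .vbs line matters because the two VOBs here show that a VOB can be nosuid on MVFS while its storage mount over NFS says nothing of the kind.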

Answer

It would be interesting to know:

  • if both kinds of views are snapshot or dynamic views. I suppose dynamic, with an issue related to MVFS.
  • what 'cleartool lsview -l -full -pro -cview' returns in both cases (when executed within each view, one where SUID works, one where it doesn't)
  • if the local path within each view is the same when trying the SUID bit (the local path being the path within the view, as in </path/toView>/vobs/MyVob/.../path/to/a/directory)

And mainly, do you have an exact error message, like in this thread:

We see that VOBs are mounted with different options on Linux and SunOS, especially, Linux adds a "nosuid" mount option, while on SunOS "setuid" is added.

This causes us trouble during distributed builds on the Linux machines, because the remote machine(s) gets an "Operation not permitted" error when trying to execute a suid root binary from one of the VOBs

See UNIX and Linux: nodev nosuid suid.

See also "Setting the sticky bit using the cleartool protect command"

Use the following syntax to properly set the "sticky bit" using the cleartool protect command:

cleartool protect -chmod u=rxs <file>
