非root用户拥有的setuid程序 [英] setuid program owned by non-root user

问题描述

我有一个setuid程序(getpwd)，仅当由root拥有时才按预期运行.

I have a setuid program (getpwd) that runs as expected only when owned by root.

-rwsr-xr-x 1 root root 7981 2011-11-17 18:28 getpwd*

换句话说，当用户"alice"在命令行上执行我的程序时，一切正常

In other words when my program is executed on the command line by user "alice" all works fine

程序在目录/home/secure中打开一个文件，然后将内容打印到屏幕上.

The program opens a file in directory /home/secure and print the contents to screen.

alice@devbox:/home/alice/tmp$ ./getpwd
setuid is working

但是，当我更改所有权并设置文件的setuid时:

However when I change the ownership and set setuid of the file:

chown secure:users getpwd
chmod 4755 getpwd

-rwsr-xr-x 1 secure users 7981 2011-11-17 18:28 getpwd*

以"alice"用户身份执行时，程序无法运行.

The program does not run when executed as user "alice".

alice@devbox:/home/alice/tmp$ ./getpwd
cannot open file /home/secure/test ...

为什么会这样?

ls -ld /home/ /home/secure/
drwx--x--x 2 secure users 280 Nov 18 11:16 /home/secure/

ls -ld /home/secure/*
-rw------- 1 secure users 33 Nov 15 14:35 /home/secure/test

推荐答案

我如何确保只有用户"alice"才能可以运行安全拥有的setuid程序吗?

How do I ensure that only user "alice" can run the setuid program owned by secure?

有两种可能的方法.一种使用传统的Unix权限，另一种使用新式的ACL.

There are two possible approaches. One uses nothing but traditional Unix permissions and the other uses newfangled ACLs.

创建一个新组；也许ALICE或与alice用户帐户明显不同的内容.确保alice是group(5)中ALICE的成员. (vigr(8)是编辑group(5)文件的好方法.)设置getpwd程序secure:ALICE的所有权，并对文件执行删除世界执行权限.然后，只有secure和ALICE组的成员可以执行setuid getpwd程序.

Create a new group; perhaps ALICE or something obviously different from an alice user account. Make sure alice is a member of ALICE in group(5). (vigr(8) is a great way to edit the group(5) file.) Set the ownership of your getpwd program secure:ALICE and remove world execute privileges on the file. Then, only secure and members of the ALICE group can execute the setuid getpwd program.

如果alice只是潜在人群的替代者，则可以将组命名为SECURE. (大写只是为了方便我描述.您不必坚持使用大写.)

If alice is just a stand-in for a potentially larger group of people, then maybe name the group SECURE. (Upper case is just convenient for my description. You don't have to stick with upper case.)

setfacl -m u:alice:x getpwd

setfacl(1)程序有点复杂，但是它允许您创建比传统的Unix权限复杂得多的权限.因为这些完全不同，所以我见过的大多数系统默认情况下都没有将它们打开-挂载文件系统时，需要在mount(8)中将acl选项设置为mount(8).您需要将acl添加到需要额外权限的/etc/fstab中的文件系统. (不过，您无需重新启动即可使用它；只要安装了文件系统，mount /file/system -oremount,acl就足够了-通常直到重新启动为止.)

The setfacl(1) program is a bit complicated, but it allows you to create far more complex permissions than the traditional Unix permissions. Because these are pretty different, most systems I have seen don't have them turned on by default -- that requires the acl option to mount(8) when mounting the filesystem. You would need to add acl to the filesystems in /etc/fstab that need the extra permissions. (You don't need to reboot to make it available, though; mount /file/system -oremount,acl would be sufficient for as long as the filesystem is mounted -- typically until reboot.)

我建议坚持使用传统的Unix方法.

I suggest sticking with the traditional Unix method.

这篇关于非root用户拥有的setuid程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！