(U)通过"exec"安装与"sudo".用户是"sudoer"用户.使用NOPASSWD [英] (U)Mounting through "exec" with "sudo". The user is a "sudoer" with NOPASSWD
问题描述
我已经看过这两个:
但是,我的问题似乎有所不同.
我建立了一个广泛的库,用于调用Linux CLI工具.它围绕 proc_open
建立和 POSIX
.
我正在使用它成功执行 all (直到我遇到此 mount
/ umount
错误)CLI工具.
现在,我正在构建一个RAID设置例程,其中涉及 partprobe
, parted
- rm , mklabel , mkpart , mdadm
-停止,零超级块,创建, dd
, mkfs
,最后是 mount
/ umount
.
实际上有两个优雅的例程,一个用于组装RAID,另一个用于拆卸.
正如标题所述,问题出在 mount
和 umount
.上面列出的其他工具及其命令成功执行.
环境
Arch Linux-Linux stone 3.11.6-1-ARCH#1 SMP PREEMPT Fri Oct 18 23:22:36 CEST 2013 x86_64 GNU/Linux.
Arch与 systemd
一起运行-可能是某种程度上影响了安装.
运行mod_php(最新)的Apache Web服务器(最新).Apache以 http:http
运行.
http
在 wheel
组中,并且 wheels
是sudoers-%wheel ALL =(ALL)NOPASSWD:ALL 代码>.
请不要开始为 webserver
提供完整的root功能讨论-该单元是NAS,它正在运行自定义WebOS,并且用于Intranet只要.即使有骇客企图-极有可能破坏整个系统,对客户而言这是不健康的.NAS是 Mobotix IP摄像机的存储,它运行相关服务的负载,并且单元是已经部署在30多个对象中,没有任何问题.简而言之, webserver
不是为 web 服务,而是一个OS.
在写之前,为了快速测试,我将 http
明确地添加到了sudoers- http ALL =(ALL)NOPASSWD:ALL
-不起作用.>
问题
在RAID组装过程中运行的最后一条命令是 mount/dev/md/stone \:supershare/mnt/supershare
,该命令返回的退出代码为 0
执行后续安装将导致:
mount:已安装/dev/md127或/mnt/supershare忙/dev/md127已经挂载在/mnt/supershare上
,退出代码为 32
.因此,该阵列安装在某处.
在执行上述 mount
之后执行 0
.执行后续的 umount
会导致:
umount:/dev/md/stone:supershare:未挂载
上面的命令是使用sudo自动运行的.
因此,它已成功安装并成功卸载,但是...我在执行 mount后在TTY0上以
操作,但是,我没有看到 root
登录,在运行 lsblk
时 mountpoint
:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTsda 8:0 0 55.9G 0磁盘├─sda18:1 0 1M 0部分├─sda28:2 0 1G 0部分[SWAP]├─sda38:3 0 12G 0部分/s─sda48:4 0 16.6G 0部分/homesdb 8:16 0 931.5G 0磁盘└─sdb18:17 0 899M 0部分md─md1279:127 0 1.8G 0 raid0sdc 8:32 0 931.5G 0磁盘└─sdc18:33 0 899M 0部分md─md1279:127 0 1.8G 0 raid0
尝试从TTY0进行相同的 mount
命令将其成功挂载(lsblk将在之后显示).
如果我使用CLI工具进行 mount
,然后也使用CLI工具运行 mount -l </code>和
lsblk
,则挂载点是可见的
立即以root用户身份从TTY0运行两个命令,不显示安装点.
重新引导,以重置所有挂载(不是自动挂载),然后从TTY0挂载并从TTY0运行 lsblk
会显示挂载点.
然后,使用CLI工具运行 lsblk
,显示安装点.
然后,使用CLI工具运行 umount
,退出代码 0
-卸载.
再次使用CLI工具运行 lsblk
,不会显示安装点.
从TTY0运行 lsblk
,仍会显示安装点.
看来,当使用我的CLI工具运行 mount
/ umount
时,它将为 sudo
会话运行器私下执行命令.
umount
确实会卸载它,但是再次-是私下进行的.
从CLI工具安装RAID后,以 http
从TTY0登录并运行 lsblk
,不会显示安装点.这种方式否定了为 sudo
会话运行程序私下执行".
我还在解决方案
简而言之,麻烦已解决.
Apache的相应 systemd
服务具有 PrivateTmp = true
指令.显然,该指令使用新的文件系统名称空间执行该过程.
这个问题在尝试调试和解决该问题时,在互联网上产生了许多其他帖子.
- > https://unix.stackexchange.com/questions/97897/sudo-mount-from-webserver-apache-by-mod-php-result-not-visible-by-root
- https://bbs.archlinux.org/viewtopic.php?id=172072
- 此处,并向我打开了
命名空间
的尺寸.好的,它解释了所有内容-现在检查
/proc/< pid>/mounts
可以对其进行验证,让我们更深入地了解如何克服它.同样,经过无数次尝试但没有成功,我开始根据我对命名空间的新知识发布问题.缩小问题范围并变得更加技术化(至少我认为是的),最终导致用户hiciu成为指向我进入
systemd
方向,特别是Apaches服务-PHP: mount USB device - Error on mount through php "exec"
- https://unix.stackexchange.com/questions/97897/sudo-mount-from-webserver-apache-by-mod-php-result-not-visible-by-root
- https://bbs.archlinux.org/viewtopic.php?id=172072
- https://unix.stackexchange.com/questions/98182/a-process-run-as-root-when-performing-mount-is-mounting-for-self-how-to-ma/98191#98191
But, my problem appears to be different.
I have built an extensive library that's used to call Linux CLI tools. It's built around proc_open
, it's family and POSIX
.
I'm using it to successfully execute all (until I hit this mount
/umount
bug) CLI tools.
Now, I'm building a RAID setup routine, that involves partprobe
, parted
- rm, mklabel, mkpart, mdadm
- stop, zero-superblock, create, dd
, mkfs
and ultimately mount
/umount
.
There are actually two graceful routines, one for assembling the RAID, the other one for disassembly.
As the title says, the problem relies in mount
and umount
. The other tools and their commands listed above execute successfully.
Environment
Arch Linux - Linux stone 3.11.6-1-ARCH #1 SMP PREEMPT Fri Oct 18 23:22:36 CEST 2013 x86_64 GNU/Linux.
The Arch is running with systemd
- might be that is somehow affecting the mounting.
An Apache web server (latest), that runs mod_php (latest). Apache is run as http:http
.
http
is in wheel
group, and wheels
are sudoers - %wheel ALL=(ALL) NOPASSWD: ALL
.
Please, don't start the webserver
being given a full root capabilities discussion - the unit is a NAS, it's running a custom WebOS, and it's meant for intranet only. Even if there are hacking attempts - those will, most probably, break the whole system and that's not healthy for the customer. The NAS is a storage for Mobotix IP cameras, it runs a load of dependent services and the units are already deployed in over 30 objects with no issues. In short, the webserver
is not serving a web, but an OS.
Before writing, I added, for a quick test, http
explicitly to sudoers - http ALL=(ALL) NOPASSWD: ALL
- didn't work.
Problem
The last command run in the RAID assembly process is mount /dev/md/stone\:supershare /mnt/supershare
, which returns with an exit code of 0
.
Performing a subsequent mount results in:
mount: /dev/md127 is already mounted or /mnt/supershare busy
/dev/md127 is already mounted on /mnt/supershare
with an exit code of 32
. So, the array is mounted somewhere.
Performing an umount /dev/md/stone\:supershare
afterwards the above mount
, returns with an exit code of 0
. Performing an subsequent umount
results in:
umount: /dev/md/stone:supershare: not mounted
The commands above are auto-run with sudo.
So, it's mounted successfully and unmounted sucessfully, but... I'm logged in as root
on TTY0, running lsblk
after having performed the mount
operation, yet, I do not see the mountpoint
:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 55.9G 0 disk
├─sda1 8:1 0 1M 0 part
├─sda2 8:2 0 1G 0 part [SWAP]
├─sda3 8:3 0 12G 0 part /
└─sda4 8:4 0 16.6G 0 part /home
sdb 8:16 0 931.5G 0 disk
└─sdb1 8:17 0 899M 0 part
└─md127 9:127 0 1.8G 0 raid0
sdc 8:32 0 931.5G 0 disk
└─sdc1 8:33 0 899M 0 part
└─md127 9:127 0 1.8G 0 raid0
Attempting the same mount
command from TTY0 mounts it successfully (lsblk displays after).
If I mount
it with my CLI tool, then run mount -l
and lsblk
also with the CLI tool, the mountpoint is visible.
Running immediately both commands from TTY0 as root, do not display the mountpoint.
Rebooting, to reset all mounts (not automounted), then, mounting from TTY0 and running lsblk
from TTY0 displays the mountpoint.
Then, running lsblk
with CLI tool, displays the mountpoint.
Then, running umount
with CLI tool, exit code 0
- unmounted.
Running lsblk
with CLI tool again, does not display the mountpoint.
Running lsblk
from TTY0, still does display the mountpoint.
It appears that when the mount
/umount
is run with my CLI tool, it executes the commands privately for the sudo
session runner.
umount
ing after TTY0 has mounted, does unmount it, but again - privately.
Logging in from TTY0 as http
and running lsblk
after having mounted the RAID from CLI tool, the mountpoint is not displayed. This kind of negates the "executes privately for the sudo
session runner".
I've also found a material in IBM's:
The mount command uses the real user ID, not the effective user ID, to determine if the user has appropriate access. System group members can issue device mounts, provided they have write access to the mount point and those mounts specified in the /etc/file systems file. Users with root user authority can issue any mount command.
I hope I've explained good enough and not too confusing, I also hope that you guys will be able to help me catch the issue here.
Update (2013-10-28)
I attempted a test with the CLI tool outside web context, a simple PHP file, that'd I exec with root
and a custom user.
In both scenarios, the mounting and unmounting was successful. So, it must be something with Apache executing the commands, though, I don't understand why do other commands work.
Question
What is causing the issue, and how do I overcome it?
In short, the hassle has been resolved.
It was the Apache's corresponding systemd
service, that had PrivateTmp=true
directive. Apparently, the directive executes the process with a new file system namespace.
This question, while attempting to debug and fix the issue spawned a numerous other posts around the internet.
Each derived from stuff I've learn in the process.
I started with getting deeper information about mount
working on EUID
. Soon, I found out that my simple sudo
call is actually not executing with EUID 0
. That led me to multiple queries on how to do so, that in return spawned command syntax like sudo -i 'su' -c 'mount /dev/sdb1 /mnt/firstone'
and other derivatives.
Having no success with the solution, I looked further.
I started to think of trying to add the entry to /etc/fstab
, that led me to loads of permission issues. Also, sudo
and my CLI tool proved to be incomplete for the task. Lets bring the big weapons - lets compile Apache with -DBIG_SECURITY_HOLE
, also known as, give Apache the possibility to be run as root
.
Lets append entry to the tab
, lets attempt to mount... and... fail!
After numerous tests, queries and what not, I stumbled upon per process mount
that led me here and opened the dimension of namespaces
to me.
Okay, that explains everything - checking /proc/<pid>/mounts
validates it, now, lets gnaw deeper and see how to overcome it.
Again, after numerous attempts and no success, I started posting questions based around my fresh knowledge of namespaces. Narrowing the questions down and becoming more technical (at least I think I did), that eventually led to a user hiciu who pointed me into systemd
direction, specifically, Apaches service - PrivateTmp
.
Voila! ...apparently systemd
can enforce new namespaces.
这篇关于(U)通过"exec"安装与"sudo".用户是"sudoer"用户.使用NOPASSWD的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!