(U) Mounting through "exec" with "sudo". The user is a "sudoer" with NOPASSWD


    I have built an extensive library that's used to call Linux CLI tools. It's built around proc_open, its family and POSIX.

    I'm using it to successfully execute all (until I hit this mount/umount bug) CLI tools.

    Now, I'm building a RAID setup routine, that involves partprobe, parted - rm, mklabel, mkpart, mdadm - stop, zero-superblock, create, dd, mkfs and ultimately mount/umount.

    There are actually two graceful routines, one for assembling the RAID, the other one for disassembly.

    As the title says, the problem lies in mount and umount. The other tools and their commands listed above execute successfully.

    Environment

    Arch Linux - Linux stone 3.11.6-1-ARCH #1 SMP PREEMPT Fri Oct 18 23:22:36 CEST 2013 x86_64 GNU/Linux.

    The Arch is running with systemd - might be that is somehow affecting the mounting.

    An Apache web server (latest), that runs mod_php (latest). Apache is run as http:http.

    http is in the wheel group, and wheels are sudoers - %wheel ALL=(ALL) NOPASSWD: ALL.
    Please, don't start the discussion about the webserver being given full root capabilities - the unit is a NAS, it's running a custom WebOS, and it's meant for intranet only. Even if there are hacking attempts - those will, most probably, break the whole system and that's not healthy for the customer. The NAS is a storage for Mobotix IP cameras, it runs a load of dependent services and the units are already deployed in over 30 objects with no issues. In short, the webserver is not serving a web, but an OS.

    Before writing, I added, for a quick test, http explicitly to sudoers - http ALL=(ALL) NOPASSWD: ALL - didn't work.

    Problem

    The last command run in the RAID assembly process is mount /dev/md/stone\:supershare /mnt/supershare, which returns with an exit code of 0.

    Performing a subsequent mount results in:

    mount: /dev/md127 is already mounted or /mnt/supershare busy
    /dev/md127 is already mounted on /mnt/supershare
    

    with an exit code of 32. So, the array is mounted somewhere.

    Performing an umount /dev/md/stone\:supershare after the above mount returns with an exit code of 0. Performing a subsequent umount results in:

    umount: /dev/md/stone:supershare: not mounted
    

    The commands above are auto-run with sudo.

    So, it's mounted successfully and unmounted successfully, but... I'm logged in as root on TTY0, running lsblk after having performed the mount operation, yet, I do not see the mountpoint:

    NAME      MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
    sda         8:0    0  55.9G  0 disk
    ├─sda1      8:1    0     1M  0 part
    ├─sda2      8:2    0     1G  0 part  [SWAP]
    ├─sda3      8:3    0    12G  0 part  /
    └─sda4      8:4    0  16.6G  0 part  /home
    sdb         8:16   0 931.5G  0 disk
    └─sdb1      8:17   0   899M  0 part
      └─md127   9:127  0   1.8G  0 raid0
    sdc         8:32   0 931.5G  0 disk
    └─sdc1      8:33   0   899M  0 part
      └─md127   9:127  0   1.8G  0 raid0
    

    Attempting the same mount command from TTY0 mounts it successfully (lsblk displays after).


    If I mount it with my CLI tool, then run mount -l and lsblk also with the CLI tool, the mountpoint is visible.

    Running both commands immediately from TTY0 as root does not display the mountpoint.


    Rebooting, to reset all mounts (not automounted), then, mounting from TTY0 and running lsblk from TTY0 displays the mountpoint.

    Then, running lsblk with CLI tool, displays the mountpoint.

    Then, running umount with CLI tool, exit code 0 - unmounted.

    Running lsblk with CLI tool again, does not display the mountpoint.

    Running lsblk from TTY0, still does display the mountpoint.


    It appears that when the mount/umount is run with my CLI tool, it executes the commands privately for the sudo session runner.

    umounting after TTY0 has mounted, does unmount it, but again - privately.


    Logging in from TTY0 as http and running lsblk after having mounted the RAID from CLI tool, the mountpoint is not displayed. This kind of negates the "executes privately for the sudo session runner".


    I've also found material in IBM's documentation:

    The mount command uses the real user ID, not the effective user ID, to determine if the user has appropriate access. System group members can issue device mounts, provided they have write access to the mount point and those mounts specified in the /etc/file systems file. Users with root user authority can issue any mount command.


    I hope I've explained it well enough and not too confusingly; I also hope that you guys will be able to help me catch the issue here.


    Update (2013-10-28)

    I attempted a test with the CLI tool outside the web context, a simple PHP file that I'd exec as root and as a custom user.

    In both scenarios, the mounting and unmounting was successful. So, it must be something with Apache executing the commands, though I don't understand why other commands work.

    Question

    What is causing the issue, and how do I overcome it?

    Solution

    In short, the hassle has been resolved.

    It was Apache's corresponding systemd service, which had the PrivateTmp=true directive. Apparently, the directive executes the process with a new file system namespace.


    This question, while attempting to debug and fix the issue, spawned numerous other posts around the internet.

    1. https://unix.stackexchange.com/questions/97897/sudo-mount-from-webserver-apache-by-mod-php-result-not-visible-by-root
    2. https://bbs.archlinux.org/viewtopic.php?id=172072
    3. https://unix.stackexchange.com/questions/98182/a-process-run-as-root-when-performing-mount-is-mounting-for-self-how-to-ma/98191#98191

    Each derived from stuff I've learned in the process.

    I started with getting deeper information about mount working on EUID. Soon, I found out that my simple sudo call is actually not executing with EUID 0. That led me to multiple queries on how to do so, that in return spawned command syntax like sudo -i 'su' -c 'mount /dev/sdb1 /mnt/firstone' and other derivatives.

    Having no success with the solution, I looked further.

    I started to think of trying to add the entry to /etc/fstab, which led me to loads of permission issues. Also, sudo and my CLI tool proved to be incomplete for the task. Let's bring out the big weapons - let's compile Apache with -DBIG_SECURITY_HOLE, also known as, give Apache the possibility to be run as root.

    Let's append the entry to the tab, let's attempt to mount... and... fail!

    After numerous tests, queries and what not, I stumbled upon per process mount that led me here and opened the dimension of namespaces to me.

    Okay, that explains everything - checking /proc/<pid>/mounts validates it; now, let's gnaw deeper and see how to overcome it.

    Again, after numerous attempts and no success, I started posting questions based around my fresh knowledge of namespaces. Narrowing the questions down and becoming more technical (at least I think I did) eventually led to a user hiciu who pointed me in the systemd direction, specifically, Apache's service - PrivateTmp.

    Voila! ...apparently systemd can enforce new namespaces.
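The two checks the answer ends up relying on, comparing mount namespaces and reading /proc/<pid>/mounts, are worth having as a small script, so here is an added example (my own code, not the poster's CLI tool or anything from the thread). It assumes a Linux host with /proc mounted; the unit name httpd.service (Arch's Apache unit), the mount point /mnt/supershare taken from the question, and the use of `systemctl show --value` (present in systemd releases newer than the 2013 one in the post) are assumptions. The last function writes the drop-in that turns PrivateTmp off; note that PrivateTmp is exactly what gives the service its own mount namespace and private /tmp, so disabling it removes that isolation for the whole service rather than just for the mount calls.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose "a mount that another
# process cannot see" by comparing mount namespaces and per-process mount tables.
# Assumptions: Linux with /proc mounted; unit name httpd.service is Arch's
# Apache unit and may differ on your distribution.

# Mount-namespace identity of a process, e.g. "mnt:[4026531840]".
mount_ns_of() {
    readlink "/proc/$1/ns/mnt"
}

# Succeeds (exit 0) when two PIDs share one mount namespace. A mount performed
# in one namespace is only visible to the other process when they match.
same_mount_ns() {
    [ "$(mount_ns_of "$1")" = "$(mount_ns_of "$2")" ]
}

# Succeeds when PATH appears as a mount point in the mount table that PID sees.
# /proc/PID/mounts has "source mountpoint fstype options dump pass" per line;
# field 2 is compared exactly (mount points with spaces are octal-escaped there).
mountpoint_visible_to() {
    awk -v mp="$2" '$2 == mp { found = 1 } END { exit !found }' "/proc/$1/mounts"
}

# Write a systemd drop-in that turns PrivateTmp off for a unit into DIR
# (normally /etc/systemd/system/<unit>.d/, followed by "systemctl daemon-reload"
# and a restart of the unit). Prints the path of the file written.
# Caveat: this also drops the private /tmp the directive provides.
write_private_tmp_override() {
    dir="$1"
    mkdir -p "$dir"
    printf '[Service]\nPrivateTmp=false\n' > "$dir/override.conf"
    printf '%s\n' "$dir/override.conf"
}

# Report whether a unit's main process sees the same mounts as PID 1, and
# whether the mount point from the question is visible from inside it.
report_unit() {
    unit="$1"
    mp="${2:-/mnt/supershare}"
    pid="$(systemctl show -p MainPID --value "$unit" 2>/dev/null)"
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "$unit has no main PID (not running?)"
        return 1
    fi
    if same_mount_ns 1 "$pid"; then
        echo "$unit (pid $pid) shares the mount namespace of PID 1"
    else
        echo "$unit (pid $pid) runs in its own mount namespace (PrivateTmp or similar)"
    fi
    if mountpoint_visible_to "$pid" "$mp"; then
        echo "$mp is mounted as seen by pid $pid"
    else
        echo "$mp is not mounted as seen by pid $pid"
    fi
}

# Usage: ./mount_ns_check.sh httpd.service [/mnt/supershare]
if [ "$#" -gt 0 ]; then
    report_unit "$@"
fi
```

Run it as root against the unit while the web application holds the mount; when the two namespace identities differ, the mount done by the service lives in the service's namespace only, which is the behaviour the question describes. Reading /proc/<pid>/mounts for the Apache PID versus /proc/1/mounts shows the same thing without any systemd involvement.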
