无法让 CAP_CHOWN 和 CAP_DAC_OVERRIDE 为普通用户工作 [英] Unable to get CAP_CHOWN and CAP_DAC_OVERRIDE working for regular user
问题描述
我的要求
我的 python 服务器在 RHEL 上以普通用户身份运行但它需要在它无权访问的地方创建文件/目录.还需要使用随机 UID/GID 来 chown 那些文件
My python server runs as a regular user on RHEL But it needs to create files/directories at places it doesn't have access to. Also needs to do chown those files with random UID/GID
我的方法
在只有功能的环境中尝试这个,没有 setuid.我正在尝试使用 cap_chown 和 cap_dac_override 功能.但是我完全不知道如何让它在 systemctl 类型的环境中工作
Trying this in capability-only environment, no setuid. I am trying to make use of cap_chown and cap_dac_override capabilities. But am totally lost of how to get it working in systemctl kind of environment
目前我在服务文件中有以下内容:
At present I have following in the service file:
#cat /usr/lib/systemd/system/my_server.service
[Service]
Type=simple
SecureBits=keep-caps
User=testuser
CapabilityBoundingSet=~
Capabilities=cap_dac_override,cap_chown=eip
ExecStart=/usr/bin/linux_capability_test.py
并关注二进制文件本身:
And following on the binary itself:
# getcap /usr/bin/linux_capability_test.py
/usr/bin/linux_capability_test.py = cap_chown,cap_dac_override+ei
但是这里说,它永远不会在脚本上工作:有没有办法让非 root 进程绑定到特权"进程?Linux 上的端口?
But this here says, that it will never work on scripts: Is there a way for non-root processes to bind to "privileged" ports on Linux?
在当前设置下,我对运行进程的能力是:
With the current setting, the capabilities I have for the running process are:
# ps -ef | grep lin
testuser 28268 1 0 22:31 ? 00:00:00 python /usr/bin/linux_capability_test.py
# getpcaps 28268
Capabilities for `28268': = cap_chown,cap_dac_override+i
但是如果我尝试从该脚本中的/etc/中创建文件:
But if I try to create file in /etc/ from within that script:
try:
file_name = '/etc/junk'
with open(file_name, 'w') as f:
os.utime(file_name,None)
它因权限被拒绝"而失败
It fails with 'Permission denied'
对我来说是同样的情况,它不起作用吗?我可以在这里使用 python-prctl 模块让它工作吗?
Is that the same case for me that it won't work ? Can I use python-prctl module here to get it working ?
推荐答案
基于我们上面的讨论,我做了以下事情:
Based upon our discussion above, I did the following:
[Service]
Type=simple
User=testuser
SecureBits=keep-caps
Capabilities=cap_chown,cap_dac_override=i
ExecStart=/usr/bin/linux_capability_test.py
这会以可继承的两种功能启动服务器.
This starts the server with both those capabilities as inheritable.
写了一个小C,测试代码到chown文件
Wrote a small C, test code to chown file
#include <unistd.h>
int main()
{
int ret = 0;
ret = chown("/etc/junk", 160, 160);
return ret;
}
在经过 gcc 的二进制文件上设置以下内容
Set following on the gcc'ed binary
chown testuser:testuser /usr/bin/chown_c
chmod 550 /usr/bin/chown_c
setcap cap_chown,cap_dac_override=ie /usr/bin/chown_c
服务器执行以下调用二进制文件
The server does following to call the binary
import prctl
prctl.cap_inheritable.chown = True
prctl.cap_inheritable.dac_override = True
execve('/usr/bin/chown_c',[],os.environ)
而且我能够得到想要的结果
And I was able to get the desired result
# ll /etc/junk
-rw-r--r-- 1 root root 0 Aug 8 22:33 /etc/junk
# python capability_client.py
# ll /etc/junk
-rw-r--r-- 1 testuser testuser 0 Aug 8 22:33 /etc/junk
这篇关于无法让 CAP_CHOWN 和 CAP_DAC_OVERRIDE 为普通用户工作的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!