Unable to get CAP_CHOWN and CAP_DAC_OVERRIDE working for regular user


Question

My requirement

My python server runs as a regular user on RHEL, but it needs to create files/directories at places it doesn't have access to. It also needs to chown those files with random UID/GID.

My approach

Trying this in a capability-only environment, no setuid. I am trying to make use of the cap_chown and cap_dac_override capabilities. But I am totally lost as to how to get it working in a systemctl kind of environment.

At present I have the following in the service file:

#cat /usr/lib/systemd/system/my_server.service 

[Service]
Type=simple
SecureBits=keep-caps
User=testuser
CapabilityBoundingSet=~
Capabilities=cap_dac_override,cap_chown=eip
ExecStart=/usr/bin/linux_capability_test.py

And the following on the binary itself:

# getcap /usr/bin/linux_capability_test.py
/usr/bin/linux_capability_test.py = cap_chown,cap_dac_override+ei

But this here says that it will never work on scripts: Is there a way for non-root processes to bind to "privileged" ports on Linux?

With the current setting, the capabilities I have for the running process are:

# ps -ef | grep lin
testuser    28268     1  0 22:31 ?        00:00:00 python /usr/bin/linux_capability_test.py

# getpcaps 28268
Capabilities for `28268': = cap_chown,cap_dac_override+i

But if I try to create a file in /etc/ from within that script:

import os

try:
    file_name = '/etc/junk'
    # Opening for write in /etc needs CAP_DAC_OVERRIDE in the effective set
    with open(file_name, 'w') as f:
        os.utime(file_name, None)
except PermissionError as e:
    print(e)

It fails with 'Permission denied'.

Is that the same case for me, that it won't work? Can I use the python-prctl module here to get it working?

Answer

Based upon our discussion above, I did the following:

[Service]
Type=simple
User=testuser
SecureBits=keep-caps
Capabilities=cap_chown,cap_dac_override=i
ExecStart=/usr/bin/linux_capability_test.py

This starts the server with both those capabilities as inheritable.

Wrote a small C test program to chown the file:

#include <unistd.h>

int main(void)
{
    /* Needs CAP_CHOWN in the effective set; chown() returns -1 on failure,
     * so the process exit status is 255 when the capability is missing. */
    int ret = chown("/etc/junk", 160, 160);

    return ret;
}

Set the following on the gcc'ed binary:

chown testuser:testuser /usr/bin/chown_c
chmod 550 /usr/bin/chown_c
setcap cap_chown,cap_dac_override=ie /usr/bin/chown_c

The server does the following to call the binary:

import os
import prctl

# Keep both capabilities in the inheritable set so that, at execve(), they
# intersect with the +i file capabilities on /usr/bin/chown_c.
prctl.cap_inheritable.chown = True
prctl.cap_inheritable.dac_override = True
# os.execve() requires a non-empty argv; pass the program path as argv[0].
os.execve('/usr/bin/chown_c', ['/usr/bin/chown_c'], os.environ)

And I was able to get the desired result:

# ll /etc/junk 
-rw-r--r-- 1 root root 0 Aug  8 22:33 /etc/junk

# python capability_client.py 

# ll /etc/junk 
-rw-r--r-- 1 testuser testuser 0 Aug  8 22:33 /etc/junk
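To make the difference between the question's failing setup and the answer's working one concrete, the following added example (written for this edit, not code from either poster) models the execve() capability transform documented in capabilities(7), including the ambient set, which goes beyond what the page itself covers. The scenarios below encode only the sets that are visible on the page (the unit's `=i` capabilities, the `+ei` caps on the script, the `=ie` caps on the helper); the bounding set is assumed to be full, and set-UID files are not modelled. The reason the question's setup fails is that the kernel executes the interpreter, `/usr/bin/python`, and computes the new sets from the interpreter's file capabilities, so the caps set on the `.py` file are never consulted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability numbers as in <linux/capability.h>; only the two the page uses. */
#define CAP_CHOWN        0
#define CAP_DAC_OVERRIDE 1
#define CAP_BIT(c)       ((uint64_t)1 << (c))
#define BOTH             (CAP_BIT(CAP_CHOWN) | CAP_BIT(CAP_DAC_OVERRIDE))

/* Process capability sets as bitmasks: inheritable, permitted, effective,
 * bounding, ambient. */
struct pcaps { uint64_t inh, perm, eff, bound, amb; };

/* File capability sets: inheritable, permitted, and the effective flag
 * (the "e" in setcap's +ei / =ie). A file with no caps at all is unprivileged. */
struct fcaps { uint64_t inh, perm; bool eff; };

/* execve() transform from capabilities(7), including the ambient set:
 *   P'(ambient)     = file is privileged ? 0 : P(ambient)
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
 *   P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
 *   P'(inheritable) = P(inheritable)
 *   P'(bounding)    = P(bounding)
 * "Privileged" here means the file carries file capabilities; set-UID/GID
 * files are also privileged in the kernel but are not modelled (assumption). */
struct pcaps exec_transform(struct pcaps p, struct fcaps f)
{
    bool privileged = (f.inh | f.perm) != 0;
    struct pcaps n;
    n.inh   = p.inh;
    n.bound = p.bound;
    n.amb   = privileged ? 0 : p.amb;
    n.perm  = (p.inh & f.inh) | (f.perm & p.bound) | n.amb;
    n.eff   = f.eff ? n.perm : n.amb;
    return n;
}

static const struct fcaps NO_FILE_CAPS = { 0, 0, false };

/* The question's setup: systemd hands the service pI = {chown,dac_override}
 * only, and ExecStart points at a script carrying +ei. The kernel runs the
 * interpreter, which has no file caps, so only the inheritable set survives,
 * matching the "+i" getpcaps output on the page. */
struct pcaps question_scenario(void)
{
    struct pcaps p = { BOTH, 0, 0, ~(uint64_t)0, 0 };
    return exec_transform(p, NO_FILE_CAPS);
}

/* The answer's setup: the same python process (pI = both) execve()s a native
 * helper whose file caps are cap_chown,cap_dac_override=ie. pI & fI is
 * non-empty and fE is set, so permitted and effective are populated. */
struct pcaps answer_scenario(void)
{
    struct pcaps python = { BOTH, 0, 0, ~(uint64_t)0, 0 };
    struct fcaps helper = { BOTH, 0, true };
    return exec_transform(python, helper);
}

/* Same helper launched from a process with an empty inheritable set: =ie
 * yields nothing because fP is empty and pI & fI is empty. This is why the
 * Capabilities=...=i line in the unit file is essential. */
struct pcaps helper_without_service_inheritable(void)
{
    struct pcaps plain = { 0, 0, 0, ~(uint64_t)0, 0 };
    struct fcaps helper = { BOTH, 0, true };
    return exec_transform(plain, helper);
}

/* Beyond the page: with caps in the ambient set (Linux 4.3+), an
 * unprivileged interpreter keeps them in permitted and effective across
 * execve(), so the script itself would work without setcap or a helper. */
struct pcaps ambient_scenario(void)
{
    struct pcaps p = { BOTH, BOTH, BOTH, ~(uint64_t)0, BOTH };
    return exec_transform(p, NO_FILE_CAPS);
}

static void show(const char *label, struct pcaps c)
{
    printf("%-34s pI=%#llx pP=%#llx pE=%#llx\n", label,
           (unsigned long long)c.inh, (unsigned long long)c.perm,
           (unsigned long long)c.eff);
}

int main(void)
{
    show("script via interpreter (question)", question_scenario());
    show("native helper =ie (answer)", answer_scenario());
    show("helper, empty pI in caller", helper_without_service_inheritable());
    show("ambient caps, plain interpreter", ambient_scenario());
    return 0;
}
```

The ambient scenario is the modern alternative to the native helper: on a systemd with AmbientCapabilities= the unit can grant the caps directly to the interpreted server, provided they are also present in its permitted and inheritable sets, which systemd arranges.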
