如何从 POSIX shell 脚本中删除 root 权限? [英] How to drop root privileges from a POSIX shell script?

查看:89
本文介绍了如何从 POSIX shell 脚本中删除 root 权限?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

有哪些可移植选项可以删除 root 权限并以不同于 shell 脚本的用户身份执行给定命令?

What portable options do exist to drop root privileges and execute a given command as a different user from a shell script?

在做了一些研究之后,这里有一些非选项:

After doing a bit of research, here are a few non-options:

  • su $USER -c "$COMMAND" 使用 PAM 堆栈并创建一个新的 cgroup(在 systemd 下运行时).它也会在用户命名空间中失败,因为审计调用在旧版 Linux 上返回 -EPERM.
  • sudo -u $USER $COMMAND 默认情况下未安装在许多系统上.
  • start-stop-daemon --pidfile/dev/null --start --chuid $USER --startas/bin/sh -- -c "$COMMAND" 很难使用并且仅在 Debian 系统上可用.
  • chpst -u $USER $COMMAND 在许多系统上缺失.
  • runuser -u $USER -- $COMMAND 适用于 su 不适用的地方,但需要最新的 util-linux.
  • su $USER -c "$COMMAND" uses the PAM stack and creates a new cgroup (when run under systemd). It also fails in user namespaces, because the audit call returns -EPERM on older versions of Linux.
  • sudo -u $USER $COMMAND is not installed by default on many systems.
  • start-stop-daemon --pidfile /dev/null --start --chuid $USER --startas /bin/sh -- -c "$COMMAND" is very hard to use and only available on Debian systems.
  • chpst -u $USER $COMMAND is missing on many systems.
  • runuser -u $USER -- $COMMAND works where su doesn't, but requires recent util-linux.

推荐答案

如果你想要 POSIX,那么 su 是你唯一的选择(除非你想写一个 C 程序).su 有几个优点(或没有,取决于您的要求):

If it's POSIX you want, then su is your only option (unless you want to write a C program). su has several advantages (or not, depending on your requirements):

  • 这是一个系统工具,它不会忘记 Linux 3.42 中引入的新咖啡 UID(用于饮用饮料的 UID),并且不会通过在组权限之前删除用户权限或忘记能力.
  • 它将权限设置为已知状态:用户 ID、用户和组数据库中该用户的记录组,没有额外的功能.
  • 它记录日志条目.
  • 再说一次,它是完全标准的,保证在任何地方都可用,但在最坏的系统上.

现在在实践中,有些系统不是 POSIX——比如这个旧的 Linux,它在用户命名空间中失败.他们是休息时间.

Now in practice some systems aren't POSIX — like this older Linux where it fails in user namespaces. Them's the breaks.

如果您想要在实践中具有相当可移植性的东西(在非嵌入式平台上)并且可以为您提供更大的控制权,请使用 Perl(或 Python,安装较少).作为首选,使用可靠的模块:Privilege::Drop.

If you want something that's reasonably portable in practice (on non-embedded platforms) and that gives you a greater decree of control, use Perl (or Python, a bit less commonly installed). For preference, use a solid module: Privilege::Drop.

perl -e 'use Privileges::Drop; drop_uid_gid(123, 456); exec("/path/to/command", "--option", "an argument")'

Privilege::Drop 负责做正确的事情(删除补充组,检查错误).然而,它可能并不完整;例如,它不知道功能.

Privilege::Drop takes care of doing things right (dropping supplemental groups, checking for errors). It might not be complete, however; for example it isn't aware of capabilities.

如果您必须手动完成,请注意以下几点:

If you must do it by hand, take care of several things:

  • 在用户权限之前删除组权限.
  • 要删除补充组,请设置 $) = "456 456" 其中 456 是目标 GID ($) = 456 只会设置 EGID 而不会影响补充组组).
  • 之后检查 (E)[UG]ID 并在失败时中止.
  • Drop group privileges before user privileges.
  • To drop supplemental groups, set $) = "456 456" where 456 is the target GID ($) = 456 would only set the EGID without affecting the supplemental groups).
  • Check the (E)[UG]ID afterwards and abort on failure.

这篇关于如何从 POSIX shell 脚本中删除 root 权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆