如何找出进程需要哪些 linux 功能才能工作? [英] How to find out what linux capabilities a process requires to work?

问题描述

我处于一个困难的境地，我不知道一个进程需要什么 linux 功能才能工作.最好的方法是什么，或者有什么方法可以找出需要什么上限?

I am in a difficult situation where I don't know what linux capabilities a process requires to work. What is the best way, or any way to find out what cap is required?

我现在唯一能想到的就是使用 capsh 并删除进程的所有大写字母.然后这个过程失败了，我开始添加大写(通过删除 --drop=CAP_XZY)直到它起作用.

The only thing I can think of right now is using capsh and drop all caps on a process. The process then fails and I start to add caps (by removing --drop=CAP_XZY) until it works.

有什么更好的建议吗?

推荐答案

基于最近的 libcap2 更新

1:(短选项):getpcaps

说明:

来自这里:

getpcaps 显示由在命令行上给出的 pid 值.

getpcaps displays the capabilities on the processes indicated by the pid value(s) given on the command line.

示例:

$ getpcaps <PID>
PID: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+i

---

2:(稍长的选项):/proc status 和 capsh

说明:

proc 是一个进程信息伪文件系统或在换句话说 - 一个目录，您可以在其中查看有关所有进程的信息.

proc is a process information pseudo-filesystem or in other words - a directory where you can view information on all processes.

关于capsh:

Linux 功能支持和使用可以通过以下方式进行探索和限制这个工具.这个工具为某些类型的数据提供了一个方便的包装器能力测试和环境创建.
它还提供一些有助于总结能力状态的调试功能.

Linux capability support and use can be explored and constrained with this tool. This tool provides a handy wrapper for certain types of capability testing and environment creation.
It also provides some debugging features useful for summarizing capability state.

示例:

$ cat /proc/<PID>/status | grep Cap

你会得到(在大多数系统上):

And you'll get (on most systems):

CapInh: 00000000a80425fb (Inherited capabilities)
CapPrm: 0000000000000000 (Permitted capabilities)
CapEff: 0000000000000000 (Effective capabilities)
CapBnd: 00000000a80425fb (Bounding set)
CapAmb: 000000000000000  (Ambient capabilities set)

使用 capsh 实用程序将十六进制数字解码为功能名称:

Use the capsh utility to decode from hexadecimal numbers into the capabilities name:

capsh --decode=00000000a80425fb
0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap

(*) 您可以使用以下命令下载 capsh:sudo apt-get install git libpcap-dev.

(*) You can download capsh with: sudo apt-get install git libpcap-dev.

这篇关于如何找出进程需要哪些 linux 功能才能工作?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！