
How to use setcap to enable setuid capability

I have the following C program.

$ cat main.c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    int fd;
    /* Expect exactly one argument: the path to open. */
    if (argc != 2) {
        fprintf(stderr, "usage: %s FILE\n", argv[0]);
        return 2;
    }

    /* The open() is the operation that needs privilege on a root-owned file. */
    if ((fd = open(argv[1], O_RDONLY)) == -1) {
        perror("open");
        return 1;
    }

    if (close(fd) == -1) {
        perror("close");
        return 1;
    }
    return 0;
}

But I got the following error.

touch tmpfile
sudo chown root tmpfile
sudo chown root ./main_prog
sudo setcap cap_setuid+ep ./main_prog # There will be no error if I use sudo chmod u+s
./main_prog tmpfile
open: Permission denied

Could anybody show me how to use setcap for setuid?

What you are trying to do is access a file you need privilege to access. The cap_setuid capability does not directly grant this privilege - it grants the process the privilege to change its own UID(s). You can get there via this path, but it requires more code in your program.

The capability you want for your use case is one to override the discretionary access control: cap_dac_override.

With your ./main_prog as written, try this instead:

$ touch tmpfile
$ sudo chown root.root tmpfile
$ sudo chmod go-r tmpfile
$ ls -l tmpfile
-rw------- 1 root root 0 Apr  9 08:02 tmpfile
$ cat tmpfile
cat: tmpfile: Permission denied
$ sudo setcap cap_dac_override=ep ./main_prog
$ ./main_prog tmpfile
$ echo $?
0

Note, with capabilities, there is no need for main_prog to be owned by root.
