

/usr/bin/passwd and the CAP_CHOWN capability

I was experimenting with Linux Capabilities, and I noticed that for the passwd program to work without being Set-UID root, it needs to have the CAP_CHOWN capability (in addition to some others). Logically, why would it need to have CAP_CHOWN at all?

Incidentally, passwd gives me a "token manipulation error" if I remove the capability.

Edit: I'm using Ubuntu 11.04 without SELinux. I'm trying to get passwd to work without being Set-UID root.

The cap_chown is not required for the passwd itself. It is only needed to change the /etc/shadow file associated with the userID. The /etc/shadow file is set so that it cannot be read by just anyone.

/etc/shadow is only accessible to root. So when /etc/passwd finishes its authentication module and is ready to write a new (encoded) password, it will create a token, which is accessed by the Linux-PAM service, which will chown it to root and write it into /etc/shadow.

Edit:

passwd uses the files /etc/.pwd.lock, /etc/shadow, /etc/nshadow. Since passwd reads and writes from the /etc directory, w permissions are required by it. Note that /etc/shadow is never written by passwd. passwd actually writes to /etc/nshadow and renames /etc/nshadow to /etc/shadow.

open('/etc/nshadow',O_WRONLY|O_CREAT)=fd1
open('/etc/shadow', O_RDONLY)=fd2
fchown(fd1, uid=root, gid=shadow)
chmod /etc/shadow to : rw by owner and r by group
read(fd2)
write(fd1)
rename("/etc/nshadow", "/etc/shadow")

Furthermore, I confirmed the existence of /etc/nshadow using this C program. FYI,

#include <stdio.h>
#include <unistd.h>

int main(void)
{
    /* Busy-poll until /etc/nshadow appears (run this while passwd is
     * changing a password), then report it and exit. */
    while (1) {
        if (access("/etc/nshadow", F_OK) != -1) {
            printf("Exists\n");
            break;
        }
    }
    return 0;
}
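The write-then-rename sequence listed in this answer, as an added example that is not code from the original post: replace_file_owned() mirrors the trace (create the new file, fchown it, restrict its mode, write, rename), and demo_replace() runs it in a temporary directory with constructed sample content. The O_EXCL flag and the cleanup on failure are assumptions added here for illustration, not something the trace shows; the fchown step is the one that returns EPERM when the caller lacks CAP_CHOWN and the target owner is not itself.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mirror the answer's sequence: create NEWPATH, fchown it to the target owner
 * (the step that needs CAP_CHOWN), restrict its mode, write the data and
 * rename it over TARGET. Returns 0 or -errno; a failed step leaves no temp file. */
int replace_file_owned(const char *target, const char *newpath,
                       const char *data, uid_t uid, gid_t gid)
{
    /* O_EXCL is an addition (the trace shows plain O_CREAT) so a pre-existing
     * file at NEWPATH is never silently reused. */
    int fd = open(newpath, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -errno;
    /* Without CAP_CHOWN, chowning to another uid/gid fails here with EPERM. */
    if (fchown(fd, uid, gid) < 0 ||
        fchmod(fd, S_IRUSR | S_IWUSR | S_IRGRP) < 0 ||      /* rw-r----- */
        write(fd, data, strlen(data)) != (ssize_t)strlen(data) ||
        fsync(fd) < 0) {
        int saved = errno;
        close(fd);
        unlink(newpath);
        return -saved;
    }
    close(fd);
    /* rename() swaps the file in atomically: readers see old or new, never half. */
    return rename(newpath, target) < 0 ? -errno : 0;
}

/* Run one replacement in a fresh temp dir (constructed sample shadow line),
 * returning the replace result; *leftover is 1 if NEWPATH survived. */
int demo_replace(uid_t uid, gid_t gid, int *leftover)
{
    char dir[] = "/tmp/nshadow-demo-XXXXXX", target[64], newpath[64];
    if (!mkdtemp(dir))
        return -errno;
    snprintf(target, sizeof target, "%s/shadow", dir);
    snprintf(newpath, sizeof newpath, "%s/nshadow", dir);
    int rc = replace_file_owned(target, newpath, "alice:*:19000:0:99999:7:::\n", uid, gid);
    *leftover = access(newpath, F_OK) == 0;
    unlink(newpath); unlink(target); rmdir(dir);
    return rc;
}
```

Run as an unprivileged user, the second demo_replace() call (target owner root) returns -EPERM and leaves no /tmp leftover, which is exactly the failure passwd reports as a token manipulation error when the capability is dropped.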

setuid is all that originally was needed.

The addition of SELinux (Security Enhanced) requires the program context to be correct as well as file permission checks.

If the system's SE feature is disabled, passwd will work fine without any CAP_... . Somewhere I read that SE can be disabled by writing a "1" to /selinux/disable. Presumably writing "0" reenables it.

See NSA's description or Fedora's.
