????1??Linux???????????
????????????UNIX????????????????????椋�??????????????????(??效???ID??0)??????????(??效???ID???0)?????????????????????械?????椋�????????????????????????????(??效ID????效?榧�?????????)???小?
??????linux???2.2?????Linux???????????????????????????????????????????????(capability)????????????????????????????????root??????????????椤�
???????????????????????????????????????y???????????????????????????????y?????????????懈貌??????????????绲�???????????????????y?????????????????(CAP_SYS_TIME)????????????????????ID????0??
???????Linux???泄???37???????????/usr/include/linux/capability.h????胁?
????2??Linux????????????
????????????????????????????????????????:
????1?????????????????????linux????????y???貌????????位???????
????2??Linux?????????????????????????????????????
????3??????????????????????????????????????????????????????????????????????????小?
??????linux???姹�2.6.24??????????????1??2??????????linux???2.6.24?????????3???????????????????
?????????????????????????????????锟�?
????Permitted: ????effective capabilities??Inheritable capability???????????????????Permitted?????卸???????????????????尾?????位????????(????????????胃?????)
????Inheritable: ????????y?????????execve??懈?????????????
Effective: the set the kernel actually consults when it performs a permission check for the process.
??????2.6.24?????Linux????????????????????????????????????????????????????锟�?
Permitted: a limiting superset of what the process may put into its effective set; it also bounds what may be added to the inheritable set.
????Inheritable:????????Inheritable????????????????????execve????????Permitted?????
????Effective: ?????Effective?????????????????????????位????????????????Effective?????
???????????????????Linux???械?????????????????????????????????????????????????Linux??????????????????械?Effective?????????????????????械???????????????????????小???????????????
????3??Linux???????????
??????linux????capabilities??man????????屑?泄?????????
P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)
                  // new permitted: the caller's inheritable set masked by the file's inheritable set,
                  // plus the file's permitted set masked by the bounding set
P'(effective)   = F(effective) ? P'(permitted) : 0
                  // new effective: the whole new permitted set if the file's effective bit is set, otherwise empty
P'(inheritable) = P(inheritable)    [i.e., unchanged]
                  // the inheritable set itself is carried across execve() untouched
Note that every F(...) term comes from the executed file: for a binary that carries no file capabilities all F sets are empty, so (leaving aside the special treatment of root) P'(permitted) and P'(effective) come out as 0 no matter what the caller placed in its own inheritable set.
???????:
P         the capability sets of the process before execve()
P'        the capability sets of the process after execve()
F         the capability sets attached to the executed file (file capabilities)
cap_bset  the capability bounding set
?????胁??????????:
father.c
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/capability.h>
#include <errno.h>
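/*
 * Print the calling process's permitted, effective and inheritable sets.
 *
 * Uses the v3 capget() ABI with two 32-bit words per set so that every
 * capability, including those numbered 32 and above, is reported.  The
 * v1 ABI only covers the first 32 bits (and the kernel logs a "legacy
 * support in use" warning for it), so it cannot show the full list.
 *
 * The output is flushed explicitly: the caller exec()s right after this,
 * and execve() discards unflushed stdio buffers, which would otherwise
 * silently lose the line when stdout is not a terminal.
 *
 * Exits with status 1 if capget() fails (the errno text goes to stderr).
 */
void list_capability(void)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3,
        .pid = getpid(),
    };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = {{0}};

    if (capget(&hdr, data) < 0) {
        perror("Failed capget");
        exit(1);
    }

    /* Word 0 holds capabilities 0-31, word 1 holds 32-63; print high word first. */
    printf("Cap data permitted: 0x%08x%08x, effective: 0x%08x%08x, inheritable: 0x%08x%08x\n",
           data[1].permitted, data[0].permitted,
           data[1].effective, data[0].effective,
           data[1].inheritable, data[0].inheritable);
    fflush(stdout);
}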
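/*
 * Restrict this process to CAP_DAC_OVERRIDE and CAP_SYS_TIME (permitted and
 * inheritable only), print the result, then exec the child so the capability
 * transition across execve() can be observed.
 *
 * cap_init() yields a state with every flag cleared and cap_set_proc() installs
 * that state wholesale, so: it can only succeed if the two capabilities are
 * already permitted (in practice run it as root), every other capability is
 * dropped, and because the effective flag is deliberately left clear this
 * process can no longer use the two it keeps.  Whether the child gets them
 * depends on its file capabilities (P'(permitted) = P(inheritable) & F(inheritable) | ...).
 *
 * Returns 1 on any failure, and only returns at all if execl() fails.
 */
int main(void)
{
    cap_value_t cap_list[] = { CAP_DAC_OVERRIDE, CAP_SYS_TIME };
    const int num_caps = (int)(sizeof cap_list / sizeof cap_list[0]);
    cap_t caps = cap_init();

    if (caps == NULL) {
        perror("cap_init");
        return 1;
    }

    /* Effective is intentionally not set; see the header comment. */
    if (cap_set_flag(caps, CAP_INHERITABLE, num_caps, cap_list, CAP_SET) < 0 ||
        cap_set_flag(caps, CAP_PERMITTED, num_caps, cap_list, CAP_SET) < 0) {
        perror("cap_set_flag");
        cap_free(caps);
        return 1;
    }

    /* Keep going on failure so the unchanged sets show up in the listing. */
    if (cap_set_proc(caps) < 0)
        perror("cap_set_proc");
    cap_free(caps);

    list_capability();
    fflush(stdout); /* execve() discards unflushed stdio buffers */

    /* Supply argv[0] and a (char *)NULL terminator; a bare NULL is not
     * guaranteed to have pointer width in a variadic call. */
    execl("/home/xlzh/code/capability/child", "child", (char *)NULL);

    /* Only reached if the exec failed; report instead of sleeping silently. */
    perror("execl");
    return 1;
}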
child.c
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <errno.h>
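/*
 * Print the calling process's permitted, effective and inheritable sets.
 *
 * This file includes only <linux/capability.h>, which declares the structs
 * but not capget() itself (glibc provides no wrapper; the prototype lives in
 * libcap's <sys/capability.h>), so the original call relied on an implicit
 * declaration.  Issue the raw system call instead.
 *
 * Uses the v3 ABI with two 32-bit words per set so that capabilities
 * numbered 32 and above are reported too; the v1 ABI only covers the
 * first 32 bits.
 *
 * Exits with status 1 if the system call fails (errno text goes to stderr).
 */
void list_capability(void)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3,
        .pid = getpid(),
    };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3] = {{0}};

    if (syscall(SYS_capget, &hdr, data) < 0) {
        perror("Failed capget");
        exit(1);
    }

    /* Word 0 holds capabilities 0-31, word 1 holds 32-63; print high word first. */
    printf("child Cap data permitted: 0x%08x%08x, effective: 0x%08x%08x, inheritable: 0x%08x%08x\n",
           data[1].permitted, data[0].permitted,
           data[1].effective, data[0].effective,
           data[1].inheritable, data[0].inheritable);
    fflush(stdout);
}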
/*
 * Entry point of the exec'd child: report the capability sets it was
 * started with, then linger — presumably so the process can be inspected
 * from another shell (the reason for the long sleep is not stated here).
 */
int main(void)
{
    /* Show what survived the execve() transition from the parent. */
    list_capability();

    /* Stay alive for a while before exiting normally. */
    sleep(1000);
    return 0;
}