nosuid 是否可以绑定挂载到 suid 分区?

tag-icon tag-icon permissions mount bind-mount suid
nosuid 是否可以绑定挂载到 suid 分区?

如果我已经/target挂载了 withsuid然后在 /bound with 上进行绑定挂载mount -o bind,nosuid /target /bound,nosuid 会在 /bound 上生效吗?

(我认为它应该生效,但我仍然想要一个明确的答案,而且没有其他人在这里问过,或者看起来是这样)

答案1

是的,即使目标具有 suid,bind 也能够强制执行 nosuid。这是我运行的测试:

a.out的C源代码:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
int main(){
uid_t uid=getuid(), euid=geteuid();
printf("uid: %u, euid: %u\n",uid,euid);
return 0;
}

进而

root@ratma:/# mount -o bind,nosuid /target /bound
root@ratma:/# su hans
hans@ratma:/$ stat /target/a.out
  File: /target/a.out
  Size: 16712           Blocks: 40         IO Block: 4096   regular file
Device: 18h/24d Inode: 194454      Links: 1
Access: (6755/-rwsr-sr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-12-12 07:52:45.132465174 +0000
Modify: 2019-12-12 07:52:45.132465174 +0000
Change: 2019-12-12 07:53:24.720322010 +0000
 Birth: -
hans@ratma:/$ stat /bound/a.out
  File: /bound/a.out
  Size: 16712           Blocks: 40         IO Block: 4096   regular file
Device: 18h/24d Inode: 194454      Links: 1
Access: (6755/-rwsr-sr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-12-12 07:52:45.132465174 +0000
Modify: 2019-12-12 07:52:45.132465174 +0000
Change: 2019-12-12 07:53:24.720322010 +0000
 Birth: -
hans@ratma:/$ id
uid=1000(hans) gid=1000(hans) groups=1000(hans),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev)
hans@ratma:/$ /target/a.out
uid: 1000, euid: 0
hans@ratma:/$ /bound/a.out
uid: 1000, euid: 1000

成功。如果它不起作用,它会在 /bound/a.out 上显示“euid:0”:)

相关内容