我显然误解了文件权限的某些方面。
我正在尝试从 Drupal 安装中执行在 Linux 机器的文件g++中编译的二进制文件:/var/www/html/modules
uname -a
Linux <redacted> 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
如果我ls -al从modules目录中运行,我可以看到我对该文件拥有完全权限(作为用户apache):
whoami
apache
pwd
/var/www/html/modules
ls -al
total 108
drwxrwxrwx. 42 apache apache 4096 May 8 17:03 .
drwxrwxrwx. 9 apache apache 4096 May 8 16:49 ..
. . .
-rwxrwxrwx. 1 apache apache 46016 May 8 16:38 my_binary
cd ../..
ls -al
total 8
drwxr-xr-x. 4 root root 33 Dec 3 10:31 .
drwxr-xr-x. 21 root root 4096 Dec 11 18:49 ..
drwxr-xr-x. 2 root root 6 Nov 16 16:19 cgi-bin
drwxrwxrwx. 9 apache apache 4096 May 8 16:49 html
这是发行版信息:
cat /proc/version
Linux version 3.10.0-1160.6.1.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Tue Nov 17 13:59:11 UTC 2020
为了完整起见,这里file对文件进行运行:
file my_binary
my_binary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), BuildID[sha1]=e7fb75e11b7234dc1129e9502304fcc7440fd788, for GNU/Linux 3.2.0, not stripped
而且,如果我检查mount | grep noexec,当前目录似乎不会显示在结果中:
mount | grep noexec
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,seclabel,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,perf_event)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,memory)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpuacct,cpu)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,net_prio,net_cls)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,blkio)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,hugetlb)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,pids)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,freezer)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,cpuset)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,seclabel,devices)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
并且,正如评论中所建议的,以下是结果cat /proc/mounts | grep noexec:
cat /proc/mounts | grep noexec
devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs ro,seclabel,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,seclabel,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,seclabel,nosuid,nodev,noexec,relatime,perf_event 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,seclabel,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,seclabel,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0
cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,seclabel,nosuid,nodev,noexec,relatime,net_prio,net_cls 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,seclabel,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,seclabel,nosuid,nodev,noexec,relatime,hugetlb 0 0
cgroup /sys/fs/cgroup/pids cgroup rw,seclabel,nosuid,nodev,noexec,relatime,pids 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,seclabel,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,seclabel,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,seclabel,nosuid,nodev,noexec,relatime,devices 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
尽管如此,尝试运行该文件仍会出现权限错误:
./my_binary
bash: line 84: ./my_binary: Permission denied
这里可能存在什么问题,或者我如何进一步诊断导致权限问题的原因?
我有义务说我在进行(简单的)Hack the Box 挑战时遇到了这个问题。不过,我正在通过挑战来学习,这是一个我真的很想从中学习的障碍。
答案1
感谢@Stéphane Chazelas 的提示,我想我找到了答案。
如果我运行sestatus,我会得到:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: error (Permission denied)
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31
因此,有额外的保护措施。如果我随后运行ls -alZ以显示应用于文件的 selinux 策略,我会看到:
ls -alZ
drwxrwxrwx. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
. . .
drwxrwxrwx. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 modules
我相信这httpd_sys_rw_content_t意味着该文件只允许读取和写入;与文件权限无关。所以,我需要找到一种方法来绕过这个限制(或者,我正走在完全错误的方向上)。