File permissions don't match the allowed operations...?

I'm running into several file-permission-related problems on a CentOS 9 VM. I've never had this much trouble before, and I wonder whether it has to do with the security option and filesystem (GUI STIG and ext4) I chose during installation.

Example problem 1:

Two Python files in the same directory; ls and stat show identical permissions:

$ls -al config.py run_app.py
-rwx------. 1 myuser myuser 20K Aug  4 19:33 config.py
-rwx------. 1 myuser myuser 50K Jul  8 10:51 run_app.py
$stat config.py run_app.py
  File: config.py
  Size: 19873           Blocks: 40         IO Block: 4096   regular file
Device: fd05h/64773d    Inode: 1971283     Links: 1
Access: (0700/-rwx------)  Uid: ( 1000/myuser)   Gid: ( 1000/myuser)
Context: unconfined_u:object_r:user_home_t:s0
  File: run_app.py
  Size: 51016           Blocks: 104        IO Block: 4096   regular file
Device: fd05h/64773d    Inode: 1969096     Links: 1
Access: (0700/-rwx------)  Uid: ( 1000/myuser)   Gid: ( 1000/myuser)
Context: unconfined_u:object_r:user_home_t:s0

But lsattr does not work properly:

$lsattr config.py run_app.py
--------------e------- config.py
lsattr: Operation not permitted While reading flags on run_app.py
$sudo lsattr run_app.py
--------------e------- run_app.py

I also cannot cat/edit/run run_app.py, although all three operations work fine on config.py. Doing anything at all with run_app.py requires sudo/root.

Example problem 2:

I cannot install Python packages into a virtual environment, but I can install them into the local user environment.

myuser@COS9-VM:~/sandbox
$python3 -m venv myvenv

myuser@COS9-VM:~/sandbox
$. myvenv/bin/activate

(myvenv) myuser@COS9-VM:~/sandbox
$python3 -m pip install pyyaml
Traceback (most recent call last):
  File "/usr/lib64/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/myuser/sandbox/myvenv/lib64/python3.9/site-packages/pip/__main__.py", line 29, in <module>
    from pip._internal.cli.main import main as _main
  File "/home/myuser/sandbox/myvenv/lib64/python3.9/site-packages/pip/_internal/cli/main.py", line 9, in <module>
    from pip._internal.cli.autocompletion import autocomplete
  File "/home/myuser/sandbox/myvenv/lib64/python3.9/site-packages/pip/_internal/cli/autocompletion.py", line 10, in <module>
    from pip._internal.cli.main_parser import create_main_parser
  File "/home/myuser/sandbox/myvenv/lib64/python3.9/site-packages/pip/_internal/cli/main_parser.py", line 8, in <module>
    from pip._internal.cli import cmdoptions
  File "/home/myuser/sandbox/myvenv/lib64/python3.9/site-packages/pip/_internal/cli/cmdoptions.py", line 23, in <module>
    from pip._internal.cli.parser import ConfigOptionParser
  File "/home/myuser/sandbox/myvenv/lib64/python3.9/site-packages/pip/_internal/cli/parser.py", line 12, in <module>
    from pip._internal.configuration import Configuration, ConfigurationError
  File "/home/myuser/sandbox/myvenv/lib64/python3.9/site-packages/pip/_internal/configuration.py", line 21, in <module>
    from pip._internal.exceptions import (
  File "/home/myuser/sandbox/myvenv/lib64/python3.9/site-packages/pip/_internal/exceptions.py", line 7, in <module>
    from pip._vendor.pkg_resources import Distribution
  File "/home/myuser/sandbox/myvenv/lib64/python3.9/site-packages/pip/_vendor/pkg_resources/__init__.py", line 80, in <module>
    from pip._vendor import appdirs
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 846, in exec_module
  File "<frozen importlib._bootstrap_external>", line 982, in get_code
  File "<frozen importlib._bootstrap_external>", line 1039, in get_data
PermissionError: [Errno 1] Operation not permitted: '/home/myuser/sandbox/myvenv/lib64/python3.9/site-packages/pip/_vendor/appdirs.py'

(myvenv) myuser@COS9-VM:~/sandbox
$deactivate

myuser@COS9-VM:~/sandbox
$python3 -m pip install pyyaml
Defaulting to user installation because normal site-packages is not writeable
Collecting pyyaml
  Using cached PyYAML-6.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_12_x86_64.manylinux2010_x86_64.whl (661 kB)
Installing collected packages: pyyaml
  WARNING: Value for scheme.platlib does not match. Please report this to <https://github.com/pypa/pip/issues/10151>
  distutils: /home/myuser/.local/lib/python3.9/site-packages
  sysconfig: /home/myuser/.local/lib64/python3.9/site-packages
  WARNING: Additional context:
  user = True
  home = None
  root = None
  prefix = None
Successfully installed pyyaml-6.0

I'm out of ideas... what am I missing?

Answer 1

After searching online, I have the answer. Of course, it was already on Stack Overflow/Stack Exchange (here), but it took me a couple of days to find it.

My VM is running fapolicyd as part of the STIG-compliance configuration I enabled at install time. That daemon hooks itself into the file-permission decision process. It has rule files which, by default, deny access to certain executables in certain non-system binary/executable directories. As far as I can tell, it does this based on its determination of the file's MIME type. In my case config.py has no shebang, while run_app.py has one. That was enough to classify the latter as text/x-python and leave the former alone.

Once I stopped/disabled the fapolicyd service, I could use the files according to the permissions/ACLs they display.
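The shebang distinction described in the answer above, as an added example that is not part of the original question or answer: a POSIX shell script that builds two constructed files mirroring config.py and run_app.py, classifies each by whether it starts with a #! line, shows what file(1) reports for them when it is installed, and checks whether fapolicyd is active on the host. The make_demo, classify_by_shebang, mime_of and fapolicyd_state functions and the file contents are assumptions of this example, not anything from the post or from fapolicyd itself.

```shell
#!/bin/sh
# Added example (not from the original post). Everything below is constructed
# to reproduce the symptom: two 0700 files, identical from ls/stat's point of
# view, that differ only in a leading shebang line.

set -u

# Build a scratch directory with a shebang-less "config" file and a
# shebang-bearing "runner" file, both mode 0700 like in the question.
make_demo() {
    dir=$(mktemp -d)
    printf 'import os\nDEBUG = True\n' > "$dir/config.py"
    printf '#!/usr/bin/env python3\nprint("hello")\n' > "$dir/run_app.py"
    chmod 700 "$dir/config.py" "$dir/run_app.py"
    echo "$dir"
}

# Print "script" if the file begins with "#!", otherwise "source".
# A MIME-based policy engine treats the first kind as an executable script,
# which is the trait that singled out run_app.py in the question.
classify_by_shebang() {
    if [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]; then
        echo script
    else
        echo source
    fi
}

# Ask file(1) for the MIME type, or say so when the tool is missing.
mime_of() {
    if command -v file >/dev/null 2>&1; then
        file -b --mime-type "$1"
    else
        echo "file(1) not installed"
    fi
}

# Report fapolicyd's service state: "active", "inactive"/"failed", or
# "unknown" when there is no usable systemd (e.g. inside a container).
fapolicyd_state() {
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-active fapolicyd 2>/dev/null) || state=${state:-inactive}
        [ -n "$state" ] || state=unknown
        echo "$state"
    else
        echo unknown
    fi
}

demo=$(make_demo)
for f in "$demo/config.py" "$demo/run_app.py"; do
    printf '%s: shebang=%s mime=%s\n' \
        "$(basename "$f")" "$(classify_by_shebang "$f")" "$(mime_of "$f")"
done
printf 'fapolicyd service: %s\n' "$(fapolicyd_state)"
rm -rf "$demo"
```

When the last line reports "active" and a file that shows the expected mode is still denied with "Operation not permitted", the denial is coming from the policy daemon rather than from the DAC bits, so chmod and lsattr will not change anything. The narrower fix in that situation is to add the file to fapolicyd's trust database (fapolicyd-cli --file add, followed by fapolicyd-cli --update) or to adjust the relevant rule, rather than disabling the service as a whole.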