Debugging a strange EACCES (Permission denied) error

I have a symlink pointing to a world-readable file which a C program cannot read. redshift should automatically pick up its configuration from $HOME/.config/redshift/redshift.conf, but it does not. I tried tracing the system calls to see which files it attempts to open:

[debian-x1-7th][redshift-1.12][130]$ strace -fe trace=file redshift
execve("/usr/bin/redshift", ["redshift"], 0x7ffd2d3c2680 /* 78 vars */) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdrm.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libwayland-client.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libxcb.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libxcb-randr.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libX11.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libXxf86vm.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgio-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgobject-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libffi.so.7", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libXau.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libXdmcp.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libXext.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgmodule-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libmount.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpcre.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libbsd.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libblkid.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpcre2-8.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libmd.so.0", O_RDONLY|O_CLOEXEC) = 3
statfs("/sys/fs/selinux", 0x7ffc678ee320) = -1 ENOENT (No such file or directory)
statfs("/selinux", 0x7ffc678ee320)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_CLOEXEC) = 3
access("/etc/selinux/config", F_OK)     = 0
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/ealfonso/.config/redshift/redshift.conf", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/home/ealfonso/.config/redshift.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/ealfonso/.config/redshift/redshift.conf", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/home/ealfonso/.config/redshift.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/redshift.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en_US.utf8/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
Trying location provider `geoclue2'...
Using provider `geoclue2'.
strace: Process 78213 attached
Could not connect to wayland display, exiting.
Failed to start adjustment method wayland.
Trying next method...
[pid 78212] access("/home/ealfonso/.Xauthority", R_OK) = 0
[pid 78212] openat(AT_FDCWD, "/home/ealfonso/.Xauthority", O_RDONLY) = 6
strace: Process 78214 attached
[pid 78213] openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/glib20.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 78213] openat(AT_FDCWD, "/usr/share/locale/en_US.utf8/LC_MESSAGES/glib20.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 78213] openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/glib20.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 78213] openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/glib20.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 78213] openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/glib20.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 78213] openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/glib20.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
Using method `randr'.
Waiting for initial location to become available...
strace: Process 78215 attached
strace: Process 78216 attached
[pid 78215] +++ exited with 0 +++

What surprised me was this permission denial:

openat(AT_FDCWD, "/home/ealfonso/.config/redshift/redshift.conf", O_RDONLY) = -1 EACCES (Permission denied)

which indicates that the process was denied opening /home/ealfonso/.config/redshift/redshift.conf. That is strange, because the file should be world-readable. All parent directories are owner-executable, including those of the symlink target:

[debian-x1-7th][redshift-1.12][1]$ ls -l /home/ealfonso/.config/redshift/redshift.conf
lrwxrwxrwx 1 ealfonso ealfonso 47 Jul 21 15:47 /home/ealfonso/.config/redshift/redshift.conf -> /home/ealfonso/git/dotfiles/inits/redshift.conf
[debian-x1-7th][redshift-1.12][0]$ ls -l /home/ealfonso/git/dotfiles/inits/redshift.conf
-rw-r--r-- 1 ealfonso ealfonso 138 Jul 21 15:32 /home/ealfonso/git/dotfiles/inits/redshift.conf
[debian-x1-7th][redshift-1.12][0]$ ls -ld ~/.config/
drwx------ 29 ealfonso ealfonso 4096 Jul 21 15:47 /home/ealfonso/.config/
[debian-x1-7th][redshift-1.12][0]$ ls -ld ~/
drwxr-xr-x 56 ealfonso ealfonso 4096 Jul 21 16:10 /home/ealfonso/
[debian-x1-7th][redshift-1.12][0]$ ls -ld /home/
drwxr-xr-x 3 root root 4096 Apr 27 17:10 /home/
[debian-x1-7th][redshift-1.12][0]$ ls -ld /home/ealfonso/git/dotfiles/inits/
drwxr-xr-x 8 ealfonso ealfonso 4096 Jul 21 15:32 /home/ealfonso/git/dotfiles/inits/

I tried compiling redshift from source and adding some debug logging, and surprisingly I could not reproduce the error:

[debian-x1-7th][redshift-1.12][130]$ strace -f -e trace=file ./src/redshift
execve("./src/redshift", ["./src/redshift"], 0x7ffc655cd728 /* 78 vars */) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libwayland-client.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libxcb.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libxcb-randr.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgio-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgobject-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libglib-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libffi.so.7", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libXau.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libXdmcp.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libgmodule-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libmount.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpcre.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libbsd.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libblkid.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpcre2-8.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libmd.so.0", O_RDONLY|O_CLOEXEC) = 3
statfs("/sys/fs/selinux", 0x7fff8353fa80) = -1 ENOENT (No such file or directory)
statfs("/selinux", 0x7fff8353fa80)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_CLOEXEC) = 3
access("/etc/selinux/config", F_OK)     = 0
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
DDEBUG 7w6d: cp /home/ealfonso/.config/redshift/redshift.conf
openat(AT_FDCWD, "/home/ealfonso/.config/redshift/redshift.conf", O_RDONLY) = 3
DDEBUG TRACE (config-ini.c) nlbc ()
DDEBUG wo2r: value randr
DDEBUG iwyt: m->name wayland
DDEBUG iwyt: m->name randr
access("/home/ealfonso/.Xauthority", R_OK) = 0
openat(AT_FDCWD, "/home/ealfonso/.Xauthority", O_RDONLY) = 4
openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/usr/local/share/locale/en_US.UTF-8/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/share/locale/en_US.utf8/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/share/locale/en_US/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/share/locale/en.UTF-8/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/share/locale/en.utf8/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/local/share/locale/en/LC_MESSAGES/redshift.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
Waiting for initial location to become available...
Location: 28.56 N, 81.21 E
openat(AT_FDCWD, "/home/ealfonso/.config/redshift/hooks", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
^Cstrace: Process 78851 detached

[debian-x1-7th][redshift-1.12][130]$

In particular:

DDEBUG 7w6d: cp /home/ealfonso/.config/redshift/redshift.conf
openat(AT_FDCWD, "/home/ealfonso/.config/redshift/redshift.conf", O_RDONLY) = 3

the file is opened successfully and the correct configuration is loaded.

How can I debug this strange error further?

For context, I am using redshift 1.12 on Debian 11, but this is really a general question about how to debug these system calls.

...

Shortly after posting the question, I looked at the files packaged as part of redshift and noticed an apparmor file whose contents include:

#include <tunables/global>
/usr/bin/redshift {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/dbus-strict>
  #include <abstractions/wayland>
  #include <abstractions/X>

  dbus send
       bus=system
       path=/org/freedesktop/GeoClue2/Client/[0-9]*,

  dbus receive
       bus=system
       path=/org/freedesktop/GeoClue2/Manager,

  # Allow but log any other dbus activity
  audit dbus bus=system,

  owner @{HOME}/.config/redshift.conf r,
  owner /run/user/*/redshift-shared-* rw,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.redshift>
}

Looking at the source, this ~/.config/redshift.conf is referred to as the "formerly used" fallback path:

if (f == NULL && (env = getenv("XDG_CONFIG_HOME")) != NULL &&
    env[0] != '\0') {
        snprintf(cp, sizeof(cp),
                 "%s/redshift/redshift.conf", env);
        f = fopen(cp, "r");
        if (f == NULL) {
                /* Fall back to formerly used path. */
                snprintf(cp, sizeof(cp),
                         "%s/redshift.conf", env);
                f = fopen(cp, "r");
        }
}

But after adding the line owner @{HOME}/.config/redshift/redshift.conf r to this profile, the file is still denied.

Answer 1

If there is a file that no program running with the same permissions can access, that is because of the file permissions. If a file can be accessed by some programs but not by others, that is because of their security context.

How to debug: look for something in the kernel logs. Where the log files are and what they contain depends on which security framework is involved and on how your distribution has configured it. Look under /var/log (possibly in a subdirectory) for files that were modified at the time of the failed access. Spoiler: it's AppArmor, and the log line looks like this in /var/log/syslog:

Jul 21 20:55:00 darkstar kernel: [1234.567] audit: type=1400 audit(1234.567:89): apparmor="DENIED" operation="open" profile="/usr/bin/redshift" name="/home/ealfonso/.config/redshift/redshift.conf" pid=2345 comm="redshift" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Debian's redshift package ships with an AppArmor profile that prevents /usr/bin/redshift from accessing arbitrary files under home directories. (The profile does not apply to a redshift executable invoked from a directory other than /usr/bin.) The profile is in /etc/apparmor.d/usr.bin.redshift and denies access to files under /home other than:

   owner @{HOME}/.config/redshift.conf r,

Since your configuration file is a symlink pointing outside the allowed area, redshift cannot follow the link.

One solution is to grant /usr/bin/redshift broader permissions. You can add custom lines in /etc/apparmor.d/local/usr.bin.redshift. I think the following line should work for you:

  owner @{HOME}/git/dotfiles/inits/redshift.conf r,

Then run service apparmor reload to reload the AppArmor configuration.

Alternatively, make the usual location a copy of the git-managed file rather than a symlink to it.
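As an added example (not code from the question, the answer or the redshift project), the answer's procedure in script form: it pulls the apparmor="DENIED" records out of constructed syslog lines shaped like the one above and derives the AppArmor rule for a denied path, resolving a symlink to its target the way the profile matching does, which is why the rule has to name the git-managed file rather than the link. Assumed: a POSIX shell with a readlink that supports -f; the scratch layout in demo() mirrors the question's symlink and is created under a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the question or from the redshift project.
# Triage an EACCES that plain file permissions cannot explain: pull the
# apparmor="DENIED" records out of kernel log lines, then derive the rule
# that would go into /etc/apparmor.d/local/<profile>. AppArmor matches the
# resolved path, so a symlink is resolved to its target first; that is why
# the question's symlinked redshift.conf needs a rule naming the git file.

# Print "profile|name|denied_mask" for every DENIED record read on stdin.
aa_denials() {
    grep 'apparmor="DENIED"' | sed -n \
        's/.*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1|\2|\3/p'
}

# Emit the owner rule for a denied path ($1) with access mask ($2).
# A symlink is replaced by its resolved target, and a leading $HOME is
# rewritten to the @{HOME} tunable used in Debian's profile.
aa_rule_for() {
    target=$1
    if [ -L "$target" ]; then
        target=$(readlink -f "$target")
    fi
    case $target in
        "$HOME"/*) target="@{HOME}${target#"$HOME"}" ;;
    esac
    printf 'owner %s %s,\n' "$target" "$2"
}

# Constructed log lines in the shape of the answer's syslog record
# (not a real capture); the second line is a non-denial that must be ignored.
SAMPLE_LOG='Jul 21 20:55:00 darkstar kernel: [1234.567] audit: type=1400 audit(1234.567:89): apparmor="DENIED" operation="open" profile="/usr/bin/redshift" name="/home/ealfonso/.config/redshift/redshift.conf" pid=2345 comm="redshift" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 21 20:55:01 darkstar kernel: [1234.568] audit: type=1400 audit(1234.568:90): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/redshift" pid=2300 comm="apparmor_parser"'

# Rebuild the question's layout under a scratch HOME: the allowed path is a
# symlink to a file in a git checkout, so the rule must name the target.
demo() {
    scratch=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$scratch/.config/redshift" "$scratch/git/dotfiles/inits"
    : > "$scratch/git/dotfiles/inits/redshift.conf"
    ln -s "$scratch/git/dotfiles/inits/redshift.conf" \
        "$scratch/.config/redshift/redshift.conf"
    printf '%s\n' "$SAMPLE_LOG" | aa_denials
    HOME=$scratch aa_rule_for "$scratch/.config/redshift/redshift.conf" r
    rm -rf "$scratch"
}

case ${1:-} in demo) demo ;; esac
```

Run it as `sh script.sh demo` to see the parsed denial followed by the rule `owner @{HOME}/git/dotfiles/inits/redshift.conf r,` that the answer recommends.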
