Traceroute 不能以 root 身份工作,但可以在其他用户上工作

Traceroute 对其他用户都正常,但以 root 身份运行时,中间各跳全部显示为“ * * * ”

# As root user
[root]# /usr/bin/traceroute 1.1.1.1 -I
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  one.one.one.one (1.1.1.1)  2.436 ms  2.433 ms  2.417 ms

# Switch to non-root user
[root]# su sam

# As non-root user
[sam]$ /usr/bin/traceroute 1.1.1.1 -I
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  169.254.100.0 (169.254.100.0)  1.291 ms  1.250 ms  1.243 ms
 2  13.106.232.74 (13.106.232.74)  3.202 ms  3.188 ms  3.420 ms
 3  172.70.160.4 (172.70.160.4)  6.058 ms  6.053 ms  6.035 ms
 4  one.one.one.one (1.1.1.1)  2.437 ms  2.434 ms  2.431 ms
[sam]$
Environment:
RockyLinux 9.2 (Blue Onyx)
kernel 5.14.0-284.18.1.el9_2.x86_64
traceroute-2.1.0-16.el9.src.rpm
Azure VM (Official Rocky image - clean install)

我见过因防火墙或权限不足而导致非 root 用户无法执行 traceroute 的情况,但今天发生的情况正好相反!

以下是根据评论中的建议所做的一些调查:

  1. iptables:
[root]# iptables-save -c
# Generated by iptables-save v1.8.8 (nf_tables) on Sun Oct  8 13:33:21 2023
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8239:955658]
[0:0] -A OUTPUT -d 168.63.129.16/32 -p tcp -m tcp --dport 53 -j ACCEPT
[6259:1742375] -A OUTPUT -d 168.63.129.16/32 -p tcp -m owner --uid-owner 0 -j ACCEPT
[0:0] -A OUTPUT -d 168.63.129.16/32 -p tcp -m conntrack --ctstate INVALID,NEW -j DROP
COMMIT
# Completed on Sun Oct  8 13:33:21 2023
# Generated by iptables-save v1.8.8 (nf_tables) on Sun Oct  8 13:33:21 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sun Oct  8 13:33:21 2023

  2. getcap(文件能力)
# As root user
[root]# /sbin/getcap $(readlink -e /usr/bin/traceroute)
/usr/bin/traceroute cap_net_admin=ep
# Switch to non-root user
[root]# su sam
# As non-root user
[sam]$ /sbin/getcap $(readlink -e /usr/bin/traceroute)
/usr/bin/traceroute cap_net_admin=ep
[sam]$ 
  3. ip rule(策略路由规则)
# ip rule
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default
  4. nftables 规则集
# nft list ruleset
table ip security {
    chain OUTPUT {
        type filter hook output priority 150; policy accept;
        ip daddr 168.63.129.16 tcp dport 53 counter packets 0 bytes 0 accept
        meta l4proto tcp ip daddr 168.63.129.16 skuid 0 counter packets 6159 bytes 1716902 accept
        meta l4proto tcp ip daddr 168.63.129.16 ct state invalid,new counter packets 0 bytes 0 drop
    }
}
table ip filter {
}
  5. SELinux
# sestatus
SELinux status:                 disabled
