我正在使用 rsh,想从头到尾检查整个过程。为此,我使用了 strace。
操作系统名称是 CentOS。我在单机上工作,服务器和客户端在同一台机器上。
我的命令是 rsh localhost ulimit -n。
为了进行跟踪,我使用了 strace rsh localhost ulimit -n。
我查看了执行上述命令期间打开的所有文件。但我想跟踪的是 rsh 服务器如何设置 ulimit -n 的限制,因为通过 rsh 执行的所有命令都由 rsh 守护程序运行。
我正在寻找的系统调用是 setrlimit,但使用 strace rsh localhost ulimit -n 时并没有显示这个系统调用。
为此,我必须跟踪 rsh server ,即 rsh 守护进程。但我不知道,我如何执行这项任务。
请告诉我命令及其解释。
我知道如今一般已不再使用 rsh,但我的项目仍在使用它,所以请不要告诉我 rsh 不好,这些我都知道。
编辑1号
$ sudo lsof -i :514
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslogd 2210 root 9u IPv4 6259 UDP *:syslog
xinetd 2658 root 8u IPv4 8745 TCP *:shell (LISTEN)
并且 /etc/xinetd.d 中不包含 rshd,它包含 rsh、rexec、rlogin、rsync 等。
编辑2号[与 Chris Down 的评论相关]
rsh localhost strace -o log_new bash -c 'ulimit -n'
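它给出的结果与我运行 strace rsh localhost ulimit -n 时得到的结果不同(注意下面 execve 的参数是 "bash", "-c", "ulimit", "-n":引号在经由 rsh 传递时丢失,bash 实际执行的是不带选项的 ulimit,它查询的是文件大小限制 RLIMIT_FSIZE,所以输出为 unlimited):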
execve("/bin/bash", ["bash", "-c", "ulimit", "-n"], [/* 15 vars */]) = 0
brk(0) = 0x13e86000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbab2000
uname({sys="Linux", node="jhamb.XXX.XXX", ...}) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=57641, ...}) = 0
mmap(NULL, 57641, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2af7bbab3000
close(3) = 0
open("/lib64/libtermcap.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\17\300T4\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=15584, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbac2000
mmap(0x3454c00000, 2108688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3454c00000
mprotect(0x3454c03000, 2093056, PROT_NONE) = 0
mmap(0x3454e02000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x3454e02000
close(3) = 0
open("/lib64/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\16@T4\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=23360, ...}) = 0
mmap(0x3454400000, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3454400000
mprotect(0x3454402000, 2097152, PROT_NONE) = 0
mmap(0x3454602000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x3454602000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\332\1T4\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1726320, ...}) = 0
mmap(0x3454000000, 3506520, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3454000000
mprotect(0x345414f000, 2097152, PROT_NONE) = 0
mmap(0x345434f000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14f000) = 0x345434f000
mmap(0x3454354000, 16728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3454354000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbac3000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbac4000
arch_prctl(ARCH_SET_FS, 0x2af7bbac3dd0) = 0
mprotect(0x3454602000, 4096, PROT_READ) = 0
mprotect(0x345434f000, 16384, PROT_READ) = 0
mprotect(0x3453e1c000, 4096, PROT_READ) = 0
munmap(0x2af7bbab3000, 57641) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/dev/tty", O_RDWR|O_NONBLOCK) = -1 ENXIO (No such device or address)
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7fffb504cb00) = -1 EINVAL (Invalid argument)
brk(0) = 0x13e86000
brk(0x13ea7000) = 0x13ea7000
getuid() = 500
getgid() = 500
geteuid() = 500
getegid() = 500
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/proc/meminfo", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbab3000
read(3, "MemTotal: 3920228 kB\nMemFre"..., 4096) = 777
close(3) = 0
munmap(0x2af7bbab3000, 4096) = 0
rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGINT, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], 0}, 8) = 0
rt_sigaction(SIGQUIT, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigaction(SIGQUIT, {0x1, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, 8) = 0
uname({sys="Linux", node="jhamb.XXX.XXX", ...}) = 0
stat("/home/service", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
stat(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
getpid() = 30873
getppid() = 30829
stat(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
stat("/home/service/bin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory)
stat("/usr/local/sbin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory)
stat("/usr/local/bin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory)
stat("/usr/sbin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory)
stat("/sbin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory)
stat("/usr/kerberos/bin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory)
stat("/usr/bin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory)
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=801512, ...}) = 0
access("/bin/bash", X_OK) = 0
access("/bin/bash", R_OK) = 0
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=801512, ...}) = 0
access("/bin/bash", X_OK) = 0
access("/bin/bash", R_OK) = 0
getpgrp() = 30829
rt_sigaction(SIGCHLD, {0x436080, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
getpeername(0, {sa_family=AF_INET, sin_port=htons(61000), sin_addr=inet_addr("127.0.0.1")}, [5255137823777882128]) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
getrlimit(RLIMIT_FSIZE, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0
fstat(1, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbab3000
write(1, "unlimited\n", 10) = 10
exit_group(0) = ?
编辑3号
# grep -e ulimit -e setrlimit rsh.strace.*
rsh.strace.31472:14:22:42.966361 setrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0
rsh.strace.31474:14:22:43.085822 execve("/bin/bash", ["bash", "-c", "ulimit -n"], [/* 4 vars */]) = 0
rsh.strace.31474:14:22:43.546754 setrlimit(RLIMIT_CORE, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0
编辑4:/etc/security/limits.conf(已删除注释行)
* soft core unlimited
* hard core unlimited
@service hard nofile 13000
@service soft nofile 13000
* soft nofile 12000
* hard nofile 12000
答案1
您需要确定服务器上是哪个进程在提供 rsh(又名 shell)服务。传统上,它由 inetd 或 xinetd 元守护程序启动,该守护程序侦听 shell TCP 端口 (514),并在有传入连接时运行 rshd 命令。
lsof -i tcp:shell
(以 root 身份运行)会告诉您哪个进程正在侦听该端口。
您可以使用以下命令来追踪:
strace -tt -ff -o rsh.strace -p "the-PID"
-ff 选项会跟踪 fork 出的子进程,并为每个进程单独创建一个日志文件,使其更易于阅读。
日志文件将被命名为 rsh.strace.<pid>,其中 <pid> 是相应进程的进程 ID。xinetd 会生成一个新进程来运行 rshd 服务器,该进程本身可能又会生成另一个进程来运行用户的登录 shell,而后者在解释 ~/.bashrc 时可能还会生成多个进程(是的,如果 bash 是用户的登录 shell,那么通过 rsh 运行时,即使它不是以登录 shell 方式启动,也会解释 ~/.bashrc)。
然后,您可以查看是哪个进程执行了这个 setrlimit 调用:
grep setrlimit rsh.strace.*
一旦确定了进程,您可以执行:
grep execve rsh.strace.<that-pid>
来查看该进程在调用 setrlimit 之前是否执行过某个命令,这将告诉您是哪个命令设置了 ulimit。如果该进程没有执行任何 execve,那么执行它的就是其父进程或祖父进程。您可以通过检查是哪个进程的 fork/clone 返回了该 <pid> 来找出父进程:
grep -E '(clone|fork).*= <that-pid>' rsh.strace.*
如果该进程是 inetd/xinetd,并且它除了 shell 之外还提供许多其他服务,您也可以更改其配置,让该 shell 服务运行 strace -tt -ff -o /var/log/rsh.strace in.rshd 而不是 in.rshd,或者为 in.rshd 制作一个包装器脚本,由它对真正的 in.rshd 调用 strace。这些跟踪日志会记录远程用户执行的命令及其读写的数据,应保存在仅 root 可读的位置,调试结束后及时删除并恢复原配置。
现在,可能设置 ulimit 的有两处:PAM(通过 pam_limits 模块和 /etc/security/limits.conf),以及远程用户登录 shell 的启动脚本。
在后一种情况下,您可以不用 strace 跟踪 rshd,而是在登录 shell 中启用 shell 跟踪。例如,如果远程用户的登录 shell 是 bash,或者是 sh 且 sh 是指向 bash 的符号链接,您可以将 /usr/sbin/in.rshd(或 rsh 守护程序命令所在的任何位置)更改为执行以下操作的包装器脚本:
#! /bin/sh -
# Wrapper meant to sit where the rsh daemon binary normally lives; it hands
# control to the real binary, expected under the same path plus ".bin".
# SHELLOPTS is injected through env(1) instead of a shell assignment because
# bash treats SHELLOPTS as read-only; a bash that finds it in its environment
# at startup enables the listed options, so shells started beneath the daemon
# run with xtrace on.
# NOTE(review): this presumably affects every user served by the daemon and
# sends the trace to stderr, i.e. back to the rsh client; confirm, and remove
# the wrapper once debugging is done.
exec /usr/bin/env SHELLOPTS=xtrace "$0.bin" "$@"
并事先将原来的 in.rshd 重命名为 in.rshd.bin。
答案2
我对 rsh 没有太多经验,但我会这样用 strace 来解决这个问题。
您可以使用 -p 标志跟踪正在运行的进程。比如这样:
linux$ strace -p $(pidof rshd) -o logfile.txt
(在问题所示的环境中,侦听 514 端口的是 xinetd,rshd 只在有连接时才会被启动,平时 pidof rshd 可能找不到进程。)
或者您可以修改启动 rsh 守护程序的脚本,让它使用 strace。为此最好使用 strace -o logfile,否则输出可能会被启动 rsh 守护程序的脚本隐藏。
答案3
非常简单:rsh machine command 所做的就是在 machine 上运行 command。也就是说,如果您执行 rsh localhost ulimit -u,结果就是 ulimit -u 命令在 localhost 上(即在同一台机器上)运行。调用过程中用到了 rsh 这一点与此完全无关。如果您想知道那里发生了什么,只要看看 ulimit -u 做了什么就行。
您可以把 rshd 分析到脸色发青,但它除了(1)接受连接并检查是否允许,(2)收集要运行的命令,(3)fork/exec 来运行命令并建立连接以回传输出之外,不会做任何事情。特别是,您不会在其中看到任何与 ulimit 相关的操作。