我正在运行一个 bash 脚本来复制一些日志文件,然后在 Red Hat 机器上重新启动服务。每次执行该脚本时,我的控制台上都会出现以下内容:
[root@servername ~]# sh /bin/restart
_nss.sh
_dumpable = 1
kernel.suid
Stopping Service: [ OK ]
Starting Service: [ OK ]
[root@servername ~]#
在这种情况下“kernel.suid_dumpable = 1”是什么意思?
谢谢,IVR Avenger
答案1
背景:
setuid 位:
可执行文件上的 setuid 位使得任何用户运行的可执行文件都像由可执行文件的所有者运行一样运行。因此,如果在 root 拥有的程序上设置了 setuid,无论谁运行它,它都将以 root 权限运行。当然,事情没那么简单,请参阅这个维基百科文章,或者获取 Steven 的《Unix 环境编程》一份。
核心转储:
核心转储是将程序的工作内存转储到文件中。请参阅这篇维基百科文章。
suid_dumpable:
这控制是否可以从 setuid 程序转储核心,如上所述。见下文。这是一个内核可调参数,您可以使用以下命令更改它:
sudo sysctl -w kernel.suid_dumpable=2
您可以在源代码文档中找到有关此可调参数的信息,如果已安装,您可能会在类似以下目录中找到该文档: /usr/src/linux-source-2.6.27/Documentation/sysctl/ 。在这种情况下,下面的参考资料位于该目录中的 fs.txt 中。使用该uname -a
命令查找您的内核版本。
为什么重要:
这可能是一个安全风险:
因此,这个想法是,如果有核心转储,并且普通用户可以读取它们,他们可能会发现特权信息。如果程序被转储,并且它在内存中具有特权信息,并且用户可以读取转储,他们可能会发现该特权信息。
参考:
This value can be used to query and set the core dump mode for setuid
or otherwise protected/tainted binaries. The modes are
0 - (default) - traditional behaviour. Any process which has changed
privilege levels or is execute only will not be dumped
1 - (debug) - all processes dump core when possible. The core dump is
owned by the current user and no security is applied. This is
intended for system debugging situations only.
2 - (suidsafe) - any binary which normally not be dumped is dumped
readable by root only. This allows the end user to remove
such a dump but not access it directly. For security reasons
core dumps in this mode will not overwrite one another or
other files. This mode is appropriate when adminstrators are
attempting to debug problems in a normal environment.
答案2
它决定您是否可以从 setuid 进程获取核心转储。
一些信息来自原始补丁
+suid_dumpable:
+
+This value can be used to query and set the core dump mode for setuid
+or otherwise protected/tainted binaries. The modes are
+
+0 - (default) - traditional behaviour. Any process which has changed
+ privilege levels or is execute only will not be dumped
+1 - (debug) - all processes dump core when possible. The core dump is
+ owned by the current user and no security is applied. This is
+ intended for system debugging situations only.
+2 - (suidsafe) - any binary which normally not be dumped is dumped
+ readable by root only. This allows the end user to remove
+ such a dump but not access it directly. For security reasons
+ core dumps in this mode will not overwrite one another or
+ other files. This mode is appropriate when adminstrators are
+ attempting to debug problems in a normal environment.