主页 / server / 问题 / 56800
Accepted
IVR Avenger
Asked: 2009-08-21 11:10:40 +0800 CST

在 Redhat 上,“kernel.suid_dumpable = 1”是什么意思?

  • 772

我正在运行 bash 脚本来复制一些日志文件,然后在 Red Hat 机器上重新启动服务。每次执行脚本时,我都会在控制台上看到以下内容:

[root@servername ~]# sh /bin/restart_nss.sh
kernel.suid_dumpable = 1
Stopping Service: [ OK ]
Starting Service: [ OK ]
[root@servername ~]#

在这种情况下,“kernel.suid_dumpable = 1”是什么意思?

谢谢,IVR 复仇者

bash

2 个回答

  1. Best Answer

    一些背景:

    setuid 位:
    可执行文件上的 setuid 位使得任何用户运行的可执行文件都像由可执行文件的所有者运行一样运行。所以如果setuid设置在root拥有的程序上,不管是谁运行,都会以root权限运行。当然没那么简单,请参阅这篇 wikipedia文章,或获取 Steven 的 Programing in the Unix Env​​ironment 的副本。

    核心转储:
    核心转储是将程序的工作内存转储到文件中。请参阅此维基百科文章

    suid_dumpable
    这控制是否可以如上所述从 setuid 程序中转储内核。见下文。这是一个内核可调参数,您可以使用以下命令对其进行更改:

    sudo sysctl -w kernel.suid_dumpable=2

    您可以在源代码的文档中找到有关此可调参数的信息,如果安装了该可调参数,您可能会在如下目录中找到: /usr/src/linux-source-2.6.27/Documentation/sysctl/ 。在这种情况下,下面的引用位于该目录的 fs.txt 中。使用该uname -a命令找出您的内核版本。

    为什么重要:

    这可能是一个安全风险:
    所以这个想法是,如果有核心转储并且普通用户可以阅读它们,他们可能会发现特权信息。如果程序被很好地转储,它在内存中具有特权信息,并且用户可以读取转储,他们可能会发现该特权信息。

    参考:

    This value can be used to query and set the core dump mode for setuid
or otherwise protected/tainted binaries. The modes are

0 - (default) - traditional behaviour. Any process which has changed
   privilege levels or is execute only will not be dumped
1 - (debug) - all processes dump core when possible. The core dump is
   owned by the current user and no security is applied. This is
   intended for system debugging situations only.
2 - (suidsafe) - any binary which normally not be dumped is dumped
   readable by root only. This allows the end user to remove
   such a dump but not access it directly. For security reasons
   core dumps in this mode will not overwrite one another or 
   other files. This mode is appropriate when adminstrators are
   attempting to debug problems in a normal environment.
    • 13

  2. 它确定您是否可以从 setuid 进程获取核心转储。

    来自原始补丁的一些信息 

    +suid_dumpable:
+
+This value can be used to query and set the core dump mode for setuid
+or otherwise protected/tainted binaries. The modes are
+
+0 - (default) - traditional behaviour. Any process which has changed
+   privilege levels or is execute only will not be dumped
+1 - (debug) - all processes dump core when possible. The core dump is
+   owned by the current user and no security is applied. This is
+   intended for system debugging situations only.
+2 - (suidsafe) - any binary which normally not be dumped is dumped
+   readable by root only. This allows the end user to remove
+   such a dump but not access it directly. For security reasons
+   core dumps in this mode will not overwrite one another or 
+   other files. This mode is appropriate when adminstrators are
+   attempting to debug problems in a normal environment.
    • 1

相关问题