What does "kernel.suid_dumpable = 1" mean on Red Hat?


9

I am running a bash script that copies some log files and then restarts a service on a Red Hat box. Every time I execute the script I see the following on the console:

[root@servername ~]# sh /bin/restart_nss.sh
kernel.suid_dumpable = 1
Stopping Service: [ OK ]
Starting Service: [ OK ]
[root@servername ~]#

In this context, what does "kernel.suid_dumpable = 1" mean?

Thanks, IVR Avenger

Answers:


13

Some background:

The setuid bit:
The setuid bit on an executable makes it so that, no matter which user runs the executable, it runs as if it were run by the executable's owner. So if setuid is set on a program owned by root, it runs with root privileges regardless of who runs it. Of course it is not that simple; see this Wikipedia article, or get a copy of Stevens' Programming in the UNIX Environment.

Core dumps:
A core dump is a dump of a program's working memory to a file. See this Wikipedia article.

suid_dumpable:
This controls whether core dumps can be taken from setuid programs as described above. See below. It is a kernel tunable that you can change with the following command:

sudo sysctl -w kernel.suid_dumpable=2

You can find information about this tunable in your kernel source's documentation; if it is installed, it will probably be in a directory like /usr/src/linux-source-2.6.27/Documentation/sysctl/. In this case the reference below is in fs.txt in that directory. Use the uname -a command to find out your kernel version.

Why it matters:

It can be a security risk:
The idea is that if there are core dumps and regular users can read them, they may discover privileged information. If a program that holds privileged information in memory dumps core, and users can read the dump, they may find that privileged information.

Reference:

This value can be used to query and set the core dump mode for setuid
or otherwise protected/tainted binaries. The modes are

0 - (default) - traditional behaviour. Any process which has changed
   privilege levels or is execute only will not be dumped
1 - (debug) - all processes dump core when possible. The core dump is
   owned by the current user and no security is applied. This is
   intended for system debugging situations only.
2 - (suidsafe) - any binary which normally not be dumped is dumped
   readable by root only. This allows the end user to remove
   such a dump but not access it directly. For security reasons
   core dumps in this mode will not overwrite one another or 
   other files. This mode is appropriate when adminstrators are
   attempting to debug problems in a normal environment.

fs.txt is also online here: kernel.org/doc/Documentation/sysctl/fs.txt
圣代
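The three modes quoted above are easy to misread in a console scroll-back, so here is a small POSIX shell helper, added to this page as an illustration and not taken from the answer or from the kernel sources, that maps a `kernel.suid_dumpable` value to its documented mode name and to the risk the answer describes (mode 1 is the one where an unprivileged user can read the core of a setuid process). The function names, the `--demo` flag and the sample console line are this example's own constructions; `sysctl -w key=value` does print the `key = value` line it applied, which is what the questioner's restart script is echoing.

```shell
#!/bin/sh
# Added example: classify kernel.suid_dumpable per Documentation/sysctl/fs.txt.
# Not part of the original thread; helper names are this example's own.

# Map a numeric suid_dumpable value to the mode name used in the kernel docs.
suid_dumpable_mode() {
    case "$1" in
        0) echo "default"  ;;   # privilege-changing processes never dump
        1) echo "debug"    ;;   # everything dumps, owned by the current user
        2) echo "suidsafe" ;;   # dumps are written readable by root only
        *) echo "unknown"  ;;
    esac
}

# Extract the value from a "kernel.suid_dumpable = N" line, as printed by
# `sysctl kernel.suid_dumpable` or `sysctl -w kernel.suid_dumpable=N`.
parse_sysctl_line() {
    printf '%s\n' "$1" | sed -n 's/^kernel\.suid_dumpable *= *\([0-9][0-9]*\).*/\1/p'
}

# Risk verdict: only mode 1 leaves a setuid process's core readable by the
# unprivileged user who invoked it, which is the exposure the answer describes.
suid_dumpable_risk() {
    case "$1" in
        1)   echo "RISK: setuid core dumps are readable by the invoking user" ;;
        0|2) echo "OK: setuid core dumps are not exposed to unprivileged users" ;;
        *)   echo "UNKNOWN: unexpected value '$1'" ;;
    esac
}

# Read the live setting on Linux; a file path may be given instead for testing.
current_suid_dumpable() {
    if [ -n "${1:-}" ] && [ -r "$1" ]; then
        cat "$1"
    elif [ -r /proc/sys/kernel/suid_dumpable ]; then
        cat /proc/sys/kernel/suid_dumpable
    else
        echo "unknown"
    fi
}

# Constructed sample: the line the questioner saw on the console.
SAMPLE_LINE="kernel.suid_dumpable = 1"

if [ "${1:-}" = "--demo" ]; then
    v=$(parse_sysctl_line "$SAMPLE_LINE")
    echo "value=$v mode=$(suid_dumpable_mode "$v")"
    suid_dumpable_risk "$v"
    echo "live value on this host: $(current_suid_dumpable)"
fi
```

Run it with `sh check_suid_dumpable.sh --demo` to see the sample line classified as mode 1 (debug) and flagged, followed by the value currently set on the host.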

1

It determines whether you can get a core dump from a setuid process.

Some information from the original patch:

+suid_dumpable:
+
+This value can be used to query and set the core dump mode for setuid
+or otherwise protected/tainted binaries. The modes are
+
+0 - (default) - traditional behaviour. Any process which has changed
+   privilege levels or is execute only will not be dumped
+1 - (debug) - all processes dump core when possible. The core dump is
+   owned by the current user and no security is applied. This is
+   intended for system debugging situations only.
+2 - (suidsafe) - any binary which normally not be dumped is dumped
+   readable by root only. This allows the end user to remove
+   such a dump but not access it directly. For security reasons
+   core dumps in this mode will not overwrite one another or 
+   other files. This mode is appropriate when adminstrators are
+   attempting to debug problems in a normal environment.
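Review bot: two wording defects in the new mode descriptions: `2 - (suidsafe) - any binary which normally not be dumped` is missing its verb and should read `which would normally not be dumped`, and `adminstrators` in the same paragraph should be `administrators`; the `or ` line just above also carries trailing whitespace. For mode 1, consider spelling out what `no security is applied` means in practice: the dump is owned by, and therefore readable to, the user who ran the binary even though the process held the owner's privileges, which is why the text restricts it to system debugging.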

So, is this strictly informational? Does it tell me what kind of dump I can get from the startup process?
IVR Avenger
Licensed under cc by-sa 3.0 with attribution required.