2016-04-20 72 views
5

How do I grant capabilities to specific users and executables with the PAM capability module?

I am trying to get a program that uses raw sockets to run correctly as a non-root user by means of Linux capabilities. The program is as follows:

#include <stdio.h>        /* perror() */
#include <sys/socket.h>   /* socket(), PF_INET, SOCK_RAW */
#include <netinet/in.h>   /* IPPROTO_TCP */
#include <netinet/ip.h>

int main()
{
    /* Opening a raw socket requires CAP_NET_RAW; without it the kernel returns EPERM. */
    int sd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
    if(sd < 0)
    {
        perror("socket() error");
        return 1;
    }
    return 0;
}

If I compile and run it as non-root, I get an error, as expected:

[user@localhost ~]$ make socket
cc  socket.c -o socket
[user@localhost ~]$ ./socket
socket() error: Operation not permitted

If I add the cap_net_raw capability as an effective and permitted capability, it works:

[user@localhost ~]$ sudo setcap cap_net_raw+ep socket
[sudo] password for user:
[user@localhost ~]$ ./socket
[user@localhost ~]$

Now I want to use pam_cap.so so that only a specific user can run this program with cap_net_raw, rather than everyone. My /etc/security/capability.conf is:

cap_net_raw user 

My /etc/pam.d/login (note that I also tried /etc/pam.d/sshd, but nothing seemed to work):

#%PAM-1.0 
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so 
auth  substack  system-auth 
auth  include  postlogin 
#Added this line to use pam_cap 
auth  required  pam_cap.so 
account required  pam_nologin.so 
account include  system-auth 
password include  system-auth 
# pam_selinux.so close should be the first session rule 
session required  pam_selinux.so close 
session required  pam_loginuid.so 
session optional  pam_console.so 
# pam_selinux.so open should only be followed by sessions to be executed in the user context 
session required  pam_selinux.so open 
session required  pam_namespace.so 
session optional  pam_keyinit.so force revoke 
session include  system-auth 
session include  postlogin 
-session optional  pam_ck_connector.so 

I have an SSH session; after logging out and back in, I run the following commands:

[user@localhost ~]$ sudo setcap cap_net_raw+p socket
[sudo] password for user:
[user@localhost ~]$ getcap socket
socket = cap_net_raw+p
[user@localhost ~]$ ./socket
socket() error: Operation not permitted
[user@localhost ~]$

My question is: why can't I run the 'socket' program with cap_net_raw? I assumed that when I log in, my user would get it as a permitted capability, allowing 'user' to run 'socket' with cap_net_raw.

This is what I am running on:

[user@localhost ~]$ uname -a
Linux localhost.localdomain 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[user@localhost ~]$ cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)

Answer

1

I figured it out: I had the wrong capabilities on the file. For a process to obtain effective capabilities from the pam_cap module, the file also needs the 'inheritable' capability configured. So the capability set on the file should be:

sudo setcap cap_net_raw+ip socket 

However, I can still only get the program to work successfully from a normal tty login, not from an SSH login.
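Added example, not code from the question or the answer: a small C inspector that parses the CapInh, CapPrm and CapEff lines of /proc/self/status and reports whether CAP_NET_RAW (capability number 13 in the kernel's numbering) is in each set, which shows directly what pam_cap put into the inheritable set at login and what the file capability produced at exec. The helper names are my own; the /proc format and the bit number are from the kernel.

```c
/* Added example, not the question's or answer's code: where does CAP_NET_RAW sit in this process's capability sets? */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_RAW_BIT 13  /* value of CAP_NET_RAW in <linux/capability.h> */

/* Parse the hex mask after a "CapXxx:" label of /proc/<pid>/status, e.g.
 * "CapPrm:\t0000000000002000". Returns 1 and stores the mask on a match, else 0. */
int parse_cap_line(const char *line, const char *label, uint64_t *mask)
{
    size_t n = strlen(label);
    if (strncmp(line, label, n) != 0 || line[n] != ':')
        return 0;
    *mask = strtoull(line + n + 1, NULL, 16);  /* strtoull skips the tab */
    return 1;
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
int cap_in_mask(uint64_t mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* Fill the inheritable, permitted and effective masks of the calling process. */
int read_self_caps(uint64_t *inh, uint64_t *prm, uint64_t *eff)
{
    char line[256]; int found = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        found += parse_cap_line(line, "CapInh", inh);
        found += parse_cap_line(line, "CapPrm", prm);
        found += parse_cap_line(line, "CapEff", eff);
    }
    fclose(f);
    return found == 3 ? 0 : -1;  /* all three lines must be present */
}

int main(void)
{
    uint64_t inh = 0, prm = 0, eff = 0;
    if (read_self_caps(&inh, &prm, &eff) != 0) {
        perror("/proc/self/status");
        return 1;
    }
    printf("cap_net_raw: inheritable=%d permitted=%d effective=%d\n",
           cap_in_mask(inh, CAP_NET_RAW_BIT), cap_in_mask(prm, CAP_NET_RAW_BIT),
           cap_in_mask(eff, CAP_NET_RAW_BIT));
    return 0;
}
```

Run it once right after logging in (to see what pam_cap placed in the inheritable set) and once as a copy carrying the file capability from `getcap`, and compare the three flags.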