5
我正在尝试使用原始套接字作为非root用户的Linux功能正常运行的程序。该程序如下:如何使用PAM功能模块将功能授予特定用户和可执行文件?
#include <netinet/ip.h>
int main()
{
int sd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
if(sd < 0)
{
perror("socket() error");
return 1;
}
return 0;
}
如果我编译并运行它以非根,我得到一个错误,如预期:
[[email protected] ~]$ make socket
cc socket.c -o socket
[[email protected] ~]$ ./socket
socket() error: Operation not permitted
如果我添加了cap_net_raw能力,作为一种有效的并允许能力,它的作品。
[[email protected] ~]$ sudo setcap cap_net_raw+ep socket
[sudo] password for user:
[[email protected] ~]$ ./socket
[[email protected] ~]$
现在,我想用pam_cap.so来让这个只有特定的用户可以与cap_net_raw运行,而不是每个人都这样的节目。我/etc/security/capability.conf是:
cap_net_raw user
我/etc/pam.d/login时(注意,我也尝试/etc/pam.d/sshd但似乎没有任何工作):
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
#Added this line to use pam_cap
auth required pam_cap.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
我有一个SSH会话,我登录并重新之后并执行以下命令:
[[email protected] ~]$ sudo setcap cap_net_raw+p socket
[sudo] password for user:
[[email protected] ~]$ getcap socket
socket = cap_net_raw+p
[[email protected] ~]$ ./socket
socket() error: Operation not permitted
[[email protected] ~]$
我的问题是:为什么我无法与cap_net_raw执行“插座”计划?我认为,当我登录时,我的用户将获得它作为允许的功能,并允许'用户'运行'套接字'与cap_net_raw。
这是我上运行:
[[email protected] ~]$ uname -a
Linux localhost.localdomain 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[[email protected] ~]$ cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)