Cannot strace sudo; reports that effective uid is nonzero

Command:

bigxu@bigxu-ThinkPad-T410 ~/work/lean $ sudo ls
content_shell.pak  leanote  libgcrypt.so.11  libnotify.so.4  __MACOSX      resources
icudtl.dat     leanote.png  libnode.so   locales     natives_blob.bin  snapshot_blob.bin

Most of the time it works, but sometimes it is very slow, so I traced it.

Command:

bigxu@bigxu-ThinkPad-T410 ~/work/lean $ strace sudo ls
execve("/usr/bin/sudo", ["sudo", "ls"], [/* 66 vars */]) = 0
brk(0)                                  = 0x7f2b3c423000
fcntl(0, F_GETFD)                       = 0
fcntl(1, F_GETFD)                       = 0
fcntl(2, F_GETFD)                       = 0
......
......
......
write(2, "sudo: effective uid is not 0, is"..., 140sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
) = 140
exit_group(1)                           = ?
+++ exited with 1 +++

Other information:

bigxu-ThinkPad-T410 lean # ls /etc/sudoers -alht
-r--r----- 1 root root 745  2月 11  2014 /etc/sudoers
bigxu-ThinkPad-T410 lean # ls /usr/bin/sudo -alht
-rwsr-xr-x 1 root root 152K 12月 14 21:13 /usr/bin/sudo
bigxu-ThinkPad-T410 lean # df `which sudo`
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/sdb1       67153528 7502092  56217148  12% 

For security reasons, the setuid bit and ptrace (used to run a binary under a debugger) cannot both be honoured at the same time. Failure to enforce this restriction in the past led to CVE-2001-1384.

Therefore any operating system designed with security in mind either stops supporting ptrace when executing a setuid binary, or does not honour the setuid bit while ptrace is in use.

On Linux, consider using Sysdig instead -- it can only observe behaviour, not modify it, so it does not run the same risk.

How to strace sudo

$ sudo  strace -u <username>  sudo -k <command>
  1. sudo runs strace as root.
  2. strace runs sudo as <username>, passed via the -u option.
  3. sudo, with the -k option, drops the cached credentials of the previous sudo (so that it asks for the password again) and runs <command>.

The second sudo is the tracee (the process being traced).

To put the current user in place of <username> automatically, use $(id -u -n).

Why sudo does not work with strace

In addition to the answer by Charles, here is what the execve() manual page says:

If the set-user-ID bit is set on the program file referred to by pathname, then the effective user ID of the calling process is changed to that of the owner of the program file. Similarly, when the set-group-ID bit of the program file is set the effective group ID of the calling process is set to the group of the program file.

The aforementioned transformations of the effective IDs are not performed (i.e., the set-user-ID and set-group-ID bits are ignored) if any of the following is true:

  • the no_new_privs attribute is set for the calling thread (see prctl(2));
  • the underlying filesystem is mounted nosuid (the MS_NOSUID flag for mount(2)); or
  • the calling process is being ptraced.

The capabilities of the program file (see capabilities(7)) are also ignored if any of the above are true.

The permissions required to trace a process and to inspect or modify its memory are described in the "Ptrace access mode checking" subsection of the NOTES section of the ptrace(2) manual page. I've commented about this in .
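The three conditions quoted from execve(2) above (no_new_privs, a nosuid mount, and being ptraced) are all visible from user space, so they can be checked before reaching for strace. The script below is an added diagnostic, not code from the original question or answers: it reads TracerPid and NoNewPrivs from /proc/$$/status, the mount options of the filesystem holding the binary via findmnt from util-linux, and the file mode via GNU stat (all of which are assumed to be available). The parsing helpers take their input as arguments so they can be exercised on constructed text, and the final function runs them against the live system.

```shell
#!/bin/sh
# Added example: diagnose why execve(2) would ignore the set-user-ID bit on a binary.
# Assumes Linux /proc, util-linux findmnt and GNU stat (all assumptions, not from the page).

# Extract a numeric field (e.g. TracerPid, NoNewPrivs) from /proc/<pid>/status-style text.
status_field() {   # usage: status_field "<status text>" FieldName
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2; exit }'
}

# Condition 1: the calling thread has no_new_privs set (prctl(PR_SET_NO_NEW_PRIVS)).
no_new_privs_from_text() {
    [ "$(status_field "$1" NoNewPrivs)" = "1" ]
}

# Condition 3: the process is being ptraced, i.e. TracerPid is nonzero.
traced_from_text() {
    tp=$(status_field "$1" TracerPid)
    [ -n "$tp" ] && [ "$tp" != "0" ]
}

# Condition 2: the mount options string (e.g. "rw,nosuid,relatime") contains nosuid.
nosuid_from_opts() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Does an octal mode as printed by `stat -c %a` (e.g. 4755) carry the setuid bit (04000)?
# A three-digit mode has no special-bits field at all, so it cannot be setuid.
setuid_from_mode() {
    m=$1
    [ ${#m} -eq 4 ] && [ $(( ${m%???} & 4 )) -ne 0 ]
}

# Run every check against the live system for one binary (default /usr/bin/sudo).
# Reads /proc/$$/status so that it describes this shell, not the cat child.
diagnose_setuid() {
    bin=${1:-/usr/bin/sudo}
    status=$(cat /proc/$$/status)
    mode=$(stat -c %a "$bin")
    opts=$(findmnt -n -o OPTIONS --target "$bin")
    if setuid_from_mode "$mode"; then
        echo "setuid bit is set on $bin (mode $mode)"
    else
        echo "no setuid bit on $bin (mode $mode): nothing for execve to honour"
    fi
    nosuid_from_opts "$opts"         && echo "filesystem holding $bin is mounted nosuid: setuid ignored"
    no_new_privs_from_text "$status" && echo "no_new_privs is set for this shell: setuid ignored"
    traced_from_text "$status"       && echo "this shell is being ptraced: setuid ignored"
    return 0
}
```

Running `diagnose_setuid` from a shell started under `strace` (or any ptrace-based tool) reports the third condition, which is exactly the situation in the question: the file is setuid root and the mount is not nosuid, yet sudo sees an effective uid that is not 0.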