Mhoroi mose. Tiri kushanda nesimba uye tave kutogadzirira zvakawanda zvine simba kutanga muna Ndira. Pakati pevamwe, kunyoreswa kwakaziviswa kune imwe nzira itsva yekosi yaanofarira yemunhu wese. . Tichitarisira kuvhurwa, isu tinogovana shanduro yezvinyorwa zvinobatsira.
Mvumo yefaira inopa imwe nzira yakachengeteka kune SUID inotemerwa, asi inogona kuita seyakavhiringidza zvishoma pakutanga.
Tese tinoziva kuti mabhinari ndiyo . Neraki, kana application yako ichida mamwe maropafadzo mashoma, pane imwe nzira inoshanda inodaidzwa .
Ini ndichakuchengetera imwe nguva kana iwe uchida kudzivirira kuverenga chinyorwa chiri pamusoro zvakadzama: Chaizvoizvo, mvumo yefaira inobvumira maitiro anomhanya semudzi uye saka anotenderwa kuita chimwe chinhu kuchengetedza humwe hunyanzvi, hushoma. pavanodonhedza ropafadzo uye zvichifambiswa nemushandisi asina mukana. Izvi zvinoreva kuti kana munhu anorwisa akakwanisa kukanganisa maitiro achishandisa buffer mafashama kana kumwe kubiridzira, ivo havazokwanisa kutora mukana wechimwe chinhu kunze kwemamwe maropafadzo mashoma anodiwa nemaitiro acho.
Mvumo yakanakira masevhisi anowanzo mhanya semidzi, asi ko nezve yekuraira mutsara utilities? Sezvineiwo, izvi zvinotsigirwawo chero iwe uine maturusi akakodzera akaiswa. Kana uri kushandisa Ubuntu, iwe semuenzaniso unoda iyo package libcap2-bin. Iwe zvakare unozofanirwa kumhanya isiri-archaic kernel (kubva mushanduro 2.6.24).
Aya mabasa anobvumira mvumo kuti ibatanidzwe nemafaira anogona kuitiswa, akafanana nekuisa SUID bit, asi chete kune yakatarwa seti yemvumo. Utility setcap inoshandiswa kuwedzera nekubvisa mvumo kubva mufaira.
Nhanho yekutanga ndeyekusarudza mvumo yaunoda. Nekuda kwechinyorwa ichi, ndiri kufungidzira kuti kune network yekuongorora mudziyo inonzi tracewalk, iyo inofanirwa kukwanisa kushandisa . Izvi zvinowanzoda kuti application iitwe semudzi, asi kana uchiona zvinoitika kuti mvumo chete inodiwa CAP_NET_RAW.
Tichifunga kuti uri mudhairekitori panowanikwa bhinari tracewalk, unogona kuwedzera iyi mvumo seizvi:
sudo setcap cap_net_raw=eip tracewalk
Rega chivakashure parizvino =eip kuitira kugadzirisa, ndichataura nezvazvo mumasekonzi mashoma. Ziva kuti zita remvumo riri mumavara madiki. Iwe unogona ikozvino kutarisa kana iwe wakagadzirisa mvumo nemazvo ne:
setcap -v cap_new_raw=eip tracewalkKana kuti iwe unogona kunyora zvese zvibvumirano zvakasetwa kune yakapihwa inoitiswa:
getcap tracewalk
Kuti utaure, iwe unogona zvakare kubvisa zvibvumirano zvese kubva pane zvinogoneka ne:
setcap -r tracewalkPanguva ino, iwe unofanirwa kukwanisa kumhanyisa zvinogoneka semushandisi asina rusarura, uye inofanirwa kukwanisa kushanda nezvigadziko zvakasvibirira, asi isina chero imwe ropafadzo iyo mudzi mushandisi.
Saka chivakashure ichi chinoshamisa chinorevei? =eip? Izvi zvinoda kumwe kunzwisisa kwemhando yemvumo. Maitiro ega ega ane matatu matatu emvumo - inoshanda, inogarwa nhaka uye inotenderwa:
- Zvinoshanda Mvumo ndeizvo zvinotsanangura izvo chirongwa chingaite chaizvo. Semuenzaniso, haigone kubata nema sockets kana
CAP_NET_RAWhaisi museti inoshanda. - Available mvumo ndeizvo izvo maitiro anotenderwa kuve nazvo kana achivakumbira vachishandisa kufona kwakakodzera. Vanodzivirira maitiro kubva pakuita chero chinhu kunze kwekunge zvakanyorwa zvakananga kukumbira mvumo yakataurwa. Izvi zvinobvumira maitiro kuti anyorwe kuwedzera mvumo yakakosha kune iyo inoshanda seti chete yenguva yavanenge vachinyatso kudiwa.
- Kugara nhaka mvumo ndeizvo zvinogona kugarwa nhaka museti inosvikika yemaitiro emwana akazvarwa. Panguva yekuvhiyiwa
fork()kanaclone()maitiro emwana anogara achipihwa kopi yemvumo yevabereki maitiro sezvo ichiri kuita zvakafanana zvinogoneka panguva iyoyo. Seti inogarwa nhaka inoshandiswa kanaexec()(kana kuti yakaenzana) inodanwa kutsiva iyo faira inogoneka neimwe. Panguva ino, iyo nzira iripo seti yakafukidzwa neyakagadzika seti kuti iwane inosvikika seti inozoshandiswa kune itsva maitiro.
Saka utility setcap inotibvumira kuwedzera mvumo yeaya matatu seti takazvimiririra kune yakapihwa inogoneka. Ziva kuti zvinorehwa nemapoka zvinodudzirwa zvakasiyana zvishoma kune mvumo yefaira:
- Inowanikwa mafaira emvumo ndeaya anogara aripo kune faira rinogoneka, kunyangwe kana maitiro emubereki akaridaidza akange asina. Vaimbonzi "forced" permits.
- Nhaka mvumo yefaira inotsanangura imwe mask iyo inogona zvakare kushandiswa kubvisa zvibvumirano kubva kune yekufona maitiro seti. Ivo vanonyorera mukuwedzera kune yekufona kwakagara nhaka seti, saka mvumo inogarwa chete kana iripo mumaseti ese ari maviri.
- Zvinoshanda mvumo yefaira ingori chidimbu chimwe chete, kwete seti, uye kana yaiswa, zvinoreva kuti yese iripo seti inokopwawo mune itsva maitiro ekuita seti. Izvi zvinogona kushandiswa kuwedzera mvumo kune maitiro asina kunyatso kunyorwa kuti azvikumbire. Sezvo iri chidimbu chimwe chete, kana ukachisetera chero mvumo, chinofanira kuisirwa zvibvumirano zvese. Unogona kufunga nezvayo senhaka diki nekuti inoshandiswa kubvumidza mvumo kuti ishandiswe nemaapplication asingavatsigire.
Kana uchitsanangura mvumo kuburikidza setcap mavara matatu e, i ΠΈ p kureva inoshanda, inogarwa nhaka uye inowanikwa seti zvichiteerana. Saka, tsanangudzo yekutanga:
sudo setcap cap_net_raw=eip tracewalk
...inoratidza kuti resolution CAP_NET_RAW inofanira kuwedzerwa kune iripo uye inogarwa seti uye kuti bhiti rinoshanda rinofanirawo kuiswa. Izvi zvinodarika chero mvumo dzakambosetwa pafaira. Kuseta mvumo dzakawanda kamwechete, shandisa runyoro rwakapatsanurwa nemakoma:
sudo setcap cap_net_admin,cap_net_raw=eip tracewalkinokurukura zvese izvi zvakadzama, asi ndinovimba iyi positi yakadzima zviri kuitika zvishoma. Pane mashoma mashoma uye mazano asara ekutaura.
Chekutanga, kugona kwefaira haashande nema symlinks - iwe unofanirwa kuaisa kune iyo binary faira pachayo (kureva chinangwa che symlink).
Chechipiri, haashande nemagwaro akadudzirwa. Semuenzaniso, kana uine Python script yaunoda kupa mvumo kwairi, unofanira kuigovera kumuturikiri wePython pachayo. Zviripachena kuti iyi inyaya yekuchengetedzeka nekuti zvese zvinyorwa zvinoitwa nemuturikiri iyeye zvichave nemvumo yakataurwa, kunyangwe izvi zvichiri nani pane kuzviita SUID. Iyo yakajairika workaround inoita kunge yekunyora yakaparadzana inoitiswa muC kana yakaenzana inogona kuita mashandiro anodiwa uye kuidaidza kubva pane script. Izvi zvakafanana nenzira inoshandiswa neWireshark iyo inoshandisa bhinari /usr/bin/dumpcap kuita mabasa akasarudzika:
$ getcap /usr/bin/dumpcap
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
Chechitatu, mvumo yefaira inovharwa kana ukashandisa shanduko yemamiriro ekunze LD_LIBRARY_PATH nokuda kwezvikonzero zvakajeka zvekuchengeteka(1). Izvi zvinoshandawo kune LD_PRELOAD, sekuziva kwangu.
1. Sezvo munhu anorwisa zviri pachena anogona kutsiva imwe yemaraibhurari akajairwa uye kushandisa LD_LIBRARY_PATHkumanikidza raibhurari yayo kuti idaidzwe pachinzvimbo cheraibhurari yehurongwa, uye nekudaro iine kodhi yayo yekupokana inoitwa neropafadzo dzakafanana neyekufona application.
Ndizvo zvose. Mamwe ruzivo nezve chirongwa chekosi anogona kuwanikwa pa
Source: www.habr.com