我想使用capsh为某个用户提供没有任何特权的shell,以便测试与非root用户但仅具有某些特权相关的安全性。
基本上,我想要运行类似于此的shell。这将模拟测试程序运行的状态。
capsh --print
Current: =
Bounding set =
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=10101(u0_a101)
gid=10101(u0_a101)
groups=9997(everybody),50101(all_a101)
我希望能够再次运行capsh来授予用户某些权限,如果可能的话,更改uid/gid。
我没有找到关于capsh的好教程,如果有人有好的参考资料,请分享。
List current capabilities
capsh --print
Current: =
Bounding set=cap_chown,cap_dac_override,[...]
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=1000(user)
gid=1000(user)
groups=4(adm),10101(u0_a101)
Drop all capabilities from 1. Bounding section:
capsh --drop=cap_chown,cap_dac_override,[...]
+ switch user and group:
capsh --gid=10101 --drop=cap_chown,cap_dac_override,[...] --uid=10101
+ join groups
capsh --gid=10101 --drop=cap_chown,cap_dac_override,[...] \
--uid=10101 --groups=9997,50101
+ execute application
capsh --gid=10101 --drop=cap_chown,cap_dac_override,[...] \
--uid=10101 --groups=9997,50101 -- -c 'ping 127.0.0.1'