Granting a unix process exclusive RW access to a directory

Published 2024-09-29 05:08:03

Comments (4)

北城挽邺 2024-10-06 05:08:03

File permissions are based on owner/group, not process, so multiple programs run by the same user are going to be able to access owned directories. However, if you create a temporary directory for each process before it runs and then chroot() it, then no process should be able to get out of its chroot jail to access other directories.

The basic notion is that the temp directory becomes the top of the directory tree as far as the process is concerned. The process doesn't know about, nor can it change to, anything above it. Otherwise it can read/write, create/delete whatever to its heart's content in its sandbox.

For instance:

/rundir
/rundir/temp1  <-- process 1 chroot jailed here, can't go above
/rundir/temp2  <-- process 2 chroot jailed here, can't go above

See also "man 8 chroot".
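An added example, not part of the answer above or of the original page: a C sketch of the per-process jail it describes, with the parent creating a private directory and a forked child calling chroot() into it before writing a file. The privilege drop is an addition here, because chroot() by itself does not confine a process that keeps root. Assumptions: the names `make_jail_dir` and `run_jailed`, the `/tmp/jail-XXXXXX` template and uid/gid 65534 ("nobody" on many systems) are illustrative choices.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

enum { JAIL_OK = 0, JAIL_SETUP_FAILED = 2, JAIL_NO_DROP = 3, JAIL_NO_WRITE = 4 };

/* Create a fresh private directory (mode 0700) from a template ending in XXXXXX. */
int make_jail_dir(char *tmpl) {
    return mkdtemp(tmpl) ? 0 : -1;
}

/* Fork a child, confine it to `dir`, drop to uid/gid, then write a file there.
 * Returns one of the JAIL_* codes, or -1 if fork/wait failed. */
int run_jailed(const char *dir, uid_t uid, gid_t gid) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Hand the directory to the unprivileged id, then make it the root. */
        if (chown(dir, uid, gid) != 0 || chroot(dir) != 0 || chdir("/") != 0)
            _exit(JAIL_SETUP_FAILED);      /* typically: caller is not root */
        /* Order matters: supplementary groups, then gid, then uid. */
        if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            _exit(JAIL_NO_DROP);
        if (setuid(0) == 0) _exit(JAIL_NO_DROP);   /* root must not be regainable */
        int fd = open("/scratch.txt", O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0 || write(fd, "ok\n", 3) != 3) _exit(JAIL_NO_WRITE);
        close(fd);
        _exit(JAIL_OK);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    char dir[] = "/tmp/jail-XXXXXX";
    if (make_jail_dir(dir) != 0) { perror("mkdtemp"); return 1; }
    int rc = run_jailed(dir, 65534, 65534);   /* 65534: assumed "nobody" id */
    printf("%s -> %d\n", dir, rc);
    return rc;
}
```

Run as root, the child ends up confined to its own directory; run unprivileged, the setup step fails and `run_jailed` reports `JAIL_SETUP_FAILED` instead of continuing unjailed.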

没企图 2024-10-06 05:08:03

in such a way that it can only write
in this directory, without limiting
too much of its functionality.

Wow, this sounds almost magical. Hardly a programming question.

生生漫 2024-10-06 05:08:03

Sounds like you want something like the Linux equivalent of the FreeBSD Jail, or at least something quite similar. This blog posting contains the description of a tool with the same name at least.

╰つ倒转 2024-10-06 05:08:03

You could use a kernel patch like Grsecurity (there are others that could do the job, I think, look for SELinux and AppArmor) to enforce RBAC (role-based access control) for a certain process.

I think using a security enhanced kernel is a must, given your usage scenario.
