Linux
命令跟踪 rsh 伺服器以檢查特定係統呼叫的行為
我正在與
rsh. 我想從頭到尾檢查整個過程。為此,我使用了strace.作業系統名稱是 CentOS。我在單機上工作,伺服器和客戶端在同一台機器上。
我的命令是,
rsh localhost ulimit -n為了進行跟踪,我使用了
strace rsh localhost ulimit -n.我讀取了執行上述命令期間打開的所有文件。但我想跟踪 rsh 伺服器如何設置 的限制
ulimit -n,因為 rsh 中的所有命令都由 rsh 守護程序執行。我正在尋找的系統呼叫是
setrlimit,,但它沒有通過使用顯示這個系統呼叫strace rsh localhost ulimit -n。為此,我必須跟踪 rsh server ,即 rsh 守護程序。但我不知道,我如何執行這項任務。
請告訴我命令及其解釋。
我知道在目前場景中沒有使用 rsh,但是我的項目正在使用它,所以請不要說,rsh 不好。我知道所有這些東西。
編輯編號 1
$ sudo lsof -i :514 COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME syslogd 2210 root 9u IPv4 6259 UDP *:syslog xinetd 2658 root 8u IPv4 8745 TCP *:shell (LISTEN)而且,
/etc/xinetd.d, 不包含 rshd,它包含 rsh、rexec、rlogin、rsync 等。編輯第 2 號
$$ related to comment by Chris Down $$
rsh localhost strace -o log_new bash -c 'ulimit -n'它給出了與我跑步時不同的答案
strace rsh localhost ulimit -nexecve("/bin/bash", ["bash", "-c", "ulimit", "-n"], [/* 15 vars */]) = 0 brk(0) = 0x13e86000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbab2000 uname({sys="Linux", node="jhamb.XXX.XXX", ...}) = 0 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=57641, ...}) = 0 mmap(NULL, 57641, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2af7bbab3000 close(3) = 0 open("/lib64/libtermcap.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\17\300T4\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=15584, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbac2000 mmap(0x3454c00000, 2108688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3454c00000 mprotect(0x3454c03000, 2093056, PROT_NONE) = 0 mmap(0x3454e02000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x3454e02000 close(3) = 0 open("/lib64/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\16@T4\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=23360, ...}) = 0 mmap(0x3454400000, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3454400000 mprotect(0x3454402000, 2097152, PROT_NONE) = 0 mmap(0x3454602000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x3454602000 close(3) = 0 open("/lib64/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\332\1T4\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1726320, ...}) = 0 mmap(0x3454000000, 3506520, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3454000000 mprotect(0x345414f000, 2097152, PROT_NONE) = 0 mmap(0x345434f000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14f000) = 0x345434f000 mmap(0x3454354000, 16728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3454354000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbac3000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbac4000 arch_prctl(ARCH_SET_FS, 0x2af7bbac3dd0) = 0 mprotect(0x3454602000, 4096, PROT_READ) = 0 mprotect(0x345434f000, 16384, PROT_READ) = 0 mprotect(0x3453e1c000, 4096, PROT_READ) = 0 munmap(0x2af7bbab3000, 57641) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 open("/dev/tty", O_RDWR|O_NONBLOCK) = -1 ENXIO (No such device or address) ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, 0x7fffb504cb00) = -1 EINVAL (Invalid argument) brk(0) = 0x13e86000 brk(0x13ea7000) = 0x13ea7000 getuid() = 500 getgid() = 500 geteuid() = 500 getegid() = 500 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 open("/proc/meminfo", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbab3000 read(3, "MemTotal: 3920228 kB\nMemFre"..., 4096) = 777 close(3) = 0 munmap(0x2af7bbab3000, 4096) = 0 rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGCHLD, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, 8) = 0 rt_sigaction(SIGINT, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGINT, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGQUIT, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigaction(SIGQUIT, {0x1, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, 8) = 0 uname({sys="Linux", node="jhamb.XXX.XXX", ...}) = 0 stat("/home/service", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 stat(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 getpid() = 30873 getppid() = 30829 stat(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0 stat("/home/service/bin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory) stat("/usr/local/sbin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory) stat("/usr/local/bin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory) stat("/usr/sbin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory) stat("/sbin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory) stat("/usr/kerberos/bin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory) stat("/usr/bin/bash", 0x7fffb504cab0) = -1 ENOENT (No such file or directory) stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=801512, ...}) = 0 access("/bin/bash", X_OK) = 0 access("/bin/bash", R_OK) = 0 stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=801512, ...}) = 0 access("/bin/bash", X_OK) = 0 access("/bin/bash", R_OK) = 0 getpgrp() = 30829 rt_sigaction(SIGCHLD, {0x436080, [], SA_RESTORER, 0x3454030330}, {SIG_DFL, [], SA_RESTORER, 0x3454030330}, 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 getpeername(0, {sa_family=AF_INET, sin_port=htons(61000), sin_addr=inet_addr("127.0.0.1")}, [5255137823777882128]) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 getrlimit(RLIMIT_FSIZE, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0 fstat(1, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2af7bbab3000 write(1, "unlimited\n", 10) = 10 exit_group(0) = ?編輯 No.3
# grep -e ulimit -e setrlimit rsh.strace. rsh.strace.31472:14:22:42.966361 setrlimit(RLIMIT_NOFILE, {rlim_cur=1024, rlim_max=1024}) = 0 rsh.strace.31474:14:22:43.085822 execve("/bin/bash", ["bash", "-c", "ulimit -n"], [/* 4 vars */]) = 0 rsh.strace.31474:14:22:43.546754 setrlimit(RLIMIT_CORE, {rlim_cur=RLIM_INFINITY, rlim_max=RLIM_INFINITY}) = 0編輯 4:
/etc/security/limits.conf刪除評論* soft core unlimited * hard core unlimited @service hard nofile 13000 @service soft nofile 13000 * soft nofile 12000 * hard nofile 12000
您需要確定伺服器上執行
rshakashell服務的伺服器程序。傳統上,它由inetd或xinetd元守護程序啟動,它偵聽shellTCP 埠 (514) 並rshd在傳入連接時執行命令。lsof -i tcp:shell(以 root 身份)將告訴您正在偵聽該埠的程序。
您可以使用以下方法對其進行跟踪:
strace -tt -ff -o rsh.strace -p "the-PID"該
-ff選項遵循分叉並為每個程序創建一個日誌文件,使其更易於閱讀。日誌文件將命名為對應程序
rsh.strace.<pid>的<pid>程序 ID。xinetd將產生一個新程序來執行rshd伺服器,它本身可能會產生另一個程序來執行使用者的登錄 shell,它本身可能會在解釋時產生多個程序~/.bashrc(是bash的(如果它是使用者的登錄 shell),甚至~/.bashrc在執行時也會解釋rsh如果它不是登錄外殼)。然後,您可以在那裡查看誰
setrlimit與:grep setrlimit rsh.strace.*一旦你確定了這個過程。你可以做一個
grep execve rsh.strace.<that-pid>要查看該程序是否在執行之前執行了命令,
setrlimit這將告訴您執行了ulimit. 如果該過程沒有這樣做,execve那麼它的父母或祖父母就會這樣做。您可以通過檢查導致fork/的程序來找出父程序,例如:clone``<pid>grep -E '(clone|fork).*= <that-pid>' rsh.strace.*如果程序是
inetd/xinetd並且inetd在旁邊為許多其他服務提供服務shell,或者您可以將其配置更改為執行strace -tt -ff -o /var/log/rsh.strace in.rshd而不是in.rshd為shell服務執行,或者製作一個包裝腳本in.rshd來呼叫真正in.rshd的strace.現在設置 的兩個可能的東西
ulimit是PAM(通過pam_limits模組和/etc/security/limits.conf),以及遠端使用者的登錄 shell 啟動腳本。在後一種情況下
stracingrshd,您可以在登錄 shell 中啟用 shell 跟踪,而不是 。例如,如果遠端使用者的登錄 shell 是bash或sh,sh作為 的符號連結bash,您可以將/usr/sbin/in.rshd(或任何rsh守護程序命令的位置)更改為執行以下操作的包裝腳本:#! /bin/sh - exec /usr/bin/env SHELLOPTS=xtrace "$0.bin" "$@"將其重命名為
in.rshd.bin.