Permissions
nosuid 可以綁定掛載到 suid 分區嗎?
如果我已經
/target掛載了suid,然後在 /bound with 上進行了綁定掛載mount -o bind,nosuid /target /bound,nosuid 會在 /bound 上生效嗎?(imo它應該生效,但我仍然想要一個明確的答案,而且似乎沒有其他人在這裡詢問過)
是的,即使目標有 suid,bind 也能夠強制執行 nosuid。這是我執行的測試:
a.out的C原始碼:
#include <stdio.h> #include <unistd.h> #include <sys/types.h> int main(){ uid_t uid=getuid(), euid=geteuid(); printf("uid: %u, euid: %u\n",uid,euid); return 0; }進而
root@ratma:/# mount -o bind,nosuid /target /bound root@ratma:/# su hans hans@ratma:/$ stat /target/a.out File: /target/a.out Size: 16712 Blocks: 40 IO Block: 4096 regular file Device: 18h/24d Inode: 194454 Links: 1 Access: (6755/-rwsr-sr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2019-12-12 07:52:45.132465174 +0000 Modify: 2019-12-12 07:52:45.132465174 +0000 Change: 2019-12-12 07:53:24.720322010 +0000 Birth: - hans@ratma:/$ stat /bound/a.out File: /bound/a.out Size: 16712 Blocks: 40 IO Block: 4096 regular file Device: 18h/24d Inode: 194454 Links: 1 Access: (6755/-rwsr-sr-x) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2019-12-12 07:52:45.132465174 +0000 Modify: 2019-12-12 07:52:45.132465174 +0000 Change: 2019-12-12 07:53:24.720322010 +0000 Birth: - hans@ratma:/$ id uid=1000(hans) gid=1000(hans) groups=1000(hans),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev) hans@ratma:/$ /target/a.out uid: 1000, euid: 0 hans@ratma:/$ /bound/a.out uid: 1000, euid: 1000成功。如果它不起作用,它會在 /bound/a.out 上顯示“euid: 0” :)