A normal user can be given a copy of capsh carrying file capabilities so that privileged operations (switching user with setuid, for example) can be done without sudo. This is not risk-free: a capsh binary with cap_setuid, cap_setgid and cap_setpcap in its permitted and effective sets lets the user run `./capsh --user=root --` and obtain a uid 0 shell, so it is functionally passwordless sudo. Only grant it to an account that was going to get sudo anyway.
The netstat test below shows the idea. For something safer, write a small dedicated wrapper (in Go or a similar language) that checks the requested target user against an allowlist and refuses to switch to root, instead of handing out capsh with every capability.
Two details to watch in the transcript: getcap prints "35,36" for the two capabilities the installed libcap has no names for (CAP_WAKE_ALARM and CAP_BLOCK_SUSPEND), and in the second run `-c netstat -anlp` passes only `netstat` to `bash -c`, with `-anlp` ending up as `$0`. That is why the second output resolves service names and omits the listening sockets; quote the command as `-c 'netstat -anlp'` to get the intended flags.
[xiehq@140 ~]$ getcap ./capsh
./capsh = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,35,36+eip
[xiehq@140 ~]$ netstat -anlp|head
(No info could be read for "-p": geteuid()=1000 but you should be root.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 192.168.157.140:22 192.168.157.1:49922 ESTABLISHED -
tcp 0 0 192.168.157.140:22 192.168.157.1:55424 ESTABLISHED -
tcp 0 96 192.168.157.140:22 192.168.157.1:55548 ESTABLISHED -
tcp6 0 0 :::2181 :::* LISTEN -
tcp6 0 0 :::7687 :::* LISTEN -
tcp6 0 0 :::3306 :::* LISTEN -
[xiehq@140 ~]$ ./capsh --user=root -- -c netstat -anlp|head
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 140.localdomain:ssh 192.168.157.1:49922 ESTABLISHED
tcp 0 0 140.localdomain:ssh 192.168.157.1:55424 ESTABLISHED
tcp 0 96 140.localdomain:ssh 192.168.157.1:55548 ESTABLISHED
tcp6 0 0 192.168.157.140:mysql 192.168.157.1:52669 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 23423 /run/systemd/shutdownd
unix 2 [ ] DGRAM 45466 /var/run/chrony/chronyd.sock
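The following Go program is an added example of the restricted wrapper suggested above; it is not code from the original page. It accepts capsh-style arguments (`--user=NAME -- command ...`), checks the target against a hard-coded allowlist (the names `netmon` and `backup` and the binary name `runas` are assumptions), refuses root by name or by uid, drops supplementary groups, gid and uid in that order, and then execs the command with a minimal environment. Grant it only `cap_setuid,cap_setgid+ep` with setcap rather than the full set shown in the getcap output.

```go
// runas: hypothetical privilege-dropping wrapper (added example, not the page's code).
// Build, then: sudo setcap cap_setuid,cap_setgid+ep ./runas
// Usage:       ./runas --user=netmon -- netstat -anlp
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"os/user"
	"strconv"
	"strings"
	"syscall"
)

// allowedUsers is the policy. Assumed values; a real deployment would read a
// root-owned config file, never something the invoking user can edit.
var allowedUsers = map[string]bool{
	"netmon": true,
	"backup": true,
}

// checkTarget enforces the rule the text asks for: the target must be on the
// allowlist and must not be root, whether spelled "root" or any account with uid 0.
func checkTarget(name string, uid int, allow map[string]bool) error {
	if name == "" {
		return errors.New("no target user given")
	}
	if name == "root" || uid == 0 {
		return errors.New("switching to root is not permitted")
	}
	if !allow[name] {
		return fmt.Errorf("user %q is not on the allowlist", name)
	}
	return nil
}

// parseArgs understands "--user=NAME -- cmd args..." in the same shape as capsh.
func parseArgs(args []string) (target string, cmd []string, err error) {
	for i, a := range args {
		switch {
		case strings.HasPrefix(a, "--user="):
			target = strings.TrimPrefix(a, "--user=")
		case a == "--":
			if len(args[i+1:]) == 0 {
				return "", nil, errors.New("no command after --")
			}
			return target, args[i+1:], nil
		default:
			return "", nil, fmt.Errorf("unknown argument %q", a)
		}
	}
	return "", nil, errors.New("missing -- before command")
}

func main() {
	target, cmd, err := parseArgs(os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, "usage: runas --user=NAME -- command [args...]:", err)
		os.Exit(2)
	}
	u, err := user.Lookup(target)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	uid, _ := strconv.Atoi(u.Uid)
	gid, _ := strconv.Atoi(u.Gid)
	if err := checkTarget(target, uid, allowedUsers); err != nil {
		fmt.Fprintln(os.Stderr, "refused:", err)
		os.Exit(1)
	}
	// Drop privilege in the safe order: supplementary groups, gid, then uid.
	// Needs CAP_SETGID/CAP_SETUID; Go >= 1.16 applies these calls to all threads.
	if err := syscall.Setgroups([]int{gid}); err != nil {
		fmt.Fprintln(os.Stderr, "setgroups:", err)
		os.Exit(1)
	}
	if err := syscall.Setgid(gid); err != nil {
		fmt.Fprintln(os.Stderr, "setgid:", err)
		os.Exit(1)
	}
	if err := syscall.Setuid(uid); err != nil {
		fmt.Fprintln(os.Stderr, "setuid:", err)
		os.Exit(1)
	}
	// Fixed PATH and a minimal environment so the caller cannot smuggle in
	// LD_PRELOAD or a lookalike binary. No ambient capabilities are set, so the
	// exec'd program does not inherit this wrapper's file capabilities.
	os.Setenv("PATH", "/usr/sbin:/usr/bin:/sbin:/bin")
	path, err := exec.LookPath(cmd[0])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(127)
	}
	env := []string{"PATH=" + os.Getenv("PATH"), "HOME=" + u.HomeDir,
		"USER=" + u.Username, "LOGNAME=" + u.Username}
	if err := syscall.Exec(path, cmd, env); err != nil {
		fmt.Fprintln(os.Stderr, "exec:", err)
		os.Exit(126)
	}
}
```

Because the command is taken as separate argv entries after `--`, the quoting problem seen with `capsh -- -c netstat -anlp` does not arise here: every word after `--` reaches the program unchanged.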