Chinaunix
A directory on NFS contains setuid programs; how do I configure it so that clients can use these setuid programs after mounting?

Posted 2011-07-29 18:19
The description is a bit roundabout; here is the situation:

I don't want ordinary users to have root privileges on their own machines, but some commands sometimes need root privileges to work properly.
So the plan is:
On the NFS server, create a directory /tools, put mount, adb, fastboot and similar programs into it, then $ cd /tools && chown root:root * && chmod 4755 *
Edit /etc/exports
/tools *(ro,all_root_squash,anonuid=0,anongid=0)

Restart the NFS service.

On the client, mount the tools directory from the NFS server
$ mkdir /tmp/test && sudo mount -t nfs x.x.x.x:/tools /tmp/test

The mount succeeds, and:
$ ls -l /tmp/test
rwsr-xr-x 1 root       root         82256 2011-07-29 17:20 mount

However,
$ /tmp/test/mount -a

mount: only root can do that


I know the NFS server configuration is wrong, but after trying for a long time I haven't found the correct configuration.

Of course this could be done with /etc/sudoers, but I'd still prefer NFS, because it makes adding other commands later convenient.

Posted 2011-07-29 18:51
Reply to #1 angle4

This is the first time I've seen a command directory mounted like this. sudoers can restrict which commands a user may run, and adding more is easy too.

Posted 2011-08-01 09:11
There are many machines; every time a new command is added, they would have to be modified one by one.

NFS solves it once and for all.

Posted 2011-08-01 09:17
Reply to #3 angle4

Did this experiment work out?

Posted 2011-08-01 09:49
Reply to #1 angle4


    die (EX_USAGE, _("mount: only root can do that"));  


As with mount, the source code itself performs that check.

Posted 2011-08-03 12:24
This post was last edited by angle4 on 2011-08-03 12:26

By mounting the tools directory from the NFS server, adb and fastboot can be run with root privileges.
But commands such as mount and apt-get require uid == 0.
The current plan:
Put adb, fastboot and similar commands on NFS, $ chmod 4755 *, and edit /etc/fstab on the client.
The other commands stay in /etc/sudoers.

To do this in batch, a script.
$ git clone git://github.com/wallunit/ssh4py
$ cd ssh4py && python setup.py build && sudo python setup.py install

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 script using the ssh4py (libssh2) bindings installed above.

import sys
import socket
import libssh2

def get_channel(session):
    # Open a new channel; None means the session is non-blocking and not ready yet.
    try:
        channel = session.channel()
    except libssh2.Error, e:
        if e.errno == libssh2.ERROR_EAGAIN:
            return None
        raise

    return channel

def channel_execute(channel, command):
    # Run command on the channel; True means "try again" (EAGAIN).
    try:
        channel.execute(command)
    except libssh2.Error, e:
        if e.errno == libssh2.ERROR_EAGAIN:
            return True
        raise

    return False

def channel_read_to_end(channel):
    # Collect stdout and stderr until the remote side signals EOF.
    stdout = ''
    stderr = ''

    while not channel.eof:
        # Read a chunk of up to 1024 bytes from stdout.
        try:
            data = channel.read(1024)
            if data:
                stdout = stdout + data
        except libssh2.Error, e:
            if e.errno == libssh2.ERROR_EAGAIN:
                return None
            raise

        # Read a chunk of up to 1024 bytes from stderr.
        try:
            data = channel.read(1024, libssh2.STDERR)
            if data:
                stderr = stderr + data
        except libssh2.Error, e:
            if e.errno == libssh2.ERROR_EAGAIN:
                return None
            raise

    out = { 'stdout' : stdout, 'stderr' : stderr }
    return out

def get_execute_output(channel, s):
    data = channel_read_to_end(channel)
    if data is None:
        # Non-blocking read hit EAGAIN before EOF; nothing to report.
        print '\tno output yet for ' + s
        channel.wait_closed()
        return
    if channel.get_exit_status() == 0:
        print data['stdout']
        print '\tchanged ' + s + ' done.'
    else:
        print data['stderr']
        print '\tfailed in changing ' + s
    channel.wait_closed()

def write_file_cmd(path, content):
    # Write content through a quoted heredoc. The sudoers text below contains
    # single quotes ('visudo'), which would terminate a plain echo '...' string.
    return "cat > " + path + " <<'__EOF__'\n" + content + "\n__EOF__"

def change_apt_sources(session):
    # change /etc/apt/sources.list
    my_cmd = write_file_cmd('/etc/apt/sources.list', my_sourceslist)
    channel = get_channel(session)
    channel_execute(channel, my_cmd)
    get_execute_output(channel, '/etc/apt/sources.list')

def change_sudoers(session):
    # Write to a temporary file and let visudo -c check the syntax before
    # installing it, so a malformed file never locks sudo out on the remote host.
    my_cmd = (write_file_cmd('/etc/sudoers.new', my_sudoers) +
              "\nvisudo -c -f /etc/sudoers.new && install -m 0440 /etc/sudoers.new /etc/sudoers")
    channel = get_channel(session)
    channel_execute(channel, my_cmd)
    get_execute_output(channel, '/etc/sudoers')

def change_password(session, user, passwd):
    my_cmd = 'echo "' + user + ':' + passwd + '"' + ' | chpasswd'
    channel = get_channel(session)
    channel_execute(channel, my_cmd)
    get_execute_output(channel, 'change password for ' + user)

# changed /etc/sudoers
my_sudoers = '''# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification
Cmnd_Alias KILL = /bin/kill
Cmnd_Alias PKG = /usr/bin/apt-get, /usr/bin/dpkg
Cmnd_Alias SHUTDOWN = /sbin/shutdown, /sbin/reboot, /sbin/halt
Cmnd_Alias NETOP = /sbin/ifconfig, /usr/sbin/tcpdump
Cmnd_Alias MOUNT = /bin/mount, /bin/umount
# configuration edit by vim
Cmnd_Alias VIMAPT = /usr/bin/vim /etc/apt/sources.list
Cmnd_Alias VIMHOSTS = /usr/bin/vim /etc/hosts
Cmnd_Alias VIMRESOLV = /usr/bin/vim /etc/resolv.conf
Cmnd_Alias VIMUDEV = /usr/bin/vim /etc/udev/rules.d/51-android.rules
Cmnd_Alias VIMFSTAB = /usr/bin/vim /etc/fstab
Cmnd_Alias VIMXIM = /usr/bin/vim /usr/lib/gtk-2.0/2.10.0/immodule-files.d/libgtk2.0-0.immodules
# configuration edit by gedit
Cmnd_Alias GEDITAPT = /usr/bin/gedit /etc/apt/sources.list
Cmnd_Alias GEDITHOSTS = /usr/bin/gedit /etc/hosts
Cmnd_Alias GEDITRESOLV = /usr/bin/gedit /etc/resolv.conf
Cmnd_Alias GEDITUDEV = /usr/bin/gedit /etc/udev/rules.d/51-android.rules
Cmnd_Alias GEDITFSTAB = /usr/bin/gedit /etc/fstab
Cmnd_Alias GEDITXIM = /usr/bin/gedit /usr/lib/gtk-2.0/2.10.0/immodule-files.d/libgtk2.0-0.immodules
# command list
Cmnd_Alias EXECCMDLIST = KILL, PKG, SHUTDOWN, NETOP, MOUNT
Cmnd_Alias NOEXECCMDLIST = VIMAPT, VIMHOSTS, VIMRESOLV, VIMUDEV, VIMFSTAB, \\
        GEDITAPT, GEDITHOSTS, GEDITRESOLV, GEDITUDEV, GEDITFSTAB

# User privilege specification
root        ALL=(ALL) ALL

# Allow members of group sudo to execute any command after they have
# provided their password
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%cdgroup ALL = EXECCMDLIST, NOEXEC: NOEXECCMDLIST'''

my_sourceslist = '''# our local repository
deb http://company-mirror/ubuntu lucid main restricted universe multiverse
deb-src http://company-mirror/ubuntu lucid main restricted universe multiverse
deb http://company-mirror/ubuntu lucid-updates main restricted universe multiverse
deb-src http://company-mirror/ubuntu lucid-updates main restricted universe multiverse
deb http://company-mirror/ubuntu lucid-security main restricted universe multiverse
deb-src http://company-mirror/ubuntu lucid-security main restricted universe multiverse'''

# get ip list
NETWORK = '172.x.x.'   # placeholder: site network prefix
IP_START = x           # placeholder: first host number
IP_END = x             # placeholder: last host number
IP_LIST = []
USER = 'root'
PASS = 'secret'
DONE_LIST = []

for x in range(IP_START, IP_END+1):
    IP_LIST.append(NETWORK + str(x))

for x in IP_LIST:
    print 'login ' + x

    # connect to each machine
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((x, 22))
    except socket.error:
        continue

    session = libssh2.Session()
    session.startup(sock)

    # login
    session.userauth_password(USER, PASS)

    # change root's passwd
    change_password(session, 'root', 'newpasswd')

    # change others ...

    print x + ' done.'
    DONE_LIST.append(x)

print DONE_LIST
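As an added example (not from this thread or from ssh4py), a small Python 3 checker that parses the /etc/exports line from post 1 and the client fstab line the final plan implies, and reports what each setting actually does: all_root_squash is not an exportfs option, anonuid=0 only changes how the server handles squashed requests (it does not make the client honour setuid), and setuid bits on an NFS mount are honoured unless the client mounts with nosuid. The sample lines are constructed; the server address is the thread's x.x.x.x placeholder.

```python
#!/usr/bin/env python3
# Audit an /etc/exports line and a client fstab line for the setuid-over-NFS setup.
import re

SQUASH_OPTS = {"root_squash", "no_root_squash", "all_squash", "no_all_squash"}

def parse_export(line):
    # "/tools *(ro,anonuid=0)" -> (path, client, {option: value or True})
    m = re.match(r"^(\S+)\s+(\S*?)\(([^)]*)\)\s*$", line.strip())
    if not m:
        raise ValueError("unparsable export line: %r" % line)
    path, client, raw = m.groups()
    opts = {}
    for item in filter(None, raw.split(",")):
        key, _, val = item.partition("=")
        opts[key] = val if val else True
    return path, client or "*", opts

def audit_export(path, client, opts):
    # Human-readable findings for one export entry.
    findings = []
    for k in opts:
        if k.endswith("squash") and k not in SQUASH_OPTS:
            findings.append("unknown option %r: exportfs rejects it (all_squash?)" % k)
    if opts.get("anonuid") == "0" or opts.get("anongid") == "0":
        findings.append("anonuid/anongid=0: squashed client users act as root on the server")
    if client == "*":
        findings.append("%s is exported to every host" % path)
    if "ro" not in opts:
        findings.append("%s is writable: a client could plant a setuid binary" % path)
    return findings

def parse_fstab(line):
    # "host:/tools /tmp/test nfs defaults 0 0" -> (source, mountpoint, fstype, {opts})
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("unparsable fstab line: %r" % line)
    return fields[0], fields[1], fields[2], set(fields[3].split(","))

def audit_mount(fstype, opts):
    # Setuid bits on an NFS mount are honoured unless the client says nosuid.
    findings = []
    if fstype.startswith("nfs") and "nosuid" not in opts:
        findings.append("mount honours setuid bits; use nosuid unless the export is trusted")
    return findings

# Constructed samples: the thread's export line and the client mount it implies.
SAMPLE_EXPORT = "/tools *(ro,all_root_squash,anonuid=0,anongid=0)"
SAMPLE_FSTAB = "x.x.x.x:/tools /tmp/test nfs defaults 0 0"

if __name__ == "__main__":
    for f in audit_export(*parse_export(SAMPLE_EXPORT)):
        print("exports:", f)
    for f in audit_mount(*parse_fstab(SAMPLE_FSTAB)[2:]):
        print("fstab:", f)
```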