我发现,ping作为用户运行时有效,但在使用root时不起作用。问题是,当使用root时,LD不会加载/lib64/libnss_dns.so.2库,它会收到EACCESS错误。
当我从root运行ping时:
root# ping -c1 localhost
ping: unknown host localhost
这是因为:
root# strace ping -c1 localhost
....
open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
open("/lib64/tls/x86_64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
stat("/lib64/tls/x86_64", 0x7fffa619da70) = -1 EACCES (Permission denied)
open("/lib64/tls/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
stat("/lib64/tls", 0x7fffa619da70) = -1 EACCES (Permission denied)
open("/lib64/x86_64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
stat("/lib64/x86_64", 0x7fffa619da70) = -1 EACCES (Permission denied)
open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
stat("/lib64", {st_mode=S_IFDIR|0655, st_size=4096, ...}) = 0
不用担心。 /lib64/libnss_files.so.2存在于我的系统中:
# ls -la /lib64/libnss_files.so.2
lrwxrwxrwx 1 root root 20 2015-08-19 /lib64/libnss_files.so.2 -> libnss_files-2.15.so
$ ls -la /lib64/libnss_files-2.15.so
-rwxr-xr-x 1 root root 62418 2012-07-16 /lib64/libnss_files-2.15.so
以用户身份运行时,ping工作正常:
user# ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.038 ms
--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.038/0.038/0.038/0.000 ms
user# strace ping -c1 localhost
...
open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
...
如果我执行LD_PRELOAD libnss_files.so.2,则ping从root工作(为什么?):
root# LD_PRELOAD=/lib64/libnss_files.so.2 ping -c1 localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.043 ms
--- localhost ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.043/0.043/0.043/0.000 ms
这个系统ping有setuid:
# ls -la /usr/bin/ping
-rwsr-sr-x 1 root root 40000 2012-07-16 /usr/bin/ping
怎么可能?为什么root在加载库时会出现EACCES错误,而用户加载它时没有问题?为什么LD_PRELOAD对setuid的二进制文件有影响?如果从root用户运行LD_PRELOAD对具有setuid的二进制文件有影响吗?
我有脚本记录了用户和root用户运行的LD_DEBUG=all ping -c1 localhost和strace -f ping -c1 localhost的输出:
系统相对较旧:
# uname -a
Linux gucio 3.4.6-2.10-desktop #1 SMP PREEMPT Thu Jul 26 09:36:26 UTC 2012 (641c197) x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/SuSE-release
openSUSE 12.2 (x86_64)
VERSION = 12.2
CODENAME = Mantis
$ ping -V
ping utility, iputils-sss20101006
此系统中没有SELinux。这个系统中有AppArmor。
答案 0 :(得分:1)
https://serverfault.com/questions/747784/ping-as-root-doesnt-work-with-hostname-but-with-ip-normal-user-works接受的答案表明/(或/lib64)的权限可能存在问题。
在这种情况下,x上的所有者缺少/权限,chmod +x /解决了问题。
也许您的系统遭受相同的权限问题?