我们遇到了一个奇怪的问题,非root用户无法在某些目录中执行任何文件(脚本或二进制文件).本抄本说明了这个问题：

[root@b6 /]# mkdir q

[root@b6 /]# cp /bin/echo .

[root@b6 /]# cp /bin/echo q

[root@b6 /]# chown -R apps q

[root@b6 /]# ./echo ok

ok

[root@b6 /]# ./q/echo ok

ok

[root@b6 /]# su - apps

[apps@b6 ~]$cd /

[apps@b6 /]$./echo ok

ok

[apps@b6 /]$./q/echo ok

-bash: ./q/echo: Permission denied

[apps@b6 /]$ls -ld . echo q q/echo

dr-xr-xr-x. 29 root root 4096 Jun 10 00:34 .

-rwxr-xr-x. 1 root root 28176 Jun 10 00:34 echo

drwxr-xr-x. 2 apps root 4096 Jun 10 00:34 q

-rwxr-xr-x. 1 apps root 28176 Jun 10 00:34 q/echo

[apps@b6 /]# getfacl q q/echo

# file: q

# owner: apps

# group: root

user::rwx

group::r-x

other::r-x

# file: q/echo

# owner: apps

# group: root

user::rwx

group::r-x

other::r-x

[apps@b6 /]$id

uid=2070(apps) gid=2070(apps) groups=2070(apps) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[apps@b6 /]$uname -a

Linux b6.pdc 2.6.32-358.18.1.el6.x86_64 #1 SMP Wed Aug 28 17:19:38 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

[apps@b6 /]$df / /q

Filesystem 1K-blocks Used Available Use% Mounted on

/dev/md2 198166644 4273776 183826596 3% /

/dev/md2 198166644 4273776 183826596 3% /

[apps@b6 /]$mount

/dev/md2 on / type ext4 (rw)

...

[apps@b6 /]$getenforce

Permissive

[apps@b6 /]$strace q/echo ok

execve("q/echo",["q/echo","ok"],[/* 22 vars */]) = -1 EACCES (Permission denied)

dup(2) = 3

fcntl(3,F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)

fstat(3,{st_mode=S_IFCHR|0620,st_rdev=makedev(136,0),...}) = 0

mmap(NULL,4096,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0) = 0x7f237b0a0000

lseek(3,SEEK_CUR) = -1 ESPIPE (Illegal seek)

write(3,"strace: exec: Permission denied\n",32strace: exec: Permission denied

) = 32

close(3) = 0

munmap(0x7f237b0a0000,4096) = 0

exit_group(1) = ?

我们的第一个想法是selinux,但这是关闭的.

接下来是f / s上的noexec,但事实并非如此.

我们的用户shell只是常规的bash(不受限制).