Reproducing the problem
Write a simple a.c program
#include <stdio.h>
void main(){
    printf("zzz\n");
}
Compile the program to produce the a.out executable
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ gcc a.c
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ll
總用量 24
drwxrwxr-x 2 greatwall greatwall 4096 6月 9 14:49 ./
drwx------ 26 greatwall greatwall 4096 6月 9 14:39 ../
-rw-rw-r-- 1 greatwall greatwall 55 6月 9 14:38 a.c
-rwxrwxr-x 1 greatwall greatwall 9488 6月 9 14:49 a.out*
As the listing shows, the generated a.out has execute permission
Run the program
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ./a.out
bash: ./a.out: 權限不夠
Error
Permission denied ("權限不夠" in the output above)
Solutions
Option 1: set the Kylin system security status to Softmode
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ sudo setstatus Softmode
[sudo] greatwall 的密碼:
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ getstatus
KySec status: Softmode
exec control: on
file protect: on
kmod protect: on
three admin : off
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ./a.out
zzz
Option 2: set the kysec execute permission on the a.out file alone
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ sudo kysec_set -n exectl -v trusted ./a.out
[sudo] greatwall 的密碼:
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ./a.out
zzz
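Summary
1. Option 1 is suited to development environments, where it effectively avoids failures in which the various files produced by compilation cannot be executed
2. Option 2 is suited to Normal mode, for granting execute permission to a piece of software after it has been installed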
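Option 1 changes the security status of the whole system, so a host that is meant to stay in Normal mode can be checked by parsing the getstatus output. The script below is an added example, not part of the original page or of the KySec tooling; the function names kysec_field and kysec_check are hypothetical, and it assumes that getstatus prints the "key: value" layout shown above and reports Normal mode as "Normal".

```shell
#!/bin/sh
# Added example: read getstatus output and report whether KySec is in the
# mode expected for this host. Assumes the "key: value" layout shown above.

# Print the value of one field, e.g. "KySec status" or "exec control".
# $1 = field name; the text to parse is read from stdin.
kysec_field() {
    # Trim spaces around key and value ("three admin : off" has both).
    awk -F':' -v key="$1" '
        { k = $1; v = $2
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) { print v; exit } }'
}

# Return 0 if the status equals the expected mode and exec control is on.
# $1 = expected mode (assumed value: Normal), $2 = getstatus output text
kysec_check() {
    mode=$(printf '%s\n' "$2" | kysec_field "KySec status")
    exectl=$(printf '%s\n' "$2" | kysec_field "exec control")
    if [ "$mode" = "$1" ] && [ "$exectl" = "on" ]; then
        echo "OK: mode=$mode exec_control=$exectl"
        return 0
    fi
    echo "WARN: expected mode=$1, got mode=${mode:-?} exec_control=${exectl:-?}"
    return 1
}

# Sample input copied from the getstatus output shown above (Softmode).
SAMPLE_SOFTMODE='KySec status: Softmode
exec control: on
file protect: on
kmod protect: on
three admin : off'

# On a real host: kysec_check Normal "$(getstatus)"
kysec_check Softmode "$SAMPLE_SOFTMODE"
kysec_check Normal "$SAMPLE_SOFTMODE" || true
```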
Appendix
kysec_set man page
kysec_set(8)              System Manager's Manual              kysec_set(8)

NAME
       kysec_set - set kysec label for specfied path(s)

SYNOPSIS
       kysec_set [ -n part ] [ -r ] -v value path1 ..

DESCRIPTION
       kysec_set set the kysec label of specified files or directories to
       value. Kysec label is composed of three parts: identify part,
       protect part and exectl part.

       when not used with -n option, kysec label should be in such format:
       "identify:protect:exectl". Set the new value to 'none' to clear the
       corresponding part of kysec label.

       for identify part, these values are valid:
              secadm    commands for secadm
              audadm    commands for auditadm

       for exectl part, these values are valid:
              unknown   unknown files
              original  original system files
              verified  verified 3rd party files
              kysoft    software installer
              trusted   trusted files

       for protect part, only readonly is valid.

OPTIONS
       -n     set specified part of kysec labels. part can be exectl,
              userid or protect.
       -r     process labels recursively, only usable for directories.
       -v     the new label value

SEE ALSO
       getstatus(8), setstatus(8), kysec_get(8)

                                                               kysec_set(8)