Executable files report "permission denied" (权限不够) on Galaxy Kylin 4.0.2 SP3
Symptom
root@Kylin:~# cat aa.sh
echo 1
root@Kylin:~# bash aa.sh
bash: aa.sh: 权限不够
root@Kylin:~# ls -l aa.sh
-rw-r--r-- 1 root root 7 2月 1 10:14 aa.sh
root@Kylin:~# chmod +x aa.sh
root@Kylin:~# bash aa.sh
bash: aa.sh: 权限不够
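As shown above, I wrote a simple shell script, and running it directly through bash fails with a permission error (权限不够, "permission denied"). A permission error usually means something like a missing execute permission, but here the error persists even after the permission has been granted.
I have not used the Galaxy Kylin operating system in any depth, so I searched online: the cause is Kysec, the Kylin security management tool, which is present by default.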
Solutions
Option 2: Set the Kylin system security status to Softmode from the command line
root@Kylin:~# getstatus
KySec status: Normal
exec control: on
file protect: on
kmod protect: on
three admin : off
root@Kylin:~# setstatus Softmode
root@Kylin:~# getstatus
KySec status: Softmode
exec control: on
file protect: on
kmod protect: on
three admin : off
root@Kylin:~# bash aa.sh
1
To apply the setting at boot:
root@Kylin:~# echo "setstatus Softmode" >> /lib/lsb/init-functions
Option 3: Set permissions on individual files only
root@Kylin:~# setstatus Normal
root@Kylin:~# bash aa.sh
bash: aa.sh: 权限不够
root@Kylin:~# kysec_set -n exectl -v trusted aa.sh
root@Kylin:~# bash aa.sh
1
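Option 2 lets the unlabelled script run on the whole system and re-applies Softmode at every boot, while Option 3 only relabels one file, so it is worth checking a host for leftovers of Option 2. The following is an added example, not part of the original post or of the Kysec tools: it parses getstatus output and looks for the persistence line in /lib/lsb/init-functions. The function names are hypothetical, and the baseline (status Normal, the three protections on) is assumed from the getstatus output shown above.

```shell
#!/bin/sh
# Added example: audit for the KySec changes shown on this page.

# Print the value of one field from `getstatus` output read on stdin.
kysec_field() {
    awk -F: -v key="$1" '
        { k = $1; v = $2
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == key { print v; exit }'
}

# True if FILE has an uncommented "setstatus Softmode" line (boot persistence).
has_softmode_persistence() {
    grep -Eq '^[[:space:]]*setstatus[[:space:]]+Softmode' "$1"
}

# audit_kysec STATUS_TEXT INIT_FILE: print one FINDING line per deviation
# from the assumed baseline (status Normal, all three protections on).
audit_kysec() {
    mode=$(printf '%s\n' "$1" | kysec_field "KySec status")
    if [ "$mode" != "Normal" ]; then
        echo "FINDING: KySec status is '${mode:-unknown}', expected Normal"
    fi
    for f in "exec control" "file protect" "kmod protect"; do
        val=$(printf '%s\n' "$1" | kysec_field "$f")
        if [ "$val" != "on" ]; then
            echo "FINDING: $f is '${val:-unknown}', expected on"
        fi
    done
    if [ -r "$2" ] && has_softmode_persistence "$2"; then
        echo "FINDING: $2 re-applies 'setstatus Softmode' at boot"
    fi
    return 0
}

# Constructed sample: the Softmode getstatus output shown on this page.
SAMPLE_SOFTMODE='KySec status: Softmode
exec control: on
file protect: on
kmod protect: on
three admin : off'

# On a host with the KySec tools installed, audit the live state.
if command -v getstatus >/dev/null 2>&1; then
    audit_kysec "$(getstatus)" /lib/lsb/init-functions
fi
```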
kysec_set man page
kysec_set(8)              System Manager's Manual              kysec_set(8)

NAME
       kysec_set - set kysec label for specfied path(s)

SYNOPSIS
       kysec_set [ -n part ] [ -r ] -v value path1 ..

DESCRIPTION
       kysec_set set the kysec label of specified files or directories to
       value. Kysec label is composed of three parts: identify part,
       protect part and exectl part.

       when not used with -n option, kysec label should be in such format:
       "identify:protect:exectl". Set the new value to 'none' to clear the
       corresponding part of kysec label.

       for identify part, these values are valid:
              secadm     commands for secadm
              audadm     commands for auditadm

       for exectl part, these values are valid:
              unknown    unknown files
              original   original system files
              verified   verified 3rd party files
              kysoft     software installer
              trusted    trusted files

       for protect part, only readonly is valid.

OPTIONS
       -n     set specified part of kysec labels. part can be exectl,
              userid or protect.

       -r     process labels recursively, only usable for directories.

       -v     the new label value

SEE ALSO
       getstatus(8), setstatus(8), kysec_get(8)

                                                               kysec_set(8)