Disclosure of Invention
In view of this, the present invention provides a method and an apparatus for determining a shell program permission, a computer device, and a computer storage medium, and mainly aims to reduce a security risk existing in a computer system and improve security of an operating system.
According to one aspect of the invention, a method for determining the permission of a shell program is provided, and the method comprises the following steps:
acquiring a main program of a shell program in an operating system;
allocating an execution permission to the shell program according to the permission information of the main program in the operating system, so that the shell program inherits the execution permission of the main program;
monitoring a behavior of calling the shell program to execute a preset operation, and judging whether the shell program has the permission to execute the preset operation according to the execution permission allocated to the shell program;
if not, intercepting the behavior of calling the shell program to execute the preset operation.
Further, the acquiring a main program of the shell program in the operating system includes:
searching for the main process that calls and executes the shell program by traversing the program files in the system directory;
acquiring the main program of the shell program in the operating system according to the main process that calls and executes the shell program.
Further, before the allocating of the execution permission to the shell program according to the permission information of the main program in the operating system, the method further includes:
collecting behavior operations of the main program in the operating system, and determining the permission information of the main program in the operating system according to the behavior operations.
Further, the main program includes at least one process, and the collecting behavior operations of the main program in the operating system and determining, according to the behavior operations, the permission information that the main program has in the operating system includes:
monitoring the behavior operations of each process belonging to the main program in the operating system, and recording the permission information with which each process belonging to the main program executes the behavior operations;
determining the permission information of the main program in the operating system according to the permission information with which each process executes the behavior operations.
Further, after the monitoring a behavior of calling the shell program to execute a preset operation and judging whether the shell program has the permission to execute the preset operation according to the execution permission allocated to the shell program, the method further includes:
if so, starting the behavior of calling the shell program to execute the preset operation.
Further, after the starting the behavior of calling the shell program to execute the preset operation, the method further comprises the following steps:
judging, through a task flow set collected in advance, whether the task flow occurring when the behavior of calling the shell program to execute the preset operation occurs conforms to flow validity, wherein the task flow set comprises the task flows with which the shell program executes operation behaviors;
if so, allowing the behavior of calling the shell program to execute the preset operation, and otherwise, intercepting the behavior of calling the shell program to execute the preset operation.
Further, the monitoring the behavior of calling the shell program to execute the preset operation and judging whether the shell program has the permission to execute the preset operation according to the execution permission allocated to the shell program comprises the following steps:
monitoring the behavior of calling the shell program to execute the preset operation by using a hook function;
when the behavior of calling the shell program to execute the preset operation is monitored, judging whether the shell program has the permission to execute the preset operation according to the execution permission allocated to the shell program.
According to another aspect of the present invention, there is provided an apparatus for determining a permission of a shell program, the apparatus comprising:
an acquisition unit, configured to acquire a main program of the shell program in the operating system;
an allocation unit, configured to allocate an execution permission to the shell program according to the permission information of the main program in the operating system, so that the shell program inherits the execution permission of the main program;
a first judging unit, configured to monitor the behavior of calling the shell program to execute a preset operation and to judge whether the shell program has the permission to execute the preset operation according to the execution permission allocated to the shell program;
a determining unit, configured to intercept the behavior of calling the shell program to execute the preset operation if the shell program does not have the permission to execute the preset operation.
Further, the acquisition unit includes:
a searching module, configured to search for the main process that calls and executes the shell program by traversing the program files in the system directory;
an acquisition module, configured to acquire the main program of the shell program in the operating system according to the main process that calls and executes the shell program.
Further, the apparatus further comprises:
a collecting unit, configured to collect behavior operations of the main program in the operating system before the execution permission is allocated to the shell program according to the permission information of the main program in the operating system, and to determine the permission information of the main program in the operating system according to the behavior operations.
Further, the main program includes at least one process, and the collecting unit includes:
a recording module, configured to record the permission information with which each process belonging to the main program executes behavior operations, by monitoring the behavior operations of each process belonging to the main program in the operating system;
a determining module, configured to determine the permission information of the main program in the operating system according to the permission information with which each process executes the behavior operations.
Further, the determining unit is further configured to start a behavior of calling the shell program to execute a preset operation if the shell program has a permission to execute the preset operation.
Further, the apparatus further comprises:
a second judging unit, configured to judge, after the starting of the behavior of calling the shell program to execute the preset operation and through a task flow set collected in advance, whether the task flow occurring when the behavior of calling the shell program to execute the preset operation occurs conforms to flow validity, where the task flow set includes the task flows with which the shell program executes operation behaviors;
the second judging unit is specifically configured to allow the behavior of calling the shell program to execute the preset operation if the task flow occurring when that behavior occurs conforms to flow validity, and otherwise to intercept the behavior of calling the shell program to execute the preset operation.
Further, the first judgment unit includes:
a monitoring module, configured to monitor the behavior of calling the shell program to execute the preset operation by using a hook function;
a judging module, configured to judge, when the behavior of calling the shell program to execute the preset operation is monitored, whether the shell program has the permission to execute the preset operation according to the execution permission allocated to the shell program.
According to yet another aspect of the present invention, there is provided a computer device comprising a memory storing a computer program and a processor implementing the steps of the method for determining the permissions of a shell program when the processor executes the computer program.
According to a further aspect of the present invention, there is provided a computer storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method for determining a permission of a shell program.
By means of the above technical scheme, the method and apparatus for determining the permission of a shell program allocate an execution permission to the shell program according to the permission information of the main program in the operating system, so that the shell program inherits the execution permission of the main program and its permission is managed through that of the main program; therefore, when a behavior of calling the shell program to execute a preset operation is monitored, a behavior for which the shell program has no permission to execute the preset operation can be intercepted. In the prior art, by contrast, the way in which shell program permissions are determined has no interception mechanism; a shell program has many functions and permissions, and if it is left unmanaged, an attacker can easily take control of the whole operating system by exploiting system vulnerabilities.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
An embodiment of the present invention provides a method for determining a shell program permission, which can reduce a security risk existing in a computer system, and as shown in fig. 1, the method includes:
101. Acquiring a main program of the shell program in the operating system.
A shell program is a program with a special function: it mainly provides the interface through which a user interacts with the kernel, reading a command from an input device, converting it into machine code that the computer can understand, and then executing that code.
In general, each operating system has its own shell program; for example, the shell program in a Windows system is the cmd.com file. The user inputs the command to be executed; to run a program, the user enters the file name of its executable, the shell first locates the executable file by that file name, and then loads the program in the executable file into memory.
For the embodiment of the invention, after a user logs in to the operating system, the system starts a user shell program; within that user shell program, shell command statements and variables can be used, and a shell script program can also be created and run. When the shell script program is run, the system creates a sub-shell program. At this point the shell programs in the system are the shell program started by the system at login and the shell program created by the system to run the script. When the script program finishes, its script shell is terminated and control returns to the shell program that was active before the script was executed. Thus a user may have several shell programs, each derived from some other shell program, and the shell program from which a given shell program is derived is equivalent to the main program of that shell program in the operating system.
It should be noted that the main program is in essence also a shell program and has the same characteristics as a shell program, but the shell program and the main program are completely independent of each other, and the shell program inherits only some attributes of the main program, such as the current working directory, environment variables, standard input and output, error output, and the like.
102. Allocating an execution permission to the shell program according to the permission information of the main program in the operating system, so that the shell program inherits the execution permission of the main program.
Both the main program and the shell program are given an execution permission at the time of creation, and the permission information given to the main program may differ from the permission information given to the shell program: for example, the main program may prohibit certain commands or operations at creation while the shell program does not prohibit those commands or operations at creation, in which case the shell program does not inherit the permission information of the main program.
In an operating system, when a user logs in, a shell program process is created and obtains the uid and gid of the corresponding user, which uniquely identify that user; when the kernel handles a file access request from a user process, it compares the uid and gid of the process with the access mode bits of the file to determine whether the process has permission to operate on the file. For the embodiment of the invention, the permission information of the main program can be determined from the identification information of the user at the time the main program is created, and the shell program is then allocated the same execution permission as the main program. It should be noted that a user whose uid is zero is the super user and may manage any resource, which can undermine system security: once an attacker obtains super user rights, the security risk to the operating system increases.
103. Monitoring the behavior of calling the shell program to execute a preset operation, and judging whether the shell program has the permission to execute the preset operation according to the execution permission allocated to the shell program.
The preset operation behavior may be a behavior of calling the shell program to create a system account, a behavior of calling the shell program to delete a file, and the like; the preset operation behavior is not limited here. When a behavior of calling the shell program to execute the preset operation is monitored, not every operation behavior may be executed, because the shell program inherits the execution permission of the main program; whether the shell program has the permission to execute the preset operation therefore needs to be judged.
According to the embodiment of the invention, by monitoring the behavior of the shell program executing the preset operation, whether the shell program has the execution permission can be judged before the shell program executes the preset operation, so that a preset operation behavior outside the shell program's permission can be intercepted in time and the execution security of the shell program is improved.
104. If not, intercepting the behavior of calling the shell program to execute the preset operation.
For the embodiment of the invention, if the shell program does not have the permission to execute the preset operation, then because the shell program inherits the permission of the main program, the main program does not have the permission to execute the preset operation either, and so the behavior of calling the shell program to execute the preset operation is intercepted.
When a shell program is created, its content, its running environment and the command line to be executed are set, and an executable permission is added to the shell program; the executable permission can restrict who may access the shell program, for example allowing anyone to access it, allowing only users in its group to access it, and the like. However, with only the executable permission added to the shell program, if the execution permission of the shell program is not managed properly, an attacker can easily obtain the execution permission of the shell program and inject a malicious system command into a normal command, resulting in a command execution attack. According to the embodiment of the invention, the shell program inherits the permission information of the main program, so the execution permission of the shell program can be controlled more finely and the security of the operating system is improved.
The invention provides a method for determining the permission of a shell program, in which an execution permission is allocated to the shell program according to the permission information of the main program in the operating system, so that the shell program inherits the execution permission of the main program and its permission is managed through that of the main program; therefore, when a behavior of calling the shell program to execute a preset operation is monitored, a behavior for which the shell program has no permission to execute the preset operation can be intercepted. In the prior art, by contrast, the way in which shell program permissions are determined has no interception mechanism; a shell program has many functions and permissions, and if it is left unmanaged, an attacker can easily take control of the whole operating system by exploiting system vulnerabilities.
An embodiment of the present invention provides another method for determining a shell program permission, which can reduce a security risk existing in a computer system, and as shown in fig. 2, the method includes:
201. Searching for the main process that calls and executes the shell program by traversing the program files in the system directory.
Generally, each process on the system has certain permissions; for example, notepad can read and write files but cannot make network connections. Some programs need to call a shell program while they run, and the entity that calls the shell program is called the main program.
For the embodiment of the present invention, program files providing various functions, for example a program file providing a search function and a program file providing a scan function, are recorded in the system directory. Since the main process of the shell program calls the shell program during its execution, the main process that calls and executes the shell program can be found by traversing the program files in the system directory.
It should be noted that a plurality of shell program files may exist in one system, and command syntaxes supported by different shell program files are different, and the shell program files stored in the system directory may be specifically viewed through different commands.
202. Acquiring the main program of the shell program in the operating system according to the main process that calls and executes the shell program.
For the embodiment of the invention, when the main process calls the shell program, the main process that calls and executes the shell program is recorded in the system directory, and the main program of the shell program in the operating system can then be obtained from the recorded main process that called the shell program.
It should be noted that, in general, a shell program is created by default without an execution permission and must be given an executable permission with a command before it can be executed, and the execution permission of the shell program is not necessarily the same as that of the main process.
203. Collecting behavior operations of the main program in the operating system, and determining the permission information of the main program in the operating system according to the behavior operations.
The behavior operations of the main program in the operating system can be file content queries, file resource access, file creation and the like. The behavior operations of the main program in the operating system are collected because a behavior operation performed by the main program indicates that the main program has the permission to execute that behavior operation, and the permission information of the main program in the operating system is therefore determined from the behavior operations of the main program.
For example, if the main program can perform the operation of creating a user account, this indicates that the main program has the permission to create a user account; if the main program cannot perform the operation of creating a system account, this indicates that the main program does not have the permission to create an account.
204. Allocating an execution permission to the shell program according to the permission information of the main program in the operating system, so that the shell program inherits the execution permission of the main program.
For the embodiment of the present invention, the specific process by which an execution permission is allocated to the shell program according to the permission information of the main program in the operating system, so that the shell program inherits the execution permission of the main program, is as described in step 102 and is not repeated here.
For the embodiment of the invention, when a certain main program calls and executes the shell program, the shell program and any sub-process created by the shell program inherit the permission of the main program; for example, when a notepad process calls and executes the shell program, the shell program inherits the permission of the notepad program, namely it can read and write files but cannot make network connections.
205. Monitoring the behavior of calling the shell program to execute the preset operation, and judging whether the shell program has the permission to execute the preset operation according to the execution permission allocated to the shell program.
For the embodiment of the invention, the behavior of calling the shell program to execute the preset operation can be monitored by using a hook function. When the hook function is installed, Windows creates a data structure in memory that contains the relevant information about the hook function, and the message for the behavior of calling the shell program to execute the preset operation is captured through that information.
The hook function is part of the Windows message processing mechanism; by setting a hook function, events in the current process or in other processes can be captured. For this embodiment, the message for calling the shell program to execute the preset operation behavior is acquired by the hook function, and whether the shell program has the permission to execute the preset operation behavior is judged using the execution permission allocated to the shell program.
It should be noted that a hook function does not interrupt the system and cannot arbitrarily intercept low-level system functions; it is only a monitoring point set in the Windows message mechanism that captures a preset behavior occurring in a process, and once the preset behavior is observed, different processing can be carried out by calling other handler functions.
In addition, when the behavior of calling the shell program to execute the preset operation is monitored, before the step of judging whether the shell program has the permission to execute the preset operation according to the execution permission allocated to the shell program, it can first be judged whether the preset operation behavior falls within the range of a minimum behavior permission set. If the preset operation behavior falls within that range, it is allowed to execute; if not, whether the shell program has the permission to execute the preset operation is further judged according to the execution permission allocated to the shell program by the main program.
The range of the minimum behavior permission set is chosen so that uncontrollable risks are avoided as far as possible while the normal operation of the system and third-party applications is affected as little as possible, so that the user's normal use of the system and applications is not disturbed.
206a. If not, intercepting the behavior of calling the shell program to execute the preset operation.
For the embodiment of the invention, if the shell program does not have the permission to execute the preset operation, the preset operation behavior has not been authorized by the main program, and the main program cannot execute the preset operation, so the behavior of calling the shell program to execute the preset operation is intercepted.
206b. Corresponding to step 206a: if so, starting the behavior of calling the shell program to execute the preset operation.
For the embodiment of the invention, if the shell program has the permission to execute the preset operation, the preset operation behavior has been authorized by the main program, and the main program can execute the preset operation, so the behavior of calling the shell program to execute the preset operation is started.
207b. Judging, through a task flow set collected in advance, whether the task flow occurring when the behavior of calling the shell program to execute the preset operation occurs conforms to flow validity.
The task flow set comprises the task flows with which the shell program executes operation behaviors. For example, the task flow when the shell program is called to delete a file may comprise: looking up the path of the target file, finding the target file to be deleted according to that path, and starting the shell program to delete the target file. The task flow is not particularly limited here.
208b. If so, allowing the behavior of calling the shell program to execute the preset operation; otherwise, intercepting the behavior of calling the shell program to execute the preset operation.
For the embodiment of the invention, only an operation behavior that conforms to flow validity is allowed to proceed as the behavior of calling the shell program to execute the preset operation; otherwise, the behavior of calling the shell program to execute the preset operation is intercepted and an alarm is raised.
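To make the decision path of steps 203 to 208b (and the shorter path of steps 101 to 104) concrete, the following Python simulation is an added example and is not code from the patent: the behavior observations, the minimum behavior permission set, the task flow set and the hooked call events are constructed sample data, and the program and operation names (notepad.exe, setup.exe, file_delete, net_connect and so on) are assumed for illustration only.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple

# Constructed sample data: behavior operations observed for each main program
# (step 203). In a deployment these would come from monitoring every process
# of the main program; they are hard-coded here so the example runs offline.
OBSERVED_BEHAVIOR: Dict[str, Sequence[str]] = {
    "notepad.exe": ("file_read", "file_write", "file_read", "file_delete"),
    "setup.exe": ("file_read", "file_write", "create_account", "net_connect"),
}

# Minimum behavior permission set (step 205): operations allowed to start
# without consulting the inherited permissions. Constructed value.
MIN_BEHAVIOR_SET: FrozenSet[str] = frozenset({"file_read"})

# Pre-collected task flow set (step 207b): the legitimate ordered flow for
# each operation. Constructed values; file_delete follows the text's example.
TASK_FLOW_SET: Dict[str, Tuple[str, ...]] = {
    "file_read": ("open_target", "read_target"),
    "file_delete": ("lookup_path", "find_target", "delete_target"),
    "create_account": ("check_name", "add_account"),
}


def collect_permissions(main_program: str) -> FrozenSet[str]:
    """Step 203: an operation the main program was observed performing is
    taken as an operation it has permission for; nothing else is granted."""
    return frozenset(OBSERVED_BEHAVIOR.get(main_program, ()))


@dataclass(frozen=True)
class ShellProgram:
    pid: int
    main_program: str
    permissions: FrozenSet[str]


def spawn_shell(pid: int, main_program: str) -> ShellProgram:
    """Step 204: the shell inherits exactly the permission set of its main program."""
    return ShellProgram(pid, main_program, collect_permissions(main_program))


def check_permission(shell: ShellProgram, operation: str) -> Tuple[bool, str]:
    """Steps 205/206: decide whether the hooked operation may start, with a reason."""
    if operation in MIN_BEHAVIOR_SET:
        return True, "in minimum behavior set"
    if operation in shell.permissions:
        return True, f"inherited from {shell.main_program}"
    return False, f"{shell.main_program} has no permission for {operation}"


def check_task_flow(operation: str, observed_flow: Sequence[str]) -> bool:
    """Step 207b: the observed flow must match the collected flow exactly.
    Assumption: an operation with no collected flow cannot be validated and fails."""
    expected = TASK_FLOW_SET.get(operation)
    return expected is not None and tuple(observed_flow) == expected


@dataclass
class Decision:
    pid: int
    operation: str
    verdict: str          # "allow" or "intercept"
    reason: str
    alert: bool = False   # step 208b: interception after start raises an alarm


def decide(shell: ShellProgram, operation: str, observed_flow: Sequence[str]) -> Decision:
    """Full path for one hooked call: permission check first, then flow validity."""
    permitted, reason = check_permission(shell, operation)
    if not permitted:
        return Decision(shell.pid, operation, "intercept", reason)
    if not check_task_flow(operation, observed_flow):
        return Decision(shell.pid, operation, "intercept",
                        f"task flow {list(observed_flow)} not in task flow set", alert=True)
    return Decision(shell.pid, operation, "allow", reason)


# Constructed events standing in for messages captured by the hook function
# (step 205): (shell pid, main program, requested operation, observed task flow).
HOOKED_EVENTS = [
    (1001, "notepad.exe", "file_read", ["open_target", "read_target"]),
    (1001, "notepad.exe", "file_delete", ["lookup_path", "find_target", "delete_target"]),
    (1001, "notepad.exe", "net_connect", []),
    (1002, "setup.exe", "create_account", ["check_name", "add_account"]),
    (1002, "setup.exe", "create_account", ["add_account"]),
]


def process_events(events=HOOKED_EVENTS) -> List[Decision]:
    """Run every hooked call through the policy and return the decisions in order."""
    decisions = []
    for pid, main_program, operation, flow in events:
        shell = spawn_shell(pid, main_program)
        decisions.append(decide(shell, operation, flow))
    return decisions


if __name__ == "__main__":
    for d in process_events():
        flag = " ALERT" if d.alert else ""
        print(f"pid={d.pid} {d.operation:<15} {d.verdict:<9} {d.reason}{flag}")
```

The third event shows the inherited-permission interception of step 206a (notepad's shell may not open network connections), and the fifth shows the flow-validity interception of step 208b, which additionally raises the alarm.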
The invention provides another method for determining the permission of a shell program, in which an execution permission is allocated to the shell program according to the permission information of the main program in the operating system, so that the shell program inherits the execution permission of the main program and its permission is managed through that of the main program; therefore, when a behavior of calling the shell program to execute a preset operation is monitored, a behavior for which the shell program has no permission to execute the preset operation can be intercepted. In the prior art, by contrast, the way in which shell program permissions are determined has no interception mechanism; a shell program has many functions and permissions, and if it is left unmanaged, an attacker can easily take control of the whole operating system by exploiting system vulnerabilities.
Further, as a specific implementation of the method shown in fig. 1, an embodiment of the present invention provides an apparatus for determining a shell program permission, where as shown in fig. 3, the apparatus includes: an acquisition unit 31, an allocation unit 32, a first judgment unit 33, and a determination unit 34.
the acquisition unit 31 may be configured to acquire a main program of the shell program in the operating system;
the allocating unit 32 may be configured to allocate an execution permission to the shell program according to permission information of the main program in the operating system, so that the shell program inherits the execution permission of the main program;
the first determining unit 33 may be configured to monitor a behavior of calling a shell program to perform a preset operation, and determine whether the shell program has a permission to perform the preset operation according to an execution permission allocated to the shell program;
the determining unit 34 may be configured to intercept a behavior of calling the shell program to perform a preset operation if the shell program does not have a permission to perform the preset operation.
The invention provides an apparatus for determining the permission of a shell program, in which an execution permission is allocated to the shell program according to the permission information of the main program in the operating system, so that the shell program inherits the execution permission of the main program and its permission is managed through that of the main program; therefore, when a behavior of calling the shell program to execute a preset operation is monitored, a behavior for which the shell program has no permission to execute the preset operation can be intercepted. In the prior art, by contrast, the way in which shell program permissions are determined has no interception mechanism; a shell program has many functions and permissions, and if it is left unmanaged, an attacker can easily take control of the whole operating system by exploiting system vulnerabilities.
As a further description of the apparatus for determining the shell program permission shown in fig. 4, fig. 4 is a schematic structural diagram of another apparatus for determining the shell program permission according to an embodiment of the present invention, and as shown in fig. 4, the apparatus further includes:
a collecting unit 35, configured to collect behavior operations of the main program in an operating system before the execution permission is allocated to the shell program according to the permission information of the main program in the operating system, and determine, according to the behavior operations, permission information that the main program has in the operating system;
a second determining unit 36, configured to determine, after the starting of the behavior of calling the shell program to execute the preset operation and according to a task flow set collected in advance, whether the task flow occurring when the behavior of calling the shell program to execute the preset operation occurs conforms to flow validity, where the task flow set includes the task flows with which the shell program executes operation behaviors;
the second determining unit 36 may be specifically configured to allow the behavior of calling the shell program to execute the preset operation if the task flow occurring when that behavior occurs conforms to flow validity, and otherwise to intercept the behavior of calling the shell program to execute the preset operation.
Further, the determining unit 34 may be further configured to start a behavior of calling the shell program to execute a preset operation if the shell program has a right to execute the preset operation.
Further, the acquiring unit 31 includes:
the searching module 311 may be configured to search for the main process that calls and executes the shell program by traversing the program files in the system directory;
the obtaining module 312 may be configured to obtain the main program of the shell program in the operating system according to the main process that calls and executes the shell program.
Further, the main body program includes at least one process, and the collection unit 35 includes:
the recording module 351 may be configured to record permission information for performing the behavior operation by each process belonging to the main program by monitoring the behavior operation of each process belonging to the main program in the operating system;
the determining module 352 may be configured to determine, according to the authority information of the behavior operation executed by each process, the authority information that the main program has in the operating system.
It should be noted that other corresponding descriptions of the functional units related to the determining device for determining the program permission in the present embodiment may refer to the corresponding descriptions in fig. 1 and fig. 2, and are not described herein again.
Further, the first judgment unit 33 includes:
the monitoring module 331 may be configured to monitor, by means of a hook function, the behavior of calling the shell program to execute the preset operation;
the determining module 332 may be configured to determine, when the behavior of calling the shell program to execute the preset operation is detected, whether the shell program has the permission to execute the preset operation according to the execution permission allocated to the shell program.
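The following is an added example, written for this page and not code from the patent, that simulates the decision logic of the units described above: the recording and determining modules (351, 352) derive the main program's permission information from the operations its processes perform, the shell program inherits that permission, and a hook around the shell-launch entry point first applies the permission check (modules 331, 332) and then the task-flow check of the second determining unit 36. The process names, operation names, task flows, the rule that the main program's permission is the union of its processes' permissions, and the use of a Python wrapper in place of an operating-system hook function are all assumptions made for the example.

```python
"""Constructed simulation of the shell-permission scheme: inheritance, hook, flow check.

Assumptions (not from the patent): sample process/operation names, the union merge
rule for the main program's permission, and a Python wrapper standing in for the
operating-system hook function.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple

Flow = Tuple[str, ...]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def collect_main_program_permissions(behavior_log: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Recording module: observe each process of the main program and record the
    operations it performed (process name -> set of operations)."""
    per_process: Dict[str, Set[str]] = {}
    for process, operation in behavior_log:
        per_process.setdefault(process, set()).add(operation)
    return per_process


def determine_main_program_permissions(per_process: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Determining module: merge the per-process records into the main program's
    permission information. Union is an assumption; the patent fixes no merge rule."""
    merged: Set[str] = set()
    for operations in per_process.values():
        merged |= operations
    return frozenset(merged)


def allocate_shell_permission(main_perms: FrozenSet[str]) -> FrozenSet[str]:
    """Allocation: the shell program inherits exactly its main program's execution permission."""
    return main_perms


def check_permission(shell_perms: FrozenSet[str], operation: str) -> Decision:
    """Modules 331/332: is the requested preset operation within the inherited permission?"""
    if operation in shell_perms:
        return Decision(True, "operation within inherited permission")
    return Decision(False, f"intercepted: shell has no permission for {operation!r}")


def check_flow(observed_flow: Flow, flow_set: Set[Flow]) -> Decision:
    """Second determining unit 36: the observed task flow must appear in the flow set
    collected in advance, otherwise the call is intercepted even though permitted."""
    if tuple(observed_flow) in flow_set:
        return Decision(True, "task flow matches collected flow set")
    return Decision(False, "intercepted: task flow not in collected flow set")


def install_hook(run_shell: Callable[[str], None], shell_perms: FrozenSet[str],
                 flow_set: Set[Flow]) -> Callable[[str, Flow], Decision]:
    """Monitoring module: wrap the shell-launch entry point so every call is checked
    before the real launcher runs. A real system would hook the OS API instead."""
    def hooked(operation: str, observed_flow: Flow) -> Decision:
        decision = check_permission(shell_perms, operation)
        if not decision.allowed:
            return decision
        decision = check_flow(observed_flow, flow_set)
        if not decision.allowed:
            return decision
        run_shell(operation)          # only reached when both checks pass
        return Decision(True, "executed")
    return hooked


# Constructed sample data: a backup agent whose processes read, write and upload.
MAIN_PROGRAM_BEHAVIOR = [
    ("backup_agent", "read_file"),
    ("backup_agent", "write_file"),
    ("backup_uploader", "network_send"),
]
# Constructed task flows collected in advance for the shell program's normal operation.
COLLECTED_FLOWS: Set[Flow] = {
    ("launch_shell", "read_file", "write_file"),
    ("launch_shell", "network_send"),
}


def build_hooked_shell(executed: List[str]) -> Callable[[str, Flow], Decision]:
    """Derive the shell's permission from the main program's behavior and install the hook."""
    def run_shell(operation: str) -> None:
        executed.append(operation)   # stands in for the real shell launch
    per_process = collect_main_program_permissions(MAIN_PROGRAM_BEHAVIOR)
    shell_perms = allocate_shell_permission(determine_main_program_permissions(per_process))
    return install_hook(run_shell, shell_perms, COLLECTED_FLOWS)


def demo() -> Tuple[Dict[str, Decision], List[str]]:
    executed: List[str] = []
    shell = build_hooked_shell(executed)
    results = {
        "write_in_flow": shell("write_file", ("launch_shell", "read_file", "write_file")),
        "escalate": shell("modify_passwd", ("launch_shell", "modify_passwd")),
        "send_odd_flow": shell("network_send", ("launch_shell", "read_file", "network_send")),
    }
    return results, executed


if __name__ == "__main__":
    results, executed = demo()
    for name, decision in results.items():
        print(f"{name}: allowed={decision.allowed} ({decision.reason})")
    print("operations reaching the real shell:", executed)
```

Running the block shows the three outcomes the units distinguish: a call within the inherited permission and matching a collected flow reaches the shell; a call for an operation the main program never performed is intercepted by the permission check; and a call that is permitted but arrives through a task flow absent from the collected set is intercepted by the flow check, so the interception records the reason for the decision.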
Based on the methods shown in fig. 1 and fig. 2, this embodiment correspondingly further provides a storage medium on which a computer program is stored; when the computer program is executed by a processor, the method for determining the shell program permission shown in fig. 1 and fig. 2 is implemented.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, a USB disk or a removable hard disk) and includes several instructions for causing a computer device (such as a personal computer, a server or a network device) to execute the method of the implementation scenarios of the present application.
Based on the method shown in fig. 1 and fig. 2 and the virtual device embodiments shown in fig. 3 and fig. 4, in order to achieve the above object, an embodiment of the present application further provides a computer device, which may specifically be a personal computer, a server, a network device or the like. The entity device includes a storage medium and a processor: the storage medium stores a computer program, and the processor executes the computer program to implement the method for determining the shell program permission shown in fig. 1 and fig. 2.
Optionally, the computer device may also include a user interface, a network interface, a camera, radio frequency (RF) circuitry, sensors, audio circuitry, a Wi-Fi module, and so forth. The user interface may include a display screen and an input unit such as a keyboard, and optionally may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface or a wireless interface (e.g., a Bluetooth interface or a Wi-Fi interface).
Those skilled in the art will appreciate that the structure of the physical device for determining the shell program permission provided in this embodiment does not limit the physical device, which may include more or fewer components, combine some components, or arrange the components differently.
The storage medium may further include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the computer device described above and supports the operation of information handling programs and other software and/or programs. The network communication module is used to realize communication among the components in the storage medium and with other hardware and software in the entity device.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. In the prior art, the shell program has many functions and permissions, and if it is not managed, an attacker can exploit a system vulnerability to easily take control of the whole operating system; by applying the technical solution of the application, the shell program is limited to the execution permission inherited from its main program, and calls to the shell program that exceed that permission are intercepted.
Those skilled in the art will appreciate that the figures are merely schematic representations of one preferred implementation scenario and that the blocks or flows in the figures are not necessarily required to practice the present application. Those skilled in the art will also appreciate that the modules in the devices of the implementation scenario may be distributed among the devices of that scenario as described, or may, with corresponding changes, be located in one or more devices different from those of the present implementation scenario. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The above embodiment serial numbers are for description purposes only and do not represent the superiority or inferiority of the implementation scenarios. The above disclosure is only a few specific implementation scenarios of the present application; the present application is not limited thereto, and any variations that can be made by those skilled in the art are intended to fall within its scope.