
Credentials and Access Control in Linux
=======================================

File owner and permission [important]
-------------------------------------
File mode (permission), user ID and group ID are stored in the file's inode.
An inode contains at least the following members:
   *) size
   *) device ID (the device containing the file)
   *) user ID
   *) group ID
   *) file mode
   *) timestamp
   *) link count (number of hard links)
   *) pointers to the disk blocks
A direct consequence of the above is that if a file changes (content,
timestamp, user ID, group ID, file mode, etc.), all hard links pointing to it
also change, as all these hard links share a common inode.


Process Credentials [important]
-------------------------------
Process Identifiers:
*) process ID
*) parent process ID
*) process group ID
*) session ID
*) real user ID   | who owns the process
*) real group ID  |
*) effective user ID  | used by the kernel for access control to shared resources
*) effective group ID | (such as message queues, semaphores, etc.)
*) file system user ID  | together with supplementary group IDs, used to
*) file system group ID | determine permissions for accessing files
*) supplementary group IDs | used for permission checks when accessing files
*) saved set-user-ID  | used to save a copy of the corresponding effective IDs when
*) saved set-group-ID | the process was executed


Related System Calls [important]
--------------------------------
*) getpid
   Get process ID

*) getppid
   Get parent process ID

*) getsid
   Get session ID

*) getpgrp
   Get process group ID

*) setsid
   Create a new session. The calling process becomes the session leader.

*) setpgid
   Set the process's group membership

*) getuid
   Get the process's real user ID

*) setuid
   If the caller is not root, setuid sets the effective user ID of the calling
   process; if the caller is root, setuid also sets the real user ID and the
   saved user ID.

*) seteuid
   Set the effective user ID of the calling process. An unprivileged
   process can only set the effective user ID to the real user ID, the effective
   user ID or the saved user ID.

*) setfsuid
   Set a process's file system user ID. It is used to make the file system user
   ID differ from the process's effective user ID.

*) setreuid
   Set real and effective user ID.

*) getgid
   Get the process''s real group ID.

*) getegid
   Get the process's effective group ID.

*) getresgid
   Get real, effective and saved group ID.

*) setgid
   Completely analogous to setuid.

*) setregid
   Set real and effective group ID.

*) setfsgid
   Set file system group ID.

*) getgroups
   Get supplementary group IDs of a process

*) setgroups
   Set supplementary group IDs of a process

*) setresuid
   Set real, effective and saved user ID.

*) setresgid
   Set real, effective and saved group ID.


Potential problem with suid programs [important]
------------------------------------------------
Set-user-ID programs have potential security problems if not carefully written.

E.g.
User 'chenqi' doesn't have read permission for /etc/shadow, but if a program
owned by root has the set-user-ID bit set and can be executed by 'chenqi', then
it's possible for the user 'chenqi' to use the setuid program to read
the contents of /etc/shadow.

chenqi@pek-qchen1-d1:~/projects/mypro/linux/miscs$ cat test.c
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef MAXLINE
#define MAXLINE 4096
#endif

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "%s <file>\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    FILE *fp = fopen(argv[1], "r");
    if (fp == NULL) {
        perror("open file failed");
        exit(EXIT_FAILURE);
    }
    char buf[MAXLINE];
    while (fgets(buf, MAXLINE, fp) != NULL) {
        if (fputs(buf, stdout) == EOF) {
            perror("output error");
            exit(EXIT_FAILURE);
        }
    }
    if (fp != NULL)
        fclose(fp);
    exit(EXIT_SUCCESS);
}

chenqi@pek-qchen1-d1:~/projects/mypro/linux/miscs$ ls -l test
-rwsr-sr-x 1 root root 8774 Oct 12 15:37 test

chenqi@pek-qchen1-d1:~/projects/mypro/linux/miscs$ cat /etc/shadow
cat: /etc/shadow: Permission denied

chenqi@pek-qchen1-d1:~/projects/mypro/linux/miscs$ ./test /etc/shadow
root:<encrypted passwd for root>:15555:0:99999:7:::
daemon:*:15455:0:99999:7:::
bin:*:15455:0:99999:7:::
<the rest of the contents omitted>

It is not immediately obvious that the above program is poorly written,
provided the programmer knows that the program will be made setuid.
One way to address the problem is to temporarily drop privilege to the real
user ID (and real group ID) when opening the file, so that the open is checked
against the invoking user's permissions rather than root's.

chenqi@pek-qchen1-d1:~/projects/mypro/linux/miscs$ ls test -l
-rwsr-sr-x 1 root root 9156 Oct 12 16:01 test

chenqi@pek-qchen1-d1:~/projects/mypro/linux/miscs$ ./test test.c
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef MAXLINE
#define MAXLINE 4096
#endif

static void xseteuid(uid_t euid) {
    if (seteuid(euid)) {
        perror("seteuid");
        exit(EXIT_FAILURE);
    }
}

static void xsetegid(gid_t egid) {
    if (setegid(egid)) {
        perror("setegid");
        exit(EXIT_FAILURE);
    }
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "%s <file>\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();
    xseteuid(getuid());
    xsetegid(getgid());
    FILE *fp = fopen(argv[1], "r");
    if (fp == NULL) {
        perror("open file failed");
        exit(EXIT_FAILURE);
    }
    xseteuid(old_euid);
    xsetegid(old_egid);
    char buf[MAXLINE];
    while (fgets(buf, MAXLINE, fp) != NULL) {
        if (fputs(buf, stdout) == EOF) {
            perror("output error");
            exit(EXIT_FAILURE);
        }
    }
    if (fp != NULL)
        fclose(fp);
    exit(EXIT_SUCCESS);
}

chenqi@pek-qchen1-d1:~/projects/mypro/linux/miscs$ ./test /etc/shadow
open file failed: Permission denied


Q & A [important]
-----------------
1. If the euid of a process is not zero (superuser), is it possible for
   the process to change its euid to zero and gain privilege?

   It depends. If the saved uid is zero, the answer is yes, because the seteuid
   system call can set the effective uid to the real uid or the saved uid.
   Note that this case usually indicates that a process has temporarily dropped
   its privilege and is trying to restore it.

2. Given (r, e, s) = (x, x, 0) where x != 0, is it possible to change (r, e, s)
   to (0, x, 0) using setresuid()? What about using setreuid()?

   Both can. The setreuid() manual page is not accurate. It states:
   "Unprivileged users may only set the real user ID to the real user ID or the
   effective user ID."
   However, for an unprivileged user, the real user ID can also be set to the
   saved user ID.
   e.g.
   chenqi@pek-qchen1-d1:~/projects/mypro/linux/miscs$ ./test
   16079: (1000, 0, 0)
   16079: (1000, 1000, 0)
   16079: (0, 1000, 0)

3. Is it possible to clear the SETUID capability bit in a process whose
   effective uid is zero?

   No. The kernel has fixed this bug.
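The rules behind Q1 and Q2 can be checked without a set-user-ID binary by modelling the kernel's check for callers without CAP_SETUID: each new real, effective or saved ID must be -1 (unchanged) or equal to one of the caller's current three IDs. The C below is an added example, not code from the original notes; it simulates setresuid()/seteuid() only (setreuid() is not modelled) and never touches the real process credentials.

```c
/* Model of the kernel's check for setresuid()/seteuid() by a caller without
 * CAP_SETUID. Pure simulation: nothing here touches real process credentials. */
#include <stdio.h>
#include <sys/types.h>

/* The (real, effective, saved) triple that getresuid(2) reports. */
struct uids { uid_t r, e, s; };

/* A new ID is acceptable if it is -1 (leave unchanged) or equals one of the
 * caller's *current* real, effective or saved IDs. */
static int may_use(const struct uids *c, uid_t id) {
    return id == (uid_t)-1 || id == c->r || id == c->e || id == c->s;
}

/* Returns 0 on success, -1 (EPERM) on failure; all three IDs are checked
 * against the old credentials before any of them is updated. */
int model_setresuid(struct uids *c, uid_t r, uid_t e, uid_t s) {
    if (!may_use(c, r) || !may_use(c, e) || !may_use(c, s))
        return -1;
    if (r != (uid_t)-1) c->r = r;
    if (e != (uid_t)-1) c->e = e;
    if (s != (uid_t)-1) c->s = s;
    return 0;
}

/* glibc implements seteuid(e) as setresuid(-1, e, -1). */
int model_seteuid(struct uids *c, uid_t e) {
    return model_setresuid(c, (uid_t)-1, e, (uid_t)-1);
}

/* Q1: a process with euid != 0 can regain euid 0 only if some current ID
 * (in practice the saved set-user-ID) is still 0. Works on a copy. */
int can_regain_root(struct uids c) {
    return model_seteuid(&c, 0) == 0;
}

int main(void) {
    struct uids c = { 1000, 0, 0 };        /* set-user-ID-root binary run by uid 1000 */
    printf("start:          (%u, %u, %u)\n", c.r, c.e, c.s);
    model_seteuid(&c, 1000);               /* temporary drop, as in test.c above */
    printf("temporary drop: (%u, %u, %u), regain root? %s\n", c.r, c.e, c.s,
           can_regain_root(c) ? "yes" : "no");
    model_setresuid(&c, 0, (uid_t)-1, (uid_t)-1);   /* Q2: (x, x, 0) -> (0, x, 0) */
    printf("Q2 transition:  (%u, %u, %u)\n", c.r, c.e, c.s);
    model_setresuid(&c, 1000, 1000, 1000); /* permanent drop: saved uid gone too */
    printf("permanent drop: (%u, %u, %u), regain root? %s\n", c.r, c.e, c.s,
           can_regain_root(c) ? "yes" : "no");
    return 0;
}
```

The last step shows why a permanent drop must set all three IDs: as long as the saved set-user-ID stays 0, the process can reacquire euid 0 at any time.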


Notes [important]
-----------------
1. We need to know that user privilege and process privilege are two different
   things. The user privilege is determined by the real user ID of the process,
   i.e., the owner of the process; the process privilege is determined by the
   effective user ID of the process.

What does the Access-Control-Allow-Credentials header actually do?

I am trying to understand how to use CORS, but I am confused about what the Access-Control-Allow-Credentials header does.

The documentation says:

Indicates whether or not the response to the request can be exposed when the credentials flag is true.

But I don't understand what it means for the response to be "exposed".

Can anyone explain what setting this header to true (together with the credentials flag set to true) actually does?

答案1

小编典典

By default, CORS does not include cookies in cross-origin requests. This differs from other cross-domain techniques such as JSON-P. JSON-P always includes cookies in the request, and that behavior can lead to a class of vulnerabilities known as cross-site request forgery, or CSRF.

To reduce the chance of CSRF vulnerabilities in CORS, CORS requires both the server and the client to acknowledge that cookies may be included in the request. This makes cookies an active decision rather than something that happens passively without any control.

The client code must set the withCredentials property on the XMLHttpRequest to true to grant permission.

However, this alone is not enough. The server must respond with the Access-Control-Allow-Credentials header. Responding with this header set to true means the server allows cookies (or other user credentials) to be included in cross-origin requests.

If you want cross-origin credentialed requests to work, you also need to make sure your browser is not blocking third-party cookies.

I ran into the same problem, and it turned out a browser setting was blocking third-party cookies (Chrome > Settings > Advanced > Privacy > Content settings > Block third-party cookies and site data). Allowing cookies fixed it!

Note that you need to protect your site against CSRF regardless of whether you make same-origin or cross-origin requests (especially if your requests include cookies).

ajax POST request error: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' heade

jQuery ajax cross-origin request, Web API web.config configuration

Front-end code (partial):

function CheckIn(roomno) {
    $.ajax({
        url: 'https://www..../RoomAssign',
        type: 'post',
        async: false,
        contentType: 'application/json;charset=utf-8',
        dataType: 'json',
        data: JSON.stringify({
            AccountId: localStorage.getItem("Accountid"),
            Address: localStorage.getItem("Address"),
            ArrivalDate: localStorage.getItem("Arrivaldate"),
            Birthday: localStorage.getItem("Birthday"),
            CertificateNo: localStorage.getItem("Certificateno"),
            CertificateType: localStorage.getItem("Certificatetype"),
            Country: localStorage.getItem("Country"),
        })
    });
}

Back-end code:

  public List<RoomAssign> RoomASSign([FromBody] RoomAssignIn model)
        {
            try
            {
                RoomAssignReq req = new RoomAssignReq();
                req.AccountId = model.Accountid;
                req.RoomNo = model.Roomno;
                req.Rsvno = model.Rsvno;
                RoomAssignRsp rsp = null;
                ErrorInfo error = null;
                List<RoomAssign> Rd = new List<RoomAssign>();
                RoomAssign list = new RoomAssign();
                if (db.RoomAssign(req,ref rsp,ref error) == 0)
                {        
                        list.resultcode = rsp.ResultCode;
                        list.description = rsp.Description;                              

                }
                else
                {
                    list.description = error.ErrorMessage;
                }
                Rd.Add(list);
                return Rd;
            }
            catch (Exception ex)
            {
                throw ex;
            }


        }

Add the following to web.config:

<system.web>
    <!--提供Web服务访问方式-->
    <webServices>
      <protocols>
        <add name="HttpSoap"/>
        <add name="HttpPost"/>
        <add name="HttpGet"/>
        <add name="Documentation"/>
      </protocols>
    </webServices>
 </system.web>
 
 
 <configuration>
 <system.webServer>  
    <httpProtocol>   
    <customHeaders>   
      <add name="Access-Control-Allow-Methods" value="OPTIONS,POST,GET"/>   
      <add name="Access-Control-Allow-Headers" value="x-requested-with,content-type"/>   
      <add name="Access-Control-Allow-Origin" value="*" />   
    </customHeaders>   
  </httpProtocol>   
  <modules>  
    <add name="MyHttpModule" type="WebServiceDemo.MyHttpModule"/>  
  </modules>
  </system.webServer>  
</configuration>

If you get the error "Could not load type 'WebServiceDemo.MyHttpModule'", remove:

 <modules>  
    <add name="MyHttpModule" type="WebServiceDemo.MyHttpModule"/>  
  </modules>

If you want only specific sites to be allowed cross-origin access, change the configuration as follows:

<add name="Access-Control-Allow-Origin" value="http://www....." />  

ajax – Enabling the Access-Control-Allow-Credentials header on an Azure Website (Azure App Services)

We recently migrated an API application from Azure Cloud Services to Azure Websites, and some clients still authenticate using our old protocol, which uses cookies (rather than the usual Authorization: Bearer HTTP header). We need to support this authentication protocol for a while, because the clients cannot migrate immediately.

To support cookies in cross-origin ajax requests against the API, the client needs to set withCredentials to true on the XMLHttpRequest, and the server needs to respond to any CORS request with the Access-Control-Allow-Credentials header.

The problem we face is that Azure Websites manages CORS itself and responds using its own configuration (limited to a list of allowed origins), which does not allow this header to be set... thereby breaking all of our ajax clients!

Is there a way to (temporarily) add this header to the response?

We finally managed to understand the behavior of the Azure Apps CORS middleware. To disable it, you must clear every allowed-origin entry (including *) in the web app's CORS blade. Then you can manage CORS yourself, using the Web API 2 feature or web.config.

This information is even available in the documentation:

Don't try to use both Web API CORS and App Service CORS in one API app. App Service CORS will take precedence and Web API CORS will have no effect. For example, if you enable one origin domain in App Service, and enable all origin domains in your Web API code, your Azure API app will only accept calls from the domain you specified in Azure.

So the final answer is: if your application does not need very specific CORS management, you can use Azure App Service CORS. Otherwise, you will need to handle it yourself and disable all CORS configuration in the web app.

Angular 11 web application blocked by CORS policy: access-control-allow-origin is not allowed by Access-Control-Allow-Headers in preflight response

How do I fix "Angular 11 web application blocked by CORS policy: access-control-allow-origin is not allowed by Access-Control-Allow-Headers in preflight response"?

I am trying to develop a web application locally with Angular 11 using the reddit API, and I am trying to obtain an authentication token following the instructions at this link: Reddit OAuth2 docs

However, I am running into some problems.

I have set up my headers in the service to include the usual methods, for example:

httpOptions = {
  headers: new HttpHeaders({
    "Content-Type": "application/x-www-form-urlencoded",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET,HEAD,OPTIONS,POST,PUT",
    "Access-Control-Allow-Headers": "Origin,X-Requested-With,Content-Type,Accept,x-client-key,x-client-token,x-client-secret,Authorization",
  })
};

I set up the function that retrieves the auth token in the service:

getRedditAuthToken() {
 console.log("Auth token");
 return this.http.get<any>(this.redditAuthUrl,this.httpOptions);
}

The parameters of redditAuthUrl are taken from reddit's OAuth docs:

https://www.reddit.com/api/v1/authorize?client_id=CLIENT_ID&response_type=TYPE&
state=RANDOM_STRING&redirect_uri=URI&duration=DURATION&scope=ScopE_STRING

Finally, the service is called from the component:

getRedditAuthToken(): void {
    this.redditService.getRedditAuthToken().subscribe((data) => {
      console.log(data);
    });
  }

But when trying to obtain the auth token, I get the following error (found in the network inspector):

Access to XMLHttpRequest at 'https://www.reddit.com/api/v1/authorize.compact?client_id=<client_id>&response_type=code&state=<random_string>&redirect_uri=http://localhost:4200/reddit&duration=temporary&scope=identity' from origin 'http://localhost:4200' has been blocked by CORS policy: Request header field access-control-allow-origin is not allowed by Access-Control-Allow-Headers in preflight response
GET https://www.reddit.com/api/v1/authorize.compact?client_id=<client_id>&response_type=code&state=<random_string>&redirect_uri=http://localhost:4200/reddit&duration=temporary&scope=identity net::ERR_FAILED
ERROR HttpErrorResponse {headers: HttpHeaders, status: 0, statusText: "Unknown Error", url: "https://www.reddit.com/api/v1/authorize.compact?cl…ost:4200/reddit&duration=temporary&scope=identity", ok: false, …}

I have tried several solutions, such as starting Angular with a proxy JSON file, modifying the httpHeaders, and testing other reddit OAuth token retrieval methods (using POST), but I always run into the same CORS problem.

Solution

No working solution for this problem has been found yet; the editor is still looking.

