问题复现

编写一个简单的a.c程序

#include <stdio.h>


void main(){
	printf("zzz\n");	
}

编译该程序，生成a.out可执行程序

greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ gcc a.c
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ll
总用量 24
drwxrwxr-x  2 greatwall greatwall 4096 6月   9 14:49 ./
drwx------ 26 greatwall greatwall 4096 6月   9 14:39 ../
-rw-rw-r--  1 greatwall greatwall   55 6月   9 14:38 a.c
-rwxrwxr-x  1 greatwall greatwall 9488 6月   9 14:49 a.out*

可以看到生成的a.out具备可执行权限

执行该程序

greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ./a.out
bash: ./a.out: 权限不够

报错

权限不够

 

解决方案

方案一：设置麒麟系统安全状态为Softmode

greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ sudo setstatus Softmode
[sudo] greatwall 的密码：
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ getstatus 
KySec status: Softmode

exec control: on
file protect: on
kmod protect: on
three admin : off
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ./a.out
zzz

方案二：单独设置a.out文件kysec执行权限

greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ sudo kysec_set -n exectl -v trusted ./a.out
[sudo] greatwall 的密码：
greatwall@greatwall-KVM-Virtual-Machine:~/cproj$ ./a.out
zzz

总结

1. 方案一适合用在开发环境，可有效避免编译生成的各类文件不可执行故障

2. 方案二适合Normal模式下，安装软件后为软件制定可执行权限

附件

kysec_set man手册

kysec_set(8)              System Manager's Manual              kysec_set(8)

NAME
       kysec_set - set kysec label for specfied path(s)

SYNOPSIS
       kysec_set [ -n part ] [ -r ] -v value path1 ..

DESCRIPTION
       kysec_set  set  the kysec label of specified files or directories to
       value.  Kysec label is composed of three parts: identify part,  pro‐
       tect part and exectl part.

       when  not used with -n option, kysec label should be in such format:
       "identify:protect:exectl". Set the new value to 'none' to clear  the
       corresponding part of kysec label.

       for identify part, these values are valid:

           secadm          commands for secadm

           audadm          commands for auditadm

       for exectl part, these values are valid:

           unknown              unknown files

           original             original system files

           verified             verified 3rd party files

           kysoft               software installer

           trusted              trusted files

       for protect part, only readonly is valid.

OPTIONS
       -n          set  specified part of kysec labels. part can be exectl,
              userid or protect.

       -r          process labels recursively, only usable for directories.

       -v          the new label value

EE ALSO
       getstatus(8), setstatus(8), kysec_get(8)

                                                               kysec_set(8)