Why the /proc/<pid>/* files of a non-root process are owned by root

Problem:
A non-root process A has pid N. When we look at the attributes of the files under /proc/N/, we find that their user:group is root:root rather than the user:group that A runs as.

Analysis:
According to https://man7.org/linux/man-pages/man5/proc.5.html:

/proc/[pid]
There is a numerical subdirectory for each running process;
the subdirectory is named by the process ID. Each /proc/[pid]
subdirectory contains the pseudo-files and directories
described below.
The files inside each /proc/[pid] directory are normally owned
by the effective user and effective group ID of the process.
However, as a security measure, the ownership is made
root:root if the process's "dumpable" attribute is set to a
value other than 1.

So if a process's dumpable attribute has been set to a value other than 1, the ownership of /proc/<pid>/ becomes root:root.

Next, let us look at when a process's dumpable attribute gets set to something other than 1.
According to https://man7.org/linux/man-pages/man2/prctl.2.html:

PR_SET_DUMPABLE (since Linux 2.3.20)
Set the state of the "dumpable" attribute, which determines
whether core dumps are produced for the calling process upon
delivery of a signal whose default behavior is to produce a
core dump.
In kernels up to and including 2.6.12, arg2 must be either 0
(SUID_DUMP_DISABLE, process is not dumpable) or 1
(SUID_DUMP_USER, process is dumpable). Between kernels 2.6.13
and 2.6.17, the value 2 was also permitted, which caused any
binary which normally would not be dumped to be dumped
readable by root only; for security reasons, this feature has
been removed. (See also the description of /proc/sys/fs/
suid_dumpable in proc(5).)
Normally, the "dumpable" attribute is set to 1. However, it
is reset to the current value contained in the file
/proc/sys/fs/suid_dumpable (which by default has the value 0),
in the following circumstances:

  • The process's effective user or group ID is changed.
  • The process's filesystem user or group ID is changed (see
    credentials(7)).
  • The process executes (execve(2)) a set-user-ID or set-
    group-ID program, resulting in a change of either the
    effective user ID or the effective group ID.
  • The process executes (execve(2)) a program that has file
    capabilities (see capabilities(7)), but only if the
    permitted capabilities gained exceed those already
    permitted for the process.

Normally a process's dumpable attribute defaults to 1, but in a few situations it is reset to the value held in /proc/sys/fs/suid_dumpable. The case that matches our scenario is the last one: the process's exe file has file capabilities set, and the permitted capabilities gained exceed those the process already had before the exec. Checking our /proc/sys/fs/suid_dumpable confirms that it indeed holds a value other than 1.
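To see this behaviour directly, here is a small diagnostic program (an added example, not part of the original post) that prints the euid, the system's suid_dumpable setting and the process's own dumpable attribute, then toggles dumpable with prctl(2) and stats /proc/self after each change so the ownership flip described above becomes visible. A capability-bearing program that wants its /proc files owned by its own user can use the same prctl(PR_SET_DUMPABLE, 1) call after startup.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Dumpable attribute of the calling process (0 or 1), or -1 on error. */
int get_dumpable(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Set dumpable to 0 or 1; returns the value read back, or -1 on error. */
int set_dumpable(int value)
{
    if (prctl(PR_SET_DUMPABLE, value, 0, 0, 0) != 0)
        return -1;
    return get_dumpable();
}

/* Compare the owner of /proc/self with the effective uid.
 * Returns 1 if they match, 0 if not, -1 if /proc/self cannot be stat'ed.
 * The owner uid is stored in *owner_out when it is non-NULL. */
int proc_self_owned_by_euid(uid_t *owner_out)
{
    struct stat st;
    if (stat("/proc/self", &st) != 0)
        return -1;
    if (owner_out)
        *owner_out = st.st_uid;
    return st.st_uid == geteuid();
}

/* Value of /proc/sys/fs/suid_dumpable, or -1 if it cannot be read. */
int read_suid_dumpable(void)
{
    FILE *f = fopen("/proc/sys/fs/suid_dumpable", "r");
    int v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    uid_t owner = 0;
    printf("euid=%u suid_dumpable=%d dumpable=%d\n",
           (unsigned)geteuid(), read_suid_dumpable(), get_dumpable());
    set_dumpable(0);                     /* mimic the reset after exec */
    proc_self_owned_by_euid(&owner);
    printf("dumpable=0: /proc/self owner uid=%u\n", (unsigned)owner);
    set_dumpable(1);                     /* restore normal ownership */
    proc_self_owned_by_euid(&owner);
    printf("dumpable=1: /proc/self owner uid=%u\n", (unsigned)owner);
    return 0;
}
```

Run it as a non-root user to see the owner uid switch to 0 while dumpable is 0 and back to your own uid once it is 1 again.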
