4.4. ºÞ²z±±¨î

·í±zºÞ²z¤@³¡®a¥Î¹q¸£®É¡A¨Ï¥ÎªÌ¥²¶·¥H root ¨Ï¥ÎªÌ©ÎªÌ¬O³z¹L¤@ºØ setuid µ{¦¡ ¡]¦p sudo ©Î su¡^¨ÓÀò¨ú¦³®Äªº root Åv­­¤~¯à°õ¦æ¤@¨Ç¨t²ÎªººÞ²z ¤u§@¡C setuid µ{¦¡¥i¥H¨Ï±z¥H¸Óµ{¦¡¾Ö¦³ªÌªº¨Ï¥ÎªÌ ID (UID)¨Ó°õ¦æ¸Óµ{¦¡¡A¦Ó¤£¬O ¥H°õ¦æ¦¹µ{¦¡ªº¨Ï¥ÎªÌ¡C ¦p¦¹ªºµ{¦¡¥H¤@­Ó¤p¼gªº s ¼Ð¥Ü¦bªø®æ¦¡¦Cªí ¤¤ªº¾Ö¦³ªÌ³¡¥÷¡A¦p¥H¤Uªº¨Ò¤l©Ò¥Ü¡G

-rwsr-xr-x    1 root     root        47324 May  1 08:09 /bin/su

µM¦Ó¹ï©ó¤@¶¡¤½¥qªº¨t²ÎºÞ²z­û¡A¥L¥²¶·¨M©w¤½¥q¤º³¡ªº¨Ï¥ÎªÌ¹ï¥L­Ìªº¾÷¾¹¯à°÷¦³¦h¤ÖªººÞ²z¦s¨úÅv­­¡C ÂǥѺ٬° pam_console.so ªº¤@­Ó PAM ¼Ò²Õ¡A¬Y¨Ç¦æ¬°³q±`¥u«O¯dµ¹ root ¨Ï¥ÎªÌ¡A ¨Ò¦p­«·s¶}¾÷¥H¤Î±¾¸ü²¾°£¦¡ªº´CÅéµ¥¤u§@¶È¤¹³\¦b¹êÅé¥D±±¥x²Ä¤@­Óµn¤Jªº¨Ï¥ÎªÌ¡]½Ð°Ñ¦Ò Red Hat Enterprise Linux °Ñ¦Ò¤â¥U ¤@®Ñ¤¤ªº Pluggable Authentication Modules (PAM) ³¹¸`¥H¨ú±oÃö©ó pam_console.so ¼Ò²Õªº§ó¦h¸ê°T¡^¡C µM¦Ó¡A¨Ò¦p­×§ïºô¸ô³]©w¡B°t¸m¤@­Ó·s¥[¤Jªº·Æ¹«©Î ±¾¸üºô¸ô¸Ë¸mµ¥ªº¨ä¥L­«­n¨t²ÎºÞ²z¤u§@¡A¦b¯Ê¤ÖºÞ²zÅv­­ªº±¡ªp¤U¡A±NµLªk¦s¨ú¾Þ§@¡C ³Ì²×¡A¨t²ÎºÞ²z­ûÁÙ¬O ±o¨M©wºô¸ô¤º³¡ªº¨Ï¥ÎªÌ¥i¥H¾Ö¦³¦h¤ÖºÞ²z©Êªº¦s¨ú¡C

4.4.1. ¤¹³\ root ¦s¨ú

°²¦p¤½¥q¤º³¡ªº¬Y¨Ç¨Ï¥ÎªÌ¬O¥i«H¿àªº¡A¥BÄÝ©ó¹q¸£²z¸Ñ¯à¤O·¥¨Îªº¤@¸s¡A±z©Î³\¥i¥H¤¹³\¥L­Ì¾Ö¦³ root ªº ¦s¨úÅv­­¡A¤¹³\¨Ï¥ÎªÌªº root ¦s¨úªí¥Ü¨Ò¦p·s¼W¸Ë¸m©Î³]©wºô¸ô¤¶­±µ¥¤p¨Æ±¡¥i¥H¥Ñ­Ó§O¨Ï¥ÎªÌ¨Ó³B²z¡A¥HÅý ¨t²ÎºÞ²z­û¨Ó³B²zºô¸ô¦w¥þ©Ê¥H¤Î¨ä¥L­«­nªº°ÝÃD¡C

¦b¥t¤@¤è­±¡Aµ¹¤©­Ó§O¨Ï¥ÎªÌ root ¦s¨ú¤]¥i¯à·|¾É­P¤U¦Cªº°ÝÃDµo¥Í¡G

4.4.2. ¤£¤¹³\ root ¦s¨ú

°²¦p¨t²ÎºÞ²z­û¥Ñ©ó³o¨Ç©Î¨ä¥L­ì¦]¡A¤£·Q¤¹³\¨Ï¥ÎªÌµn¤J¬° root¡Aroot ±K½X¥²¶·«O«ù¾÷±K¡A¦Ó¥B¥²¶·³z¹L ¶}¾÷ºÞ²zµ{¦¡ªº±K½X«OÅ@¨Ó¸T¤î¶i¤J°õ¦æµ¥¯Å¤@©ÎªÌ¬O³æ¤@¨Ï¥ÎªÌ¼Ò¦¡¡]½Ð°Ñ¦Ò ²Ä 4.2.2 ¸` ¥H¨ú±oÃö©ó³o­Ó¥DÃDªº§ó¦h¸ê°T¡^¡C

ªí®æ 4-1 Åã¥Ü¥X¤@­Ó¨t²ÎºÞ²z­û¥i¥H¶i¤@¨B½T©w root µn¤J¤w°±¥Îªº¤èªk¡G

¤èªk»¡©ú®ÄÀ³¨S¦³¼vÅT
§ó§ï root shell¡C½s¿è /etc/passwd ÀɮסA¨Ã¥B§ó§ï shell ±q /bin/bash ¬° /sbin/nologin¡C

¨¾¤î root shell ªº¦s¨ú¡A¨Ã¥B¬ö¿ý©Ò§@ªº°Ê§@¡C
¥H¤Uªºµ{¦¡³Q¸T¤î¦s¨ú root ±b¸¹¡G
· login
· gdm
· kdm
· xdm
· su
· ssh
· scp
· sftp

¤£»Ý­n shell ªºµ{¦¡¡A¨Ò¦p FTP ¥Î¤áºÝ¡B¶l¥ó¥Î¤áºÝ¥H¤Î³\¦h setuid µ{¦¡¡C
¤U¦Cªºµ{¦¡±NµLªkÁ×§K¦s¨ú root ±b¸¹¡G
· sudo
· FTP ¥Î¤áºÝ
· ¹q¤l¶l¥ó¥Î¤áºÝ

³z¹L¥ô¦ó¥D±±¥x¸Ë¸m (tty) °±¥Î root ¦s¨ú¡C¤@­ÓªÅ¥Õªº /etc/securetty ÀÉ®×±N¥i¨¾¤î root µn¤J¨ì¥ô¦ó³s±µ¨ì¹q¸£ªº¸Ë¸m¡C

¨¾¤î³z¹L¥D±±¥x©Îºô¸ô¦s¨ú root ±b¸¹¡A¤U¦Cªºµ{¦¡±NµLªk¦s¨ú root ±b¸¹¡G
· login
· gdm
· kdm
· xdm
· ¨ä¥Lªººô¸ôªA°È±N¶}±Ò¤@­Ó tty

¤£µn¤J¬° root ªºµ{¦¡¡A¤£¹L«o³z¹L setuid ©Î¨ä¥L¾÷¨î¨Ó°õ¦æºÞ²z¤u§@¡C
¤U¦Cªºµ{¦¡±NµLªkÁ×§K¦s¨ú root ±b¸¹¡G
· su
· sudo
· ssh
· scp
· sftp

°±¥Î root SSH µn¤J¡C½s¿è /etc/ssh/sshd_config ÀɮסA¨Ã¥B³]©w PermitRootLogin °Ñ¼Æ¬° no¡C

¨¾¤î³z¹L OpenSSH ®M¸Ë¤u¨ã¶i¦æ root ¦s¨ú¡A¤U¦Cªºµ{¦¡³QÁ×§K¦s¨ú root ±b¸¹¡G
· ssh
· scp
· sftp

³o¥u·|Á×§K root ¦s¨ú¨ì OpenSSH ªº®M¸Ë¤u¨ã¡C

¨Ï¥Î PAM ¨Ó­­¨î root ¦s¨úªA°È¡C½Ð½s¿è /etc/pam.d/ ¥Ø¿ý¤¤¥Ø¼ÐªA°ÈªºÀɮסA½Ð½T©w pam_listfile.so ¬O»Ý­n¥Î©ó»{ÃÒªº¡C ½Ð°Ñ¦Ò ²Ä 4.4.2.4 ¸` ¥H¨ú±o¸Ô²Ó¸ê°T¡C

¨¾¤î root ¦s¨ú PAM ºÞ²zªººô¸ôªA°È¡C
¤U¦CªºªA°È³Q¨¾¤î¦s¨ú root ±b¸¹¡G
· FTP ¥Î¤áºÝ
· ¹q¤l¶l¥ó¥Î¤áºÝ
· login
· gdm
· kdm
· xdm
· ssh
· scp
· sftp
· ¥ô¦ó¥Ñ PAM ºÞ²zªºªA°È

¤£¥Ñ PAM ºÞ²zªºµ{¦¡»PªA°È¡C

ªí®æ 4-1. °±¥Î root ±b¸¹ªº¤èªk

4.4.2.1. °±¥Î Root Shell

¦p­n¨¾¤î¨Ï¥ÎªÌª½±µµn¤J¬° root¡A¨t²ÎºÞ²z­û¥i¥H¦b /etc/passwd Àɮ׳]©w root ±b¸¹ªº shell ¬° /sbin/nologin¡A³o±N¥iÁ×§K³z¹L»Ý­n shell ¤§«ü¥O¨Ó¦s¨ú root ±b¸¹¡A¨Ò¦p su »P ssh «ü¥O¡C

­«­n­«­n
 

¤£»Ý¨Ï¥Î shell ªºµ{¦¡¡]¦p¹q¤l¶l¥ó¥Î¤áºÝ©Î sudo «ü¥O¡^¡A¤´µM¥i¥H¦s¨ú root ±b¸¹¡C

4.4.2.2. °±¥Î root µn¤J

¦p­n¶i¤@¨B¦a­­¨î¦s¨ú root ±b¸¹¡A¨t²ÎºÞ²z­û¥i¥H½s¿è /etc/securetty ÀɮרӰ±¥Î ¦b¥D±±¥xªº root µn¤J¡C ³o­ÓÀɮצC¥X root ¨Ï¥ÎªÌ¤¹³\µn¤Jªº©Ò¦³¸Ë¸m¡A°²¦p¦¹ÀÉ®×®Ú¥»¤£¦s¦bªº¸Ü¡Aroot ¨Ï¥ÎªÌ¥i¥H³z¹L¥ô¦ó¨t²Î¤Wªº³q°T¸Ë¸m¶i¦æµn¤J¡A¤£ºÞ¬O³z¹L¥D±±¥x©Î¬O¤@­Ó­ì¥Íªººô¸ô¤¶­±¡C ³o¼Ë°µ¬O«Ü¦M ÀIªº¡A¦]¬°¨Ï¥ÎªÌ¥i¥H¥H root ¨­¥÷ Telnet ¨ì¥Lªº¾÷¾¹¡A¦A±N¥Lªº±K½X¥H©ú¤å¸g¥Ñºô¸ô¶Ç°e¡C ¹w³]±¡ªp¤U¡A Red Hat Enterprise Linux /etc/securetty ÀÉ®×¥u¤¹³\ root ¨Ï¥ÎªÌ¦b¹êÅé³s±µ¨ì¾÷¾¹ªº¥D±±¥xµn¤J¡A¦p­n ¨¾¤î root µn¤J¡A½Ð¿é¤J¤U¦C«ü¥O¨Ó²¾°£¦¹Àɮתº¤º®e¡G

echo > /etc/securetty

ĵ§iĵ§i
 

¤@­ÓªÅ¥Õªº /etc/securetty ÀÉ®×µLªkÁ×§K root ¨Ï¥ÎªÌ¨Ï¥Î OpenSSH ®M¸Ë¤u¨ã»·ºÝµn¤J¡A¦]¬°¦b»{ÃÒ¦¨¥\«á¡A¥D±±¥x¤~·|¶}±Ò¡C

4.4.2.3. °±¥Î root ªº SSH µn¤J

¦p­n¨¾¤î³z¹L SSH ¨ó©wªº root µn¤J¡A½Ð½s¿è SSH ¨t²Îµ{¦¡ªº³]©wÀÉ®× (/etc/ssh/sshd_config)¡A §ó§ï¦p¤Uªº³o¤@¦æ¡G

# PermitRootLogin yes

¬°¦p¤U©Ò¥Ü¡G

 
PermitRootLogin no

4.4.2.4. ¨Ï¥Î PAM °±¥Î root

³z¹L /lib/security/pam_listfile.so ¼Ò²Õ¡APAM ¤¹³\¬Û·í¤jªº¼u©Ê¥Î¨Ó©Úµ´¯S©wªº±b¸¹¡C ³o¨Ï±o¨t²ÎºÞ²z­û¥i¥H«ü©w³o­Ó¼Ò²Õµ¹¤£¤¹³\µn¤Jªº¨Ï¥ÎªÌ²M³æ¡C ¥H¤U¬°¦b /etc/pam.d/vsftpd PAM ³]©wÀɮפ¤¦p¦ó¨Ï¥Î³o­Ó¼Ò²Õ¦b vsftpd FTP ¦øªA¾¹ªº¨Ò¤l¡]°²¦p³o­Ó«ü¥O¥u ¦³¤@¦æªº¸Ü¡A¤U¦C¨Ò¤l²Ä¤@¦æ³Ì«áªº \ ²Å¸¹¬O¤£ »Ý­nªº¡^¡G

auth   required   /lib/security/pam_listfile.so   item=user \
sense=deny file=/etc/vsftpd.ftpusers onerr=succeed

³o±N§iª¾ PAM ¼Ò²Õ¨Ó¬d¸ß /etc/vsftpd.ftpusers ÀɮסA¨Ã¥B©Úµ´¥ô¦ó¦C¥Xªº¨Ï¥ÎªÌ ¦s¨ú³o­ÓªA°È¡A¨t²ÎºÞ²z­û¥i¥H;Åܧó³o­ÓÀɮתº¦WºÙ¡A¦Ó¥B¤]¥i¥H¬°¨C¤@­ÓªA°È«O¦s¤@­Ó¤£¦Pªº²M³æ¡A©ÎªÌ¬O ¨Ï¥Î¤@­Ó¤¤¥¡ªº²M³æ¨Ó©Úµ´¦s¨ú¦h­ÓªA°È¡C

°²¦p¨t²ÎºÞ²z­û·Q­n©Úµ´¹ï¦h­ÓªA°Èªº¦s¨ú¡A¥i¥H¼W¥[Ãþ¦üªº¤@¦æ¨ì PAM ³]©wªA°È¤¤¡A¦p¥Î©ó¹q¤l¶l¥ó¥Î¤áºÝ ªº /etc/pam.d/pop »P /etc/pam.d/imap ÀɮסA©Î¥Î©ó SSH ¥Î¤áºÝªº /etc/pam.d/ssh ÀɮסC

¦p»ÝÃö©ó PAM ªº§ó¦h¸ê°T¡A½Ð°Ñ¦Ò Red Hat Enterprise Linux °Ñ¦Ò¤â¥U ¤@®Ñ¤¤ªº Pluggable Authentication Modules (PAM) ³¹¸`¡C

4.4.3. ­­¨î root ¦s¨ú

°£¤F§¹¥þ¦a­­¨î root ¨Ï¥ÎªÌªº¦s¨ú¥~¡A¨t²ÎºÞ²z­û¤]¥i¥H¥u¤¹³\³z¹L setuid µ{¦¡ªº¦s¨ú¡A¦p su ©Î sudo¡C

4.4.3.1. su «ü¥O

¦b¿é¤J su «ü¥O«á¡A¨Ï¥ÎªÌ±N·|³Q´£¥Ü¿é¤J root ªº±K½X¡AµM«á¦b»{ÃÒ¦¨¥\«á¡A±N¥i¥H¨ú±o ¤@­Ó root ªº shell ´£¥Ü²Å¸¹¡C

¤@¥¹³z¹L su «ü¥Oµn¤J«á¡A¨Ï¥ÎªÌ«K¦¨¬° root ¨Ï¥ÎªÌ¡A¨Ã¥B¾Ö¦³ §¹¥þªº¨t²ÎºÞ²z¦s¨úÅv­­¡C °£¦¹¤§¥~¡A¤@¥¹¨Ï¥ÎªÌ¨ú±o root µn¤J«á¡A¥L­ÌÁÙ¥i¥H¨Ï¥Î su «ü¥OÂà´«¦¨¨t²Î¤W¥ô¦óªº¨Ï¥ÎªÌ¡A¦Ó¥B¤£»Ý­n¿é¤J¥ô¦óªº±K½X¡C

¦]¬°³o­Óµ{¦¡ªº¥\¯à¦p¦¹±j¤j¡A¤½¥q¤¤ªº¨t²ÎºÞ²z­û¤]³\·Q­n­­¨î½Ö¥i¥H¦s¨ú¨Ï¥Î³o­Ó«ü¥O¡C

³Ì²³æªº¤èªk«K¬O±N¨Ï¥ÎªÌ¥[¤J¨ìºÙ¬° wheel ªº¯S®íºÞ²zªÌ¸s²Õ¡A¦p­n¦p¦¹°µ¡A½Ð¥H root ¨­¥÷¿é¤J¤U¦C«ü¥O¡G

usermod -G wheel <username>

¦b¤W¤@­Ó«ü¥O¤¤¡A½Ð¥H­è­è¼W¥[¨ì wheel ¸s²Õªº¨Ï¥ÎªÌ¦WºÙ¨ú¥N <username>¡C

¦p­n¨Ï¥Î ¨Ï¥ÎªÌºÞ²z­û¡A½Ð¿ï¾Ü­±ªO¤Wªº ¡y¥D¿ï³æ«ö¶s¡z => ¡y¨t²Î³]©w¡z => ¡y¨Ï¥ÎªÌ»P¸s²Õ¡z¡A©ÎªÌ¬O¦b shell ´£¥Ü²Å¸¹¤U¿é¤J redhat-config-users «ü¥O¡C ¿ï¨ú ¡y¨Ï¥ÎªÌ¡z ¼Ðñ­¶¡A¦A±q¨Ï¥ÎªÌ²M³æ¤¤¿ï¨ú¨Ï¥ÎªÌ¡AµM«á±q«ö¶s¿ï³æ¤¤ÂI¿ï ¤º®e¡]©ÎªÌ¬O±q¤U©Ô¦¡ ¿ï³æ¤¤¿ï¾Ü ¡yÀɮסz => ¡y¤º®e¡z¡^¡C

µM«á¿ï¾Ü ¡y¸s²Õ¡z ¼Ðñ­¶¡A¦AÂI¿ï whell ¸s²Õ¡A¦p ¹Ï§Î 4-2.©Ò¥Ü¡C

¹Ï§Î 4-2. ¡y¸s²Õ¡z ¤è®Ø

¦A¨Ó¡A½Ð¦b¤å¦r½s¿è¾¹¤¤¶}±Ò su ªº PAM ³]©wÀÉ®× (/etc/pam.d/su)¡A µM«á±q¤U¦C³o¤@¦æ¤¤²¾°£ [#] µù¸Ñ²Å¸¹¡G

auth  required /lib/security/pam_wheel.so use_uid

¦p¦¹°µªº¸Ü¡A±N¥u·|¤¹³\ºÞ²zªÌ¸s²Õ wheel ªº¦¨­û¨Ï¥Î³o­Óµ{¦¡¡C

ª`½Ðª`·N
 

¹w³]±¡ªp¤U¡Aroot ¨Ï¥ÎªÌ¤w¸g¬O wheel ¸s²Õªº¦¨­û¤§¤@¡C

4.4.3.2. sudo «ü¥O

sudo «ü¥O´£¨Ñµ¹¤©¨Ï¥ÎªÌºÞ²zÅv¦s¨úªº¥t¤@ºØ¤èªk¡A·í¤@­Ó¥i«H¿àªº¨Ï¥ÎªÌ¦b sudo «ü¥O¤§«á¥[¤W¤@­ÓºÞ²zªº«ü¥O¡A¸Ó¨Ï¥ÎªÌ±N·|³Q´£¥Ü¿é¤J¥L¦Û¤vªº±K½X¡A»{ÃÒ¦¨¥\«á¡A¦Ó¥B¤]¤¹³\¨Ï¥Î¸Ó«ü¥O¡A ³o­ÓºÞ²zªº«ü¥O±N·|³Q°õ¦æ¡A¦p¦P¬O¥Ñ root ¨Ï¥ÎªÌ©Ò°õ¦æªº¤@¼Ë¡C

sudo «ü¥Oªº°ò¥»®æ¦¡¦p¤U¡G

sudo <command>

¦b¥H¤Wªº¨Ò¤l¤¤¡A<command> ¥i¥H¥Ñ³q±`¥u«O¯dµ¹ root ¨Ï¥ÎªÌªº¤@­Ó«ü¥O ¨ú¥N¡A¦p mount¡C

­«­n­«­n
 

sudo «ü¥Oªº¨Ï¥ÎªÌ¦bÂ÷¶}¥L­Ìªº¾÷¾¹«e¡A¤@©w­n°O±o¥ýµn¥X¡A¦]¬°¨Ï¥Î sudo ¨Ï¥ÎªÌ¦b ¤­¤ÀÄÁ¤º¥i¥H¦A«×¨Ï¥Î¸Ó«ü¥O¡A¦Ó¤£»Ý­n¿é¤J¥ô¦óªº±K½X¡C ±z¥i¥H³z¹L /etc/sudoers ³]©wÀɮרӭקï³o­Ó³]©w¡C

sudo «ü¥O¤¹³\¬Û·í°ªªºÆF¬¡«×¡A¨Ò¦p¡A¥u¦³©ó /etc/sudoers ³]©w Àɮפ¤¦C¥Xªº¨Ï¥ÎªÌ¤~¥i¥H¨Ï¥Î sudo «ü¥O¡A¦Ó¥B«ü¥O¬O¦b¸Ó¨Ï¥ÎªÌªº shell ¤U°õ¦æ¡A¦Ó¤£¬O root ªº shell¡C ³oªí¥Ü¥i¥H§¹¥þ¦a°±¥Î root shell¡A¦p ²Ä 4.4.2.1 ¸` ©Ò¥Ü¡C

sudo «ü¥O¤]´£¨Ñ¤@­Ó¼sªxªº½]®Ö¦s©³¡A¨C¤@¦¸¦¨¥\ªºµn¤J³£·|¬ö¿ý¨ì /var/log/messages ÀɮסA¦Ó¥B©Ò°õ¦æªºÀÉ®×»P¸Ó¨Ï¥ÎªÌ¦WºÙ¤]³£·|³Q¬ö¿ý¨ì /var/log/secure Àɮפ¤¡C

sudo «ü¥Oªº¥t¤@­ÓÀuÂI¬O¨t²ÎºÞ²z­û¥i¥H¨Ì¾Ú¥L­Ìªº»Ý¨D¨Ó¤¹³\¤£¦Pªº¨Ï¥ÎªÌ¨Ï¥Î¯S©w ªº«ü¥O¡C

·Q­n½s¿è sudo ³]©wÀÉ®× /etc/sudoers ªº¨t²ÎºÞ²z­ûÀ³¸Ó­n¨Ï¥Î visudo «ü¥O¡C

¦p­nµ¹¤©¬Y¤H§¹¾ãªººÞ²zªÌÅv­­¡A½Ð¿é¤J visudo¡A¦A¼W¥[Ãþ¦ü¥H¤Uªº³o¤@¦æ¦b # User privilege specification ³¡¥÷¡G

juan ALL=(ALL) ALL

³o­Ó½d¨Òªí¥Ü¨Ï¥ÎªÌ juan ¥i¥H±q¥ô¦óªº¥D¾÷¨Ï¥Î sudo ¨Ó°õ¦æ¥ô¦óªº«ü¥O¡C

¤U¦Cªº½d¨ÒÅã¥Ü¥X³]©w sudo ®É©Ò¯à°t¸mªº³]©w¡G

%users  localhost=/sbin/shutdown -h now

³o­Ó½d¨Òªí¥Ü¥ô¦ó¨Ï¥ÎªÌ¥i¥H°õ¦æ /sbin/shutdown -h now «ü¥O¡A¥u­n¸Ó«ü¥O¬O±q¥D±±¥x¤¤°õ¦æªº¸Ü¡C

sudoers ªº man page §t¦³³o­ÓÀÉ®×¥i¥H¨Ï¥Îªº¤@­Ó¸Ô²Ó¿ï¶µ²M³æ¡C