On Feb 6 2008 18:04, Justin McCann wrote:
>>>
>>>I'd like to use libnetfilter_conntrack to track connections per
>>>UID and/or by PID, ...
>>
>> You are facing the same issues as xt_socket (currently, and
>> unfortunately, still named xt_owner) - in that sockets do not
>> necessarily have an owner, much less exactly one associated PID.
>
>That doesn't surprise me too much, given how e.g. sshd handles
>connections (sockets are uid 0).

- sshd created the socket as root (dunno why it did that as root :-)
- so skb->sk->sk_socket->file->f_uid is root, no matter if it called
  setuid(2) or not.
- binds to port 22 (requires root)
- accept(2), privilege separation and all that

(I notice an interesting upcoming problem for input-path owner
processing as projected with tproxy's help.)

>Is this mainly a setuid issue, or
>is there something else interesting going on behind the scenes?
>
>I'm attempting to make an auto-updating tcpdump filter, so
>unprivileged users could tcpdump their own connections without
>compromising privacy.

In that case, using ->f_uid should work for all (locally-generated)
outgoing traffic. It is the best you can get right now.

About input, a test would be needed (examining things) because I
suspect that ssh sessions can be wrongly attributed to root when
there's a normal user sitting behind it.

PID matching is not possible. Or rather, if it was, you'd spend a
ridiculous amount of time scanning all processes' fd tables on every
packet. And that's just the kernel side. How you wire that up in
netlink is another story.