Re: Get UID from netlink/conntrack

On Feb 6 2008 18:04, Justin McCann wrote:
>>>
>>>I'd like to use libnetfilter_conntrack to track connections per
>>>UID and/or by PID, ...
>> 
>> You are facing the same issues as xt_socket (currently, and
>> unfortunately, still named xt_owner) - in that sockets do not
>> necessarily have an owner, much less exactly one associated PID.
>
>That doesn't surprise me too much, given how e.g. sshd handles
>connections (sockets are uid 0).

- sshd created the socket as root (dunno why it did that as root :-)
- so skb->sk->sk_socket->file->f_uid is root, no matter
  if it called setuid(2) or not.
- binds to port 22 (requires root)
- accept(2), privilege separation and all that

(I notice an interesting upcoming problem for input-path owner
processing as projected with tproxy's help.)

>Is this mainly a setuid issue, or
>is there something else interesting going on behind the scenes?
>
>I'm attempting to make an auto-updating tcpdump filter, so
>unprivileged users could tcpdump their own connections without
>compromising privacy.

In that case, using ->f_uid should work for all (locally-generated)
outgoing traffic. It is the best you can get right now.

About input, a test would be needed (examining things) because I
suspect that ssh sessions can be wrongly attributed to root when
there's a normal user sitting behind it.

PID matching is not possible. Or rather, if it was, you'd spend a
ridiculous amount of time scanning all processes' fd tables on every
packet.

And that's just the kernel side. How you wire that up in netlink
is another story.
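An added example, not code from the thread, of the outgoing-only attribution described in the reply: it assumes each locally originated flow's conntrack mark has already been set to the owning UID (for instance by an iptables owner match plus CONNMARK in the OUTPUT chain, which is an assumption, not something the thread states). The script parses constructed /proc/net/nf_conntrack lines and builds a tcpdump filter covering one user's connections only, treating unmarked flows (which is what inbound sessions such as an ssh login would look like) as unattributed rather than as root's.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/net/nf_conntrack lines (not a real capture).
# Assumption: a rule such as
#   iptables -t mangle -A OUTPUT -m owner --uid-owner N -j CONNMARK --set-mark N
# stamped each locally originated flow's mark with the owning UID, which is
# how f_uid-based attribution reaches conntrack in this example.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=93.184.216.34 sport=54321 dport=443 src=93.184.216.34 dst=10.0.0.5 sport=443 dport=54321 [ASSURED] mark=1000 zone=0 use=2
ipv4     2 udp     17 29 src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40000 mark=1000 zone=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.9 dst=10.0.0.5 sport=50123 dport=22 src=10.0.0.5 dst=203.0.113.9 sport=22 dport=50123 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=33333 dport=80 src=198.51.100.7 dst=10.0.0.5 sport=80 dport=33333 [ASSURED] mark=1001 zone=0 use=2
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(text: str) -> List[Dict[str, object]]:
    """Parse each line into {proto, mark, src, dst, sport, dport}.

    The first src/dst/sport/dport group on a line is the ORIGINAL direction
    (who opened the flow); the second is the REPLY direction and is skipped.
    A missing mark= field is treated as mark 0, i.e. unattributed."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[2]            # third column: tcp / udp / ...
        pairs = FIELD.findall(line)
        orig: Dict[str, object] = {}
        for key, val in pairs:
            if key in ("src", "dst", "sport", "dport") and key not in orig:
                orig[key] = val
        mark = next((v for k, v in pairs if k == "mark"), "0")
        flows.append({"proto": proto, "mark": int(mark), **orig})
    return flows


def tcpdump_filter_for_uid(text: str, uid: int) -> str:
    """Build a BPF expression matching both directions of every flow whose
    conntrack mark equals uid. Mark 0 is never trusted as "root": it is
    also what an unmarked (e.g. inbound) flow carries, so uid 0 gets no
    flows and an empty expression."""
    terms = []
    for f in parse_conntrack(text):
        if f["mark"] == 0 or f["mark"] != uid:
            continue
        # host/port match either end, so one term covers both directions
        terms.append(f"({f['proto']} and host {f['src']} and host {f['dst']}"
                     f" and port {f['sport']} and port {f['dport']})")
    return " or ".join(terms)
```

Writing the returned expression to a file and passing it with `tcpdump -F <file>` is how it would be fed to tcpdump; regenerate it whenever the conntrack table changes.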