Re: Get UID from netlink/conntrack

Re: Get UID from netlink/conntrack

[Justin McCann]

----- Original Message ----
> From: Jan Engelhardt <jengelh@computergmbh.de>
> >I'd like to use libnetfilter_conntrack to track connections per UID
> >and/or by PID, ...
> 
> You are facing the same issues as xt_socket (currently, and
> unfortunately, still named xt_owner) - in that sockets do not
> necessarily have an owner, much less exactly one associated PID.

That doesn't surprise me too much, given how e.g. sshd handles connections (sockets are uid 0). Is this mainly a setuid issue, or is there something else interesting going on behind the scenes?

I'm attempting to make an auto-updating tcpdump filter, so unprivileged users could tcpdump their own connections without compromising privacy. For those purposes having the largest possible subset of connections 'owned/initiated' by a given user will do-- better something than nothing. In the cases where there isn't a known PID/UID, 0 would suffice (maybe -1 for PID since it appears to be a signed int). There are probably other applications this wouldn't work too well for, e.g. using the firewall to prevent any new connections by a user. But there are probably better ways to do that. 

It doesn't look like nfnetlink_log does any special handling in case the real uid isn't known. Is distinguishing between 'unknown/not set' and 0 important enough to handle specially (e.g. with a separate flag)?

BTW, I see that in 2.6.23, net/netfilter/nfnetlink_log.c:505 just grabs the uid directly out of the skb->.... Should that use sock_i_uid(skb) instead? That chain of macros/functions uses vfs_inode instead of sk_socket->file->f_uid, FWIW.

   Justin


      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ 

Re: Get UID from netlink/conntrack

[Jan Engelhardt]

On Feb 6 2008 18:04, Justin McCann wrote:
>>>
>>>I'd like to use libnetfilter_conntrack to track connections per
>>>UID and/or by PID, ...
>> 
>> You are facing the same issues as xt_socket (currently, and
>> unfortunately, still named xt_owner) - in that sockets do not
>> necessarily have an owner, much less exactly one associated PID.
>
>That doesn't surprise me too much, given how e.g. sshd handles
>connections (sockets are uid 0).

- sshd created the socket as root (dunno why it did that as root :-)
- so skb->sk->sk_socket->file->f_uid is root, no matter
  if it called setuid(2) or not.
- binds to port 22 (requires root)
- accept(2), privilege separation and all that

(I notice an interesting upcoming problem for input-path owner
processing as projected with tproxy's help.)

>Is this mainly a setuid issue, or
>is there something else interesting going on behind the scenes?
>
>I'm attempting to make an auto-updating tcpdump filter, so
>unprivileged users could tcpdump their own connections without
>compromising privacy.

In that case, using ->f_uid should work for all (locally-generated)
outgoing traffic. It is the best you can get right now.

About input, a test would be needed (examining things) because I
suspect that ssh sessions can be wrongly attributed to root when
there's a normal user sitting behind it.

PID matching is not possible. Or rather, if it was, you'd spend a
ridiculous amount of time scanning all processes' fd tables on every
packet.

And that's just the kernel side. How you wire that up in netlink
is another story.

Re: Get UID from netlink/conntrack

[Justin McCann]

----- Original Message ----
> From: Jan Engelhardt <jengelh@computergmbh.de>
> >I'm attempting to make an auto-updating tcpdump filter, so
> >unprivileged users could tcpdump their own connections without
> >compromising privacy.
> 
> In that case, using ->f_uid should work for all (locally-generated)
> outgoing traffic. It is the best you can get right now.

I see that where /proc/net/tcp gets populated in net/ipv4/tcp_ipv4.c, the inode and uid use sock_i_uid() and sock_i_ino() for connections in TCP_SEQ_STATE_{LISTENING,ESTABLISHED}. Is there a reason to use ->f_uid instead?

That should get both incoming and outgoing, no? Or is the uid/inode not set up for outgoing connections in the SYN_SENT state? My question here is-- is there any chance I'd be notified of active-open/locally-initiated connections before the outgoing SYN packet gets sent?

> About input, a test would be needed (examining things) because I
> suspect that ssh sessions can be wrongly attributed to root when
> there's a normal user sitting behind it.

Right-- but although I'd like to see those connections as well, I'll take what I can get without too many changes. Clearly a problem for other applications.

> PID matching is not possible. Or rather, if it was, you'd spend a
> ridiculous amount of time scanning all processes' fd tables on every
> packet.

I was thinking the same thing, but the kernel has to actually queue up the data to socket. It would be nice if the sk_peercred actually got populated once the socket was created, but only for AF_UNIX. But then again, you can actually pass sockets between processes, so who owns it then? The PID isn't so important, just a nice-to-have.

Also, I only care to update the bpf filter when the connections change (which is exactly why conntrack is almost perfect for it), so I think/hope there shouldn't be any particular per-packet overhead. 

> And that's just the kernel side. How you wire that up in netlink
> is another story.

Yeah, about that....

    Justin


      ____________________________________________________________________________________
Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  http://tools.search.yahoo.com/newsearch/category.php?category=shopping

Get UID from netlink/conntrack

[Justin McCann]

I'd like to use libnetfilter_conntrack to track connections per UID and/or by PID, but AFAICT the nfnetlink conntrack messages don't include the user id, process id, or inode (useful for cross-referencing). I noticed that the nfnetlink_log messages have the uid, but I don't think I want to invoke the filtering & logging subsystem just to track connection changes.

If I were to add the UID and/or pid or inode to the conntrack messages, what's the right way to go about doing that? I realize I'd have to patch the kernel,  libnetfilter_conntrack, and conntrack-tools, but I'd like to do that in a way that won't break the messaging protocol for other applications if possible.

On the kernel side, I think this requires:
- make an additional enum ctattr_type (CTA_UID) 
- include that attribute in the IPCNTL_MSG_CT_{NEW,UPDATE,DELETE} messages
- add a ctnetlink_dump_uid() function, using NFA_PUT with the result of sock_i_uid(skb->sock)
- add the call to ctnetlink_dump_uid() in ctnetlink_fill_info()

With the appropriate mods in libnetfilter_conntrack, and maybe an option to the conntrack command line tool to output that info if requested. 

Is this the right way to go about it, and if so would that break anything in terms of backwards compatibility (e.g. programs using older versions of the libraries)? Any other reason not to do it?

Thanks,
   Justin McCann








      ____________________________________________________________________________________
Never miss a thing.  Make Yahoo your home page. 
http://www.yahoo.com/r/hs

Re: Get UID from netlink/conntrack

[Jan Engelhardt]

On Feb 6 2008 12:30, Justin McCann wrote:
>
>I'd like to use libnetfilter_conntrack to track connections per UID
>and/or by PID, but AFAICT the nfnetlink conntrack messages don't
>include the user id, process id, or inode (useful for
>cross-referencing). I noticed that the nfnetlink_log messages have
>the uid, but I don't think I want to invoke the filtering & logging
>subsystem just to track connection changes.

You are facing the same issues as xt_socket (currently, and
unfortunately, still named xt_owner) - in that sockets do not
necessarily have an owner, much less exactly one associated PID.
Just be aware of that.