> Given an ssh-agent

The simple reason is that the ssh-agent explicitly disables tracing.

```c
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
    /* Disable ptrace on Linux without sgid bit */
    if (prctl(PR_SET_DUMPABLE, 0) != 0 && strict)
        fatal("unable to make process undumpable: %s", strerror(errno));
#endif
```

So you won't be able to dump anything on this process, even if your user owns it. You can do a little experiment by rebuilding the ssh agent without the call to `platform_disable_tracing()` in `main()`. fuser will then be able to list the socket.
> I cannot quite see why you would want to make it

For security reasons, a lot of processes would call `prctl(PR_SET_DUMPABLE, 0)`; it is very impractical to patch out this call just to list their sockets without root privilege.
> (as in: lie)

They are not lying; please see `man prctl.2`.

---
Paul M. Ärloch
You must have a written language to view this page.

------- Original Message -------
On Wednesday, August 16th, 2023 at 3:37 PM, Hauke Fath <hf@spg.tu-darmstadt.de> wrote:
On 8/16/23 17:20, memchr wrote:
>> not able to get any information on active unix domain sockets

> What do you mean by this? Can you provide more context, such as the command you tried to run and the resulting error message?
Sure.
Given an ssh-agent(8) socket, running lsof/sockstat/fuser as a non-privileged user

```
% ls -l /tmp/ssh-XXXXXXXw5UyQ/
total 0
srw------- 1 hf4kh spgmit 0 Aug 16 16:44 agent.629
% lsof -U
% sockstat -u | grep /tmp/ssh-
% fuser /tmp/ssh-XXXXXXXw5UyQ/agent.629
%
```
whereas for root
```
# lsof -U | grep /tmp/ssh-
ssh-agent 630 hf4kh 3u unix 0x00000000f56378b9 0t0 21916 /tmp/ssh-XXXXXXXw5UyQ/agent.629 type=STREAM
#
# sockstat -u | grep /tmp/ssh-
root rserver 363 unix /tmp/ssh-XXXXXXXw5UyQ/agent.629
root rserver 363 unix /tmp/ssh-XXXXXXXw5UyQ/agent.629
root sendmail 401 unix /tmp/ssh-XXXXXXXw5UyQ/agent.629
root lxdm-greeter-gt 575 unix /tmp/ssh-XXXXXXXw5UyQ/agent.629
root ssh-agent 630 unix /tmp/ssh-XXXXXXXw5UyQ/agent.629
# fuser /tmp/ssh-XXXXXXXw5UyQ/agent.629
/tmp/ssh-XXXXXXXw5UyQ/agent.629: 630
#
```
(the sockstat(1) output looks a bit off, though).
I can see that you might want the option to restrict information access that way, but I cannot quite see why you would want to make it the default, and just return nothing (as in: lie) instead of flagging a lack of permissions.
HTH, Hauke
--
The ASCII Ribbon Campaign                      Hauke Fath
 ()     No HTML/RTF in email          Institut für Nachrichtentechnik
 /\     No Word docs in email                 TU Darmstadt
Respect for open standards                Ruf +49-6151-16-21344
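To see the PR_SET_DUMPABLE mechanism from the top of this thread in isolation, here is an added Linux example (written for this page; it is not code from the thread or from OpenSSH). A child process stands in for ssh-agent: it opens a unix socket and sets its dumpable flag, and the parent, running under the same uid without CAP_SYS_PTRACE, then tries to open /proc/<child>/fd, which is the directory lsof and fuser read to list a process's sockets.

```c
/* Added example (not from the thread or OpenSSH): a child makes a unix socket and
 * sets its dumpable flag; the parent (same uid) then opens /proc/<child>/fd. */
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 0 if /proc/<child>/fd could be opened, otherwise the errno.
 * With dumpable == 0 expect EACCES unless the caller has CAP_SYS_PTRACE. */
int probe_child_fd_dir(int dumpable)
{
    int ready[2], result;
    char c, path[64];
    if (pipe(ready) != 0) return errno;
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {                            /* child: stands in for ssh-agent */
        if (socket(AF_UNIX, SOCK_STREAM, 0) < 0) _exit(1);
        if (prctl(PR_SET_DUMPABLE, dumpable) != 0) _exit(1);
        close(ready[0]);
        if (write(ready[1], "x", 1) != 1) _exit(1);  /* tell parent we are ready */
        pause();                               /* wait for the parent to kill us */
        _exit(0);
    }
    close(ready[1]);
    if (read(ready[0], &c, 1) != 1) {          /* child died before signalling */
        result = ECHILD;
    } else {
        snprintf(path, sizeof path, "/proc/%d/fd", (int)pid);
        DIR *d = opendir(path);                /* the access check lsof/fuser hit */
        result = d ? 0 : errno;
        if (d) closedir(d);
    }
    close(ready[0]);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    printf("dumpable=1: %s\n", strerror(probe_child_fd_dir(1)));
    printf("dumpable=0: %s\n", strerror(probe_child_fd_dir(0)));
    return 0;
}
```

Run as an ordinary user the second line reports "Permission denied"; run as root with CAP_SYS_PTRACE both succeed, which is the asymmetry the lsof/fuser output above shows.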