Access to unix socket files
Hi,

while scripting around ssh-agent(8), I noticed that on Arch a non-privileged user is not able to get any information on active unix domain sockets - not even her own.

I tried fuser(1), lsof(8) and sockstat(1). While the lsof(8) man page hints at requiring 'setuid root' on some OSes, that doesn't make a difference, nor does it for the other two tools.

You appear to only get information on domain sockets as root.

Is this behaviour intended? It is certainly not documented. A Debian 11 machine I tried behaves differently, as do NetBSD, FreeBSD and OmniOS.

What is the rationale for this default? And how can I change it?

Cheerio,
Hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email          Institut für Nachrichtentechnik
/\     No Word docs in email                    TU Darmstadt
       Respect for open standards          Ruf +49-6151-16-21344
Hi,
> not able to get any information on active unix domain sockets

What do you mean by this? Can you provide more context, such as the command you tried to run and the resulting error message?
---
Paul M. Ärloch
Lingvam scriptvm habere debes vt hanc paginam inspicias.
On 8/16/23 17:20, memchr wrote:
> not able to get any information on active unix domain sockets
>
> What do you mean by this? Can you provide more context, such as the command you tried to run and the resulting error message?

Sure.

Given a ssh-agent(8) socket, running lsof/sockstat/fuser as non-privileged user

```
% ls -l /tmp/ssh-XXXXXXXw5UyQ/
total 0
srw------- 1 hf4kh spgmit 0 Aug 16 16:44 agent.629
% lsof -U
% sockstat -u | grep /tmp/ssh-
% fuser /tmp/ssh-XXXXXXXw5UyQ/agent.629
%
```

whereas for root

```
# lsof -U | grep /tmp/ssh-
ssh-agent 630 hf4kh 3u unix 0x00000000f56378b9 0t0 21916 /tmp/ssh-XXXXXXXw5UyQ/agent.629 type=STREAM
#
# sockstat -u | grep /tmp/ssh-
root rserver 363 unix /tmp/ssh-XXXXXXXw5UyQ/agent.629
root rserver 363 unix /tmp/ssh-XXXXXXXw5UyQ/agent.629
root sendmail 401 unix /tmp/ssh-XXXXXXXw5UyQ/agent.629
root lxdm-greeter-gt 575 unix /tmp/ssh-XXXXXXXw5UyQ/agent.629
root ssh-agent 630 unix /tmp/ssh-XXXXXXXw5UyQ/agent.629
# fuser /tmp/ssh-XXXXXXXw5UyQ/agent.629
/tmp/ssh-XXXXXXXw5UyQ/agent.629: 630
#
```

(the sockstat(1) output looks a bit off, though).

I can see that you might want the _option_ to restrict information access that way, but I cannot quite see why you would want to make it the default, and just return nothing (as in: lie) instead of flagging a lack of permissions.

HTH,
Hauke

--
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email          Institut für Nachrichtentechnik
/\     No Word docs in email                    TU Darmstadt
       Respect for open standards          Ruf +49-6151-16-21344
> Given a ssh-agent

The simple reason is that the ssh-agent explicitly disables tracing.

```c
#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
	/* Disable ptrace on Linux without sgid bit */
	if (prctl(PR_SET_DUMPABLE, 0) != 0 && strict)
		fatal("unable to make process undumpable: %s", strerror(errno));
#endif
```

So you won't be able to dump anything on this process, even if your user owns it.

You can do a little experiment by rebuilding the ssh agent without the call to `platform_disable_tracing()` in `main()`. fuser will then be able to list the socket.

> I cannot quite see why you would want to make it

For security reasons, a lot of processes would call `prctl(PR_SET_DUMPABLE, 0)`; it is very impractical to patch out this call just to list their sockets without root privilege.

> (as in: lie)

They are not lying, please see `man prctl.2`.
---
Paul M. Ärloch
Lingvam scriptvm habere debes vt hanc paginam inspicias.
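For readers who want to see what that prctl() call changes without rebuilding ssh-agent, the following is an added example (my own code, not from the thread or from OpenSSH). It snapshots the calling process's dumpable flag and the owner the kernel reports for /proc/self, makes the same prctl() call, and snapshots again. The struct and function names are the example's own; it assumes a Linux kernel with /proc mounted.

```c
/*
 * Added example, not code from the thread or from OpenSSH.
 * Assumes Linux with /proc mounted.
 *
 * fuser(1) and lsof(8) attribute a socket to a process by reading
 * /proc/<pid>/fd. Reading that directory is gated by the kernel's ptrace
 * access check; once a process clears its dumpable flag, /proc/<pid> is
 * reported as owned by root and the process owner is refused (EACCES),
 * so the tools print nothing for it.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/stat.h>

struct dumpable_state {
    int  dumpable;    /* PR_GET_DUMPABLE: 1 = readable by owner, 0 = root only */
    long proc_owner;  /* st_uid of /proc/self, or -1 if stat() failed */
};

/* Snapshot of this process's dumpable flag and /proc/self ownership. */
struct dumpable_state snapshot_state(void)
{
    struct dumpable_state s;
    struct stat st;

    s.dumpable = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
    s.proc_owner = (stat("/proc/self", &st) == 0) ? (long)st.st_uid : -1;
    return s;
}

/* The call ssh-agent makes in platform_disable_tracing(); returns 0 on
 * success, otherwise the errno value (ssh-agent would call fatal() here). */
int disable_tracing(void)
{
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return errno;
    return 0;
}

struct dumpable_demo {
    struct dumpable_state before;
    int rc;                      /* result of disable_tracing() */
    struct dumpable_state after;
};

/* Before/after comparison, run in the calling process. The flag is
 * per-process: after this, another unprivileged process, including one
 * running as the same uid, gets EACCES when listing our /proc/<pid>/fd. */
struct dumpable_demo run_dumpable_demo(void)
{
    struct dumpable_demo d;

    d.before = snapshot_state();
    d.rc = disable_tracing();
    d.after = snapshot_state();
    return d;
}

int main(void)
{
    struct dumpable_demo d = run_dumpable_demo();

    printf("before: dumpable=%d  /proc/self owner uid=%ld (my uid=%u)\n",
           d.before.dumpable, d.before.proc_owner, (unsigned)getuid());
    if (d.rc != 0) {
        printf("prctl(PR_SET_DUMPABLE, 0) failed: %s\n", strerror(d.rc));
        return 1;
    }
    printf("after:  dumpable=%d  /proc/self owner uid=%ld\n",
           d.after.dumpable, d.after.proc_owner);
    return 0;
}
```

Run it as an ordinary user: before the call /proc/self is owned by your uid, afterwards by root. The same ownership change can be checked on a live agent with `ls -ld /proc/$(pidof ssh-agent)`, which is a quicker way to confirm that a process is non-dumpable than rebuilding it without the call.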
Additionally, disabling the call to `prctl(PR_SET_DUMPABLE, 0)` for processes that store sensitive data, such as ssh-agent, is a very bad idea, as other processes will then be able to ptrace these processes and steal the data.

---
Paul M. Ärloch
Lingvam scriptvm habere debes vt hanc paginam inspicias.
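To tie Hauke's point about the tools returning nothing to memchr's explanation, here is an added example (my own C, not code from the thread, psmisc or lsof) of the lookup that fuser and lsof perform for a unix socket on Linux, written so that a permission refusal is counted and reported rather than yielding an empty result. The function and struct names are the example's own; the /proc/net/unix line used for checking it is constructed from the inode and path in Hauke's lsof output; it assumes a Linux /proc.

```c
/*
 * Added example, not code from the thread, psmisc or lsof. Assumes Linux /proc.
 *  1. /proc/net/unix (world-readable) maps a socket path to a socket inode.
 *  2. /proc/<pid>/fd/<n> is a symlink "socket:[<inode>]"; listing that
 *     directory needs ptrace-read access to <pid>, which a process that has
 *     cleared its dumpable flag grants only to root. This is the step that
 *     fails for the ssh-agent socket, and the one worth reporting.
 */
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>

/* Step 1: inode named on one /proc/net/unix line if its path equals `path`,
 * else 0 (a different socket, or an unnamed one with no path column). */
unsigned long unix_inode_for_path(const char *line, const char *path)
{
    unsigned long inode = 0;
    char linepath[4096];
    /* Columns: Num RefCount Protocol Flags Type St Inode Path */
    int n = sscanf(line, "%*s %*x %*x %*x %*x %*x %lu %4095s", &inode, linepath);
    return (n == 2 && strcmp(linepath, path) == 0) ? inode : 0;
}

struct owner_scan {
    pid_t pid;   /* owning pid, or 0 if no readable process holds the socket */
    int denied;  /* processes whose fd table we were refused (EACCES) */
};

/* Step 2: walk <proc_root>/<pid>/fd looking for socket:[inode]. */
struct owner_scan find_socket_owner(unsigned long inode, const char *proc_root)
{
    struct owner_scan r = {0, 0};
    char want[64], fddir[512], lnk[1024], target[128];
    struct dirent *pe, *fe;
    DIR *proc, *fds;

    snprintf(want, sizeof want, "socket:[%lu]", inode);
    if ((proc = opendir(proc_root)) == NULL)
        return r;
    while (r.pid == 0 && (pe = readdir(proc)) != NULL) {
        char *end;
        long pid = strtol(pe->d_name, &end, 10);
        if (*end != '\0' || pid <= 0)
            continue;                        /* "self", "net", ...: skip */
        snprintf(fddir, sizeof fddir, "%s/%ld/fd", proc_root, pid);
        if ((fds = opendir(fddir)) == NULL) {
            if (errno == EACCES)
                r.denied++;                  /* ptrace-read check refused us */
            continue;                        /* ENOENT: process already gone */
        }
        while ((fe = readdir(fds)) != NULL) {
            ssize_t len;
            if (fe->d_name[0] == '.')
                continue;
            snprintf(lnk, sizeof lnk, "%s/%s", fddir, fe->d_name);
            if ((len = readlink(lnk, target, sizeof target - 1)) < 0)
                continue;
            target[len] = '\0';
            if (strcmp(target, want) == 0) {
                r.pid = (pid_t)pid;
                break;
            }
        }
        closedir(fds);
    }
    closedir(proc);
    return r;
}

/* Self-check without an ssh-agent: a socket created here carries the same
 * inode in /proc, so the scan must attribute it to this process. */
int check_self_socket(struct owner_scan *out)
{
    struct stat st;
    int ok, fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0 || fstat(fd, &st) != 0)
        return 0;
    *out = find_socket_owner((unsigned long)st.st_ino, "/proc");
    ok = (out->pid == getpid());
    close(fd);
    return ok;
}

/* Usage: ./socket-owner /tmp/ssh-XXXXXXXw5UyQ/agent.629 (path from the thread) */
int main(int argc, char **argv)
{
    char line[4352];
    unsigned long inode = 0;
    struct owner_scan r;
    FILE *f;

    if (argc < 2)
        return check_self_socket(&r) ? 0 : 1;
    if ((f = fopen("/proc/net/unix", "r")) == NULL)
        return 1;
    while (inode == 0 && fgets(line, sizeof line, f) != NULL)
        inode = unix_inode_for_path(line, argv[1]);
    fclose(f);
    if (inode == 0) {
        printf("%s: not in the socket table\n", argv[1]);
        return 1;
    }
    r = find_socket_owner(inode, "/proc");
    if (r.pid)
        printf("%s: %d\n", argv[1], (int)r.pid);
    else
        printf("%s: no owner visible, %d process(es) refused inspection (EACCES)\n",
               argv[1], r.denied);
    return 0;
}
```

Run as the socket's owner against a non-dumpable ssh-agent, the first step succeeds (the path and inode are in the world-readable socket table) and the second reports how many processes refused inspection instead of printing nothing; run as root, it prints the pid like fuser does.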