[RndTbl] iptables match for creator's id
Gilbert E. Detillieux
gedetil at cs.umanitoba.ca
Thu Feb 12 10:14:32 CST 2009
On 2009-02-11 19:46, Dan Martin wrote:
> p 103 of "Linux Firewalls" 2nd Ed by Robert Ziegler
> discusses the 'owner match extension' that matches the packet's creator.
>
> A match can occur on uid, gid, pid, or sid. The extension can be used
> on the OUTPUT chain only.
And right in the iptables(1) man page...
owner
This module attempts to match various characteristics of the packet
creator, for locally-generated packets. It is only valid in the OUTPUT
chain, and even this some packets (such as ICMP ping responses) may
have no owner, and hence never match.
--uid-owner userid
Matches if the packet was created by a process with the given
effective user id.
--gid-owner groupid
Matches if the packet was created by a process with the given
effective group id.
--pid-owner processid
Matches if the packet was created by a process with the given
process id.
--sid-owner sessionid
Matches if the packet was created by a process in the given ses-
sion group.
--cmd-owner name
Matches if the packet was created by a process with the given
command name. (this option is present only if iptables was com-
piled under a kernel supporting this feature)
NOTE: pid, sid and command matching are broken on SMP
So, apparently, you can even match based on the command name. Note, however, the very last line about SMP... With multi-core CPU's becoming the norm, that means it's pretty much broken for any new hardware.
Of course, there is always a simple work-around: run the daemons you want to track this way each with their own uid and/or gid. (Red Hat systems mostly do this already these days, at least for most network services, to avoid collateral damage if a particular daemon is vulnerable.)
--
Gilbert E. Detillieux E-mail: <gedetil at cs.umanitoba.ca>
Dept. of Computer Science Web: http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba Phone: (204)474-8161
Winnipeg MB CANADA R3T 2N2 Fax: (204)474-7609
More information about the Roundtable
mailing list