[RndTbl] iptables match for creator's id

Gilbert E. Detillieux gedetil at cs.umanitoba.ca
Thu Feb 12 10:14:32 CST 2009


On 2009-02-11 19:46, Dan Martin wrote:
> p 103 of "Linux Firewalls" 2nd Ed by Robert Ziegler
> discusses the 'owner match extension' that matches the packet's creator.
> 
> A match can occur on uid, gid, pid, or sid.  The extension can be used 
> on the OUTPUT chain only.

And right in the iptables(1) man page...

   owner
       This  module  attempts  to  match various characteristics of the packet
       creator, for locally-generated packets.  It is only valid in the OUTPUT
       chain,  and  even  this  some packets (such as ICMP ping responses) may
       have no owner, and hence never match.

       --uid-owner userid
              Matches if the packet was created by a process  with  the  given
              effective user id.

       --gid-owner groupid
              Matches  if  the  packet was created by a process with the given
              effective group id.

       --pid-owner processid
              Matches if the packet was created by a process  with  the  given
              process id.

       --sid-owner sessionid
              Matches if the packet was created by a process in the given ses-
              sion group.

       --cmd-owner name
              Matches if the packet was created by a process  with  the  given
              command name.  (this option is present only if iptables was com-
              piled under a kernel supporting this feature)

       NOTE: pid, sid and command matching are broken on SMP

So, apparently, you can even match based on the command name.  Note, however, the very last line about SMP...  With multi-core CPUs becoming the norm, that means it's pretty much broken for any new hardware.

Of course, there is always a simple work-around: run the daemons you want to track this way each with their own uid and/or gid.  (Red Hat systems mostly do this already these days, at least for most network services, to avoid collateral damage if a particular daemon is vulnerable.)

-- 
Gilbert E. Detillieux		E-mail:	<gedetil at cs.umanitoba.ca>
Dept. of Computer Science	Web:	http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba		Phone:	(204)474-8161
Winnipeg MB CANADA  R3T 2N2	Fax:	(204)474-7609
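A worked example of the uid/gid work-around described above, added here and not part of the original message: a POSIX shell function that emits OUTPUT-chain rules pinning one daemon's uid (or gid) to the ports it legitimately needs and logging anything else it tries to send. It refuses the pid/sid/cmd matches the man page flags as broken on SMP. The uid 48 and the port list in the usage call are placeholder values; the function prints the commands rather than running them so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# owner_rules KIND ID PORT[,PORT...]
#   KIND  : "uid" or "gid" (pid/sid/cmd are rejected: unreliable on SMP)
#   ID    : numeric uid or gid the daemon runs as (placeholder in the example)
#   PORTS : comma-separated TCP destination ports the daemon may reach
# Prints iptables commands to stdout; nothing is executed here.
owner_rules() {
    kind=$1; id=$2; ports=$3
    case "$kind" in
        uid|gid) ;;
        *) echo "owner_rules: use uid or gid (pid/sid/cmd matching is broken on SMP per iptables(8))" >&2
           return 1 ;;
    esac
    chain="OWNER_${kind}_${id}"
    echo "iptables -N ${chain}"
    # The owner match is only valid in OUTPUT, so that is the only hook point.
    echo "iptables -A OUTPUT -m owner --${kind}-owner ${id} -j ${chain}"
    # Replies to connections already accepted elsewhere keep flowing.
    echo "iptables -A ${chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        echo "iptables -A ${chain} -p tcp --dport ${p} -j ACCEPT"
    done
    # Anything else from this identity is logged, then dropped, which makes a
    # compromised daemon's unexpected outbound connections visible in syslog.
    echo "iptables -A ${chain} -j LOG --log-prefix \"${chain}-drop: \""
    echo "iptables -A ${chain} -j DROP"
}

# Usage: emit rules for a daemon running as uid 48 that only needs 80/443 out.
owner_rules uid 48 80,443
```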

