Wednesday, September 27, 2006

tcpdump and ps

Today I was doing some network tracing and figured out how to track the start and end of TCP connections. The following tcpdump command will get all SYN, FIN, and RST packets on port 80 and all ICMP packets:

tcpdump -i bond0 -n "port 80 and tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0 or icmp"

Also recently I was tracking down some minor security issues related to programs that call setuid() to drop privs but never call setgid() and therefore always run with GID==0 which gives them a lot of access to the system. The following ps command gives the real, effective, saved, and filesystem UIDs and GIDs mapped to names. Note that with some versions of ps different fields have different truncation lengths.

ps -eo pid,user,euser,suser,fuser,group,egroup,sgroup,fgroup,comm

The next thing I have to do is to patch PS to show the supplementary groups.


Anonymous said...

> GID==0 which gives them a lot of access
> to the system

Where to, exactly?

etbe said...

find / -gid 0 -perm -020 \! -type l

Run the above command on a Linux system and find out. Exactly what is granted to GID==0 varies a lot between systems. My observation is that most systems which have been in use for a while have some files that GID==0 can write to and get root access.

If you have a system that is running in a default distribution configuration and no-one has done anything to it then it SHOULD be OK for a hostile GID==0 user, but if it's been in service for a while there's very little chance.

Anonymous said...

Silly me, I have forgotten that /dev is a separate partition nowadays.

According to the udev documentation, it "defaults to creating nodes with Unix permissions of 0660". This doesn't seem to be good idea.