I have a program (https://github.com/raboof/connbeat) that relies on /proc/[pid]/fd/* to find processes given a (networking) inode.

/proc/[pid]/fd can only be read by root, but I'd like to drop privileges as much as possible for security.

Is there some way I could (efficiently) get to the relationship between processes and inodes without requiring full root rights? Perhaps some syscall that I can selectively give access to using capabilities?
Answer
To be able to read fd’s of all the processes you need:
- CAP_DAC_READ_SEARCH – for access to /proc/[pid]/fd
- CAP_SYS_PTRACE – to read symlinks under /proc/[pid]/fd/*
You can restrict your program to just these two capabilities. Then you can access the information in question using ordinary API calls like readdir() or readlink() or whatever else you prefer.

For a broader description of these two capabilities please refer to capabilities(7).
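As an added example (not code from the question, the answer, or connbeat), a Go program doing what the answer describes: it walks /proc/[pid]/fd with readdir and readlink and reports the pids holding a given socket inode. The procRoot parameter and the program name fdinode are assumptions; the binary would be given just the two capabilities with `setcap cap_dac_read_search,cap_sys_ptrace+ep ./fdinode` and run as an unprivileged user.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
)

// FindPidsByInode walks procRoot (normally "/proc"; a parameter here so it can
// be pointed at a constructed tree) and returns the pids holding an fd whose
// link target is "socket:[<inode>]". A pid whose fd directory cannot be read
// (EACCES without the two capabilities, or a process exiting mid-walk) is skipped.
func FindPidsByInode(procRoot string, inode uint64) ([]int, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	want := "socket:[" + strconv.FormatUint(inode, 10) + "]"
	var pids []int
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue // not a [pid] directory (e.g. "self", "sys")
		}
		fdDir := filepath.Join(procRoot, e.Name(), "fd")
		fds, err := os.ReadDir(fdDir) // CAP_DAC_READ_SEARCH: list another user's fd directory
		if err != nil {
			continue
		}
		for _, fd := range fds {
			target, err := os.Readlink(filepath.Join(fdDir, fd.Name())) // CAP_SYS_PTRACE: read the link
			if err == nil && target == want {
				pids = append(pids, pid)
				break
			}
		}
	}
	return pids, nil
}

func main() { // usage: fdinode <socket-inode>; grant only the two capabilities with setcap, do not run as root
	inode, err := strconv.ParseUint(os.Args[len(os.Args)-1], 10, 64)
	if err != nil {
		fmt.Fprintln(os.Stderr, "usage: fdinode <socket-inode>")
		os.Exit(2)
	}
	fmt.Println(FindPidsByInode("/proc", inode))
}
```

Without the capabilities the same walk still runs but silently covers only the caller's own processes, so a deployment check should confirm that pids owned by other users show up.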