
Read /proc/[pid]/fd/ without full root access

I have a program (https://github.com/raboof/connbeat) that relies on /proc/[pid]/fd/* to find processes given a (networking) inode.

/proc/[pid]/fd can only be read by root, but I’d like to drop privileges as much as possible for security.

Is there some way I could (efficiently) get to the relationship between processes and inodes without requiring full root rights? Perhaps some syscall that I can selectively give access to using capabilities?


Answer

To be able to read fd’s of all the processes you need:

  • CAP_DAC_READ_SEARCH – for access to /proc/[pid]/fd
  • CAP_SYS_PTRACE – to read symlinks under /proc/[pid]/fd/*

You can restrict your program to just these two capabilities. Then you can access the information in question using ordinary API calls like readdir() or readlink() or whatever else you prefer.

For a broader description of these two capabilities please refer to capabilities(7).
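As an added example (not part of the question, the answer, or the connbeat project), the following Go program does the walk the answer describes: it reads every `/proc/[pid]/fd` directory with `readdir`, resolves each entry with `readlink`, and keeps only targets of the form `socket:[inode]`, building an inode-to-pids map. Permission errors are recorded per pid rather than aborting, so when the binary runs without the two capabilities you can see exactly which processes were not inspectable. The `procRoot` parameter, the `socketInode` and `scanProcFDs` names, and the `scanResult` type are assumptions made for this example; `/proc` is the only root used in practice.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// socketInode parses the target of a /proc/[pid]/fd/N symlink and returns
// the inode number when the target has the form "socket:[12345]".
// ok is false for any other target (regular files, pipes, anon_inode, ...).
func socketInode(target string) (inode uint64, ok bool) {
	const prefix = "socket:["
	if !strings.HasPrefix(target, prefix) || !strings.HasSuffix(target, "]") {
		return 0, false
	}
	n, err := strconv.ParseUint(target[len(prefix):len(target)-1], 10, 64)
	if err != nil {
		return 0, false
	}
	return n, true
}

// scanResult (example-specific type) records which pids hold which socket
// inodes, and which pids could not be inspected because readdir/readlink
// was refused (EACCES/EPERM, i.e. a missing capability).
type scanResult struct {
	PidsByInode map[uint64][]int
	Denied      []int
}

// scanProcFDs walks <procRoot>/[pid]/fd/* and readlinks every entry.
// procRoot is "/proc" in real use; it is a parameter only so the walk can be
// exercised against a constructed directory tree.
func scanProcFDs(procRoot string) (*scanResult, error) {
	res := &scanResult{PidsByInode: map[uint64][]int{}}
	entries, err := os.ReadDir(procRoot) // readdir on /proc itself needs no privilege
	if err != nil {
		return nil, err
	}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue // "self", "net", "sys", ...: not a [pid] directory
		}
		fdDir := filepath.Join(procRoot, e.Name(), "fd")
		fds, err := os.ReadDir(fdDir)
		if err != nil {
			if errors.Is(err, fs.ErrPermission) {
				res.Denied = append(res.Denied, pid) // listing needs CAP_DAC_READ_SEARCH
			}
			continue // otherwise the process most likely exited mid-scan
		}
		for _, fd := range fds {
			target, err := os.Readlink(filepath.Join(fdDir, fd.Name()))
			if err != nil {
				if errors.Is(err, fs.ErrPermission) {
					res.Denied = append(res.Denied, pid) // readlink needs CAP_SYS_PTRACE
					break
				}
				continue // fd closed between readdir and readlink
			}
			if ino, ok := socketInode(target); ok {
				res.PidsByInode[ino] = append(res.PidsByInode[ino], pid)
			}
		}
	}
	return res, nil
}

func main() {
	res, err := scanProcFDs("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	for ino, pids := range res.PidsByInode {
		fmt.Printf("socket inode %d held by pids %v\n", ino, pids)
	}
	if len(res.Denied) > 0 {
		fmt.Printf("%d processes not inspectable (missing CAP_DAC_READ_SEARCH/CAP_SYS_PTRACE): %v\n",
			len(res.Denied), res.Denied)
	}
}
```

To run it unprivileged with only the two capabilities the answer names, build the binary and grant them as file capabilities (`setcap cap_dac_read_search,cap_sys_ptrace+ep ./scan`), then start it as an ordinary user; the `Denied` list should be empty, and without the capabilities it lists every pid that is not your own.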

User contributions licensed under: CC BY-SA