How to grant access permission on network interface?
You need to be root to do the kind of snooping that tcpflow and tcpdump do. So you either need sudo or a setuid root wrapper.
Well, technically all you need the CAP_NET_RAW capability. If you install the libcap2-bin package¹, you can use the setcap command to create a “setcap-CAP_NET_RAW” wrapper around tcpflow, rather than a setuid wrapper. But that only helps make a security hole in the wrapper be a little less damaging (a user who obtains CAP_NET_RAW access can probably gain root with little effort).
You can use sudo or a setuid root wrapper to let user1 run a command like tcpflow -i eth0 tcp and \( src host 1.2.3.4 and src port 3000 or dst host 1.2.3.4 and src port 3000 \). Note that you can't just let user1 run an arbitrary tcpflow command: that would allow user1 to run things like tcpflow -r … -r /path/to/foo and read (at least partially) /path/to/foo with root permissions.
I don't think you'll be decently able to allow the user to specify an expression to match packets. Rather than give extra permissions to run tcpflow, I suggest giving extra permissions to run a fixed tcpdump command (writing to stdout, let the user redirect into a file if necessary). Then the user can run tcpflow -r to analyze tcpdump output (even in real time, through a pipe).
Now for lo, allow user1 to run this exact command:
tcpdump -i lo tcp
For other interfaces, I think the following command selects tcp ports 3000–3999 (but make extensive tests to be sure):
tcpdump -i eth0 tcp and \( \
\( src host 1.2.3.4 and 'tcp[0:2] >= 3000' and 'tcp[0:2] <= 3999' \) or
\( dst host 1.2.3.4 and 'tcp[2:2] >= 3000' and 'tcp[2:2] <= 3999' \) \)
Replace 1.2.3.4 by the IP address associated with the interface. I don't have a good solution to offer if the IP address isn't fixed: if you read it from ifconfig output or otherwise at the beginning of the wrapper script, it's open to a race condition.
My recommendation for a wrapper is not to use a shell script (I don't know if any of the shells in Debian is suitable for writing setuid scripts — shells tend to use a lot of environment variables), but rather Perl (where this kind of thing is explicitly supported), like this:
#!/usr/bin/perl -T
exec '/usr/sbin/tmpdump', '-i', 'lo', 'tcp'
Make the script an ordinary executable (mode 755), and allow user1 to run it through sudo.
¹
For other Linux distributions: you need kernel 2.6.24 or above and the setcap command.
zhouxiang
Updated on September 17, 2022Comments
-
zhouxiang over 1 year
i'm using centos 6 and jboss 7.1.1 final. i using this command to start jboss:./domain.sh,when it start,it output a lot of logs,and the worst thing is just when i disconnect the ssh,the server is down.i've already tried another command ./domain.sh & ,nothing changes. in the domain.sh,it says,
if [ "x$LAUNCH_JBOSS_IN_BACKGROUND" = "x" ]; then # Execute the JVM in the foreground eval \"$JAVA\" -D\"[Process Controller]\" $PROCESS_CONTROLLER_JAVA_OPTS \ \"-Dorg.jboss.boot.log.file=$JBOSS_LOG_DIR/process-controller.log\" \ \"-Dlogging.configuration=file:$JBOSS_CONFIG_DIR/logging.properties\" \ -jar \"$JBOSS_HOME/jboss-modules.jar\" \ -mp \"${JBOSS_MODULEPATH}\" \ org.jboss.as.process-controller \ -jboss-home \"$JBOSS_HOME\" \ -jvm \"$JAVA_FROM_JVM\" \ -mp \"${JBOSS_MODULEPATH}\" \ -- \ \"-Dorg.jboss.boot.log.file=$JBOSS_LOG_DIR/host-controller.log\" \ \"-Dlogging.configuration=file:$JBOSS_CONFIG_DIR/logging.properties\" \ $HOST_CONTROLLER_JAVA_OPTS \ -- \ -default-jvm \"$JAVA_FROM_JVM\" \ "$@" JBOSS_STATUS=$? else # Execute the JVM in the background eval \"$JAVA\" -D\"[Process Controller]\" $PROCESS_CONTROLLER_JAVA_OPTS \ \"-Dorg.jboss.boot.log.file=$JBOSS_LOG_DIR/process-controller.log\" \ \"-Dlogging.configuration=file:$JBOSS_CONFIG_DIR/logging.properties\" \ -jar \"$JBOSS_HOME/jboss-modules.jar\" \ -mp \"${JBOSS_MODULEPATH}\" \ org.jboss.as.process-controller \ -jboss-home \"$JBOSS_HOME\" \ -jvm \"$JAVA_FROM_JVM\" \ -mp \"${JBOSS_MODULEPATH}\" \ -- \ \"-Dorg.jboss.boot.log.file=$JBOSS_LOG_DIR/host-controller.log\" \ \"-Dlogging.configuration=file:$JBOSS_CONFIG_DIR/logging.properties\" \ $HOST_CONTROLLER_JAVA_OPTS \ -- \ -default-jvm \"$JAVA_FROM_JVM\" \ "$@" "&" JBOSS_PID=$! # Trap common signals and relay them to the jboss process trap "kill -HUP $JBOSS_PID" HUP trap "kill -TERM $JBOSS_PID" INT trap "kill -QUIT $JBOSS_PID" QUIT trap "kill -PIPE $JBOSS_PID" PIPE trap "kill -TERM $JBOSS_PID" TERM if [ "x$JBOSS_PIDFILE" != "x" ]; then echo $JBOSS_PID > $JBOSS_PIDFILE fi # Wait until the background process exits WAIT_STATUS=128 while [ "$WAIT_STATUS" -ge 128 ]; do wait $JBOSS_PID 2>/dev/null WAIT_STATUS=$? if [ "$WAIT_STATUS" -gt 128 ]; then SIGNAL=`expr $WAIT_STATUS - 128` SIGNAL_NAME=`kill -l $SIGNAL` echo "*** JBossAS process ($JBOSS_PID) received $SIGNAL_NAME signal ***" >&2 fi done if [ "$WAIT_STATUS" -lt 127 ]; then JBOSS_STATUS=$WAIT_STATUS else JBOSS_STATUS=0 fi if [ "$JBOSS_STATUS" -ne 10 ]; then # Wait for a complete shudown wait $JBOSS_PID 2>/dev/null fi if [ "x$JBOSS_PIDFILE" != "x" ]; then grep "$JBOSS_PID" $JBOSS_PIDFILE && rm $JBOSS_PIDFILE fi fi if [ "$JBOSS_STATUS" -eq 10 ]; then echo "Restarting JBoss..." else exit $JBOSS_STATUS fii tried to remove the if clause,but there is no miracle
or how to install the jboss 7 as service.thanks a lot.
-
Guntram Blohm over 10 yearsBetter ask this on serverfault.com or possibly superuser.com, since it's more of an administration problem than a programming problem.
-
-
Xiè Jìléi over 13 yearsVery detailed explanation!
