Re: Mapping a process to the QoS field

2019-09-21 Stanislav Maslovski
Good day,

On Sun, Sep 15, 2019 at 12:12:10PM +0300, Pavel Volkov wrote:
> I dug up that iptables has an owner table where you can match by UID,
> GID, PID.
> I use nftables, which has matching by UID, GID.
> Maybe change the GID of these processes somehow when launching them?

For a similar effect (restricting network access for some proprietary
software) I have been using, for many years, this simple setgid wrapper
in combination with an owner GID match in the OUTPUT chain:

/* 8< */

#define _GNU_SOURCE
#include <sys/types.h>
#include <unistd.h>

extern char **environ;

int main(int argc, char *argv[])
{
    gid_t rgid, egid, sgid;

    /* needs at least one argument (an executable file to run) */
    if (argc < 2)
        return 1;

    /* get the process GIDs */
    if (getresgid(&rgid, &egid, &sgid) < 0)
        return 2;

    /* set all GIDs to EGID, so that no further change is possible */
    if (setresgid(egid, egid, egid) < 0)
        return 3;

    /* execute argv[1] with the rest of args, in the same environment */
    return execve(argv[1], &argv[1], environ);
}

/* >8 */

Compile it and put it in /sbin or wherever.

# chgrp <нужная_группа> /sbin/grpwrapper
# chmod g+s /sbin/grpwrapper


> But I would like the files they create to still have the original GID.

With a wrapper like the one above this can be achieved
if GID != EGID. For example, by replacing the corresponding line in the code with

   setresgid(egid, rgid, egid)

But, as I understand it, in such a setup the program launched via execve()
will be able to change its GID (the parent's original egid) to its own
EGID (the parent's original rgid), which may turn out to be a security hole,
or, by setting EGID equal to GID, break the desired file behaviour.

And CAPABILITIES won't help here (correct me if I'm wrong)...

-- 
Stanislav
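Added example (mine, not part of Stanislav's message or his wrapper): a small C model of the unprivileged setresgid(2) rule, under which a new id is accepted only if it is already one of the caller's real, effective or saved GID. It shows why the posted wrapper pins all three ids and why the setresgid(egid, rgid, egid) variant leaves the exec'd program free to switch its effective GID between the two groups. The group numbers 1000/2000 and all function names are constructed.

```c
#include <stdbool.h>
#include <sys/types.h>

struct creds { gid_t r, e, s; };   /* real, effective, saved set-GID */

/* Constructed ids: 1000 = user's login group, 2000 = filtered group. */
enum { USER_GRP = 1000, NET_GRP = 2000 };

static bool attainable(const struct creds *c, gid_t g)
{
    return g == c->r || g == c->e || g == c->s;
}

/* Unprivileged setresgid(2): every new value must equal one of the
 * caller's current real, effective or saved GID; -1 leaves a field alone.
 * All three checks use the credentials as they were before the call. */
int model_setresgid(struct creds *c, int r, int e, int s)
{
    if ((r >= 0 && !attainable(c, (gid_t)r)) ||
        (e >= 0 && !attainable(c, (gid_t)e)) ||
        (s >= 0 && !attainable(c, (gid_t)s)))
        return -1;
    if (r >= 0) c->r = (gid_t)r;
    if (e >= 0) c->e = (gid_t)e;
    if (s >= 0) c->s = (gid_t)s;
    return 0;
}

/* Credentials after the wrapper has run. A freshly exec'd setgid binary
 * starts with real = caller's group, effective = saved = file's group;
 * strict applies setresgid(egid, egid, egid) as posted, otherwise the
 * file-friendly variant setresgid(egid, rgid, egid) is applied. */
struct creds run_wrapper(bool strict)
{
    struct creds c = { USER_GRP, NET_GRP, NET_GRP };
    model_setresgid(&c, (int)c.e, strict ? (int)c.e : (int)c.r, (int)c.e);
    return c;
}

/* Can the program exec'd by the wrapper make `target` its effective GID? */
bool child_can_set_egid(struct creds c, gid_t target)
{
    return model_setresgid(&c, -1, (int)target, -1) == 0;
}
```

With the strict wrapper the exec'd program can never leave the filtered group; with the file-friendly variant both groups remain reachable as effective GID, which is the door the message above warns about.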



Validation failed

2019-09-21 Debian Webmaster
*** Errors validating /srv/www.debian.org/www/intro/cn.ru.html: ***
Line 204, character 88:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 205, character 7:  end tag for "FORM" which is not finished
Line 207, character 97:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 208, character 7:  end tag for "FORM" which is not finished
Line 210, character 134:  document type does not allow element "INPUT"
here; missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6",
"PRE", "DIV", "ADDRESS" start-tag
Line 211, character 7:  end tag for "FORM" which is not finished
Line 213, character 63:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 214, character 7:  end tag for "FORM" which is not finished
Line 216, character 56:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 217, character 7:  end tag for "FORM" which is not finished
Line 219, character 51:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 220, character 7:  end tag for "FORM" which is not finished
Line 222, character 54:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 223, character 7:  end tag for "FORM" which is not finished
Line 225, character 112:  document type does not allow element "INPUT"
here; missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6",
"PRE", "DIV", "ADDRESS" start-tag
Line 226, character 7:  end tag for "FORM" which is not finished
Line 228, character 56:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 229, character 7:  end tag for "FORM" which is not finished
Line 231, character 62:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 232, character 7:  end tag for "FORM" which is not finished
Line 234, character 57:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 235, character 7:  end tag for "FORM" which is not finished
Line 237, character 102:  document type does not allow element "INPUT"
here; missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6",
"PRE", "DIV", "ADDRESS" start-tag
Line 238, character 7:  end tag for "FORM" which is not finished
Line 240, character 65:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 241, character 7:  end tag for "FORM" which is not finished
Line 243, character 56:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 244, character 7:  end tag for "FORM" which is not finished
Line 246, character 112:  document type does not allow element "INPUT"
here; missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6",
"PRE", "DIV", "ADDRESS" start-tag
Line 247, character 7:  end tag for "FORM" which is not finished
Line 249, character 57:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 250, character 7:  end tag for "FORM" which is not finished
Line 252, character 61:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 253, character 7:  end tag for "FORM" which is not finished
Line 255, character 58:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 256, character 7:  end tag for "FORM" which is not finished
Line 258, character 92:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 259, character 7:  end tag for "FORM" which is not finished
Line 261, character 86:  document type does not allow element "INPUT" here;
missing one of "P", "H1", "H2", "H3", "H4", "H5", "H6", "PRE",
"DIV", "ADDRESS" start-tag
Line 262, character 7:  end tag for "FORM" which is