Gentoo Forums
ifconfig RX/TX stats
grant123
l33t

Joined: 23 Mar 2005
Posts: 980

Posted: Wed Jan 18, 2017 12:53 pm    Post subject: ifconfig RX/TX stats

The RX and TX stats aren't appearing in ifconfig for one of my systems, they all show zero. That system has a specific application and I strip as much out of its filesystem as I can so I probably stripped something that is required for those stats. Any hints on where to look?

lovelytux
Tux's lil' helper

Joined: 23 Aug 2013
Posts: 93
Location: Westwoods of Germany

Posted: Wed Jan 18, 2017 2:03 pm

Hey grant123,
does rx_packets exist in
Code:
cat /sys/class/net/eth0????/statistics/rx_packets


lovelytux

grant123
l33t

Joined: 23 Mar 2005
Posts: 980

Posted: Wed Jan 18, 2017 2:47 pm

I do have that file but you led me to a big clue:

ifconfig does yield stats for root and for my own regular user but it does not yield stats for any other user even though all users can 'cat /sys/class/net/net0/statistics/rx_packets' and see numbers that way.

khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Wed Jan 18, 2017 3:17 pm

grant123 wrote:
I do have that file but you led me to a big clue: ifconfig does yield stats for root and for my own regular user but it does not yield stats for any other user even though all users can 'cat /sys/class/net/net0/statistics/rx_packets' and see numbers that way.

grant123 ... and busybox?

Code:
# busybox ifconfig -a

best ... khay

grant123
l33t

Joined: 23 Mar 2005
Posts: 980

Posted: Wed Jan 18, 2017 3:19 pm

I get zeros from busybox too.

khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Thu Jan 19, 2017 2:22 am

grant123 wrote:
I get zeros from busybox too.

grant123 ... again, just with this one user? If so then this would suggest 'groups' (but I'm not aware there is such a group). You don't happen to have hardened kernel/userland?

best ... khay

Hu
Moderator

Joined: 06 Mar 2007
Posts: 13498

Posted: Thu Jan 19, 2017 2:40 am

Are there any interesting differences in the output of strace ifconfig as compared between the good non-root user and bad non-root user? Per khayyam's question, what is the output of id for each user?

grant123
l33t

Joined: 23 Mar 2005
Posts: 980

Posted: Thu Jan 19, 2017 2:46 am

I do use a hardened kernel. I will test without it tomorrow but how could only one of two regular users exhibit the problem? The groups don't look like they could explain it.

grant123
l33t

Joined: 23 Mar 2005
Posts: 980

Posted: Thu Jan 19, 2017 2:16 pm

It turns out if I'm using a hardened kernel then the user must be in the wheel group to get ifconfig stats. Under a gentoo-sources kernel the user does not need to be in the wheel group to get ifconfig stats.

Can I grant non-wheel users access to stats in ifconfig under a hardened kernel?

khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Thu Jan 19, 2017 2:56 pm

grant123 wrote:
It turns out if I'm using a hardened kernel then the user must be in the wheel group to get ifconfig stats. Under a gentoo-sources kernel the user does not need to be in the wheel group to get ifconfig stats.

grant123 ... as I remember hardened provides some additional sysctl mechanisms for access to dmesg, proc, and it seems it may apply other ACLs (well, it may not be the hardened patchset, there is CONFIG_SECURITY_DMESG_RESTRICT already in kernel, but hardened-sources may enable them). So, it seems the place to look is in your .config (under "Security options").

grant123 wrote:
Can I grant non-wheel users access to stats in ifconfig under a hardened kernel?

Perhaps you should be asking why they need such data, they are users after all, and so are not doing the sort of thing that requires them to know TX/RX. The short answer is I don't know, I imagine the security features are not fine grained, by the sound of it they are wired to 'wheel'.

best ... khay

grant123
l33t

Joined: 23 Mar 2005
Posts: 980

Posted: Thu Jan 19, 2017 6:40 pm

It must be this:

[*] Proc restrictions
[ ] Restrict /proc to user only
[*] Allow special group
(10) GID for special group

GID 10 is, of course, wheel.

From where in /proc are these network stats pulled? Maybe I can change the permissions manually.

cboldt
l33t

Joined: 24 Aug 2005
Posts: 829

Posted: Thu Jan 19, 2017 7:26 pm

/proc/net/dev

grant123
l33t

Joined: 23 Mar 2005
Posts: 980

Posted: Thu Jan 19, 2017 7:38 pm

cboldt wrote:
/proc/net/dev

That one is root:wheel but it's readable by everyone so there must be something more involved. Using chmod to change the group to users does not seem to have any effect, it remains group wheel.

EDIT: I'm able to cat that file as any user but the stats are all zeros.

cboldt
l33t

Joined: 24 Aug 2005
Posts: 829

Posted: Thu Jan 19, 2017 7:52 pm

Running gentoo-sources here, not hardened, and that file contains stats for any user.

There is also /proc/net/netstat with the same permissions (world readable)

Hu
Moderator

Joined: 06 Mar 2007
Posts: 13498

Posted: Fri Jan 20, 2017 2:56 am

I suspect that the hardened developer responsible for this change found that making the file inaccessible to normal users caused problems, so he settled for making the file lie to unprivileged users instead. Returning all zeroes is a common choice when refusing to return data is not an acceptable path. Yes, you could patch the kernel to remove this restriction, but why do you need ordinary users to see this data? Do you even want the proc restrictions enabled at all?

grant123
l33t

Joined: 23 Mar 2005
Posts: 980

Posted: Sat Jan 21, 2017 10:34 pm

I do want high security in general. If there were a way to restrict access to /proc while allowing anyone to read this generic traffic data (without patching the kernel) then I would probably do that. But it doesn't look like we have that degree of control.

I want a regular user to be able to read this data simply so that their xfce4 panel network traffic monitor works. It's not critical by any means but it doesn't hurt to have more eyes on the network.
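
Added example, not written by any poster in this thread: a diagnostic for the symptom described above, where /proc/net/dev reads as all zeros for a user while /sys/class/net/<iface>/statistics still shows traffic. It is run as the affected user and separates an idle interface from procfs counters being zeroed. The function names are made up for this example, and it assumes the standard 16-column /proc/net/dev layout.

```python
"""Compare counters in /proc/net/dev with /sys/class/net/<iface>/statistics."""
import os

# Positions of the counters after "iface:" in /proc/net/dev (standard layout).
PROC_COLUMNS = {"rx_bytes": 0, "rx_packets": 1, "tx_bytes": 8, "tx_packets": 9}

def parse_proc_net_dev(text):
    """Return {iface: {counter: int}} from the contents of /proc/net/dev."""
    stats = {}
    for line in text.splitlines()[2:]:        # the first two lines are headers
        name, sep, rest = line.partition(":")
        fields = rest.split()
        if not sep or len(fields) < 16:
            continue                          # skip anything malformed
        stats[name.strip()] = {k: int(fields[i]) for k, i in PROC_COLUMNS.items()}
    return stats

def read_sysfs_stats(sys_net="/sys/class/net"):
    """Return {iface: {counter: int}} read from <sys_net>/<iface>/statistics/."""
    stats = {}
    for iface in sorted(os.listdir(sys_net)):
        counters = {}
        for key in PROC_COLUMNS:
            path = os.path.join(sys_net, iface, "statistics", key)
            try:
                with open(path) as fh:
                    counters[key] = int(fh.read().strip())
            except (OSError, ValueError):
                break                         # not a device entry, or unreadable
        else:
            stats[iface] = counters           # all four counters were readable
    return stats

def masked_interfaces(proc_stats, sysfs_stats):
    """Interfaces that are all-zero in procfs while sysfs reports traffic."""
    return [
        iface for iface, sysv in sysfs_stats.items()
        if iface in proc_stats
        and not any(proc_stats[iface].values())
        and any(sysv.values())
    ]

if __name__ == "__main__":
    with open("/proc/net/dev") as fh:
        proc = parse_proc_net_dev(fh.read())
    hidden = masked_interfaces(proc, read_sysfs_stats())
    print("procfs counters zeroed for:", ", ".join(hidden) or "none")
```

Running it once as a wheel member and once as a non-wheel user on the same machine shows whether the difference is in what procfs returns to each user rather than in the traffic itself.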
All times are GMT