
I am on Debian 12 and I am trying to write a script to identify processes with certain inodes (from /proc/net/raw and /proc/net/packet).

My original grep command is this (to get only the pid itself):

# all packet-socket inodes as one regex alternation (e.g. 946|24946); NR > 1 skips the header line
inode=$(awk 'NR > 1 { print $9 }' /proc/net/packet | paste -sd '|' -)
sudo ls -l /proc/*/fd/* 2>/dev/null | grep -oP "(?<=proc\/)[0-9]+(?=\/fd.*\[($inode)\])"

I've used a simpler one as example below

The user that will be running the script is not root, but needs to be able to read the root-only files in /proc. For this I have elected to use a NOPASSWD line in sudoers specifically for the ls command on a particular /proc directory (rather than sudo for the entire script).

user ALL=(ALL) NOPASSWD: /usr/bin/ls -l /proc/*/fd/*

Sudo allows the command to run without a password as expected, but the missing file doesn't even show up as an access error. It seems that the sudo command doesn't even work, since doing a raw listing without grep only shows files owned by user.

Sudo from User

user@localhost:~/# sudo /usr/bin/ls -l /proc/*/fd/* | grep "946"
lr-x------ 1 user user 64 Jun 30 11:39 /proc/10251/fd/17 -> pipe:[89462]
l-wx------ 1 user user 64 Jun 30 11:39 /proc/10251/fd/18 -> pipe:[89462]
lr-x------ 1 user user 64 Jun 30 11:39 /proc/10251/fd/19 -> pipe:[89463]
l-wx------ 1 user user 64 Jun 30 11:39 /proc/10251/fd/20 -> pipe:[89463]
lr-x------ 1 user user 64 Jun 30 11:39 /proc/10251/fd/44 -> pipe:[89464]
l-wx------ 1 user user 64 Jun 30 11:39 /proc/10251/fd/45 -> pipe:[89464]
lrwx------ 1 user user 64 Jun 30 12:14 /proc/1424/fd/12 -> socket:[24946]
lr-x------ 1 user user 64 Jun 30 07:53 /proc/2958/fd/44 -> pipe:[32946]
l-wx------ 1 user user 64 Jun 30 07:53 /proc/2958/fd/45 -> pipe:[32946]

Su into Root

root@localhost:~/# sudo /usr/bin/ls -l /proc/*/fd/* | grep "946"
lr-x------ 1 user     user     64 Jun 30 11:39 /proc/10251/fd/17 -> pipe:[89462]
l-wx------ 1 user     user     64 Jun 30 11:39 /proc/10251/fd/18 -> pipe:[89462]
lr-x------ 1 user     user     64 Jun 30 11:39 /proc/10251/fd/19 -> pipe:[89463]
l-wx------ 1 user     user     64 Jun 30 11:39 /proc/10251/fd/20 -> pipe:[89463]
lr-x------ 1 user     user     64 Jun 30 11:39 /proc/10251/fd/44 -> pipe:[89464]
l-wx------ 1 user     user     64 Jun 30 11:39 /proc/10251/fd/45 -> pipe:[89464]
lrwx------ 1 root     root     64 Jun 30 12:14 /proc/1191/fd/22 -> socket:[946]
lrwx------ 1 user     user     64 Jun 30 12:14 /proc/1424/fd/12 -> socket:[24946]
lr-x------ 1 user     user     64 Jun 30 07:53 /proc/2958/fd/44 -> pipe:[32946]
l-wx------ 1 user     user     64 Jun 30 07:53 /proc/2958/fd/45 -> pipe:[32946]

Sudo cannot see the root-owned fd directory of PID 1191 (NetworkManager). But if I su to root, I can see it. I even tried making the sudoers line like so:

user ALL=(ALL) NOPASSWD: /usr/bin/ls*

And while the command does work without asking for a password, the return data is the same: no root-owned files.

Why is this happening? I thought sudo was effectively root?

How can I give the least permissions to user to be able to grep through /proc/*/fd/* for an inode?

1 Answer


The problem is that the shell globbing takes place before sudo is started, i.e. with regular user permissions.

You need something like

sudo bash -c 'ls -l /proc/*/fd/*'

Edit 1

The sudoers line would be something like this:

user ALL=(ALL) NOPASSWD: /usr/bin/bash -c ls -l /proc/\*/fd/\*
Hauke Laging
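What a least-privilege version of the sudoers approach looks like, as an added example that is not part of the question or of the answer above: rather than granting ls (or bash -c) with a glob in the argument list, grant a single root-owned wrapper script that does the whole lookup itself, so the /proc glob is expanded by the root process and the user cannot vary the arguments at all. The script name and path (/usr/local/bin/find-socket-pids.sh), the PROC_ROOT parameter of its two functions (there only so the lookup can be exercised against a constructed /proc-like tree), and the sample data are assumptions; the column numbers are the kernel's /proc/net/packet (field 9, Inode) and /proc/net/raw (field 10, inode, same layout as tcp/udp) layouts.

```shell
#!/bin/sh
# find-socket-pids.sh (assumed name): the single command to grant via sudoers
# instead of "ls -l /proc/*/fd/*". Usage: find-socket-pids.sh packet|raw
# Prints "PID INODE" for every process holding a socket listed in /proc/net/<table>.

# Print the socket inodes listed in a /proc/net/<table> file.
# Column positions are fixed by the kernel: packet -> field 9, raw -> field 10.
# Only the two table names are accepted, so the caller cannot point this at
# an arbitrary file.
socket_inodes() {
    table=$1; file=$2
    case $table in
        packet) col=9 ;;
        raw)    col=10 ;;
        *) echo "unknown table: $table" >&2; return 2 ;;
    esac
    # NR > 1 skips the header line; accept only purely numeric inode values
    awk -v c="$col" 'NR > 1 && $c ~ /^[0-9]+$/ { print $c }' "$file"
}

# For each PID directory under PROC_ROOT ($1), resolve every fd symlink and
# print "PID INODE" when the target is socket:[INODE] and INODE is one of the
# remaining arguments. The glob below is expanded by THIS process, which is
# why the script (not the caller's shell) has to be the thing running as root.
pids_for_inodes() {
    proc_root=$1; shift
    wanted=" $* "
    for fd in "$proc_root"/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            'socket:['*']') ;;
            *) continue ;;
        esac
        inode=${target#socket:[}; inode=${inode%]}
        case $wanted in
            *" $inode "*)
                pid=${fd#"$proc_root"/}; pid=${pid%%/*}
                echo "$pid $inode"
                ;;
        esac
    done | sort -u
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 packet|raw" >&2; return 2; }
    inodes=$(socket_inodes "$1" /proc/net/"$1") || return $?
    [ -n "$inodes" ] || return 0
    # word-splitting $inodes on purpose: one inode per argument
    pids_for_inodes /proc $inodes
}

# Run only when invoked with an argument, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Install it as root:root mode 0755 (the user must not be able to edit what sudo will run as root) and grant exactly the two invocations, e.g. `user ALL=(root) NOPASSWD: /usr/local/bin/find-socket-pids.sh packet, /usr/local/bin/find-socket-pids.sh raw`. Because sudoers lists the full argument string, any other argument (an extra option, a different table name, a path) is refused, and the script itself reads only the two kernel tables and /proc/[0-9]*/fd/*; the unprivileged user gets the PID-to-inode mapping and nothing else.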