lsof -i Issue

Ra'Jiska · 05-19-2015, 08:11 AM

Hello,

I would like to use the lsof -i command without a privilege elevated user, however it doesn't work, the output is null. It does only work when I sudo it. On another server, I've got it working perfectly, without the user being root or having to use sudo (web user). How would I be able to proceed ?
Linux - Ubuntu 14.04.

Thanks.

smallpond · 05-19-2015, 10:32 AM

On the other server is it setuid root?

MensaWater · 05-19-2015, 10:34 AM

It's related to how it was compiled. You can recompile your own to allow non-root users to use it but I prefer to use sudo to give access to the few folks that might need it.

From "man lsof"

Quote:

SECURITY
Lsof has three features that may cause security concerns. First, its
default compilation mode allows anyone to list all open files with it.
Second, by default it creates a user-readable and user-writable device
cache file in the home directory of the real user ID that executes
lsof. (The list-all-open-files and device cache features may be dis-
abled when lsof is compiled.) Third, its -k and -m options name alter-
nate kernel name list or memory files.

Restricting the listing of all open files is controlled by the com-
pile-time HASSECURITY and HASNOSOCKSECURITY options. When HASSECURITY
is defined, lsof will allow only the root user to list all open files.
The non-root user may list only open files of processes with the same
user IDentification number as the real user ID number of the lsof pro-
cess (the one that its user logged on with).

However, if HASSECURITY and HASNOSOCKSECURITY are both defined, anyone
may list open socket files, provided they are selected with the -i
option.

When HASSECURITY is not defined, anyone may list all open files.

Help output, presented in response to the -h or -? option, gives the
status of the HASSECURITY and HASNOSOCKSECURITY definitions.

See the Security section of the 00README file of the lsof distribution
for information on building lsof with the HASSECURITY and HASNOSOCKSE-
CURITY options enabled.

P.S. lsof is one of the greatest tools for UNIX/Linux. It can do so many different things. I heartily recommend it to all who haven't learned of it yet. It's author, Vic Abel, was even kind enough to work with me and one of the big UNIX vendors a few years back when I discovered issues with it on their platform.

Ra'Jiska · 05-19-2015, 11:08 AM

@smallpod
Not setuid root for the process and the lsof file (/usr/bin/lsof).

@MensaWater
How would I be able to proceed ?

Also, I've noticed something, the process created by the other server have 'dr-xr-xr-x 7 www-data www-data' while the other one have 'dr-x------ 7 www-data www-data'.
Not sure it'd be very important since owner in both cases have read access.
Two log files were added, both strace of the working and non working lsof from servers. 'lsof.log' is the non working and 'lsof-good.log' is the one working.
The file 'lsof-good.log' was cutted since it was too big to be uploaded.

Thanks for your help.