Comments (4)
I have access to one server using a grsecurity enhanced kernel. Looking at the content of /proc/net/dev, I really can't see any way to identify if the lack of traffic is caused by the interface actually having seen no traffic or by some masking by kernel related changes. Therefore, producing any warnings based on that data could result in false warnings.
Possibly a note to the non-root install instructions and the RESTRICTIONS section of the man page would be the correct place to include documentation related to this use scenario.
from vnstat.
I misunderstood the problem at first, so the previous suggestions are void.
A note on the man page sounds good.
What about this patch
diff --git a/src/vnstatd.c b/src/vnstatd.c
index f42f562..4ef1440 100644
--- a/src/vnstatd.c
+++ b/src/vnstatd.c
@@ -162,6 +162,32 @@ int main(int argc, char *argv[])
snprintf(errorstring, 512, "vnStat daemon %s started. (pid:%d uid:%d gid:%d)", getversion(), (int)getpid(), (int)getuid(), (int)getgid());
printe(PT_Info);
+#if defined(__linux__)
+ /* grsecurity check, regarding /proc access */
+ {
+ const uid_t curr_euid = geteuid();
+ const struct group *grsec_grp = getgrnam("grsec-proc");
+
+ if (curr_euid != 0 && grsec_grp != NULL) {
+ gid_t list[8];
+ const int group_count = getgroups(8, list);
+ if (group_count > 0) {
+ int match = 0;
+ for (int i = 0; i < group_count; ++i) {
+ if (list[i] == grsec_grp->gr_gid) {
+ match = 1;
+ break;
+ }
+ }
+ if (!match) {
+ snprintf(errorstring, 512, "grsecurity might block data collection, see man:vnstatd(1)");
+ printe(PT_Info);
+ }
+ }
+ }
+ }
+#endif
+
/* main loop */
while (s.running) {
from vnstat.
I'd prefer to have some way of detecting when a grsecurity enhanced kernel is being used. That way, the logic could be to check if the user is something else than root, then check for grsecurity and if found and traffic equals zero, show the warning.
The problem is, even after reading the grsecurity documentation, I haven't seen a way of detecting when grsecurity is enabled. The grsec-proc group at most indicates that the system may have had grsecurity enabled at some point. That group name may also be Debian specific as I didn't see such group name suggested by the grsecurity documentation directly.
from vnstat.
Maybe for now an addition to the man page is sufficient, as adding detection for a running grsecurity enhanced kernel is not (meant to be?) simple and might invoke too extensive access (e.g. when using an LSM, like SELinux).
Also with the latest grsecurity announcement I do not know if and how grsecurity is shipped by distros in the future.
from vnstat.
Related Issues (20)
- Pfsense retention HOT 1
- vnstat: no longer works after databases/sqlite3 disabled DQS HOT 2
- Database size growing at alarming rate. Best ways to curb it? HOT 18
- Vnstat virtual interface not appearing HOT 7
- New VLANs not discovered HOT 2
- 95th percentile bandwidth calculation HOT 18
- wrong stat data for some interface HOT 17
- Calculate Traffic when vnstat stopped! HOT 4
- how to recover the database when i modify the time and updae the database force HOT 2
- How to install latest version? HOT 6
- Publish to snap store HOT 7
- vnstat measures file sharing from one device to another as transmission HOT 3
- How to install vnstat 2.9+ on Debian Bookworm. HOT 4
- Wireguard interface disabled, can't enable HOT 3
- Reset db in version 2 HOT 2
- do not exit with non-zero exit code when using `--alert` flag and `Failed to open database "/var/lib/vnstat/vnstat.db" in read-only mode.` throws HOT 5
- Accessing Vnstat figures HOT 2
- Send interface traffic result periodically to external server (URL) to avoid writing in the device HOT 2
- No interface matching "XXX" found in database. HOT 12
- SaveInterval Unit HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vnstat.