Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/matsumotory/tcpriv
tcpriv: Access Control Architecture Separating Privilege Transparently via TCP Connection Based on Process Information
- Host: GitHub
- URL: https://github.com/matsumotory/tcpriv
- Owner: matsumotory
- License: gpl-3.0
- Created: 2020-03-09T05:38:17.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2020-08-26T06:14:52.000Z (over 4 years ago)
- Last Synced: 2024-10-18T18:17:41.203Z (3 months ago)
- Language: C
- Homepage:
- Size: 205 KB
- Stars: 16
- Watchers: 5
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# tcpriv
#### A Design of Access Control Architecture Separating Privilege Transparently via TCP Connection Based on Process Information
`tcpriv` separates privilege on TCP connections using the owner information in the Linux `task_struct` of the connecting process. `tcpriv` is a Linux kernel module: on the client it embeds the process's uid in an experimental TCP option (kind 254, ExID 0xf991) of the SYN, and the server reads that option back from the saved SYN (see the experiment output below). We develop `tcpriv` on Ubuntu 20.04 and Linux kernel 5.4; see `Vagrantfile` and `misc/provision.sh`.
Now under development.
## Quick setup
- install vagrant
- set up the build and test environment
```
# Supports building multiple VMs
vagrant up server # waits for client access after provisioning
vagrant up client # connects to the server for testing

# on one terminal
vagrant ssh client

# on another terminal
vagrant ssh server
```
The whole setup phase is provisioned automatically by `misc/provision.sh`: installing packages, setting up the kernel module environment, building the kernel module, and loading/unloading tcpriv with insmod/rmmod.
- test using vagrant provision
```
$ vagrant provision server
...
server: TEST: server is waiting for client..
server: waiting...
server: connected: 192.168.0.2
server: syn_len: 60
server: found tcpriv's information: kind=254 length=10 ExID=0xf991 uid=1000
server: tcpriv: all test success.
```
```
$ vagrant provision client
...
client: TEST: client is trying to connect server...
client: [tcpriv] connect to 192.168.0.3
client: client test done
```
## Experiment
#### Remote servers transparently receive process information such as uid/gid from a client process
#### 1. A server (192.168.0.3)
```
# in host
vagrant up server # or vagrant provision server
vagrant ssh server

# in vm
cd ~/tcpriv/test
./server
```
#### 2. A client (192.168.0.2)
```
# in host
vagrant up client # or vagrant provision client
vagrant ssh client

# in vm
cat /proc/net/tcpriv
# tcpriv v0.0.1 was enabled.

# check uid/gid
id
# uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lxd),118(lpadmin),119(sambashare)

# access tcp port
nc -vz 192.168.0.3 55226
# Connection to 192.168.0.3 55226 port [tcp/ssh] succeeded!

# change uid
id sshd
# uid=111(sshd) gid=65534(nogroup) groups=65534(nogroup)
sudo -u sshd nc -vz 192.168.0.3 55226
# Connection to 192.168.0.3 55226 port [tcp/ssh] succeeded!
```
#### 3. The remote server (192.168.0.3)
```
vagrant@server:~/tcpriv/test$ ./server
tcpriv[info]: waiting...
tcpriv[info]: connected: 192.168.0.2
tcpriv[info]: syn_len: 60
tcpriv[info]: found tcpriv's information: kind=254 length=10 ExID=0xf991 uid=1000
tcpriv[info]: all test success.
```
```
vagrant@server:~/tcpriv/test$ ./server
tcpriv[info]: waiting...
tcpriv[info]: connected: 192.168.0.2
tcpriv[info]: syn_len: 60
tcpriv[info]: found tcpriv's information: kind=254 length=10 ExID=0xf991 uid=111
server: server.c:146: read_saved_syn: Assertion `tcpriv_uid == 1000' failed.
Aborted (core dumped)
```
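Worked example of the server-side check the experiment above exercises. This is an added example, not code from the tcpriv repository: it walks the TCP options of a saved SYN (the IPv4 + TCP header buffer a Linux server gets from `getsockopt(TCP_SAVED_SYN)`, which is what the README's `read_saved_syn` in `server.c` evidently reads), finds the experimental option with kind 254 and ExID 0xf991 shown in the logs, and returns the uid. The exact byte layout of tcpriv's 10-byte option is not documented on this page; the layout used here (2-byte ExID, 4-byte big-endian uid, 2 bytes left unparsed), the sample SYN bytes, and every function and parameter name are this example's own assumptions.

```c
/* Added example, not tcpriv's own code: extract the uid that tcpriv carries in an
 * experimental TCP option (kind 254, ExID 0xf991) from a saved SYN, i.e. the IPv4
 * header + TCP header buffer that getsockopt(TCP_SAVED_SYN) hands a Linux server.
 * ASSUMED layout of the 10-byte option (the page does not document it):
 *   kind(1) len(1) ExID(2, big-endian) uid(4, big-endian) 2 bytes left unparsed */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TCPOPT_EOL_K  0
#define TCPOPT_NOP_K  1
#define TCPOPT_EXP_K  254     /* RFC 6994 experimental option kind */
#define TCPRIV_EXID   0xf991  /* ExID printed by the README's server */
#define TCPRIV_OPTLEN 10
enum { TCPRIV_FOUND = 0, TCPRIV_ABSENT = 1, TCPRIV_MALFORMED = -1 };

/* Walk the TCP options of a saved SYN. Every length is checked against the buffer
 * so a truncated or corrupt SYN is reported instead of being read past the end. */
int tcpriv_parse_saved_syn(const uint8_t *syn, size_t len, uint32_t *uid_out)
{
    if (len < 20 || (syn[0] >> 4) != 4) return TCPRIV_MALFORMED;
    size_t ihl = (size_t)(syn[0] & 0x0f) * 4;
    if (ihl < 20 || ihl + 20 > len) return TCPRIV_MALFORMED;
    const uint8_t *tcp = syn + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > len) return TCPRIV_MALFORMED;
    const uint8_t *opt = tcp + 20, *end = tcp + doff;
    while (opt < end) {
        uint8_t kind = *opt;
        if (kind == TCPOPT_EOL_K) break;
        if (kind == TCPOPT_NOP_K) { opt++; continue; }
        if (end - opt < 2) return TCPRIV_MALFORMED;          /* no room for a length byte */
        uint8_t olen = opt[1];
        if (olen < 2 || end - opt < olen) return TCPRIV_MALFORMED;
        if (kind == TCPOPT_EXP_K && olen == TCPRIV_OPTLEN &&
            ((opt[2] << 8) | opt[3]) == TCPRIV_EXID) {
            if (uid_out)
                *uid_out = ((uint32_t)opt[4] << 24) | ((uint32_t)opt[5] << 16) |
                           ((uint32_t)opt[6] << 8) | opt[7];
            return TCPRIV_FOUND;
        }
        opt += olen;
    }
    return TCPRIV_ABSENT;
}

/* The README's server asserts tcpriv_uid == 1000 and aborts on uid 111; returning a
 * verdict lets a real server close that connection. allowed_uid is this example's. */
int tcpriv_allow(const uint8_t *syn, size_t len, uint32_t allowed_uid)
{
    uint32_t uid;
    if (tcpriv_parse_saved_syn(syn, len, &uid) != TCPRIV_FOUND) return 0;
    return uid == allowed_uid;
}

/* Constructed sample, not a capture: 20-byte IPv4 + 40-byte TCP header (syn_len 60
 * as in the README), 192.168.0.2 -> 192.168.0.3:55226, checksums left at zero. */
static const uint8_t sample_syn[60] = {
    0x45, 0x00, 0x00, 0x3c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 168, 0, 2, 192, 168, 0, 3,
    0x9c, 0x40, 0xd7, 0xba, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0xa0, 0x02, 0xfa, 0xf0, 0x00, 0x00, 0x00, 0x00,             /* doff 10, SYN */
    0x02, 0x04, 0x05, 0xb4,                                     /* MSS 1460 */
    0x04, 0x02,                                                 /* SACK permitted */
    0xfe, 0x0a, 0xf9, 0x91, 0x00, 0x00, 0x03, 0xe8, 0x00, 0x00, /* tcpriv, uid 1000 */
    0x01,                                                       /* NOP */
    0x03, 0x03, 0x07,                                           /* window scale 7 */
};

/* Copy of the sample with the uid field (bytes 50..53) rewritten. */
size_t tcpriv_sample_syn(uint32_t uid, uint8_t out[60])
{
    memcpy(out, sample_syn, sizeof sample_syn);
    out[50] = (uint8_t)(uid >> 24); out[51] = (uint8_t)(uid >> 16);
    out[52] = (uint8_t)(uid >> 8);  out[53] = (uint8_t)uid;
    return sizeof sample_syn;
}

/* The same SYN from a client without the module: the option bytes become NOPs. */
size_t tcpriv_sample_plain_syn(uint8_t out[60])
{
    memcpy(out, sample_syn, sizeof sample_syn);
    memset(out + 46, TCPOPT_NOP_K, TCPRIV_OPTLEN);
    return sizeof sample_syn;
}

int main(void)
{
    uint8_t syn[60]; uint32_t uid = 0;
    size_t n = tcpriv_sample_syn(111, syn);              /* the sudo -u sshd case */
    printf("syn_len: %zu\n", n);
    if (tcpriv_parse_saved_syn(syn, n, &uid) == TCPRIV_FOUND)
        printf("found tcpriv's information: kind=%d length=%d ExID=0x%04x uid=%u\n",
               TCPOPT_EXP_K, TCPRIV_OPTLEN, TCPRIV_EXID, uid);
    printf("allowed under a uid-1000 policy: %s\n", tcpriv_allow(syn, n, 1000) ? "yes" : "no");
    return 0;
}
```

On Linux the buffer comes from setting `TCP_SAVE_SYN` on the listening socket before `listen()` and calling `getsockopt(fd, IPPROTO_TCP, TCP_SAVED_SYN, buf, &len)` on each accepted socket (kernel 4.2 and later). Unlike the README's `assert`, `tcpriv_allow` returns a verdict, so a server can close the uid=111 connection instead of aborting, and it treats a SYN with no option (a client without the module) or a malformed option as "deny". The option is carried in clear in the SYN, so the value is only as trustworthy as the sending kernel and the network path; a server should use it as a transport-level identity hint and still apply its own authorization.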