I see you! snoop(1M)'ing in non-global zones!
Tuesday Apr 25, 2006
Dear diary... It has been quite a while since my last posting...
While I have not posted very much to my blog lately, I have been quite busy writing. In fact, since February, the following Sun BluePrints articles have been published:
- Privilege Debugging in the Solaris 10 Operating System
- Toward Systemically Secure IT Architectures
- The Solaris Fingerprint Database (Updated for the Solaris 10 OS)
- Privilege Bracketing in the Solaris 10 Operating System
Using this project and a little device manipulation, you can today get snoop working in a non-global zone, and here is how to do it... But first, a few warnings:
WARNING #1: This approach lets the non-global zone see all of the network traffic on the interface whose device node you add, not just the traffic addressed to that zone. Unless the global zone and each non-global zone use separate physical interfaces, following these instructions will let one zone observe traffic intended for, or exchanged with, the global zone and other zones. Note also that net_rawaccess together with the device node permits the zone to send raw frames on that interface, so the zone can inject traffic as well as capture it.
WARNING #2: This approach is likely not generally recommended. This is meant only as an illustration of what can be done and may serve as a useful workaround in some environments until a more recommended, secure and supportable solution is available.
With that out of the way, let's give it a try!
First, you must configure your zone to include the net_rawaccess privilege. This is done using a new zonecfg(1M) parameter, limitpriv. In the following example, we will assume that we have previously created and installed a non-global zone, called test. To add the new net_rawaccess privilege, simply use the following command:
    # zonecfg -z test
    zonecfg:test> set limitpriv=default,net_rawaccess
    zonecfg:test> exit

Next, let's boot up the zone and check that the privilege has been successfully added:
    # zoneadm -z test boot
    # zlogin test
    [Connected to zone 'test' pts/5]
    Last login: Mon Apr 24 23:49:15 on pts/5
    Sun Microsystems Inc.   SunOS 5.11      snv_38  October 2007
    # ppriv $$
    4547:   -sh
    flags = <none>
            E: basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,
               file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,
               ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_privaddr,
               net_rawaccess,proc_audit,proc_chroot,proc_owner,proc_setid,proc_taskid,sys_acct,
               sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource
            I: basic
            P: basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,
               file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,
               ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_privaddr,
               net_rawaccess,proc_audit,proc_chroot,proc_owner,proc_setid,proc_taskid,sys_acct,
               sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource
            L: basic,contract_event,contract_observer,file_chown,file_chown_self,file_dac_execute,
               file_dac_read,file_dac_search,file_dac_write,file_owner,file_setid,ipc_dac_read,
               ipc_dac_write,ipc_owner,net_bindmlp,net_icmpaccess,net_mac_aware,net_privaddr,
               net_rawaccess,proc_audit,proc_chroot,proc_owner,proc_setid,proc_taskid,sys_acct,
               sys_admin,sys_audit,sys_mount,sys_nfs,sys_resource

net_rawaccess now appears in the zone's effective (E), permitted (P) and limit (L) sets. Technically speaking, what comes next is likely not recommended, but it does work and can help you out in a pinch if you need to get this functionality working in a non-global zone until a more recommended method becomes available.
In order to get snoop working in a non-global zone, you must also introduce the network device into the zone. The following commands must be executed from the global zone and are representative only (based on my system's configuration). The actual commands you should use will vary based on the interface name and the major/minor numbers of the device.
On my system, the network interface name is nge0. My first goal is to determine the major and minor device number associated with the network interface:
    # ls -l /dev/nge0
    lrwxrwxrwx   1 root     root          38 Apr 21 10:02 /dev/nge0 -> ../devices/pci@0,0/pci108e,5347@a:nge0
    # ls -l /devices/pci@0,0/pci108e,5347@a:nge0
    crw-rw-rw-   1 root     root      96,  1 Apr 22 10:46 /devices/pci@0,0/pci108e,5347@a:nge0

With this information, we can now create the network device in the non-global zone:
    # zonecfg -z test info zonepath
    zonepath: /my/zones/test
    # cd /my/zones/test/dev
    # mknod nge0 c 96 1
    # ls -l nge0
    crw-r--r--   1 root     root      96,  1 Apr 25 13:00 nge0

All the hard work is now done. Two things worth checking before you rely on this: the new node is world-readable (crw-r--r--), but raw access to the interface still requires net_rawaccess, which ordinary users in the zone do not hold, so only the zone's root can capture on it; tightening the node to mode 600 costs nothing. And because the node was created by hand rather than through the zone's configuration, confirm that it is still present after the zone is rebooted and re-create it if it is not. With the privilege and device added to the zone, you can now use snoop!
    # snoop -d nge0
    Using device /dev/nge0 (promiscuous mode)
     192.168.1.11 -> test         TCP D=22 S=62991 Syn Seq=2109859625 Len=0 Win=49640 Options=
            test -> 192.168.1.11 TCP D=62991 S=22 Syn Ack=2109859626 Seq=377273646 Len=0 Win=49640 Options=
     192.168.1.11 -> test         TCP D=22 S=62991 Ack=377273647 Seq=2109859626 Len=0 Win=49640
            test -> 192.168.1.11 TCP D=62991 S=22 Push Ack=2109859626 Seq=377273647 Len=20 Win=49640

Voila! Piece of cake! Just use this tip with caution, as you do not want to inadvertently expose yourself. Peek-a-boo! I'll see you (later!)
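The privilege and device steps above, collected into one script with the checks a practitioner would want afterwards. This is an added example, not code from the original post: it takes the zone name and interface from the command line, reads the zone path and current limitpriv from zonecfg(1M), mirrors the global zone's major/minor numbers into the zone's /dev, and then verifies that the node and the limit set match what was asked for. It assumes Solaris zonecfg(1M) and mknod(1M) are present and that it runs as root in the global zone; with DRY_RUN=1 it only prints the privileged commands, so the parsing can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the original post). Adds net_rawaccess to a
# zone's limit set, mirrors the global zone's NIC device node into the
# zone's /dev, then verifies both. Assumes Solaris zonecfg(1M)/mknod(1M)
# and root in the global zone. DRY_RUN=1 prints the privileged commands
# instead of running them.

# Extract "MAJOR MINOR" from one `ls -lL` line for a character device,
# e.g. "crw-rw-rw- 1 root root 96, 1 Apr 22 10:46 /devices/...".
# Returns 1 if the entry is not a character device (e.g. a symlink).
dev_major_minor() {
    set -- $1
    case "$1" in
        c*) ;;
        *)  return 1 ;;
    esac
    echo "${5%,} $6"
}

# Return 0 if the comma-separated privilege list $1 contains privilege $2.
privset_has() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Build the new limitpriv value from the current one (may be empty when
# unset). Keep "default" so the zone's standard privileges are not
# replaced by net_rawaccess alone, and do not add the privilege twice.
limitpriv_value() {
    current=$1
    [ -z "$current" ] && current=default
    privset_has "$current" net_rawaccess && { echo "$current"; return 0; }
    echo "$current,net_rawaccess"
}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

enable_snoop_in_zone() {
    zone=$1; nic=$2

    # 1. Privilege. zonecfg prints "limitpriv: <value>" (empty when unset).
    cur=$(zonecfg -z "$zone" info limitpriv 2>/dev/null | sed 's/^limitpriv: *//')
    new=$(limitpriv_value "$cur")
    run zonecfg -z "$zone" "set limitpriv=$new"

    # 2. Device node. `ls -lL` follows /dev/NIC to its /devices entry so the
    #    major/minor fields are on the line we parse.
    nums=$(dev_major_minor "$(ls -lL "/dev/$nic")") || {
        echo "/dev/$nic is not a character device" >&2; return 1; }
    zonepath=$(zonecfg -z "$zone" info zonepath | sed 's/^zonepath: *//')
    run mknod "$zonepath/dev/$nic" c $nums
    # Root-only mode (tighter than the 644 the umask gave in the post):
    # whoever can open this node with net_rawaccess can capture and inject.
    run chmod 600 "$zonepath/dev/$nic"

    # 3. Verify: same major/minor as the global zone's device, and the
    #    privilege really is in the zone's limit set.
    if [ "${DRY_RUN:-0}" != 1 ]; then
        zn=$(dev_major_minor "$(ls -lL "$zonepath/dev/$nic")") || return 1
        [ "$zn" = "$nums" ] || { echo "major/minor mismatch" >&2; return 1; }
        cur=$(zonecfg -z "$zone" info limitpriv | sed 's/^limitpriv: *//')
        privset_has "$cur" net_rawaccess || return 1
    fi
}

# Usage: [DRY_RUN=1] ./snoopzone.sh ZONE NIC   e.g.  ./snoopzone.sh test nge0
if [ $# -eq 2 ]; then
    enable_snoop_in_zone "$1" "$2"
fi
```

The zone must be rebooted for a changed limitpriv to take effect, so run the script before `zoneadm -z ZONE boot`; the verification step in the script only confirms the configuration, and `ppriv $$` inside the zone, as shown earlier, confirms the running privilege sets.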
Take care,
g
Technorati Tag: OpenSolaris Solaris security
Posted at 04:29PM Apr 25, 2006 by gbrunett in Solaris 10 Security Tags: opensolaris privileges security snoop solaris









