authorChristian Göttsche <cgzones@googlemail.com>2022-10-29 19:21:12 +0200
committerBenBE <BenBE@geshi.org>2023-02-05 00:24:13 +0100
commite3481a9846ef01bb27c169b71eafeee704e10c68 (patch)
tree47e5003f85875872813677895b7fa298d14af269
parent8ea144df7494bad0c46d3bf4f16c9a6556c500d2 (diff)
Linux: highlight username if process has elevated privileges
Highlight processes started from binaries with file capabilities set, like kwin_wayland, or retaining Linux capabilities, via the ambient set, after switching from the root user, e.g. rtkit.
-rw-r--r--CRT.c6
-rw-r--r--CRT.h1
-rw-r--r--Process.c4
-rw-r--r--Process.h7
-rw-r--r--linux/LinuxProcessList.c8
5 files changed, 25 insertions, 1 deletions
diff --git a/CRT.c b/CRT.c
index 64c259fc..e35608b6 100644
--- a/CRT.c
+++ b/CRT.c
@@ -157,6 +157,7 @@ static int CRT_colorSchemes[LAST_COLORSCHEME][LAST_COLORELEMENT] = {
[PROCESS_THREAD_BASENAME] = A_BOLD | ColorPair(Green, Black),
[PROCESS_COMM] = ColorPair(Magenta, Black),
[PROCESS_THREAD_COMM] = A_BOLD | ColorPair(Blue, Black),
+ [PROCESS_PRIV] = ColorPair(Magenta, Black),
[BAR_BORDER] = A_BOLD,
[BAR_SHADOW] = A_BOLD | ColorPairGrayBlack,
[SWAP] = ColorPair(Red, Black),
@@ -264,6 +265,7 @@ static int CRT_colorSchemes[LAST_COLORSCHEME][LAST_COLORELEMENT] = {
[PROCESS_THREAD_BASENAME] = A_REVERSE,
[PROCESS_COMM] = A_BOLD,
[PROCESS_THREAD_COMM] = A_REVERSE,
+ [PROCESS_PRIV] = A_BOLD,
[BAR_BORDER] = A_BOLD,
[BAR_SHADOW] = A_DIM,
[SWAP] = A_BOLD,
@@ -371,6 +373,7 @@ static int CRT_colorSchemes[LAST_COLORSCHEME][LAST_COLORELEMENT] = {
[PROCESS_THREAD_BASENAME] = A_BOLD | ColorPair(Blue, White),
[PROCESS_COMM] = ColorPair(Magenta, White),
[PROCESS_THREAD_COMM] = ColorPair(Green, White),
+ [PROCESS_PRIV] = ColorPair(Magenta, White),
[BAR_BORDER] = ColorPair(Blue, White),
[BAR_SHADOW] = ColorPair(Black, White),
[SWAP] = ColorPair(Red, White),
@@ -478,6 +481,7 @@ static int CRT_colorSchemes[LAST_COLORSCHEME][LAST_COLORELEMENT] = {
[PROCESS_THREAD_BASENAME] = A_BOLD | ColorPair(Blue, Black),
[PROCESS_COMM] = ColorPair(Magenta, Black),
[PROCESS_THREAD_COMM] = ColorPair(Yellow, Black),
+ [PROCESS_PRIV] = ColorPair(Magenta, Black),
[BAR_BORDER] = ColorPair(Blue, Black),
[BAR_SHADOW] = ColorPairGrayBlack,
[SWAP] = ColorPair(Red, Black),
@@ -585,6 +589,7 @@ static int CRT_colorSchemes[LAST_COLORSCHEME][LAST_COLORELEMENT] = {
[PROCESS_THREAD_BASENAME] = A_BOLD | ColorPair(Green, Blue),
[PROCESS_COMM] = ColorPair(Magenta, Blue),
[PROCESS_THREAD_COMM] = ColorPair(Black, Blue),
+ [PROCESS_PRIV] = ColorPair(Magenta, Blue),
[BAR_BORDER] = A_BOLD | ColorPair(Yellow, Blue),
[BAR_SHADOW] = ColorPair(Cyan, Blue),
[SWAP] = ColorPair(Red, Blue),
@@ -692,6 +697,7 @@ static int CRT_colorSchemes[LAST_COLORSCHEME][LAST_COLORELEMENT] = {
[PROCESS_LOW_PRIORITY] = ColorPair(Green, Black),
[PROCESS_NEW] = ColorPair(Black, Green),
[PROCESS_TOMB] = ColorPair(Black, Red),
+ [PROCESS_PRIV] = ColorPair(Magenta, Black),
[BAR_BORDER] = A_BOLD | ColorPair(Green, Black),
[BAR_SHADOW] = ColorPair(Cyan, Black),
[SWAP] = ColorPair(Red, Black),
diff --git a/CRT.h b/CRT.h
index c06d3ae7..bf5e460e 100644
--- a/CRT.h
+++ b/CRT.h
@@ -85,6 +85,7 @@ typedef enum ColorElements_ {
PROCESS_THREAD_BASENAME,
PROCESS_COMM,
PROCESS_THREAD_COMM,
+ PROCESS_PRIV,
BAR_BORDER,
BAR_SHADOW,
GRAPH_1,
diff --git a/Process.c b/Process.c
index 614369b4..5a179b42 100644
--- a/Process.c
+++ b/Process.c
@@ -1020,7 +1020,9 @@ void Process_writeField(const Process* this, RichString* str, ProcessField field
}
break;
case USER:
- if (Process_getuid != this->st_uid)
+ if (this->elevated_priv)
+ attr = CRT_colors[PROCESS_PRIV];
+ else if (Process_getuid != this->st_uid)
attr = CRT_colors[PROCESS_SHADOW];
if (this->user) {
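Review bot: The new first branch makes `elevated_priv` win over the `Process_getuid != this->st_uid` test, so another user's capability-holding process loses the PROCESS_SHADOW dimming. A short comment such as `/* privileged processes are highlighted even when owned by another user */` would record that this ordering is intended. `elevated_priv` is read here in platform-independent code but, within this commit, assigned only in the Linux status parser, so other platforms presumably rely on the Process struct being zero-initialised at allocation, which is not visible here. The `case USER:` body continues past the hunk.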
diff --git a/Process.h b/Process.h
index 0fdc392b..db32ecc1 100644
--- a/Process.h
+++ b/Process.h
@@ -151,6 +151,13 @@ typedef struct Process_ {
/* User name */
const char* user;
+ /* Non root owned process with elevated privileges
+ * Linux:
+ * - from file capabilities
+ * - inherited from the ambient set
+ */
+ bool elevated_priv;
+
/* Process runtime (in hundredth of a second) */
unsigned long long int time;
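Review bot: The field comment names where the capabilities come from, but not how the flag is derived or what value it has off Linux. The only assignment in this commit is in linux/LinuxProcessList.c, where it is `cap_permitted != 0 && process->st_uid != 0`, so the comment could state that directly: `/* Linux: st_uid != 0 and a non-empty permitted capability set (CapPrm) */`. A second line noting that other platforms leave it false would help, if that is indeed the case. The struct definition starts and ends outside the hunk.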
diff --git a/linux/LinuxProcessList.c b/linux/LinuxProcessList.c
index 0576dd67..24b7ea98 100644
--- a/linux/LinuxProcessList.c
+++ b/linux/LinuxProcessList.c
@@ -568,6 +568,14 @@ static bool LinuxProcessList_readStatusFile(Process* process, openat_arg_t procF
if (pid_ns_count > 1)
process->isRunningInContainer = true;
+ } else if (String_startsWith(buffer, "CapPrm:")) {
+ char* ptr = buffer + strlen("CapPrm:");
+ while (*ptr == ' ' || *ptr == '\t')
+ ptr++;
+
+ uint64_t cap_permitted = fast_strtoull_hex(&ptr, 16);
+ process->elevated_priv = cap_permitted != 0 && process->st_uid != 0;
+
} else if (String_startsWith(buffer, "voluntary_ctxt_switches:")) {
unsigned long vctxt;
int ok = sscanf(buffer, "voluntary_ctxt_switches:\t%lu", &vctxt);
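Review bot: The `CapPrm:` branch treats any non-zero permitted set on a non-root UID as elevated, but the capability sets in /proc/<pid>/status are relative to the process's own user namespace. A process that is root only inside an unprivileged user namespace (rootless containers, some sandboxes) will therefore be highlighted, although its capabilities apply only to resources governed by that namespace. If that is accepted, say so above the assignment, e.g. `/* CapPrm is relative to the process's user namespace; non-zero does not imply host-level privileges */`. The comparison also depends on `process->st_uid` already holding this scan's value when the status file is read, which the hunk does not show and is worth confirming. The `else if` chain begins and ends outside the hunk.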
