Subject: Re: Privilege Elevation with systrace
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 10/12/2002 12:03:45

On Sat, Oct 12, 2002 at 01:16:55AM -0700, Simon J. Gerraty wrote:
> >Using systrace, ping can run without any privileges and a policy
> > netbsd-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then \
> > permit as root
> I'm not familiar with systrace, but I _hope_ the policy can be more
> specific than that?
> The above looks like it would allow any program to open raw sockets
> "as root". Just what I'd need if wanting to run rawpkt or whatever to
> spew forged packets into the net ;-)
Each policy is per-process, so the rule would be included in a policy
for just ping.
This rule does differ from what ping could do before. ping drops its
privileges after it has created a raw socket. But with such a policy,
it can keep opening raw sockets because systrace policies are
It seems that something similar to filter->match_count may help here.

    netbsd-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then \
        permit as root for count = 1
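
The behaviour discussed in this message, as an added Python model that is not part of the original post and is not systrace code: it compares the unbounded `permit as root` rule with the proposed `for count = 1` form, and shows that a rule in ping's policy does not apply to another program. The class and function names, the uid 1000 and keying policies by program name are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

ROOT = 0


@dataclass
class SocketRule:
    """Model of one netbsd-socket rule from the message."""
    sockdom: str
    socktype: str
    as_root: bool = False          # "permit as root"
    count: Optional[int] = None    # proposed "for count = N"; None means no limit
    matches: int = 0               # plays the role of a match counter

    def applies(self, sockdom, socktype):
        if (sockdom, socktype) != (self.sockdom, self.socktype):
            return False
        # A counted rule stops matching once its budget is used up.
        return self.count is None or self.matches < self.count


class Tracer:
    """Toy policy lookup: each program has its own rule list."""

    def __init__(self, policies):
        self.policies = policies   # {program name: [SocketRule, ...]}

    def socket(self, program, uid, sockdom, socktype):
        """Return the uid the call runs with, or None if it fails."""
        for rule in self.policies.get(program, []):
            if rule.applies(sockdom, socktype):
                rule.matches += 1
                return ROOT if rule.as_root else uid
        # Simplification: with no matching rule the call is not elevated,
        # and creating a raw socket without root fails.
        if socktype == "SOCK_RAW" and uid != ROOT:
            return None
        return uid


def raw_socket_attempts(rule, program="ping", uid=1000, attempts=3):
    """Try to open several raw sockets under a policy written for ping."""
    tracer = Tracer({"ping": [rule]})
    return [tracer.socket(program, uid, "AF_INET", "SOCK_RAW")
            for _ in range(attempts)]


if __name__ == "__main__":
    print(raw_socket_attempts(SocketRule("AF_INET", "SOCK_RAW", as_root=True)))
    print(raw_socket_attempts(SocketRule("AF_INET", "SOCK_RAW", as_root=True, count=1)))
```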