Subject: Re: Privilege Elevation with systrace
To: None <xs@kittenz.org>
From: Niels Provos <provos@citi.umich.edu>
List: current-users
Date: 10/12/2002 15:47:05
On Sat, Oct 12, 2002 at 12:03:45PM +0100, xs@kittenz.org wrote:
> This rule does differ from what ping could do before. ping drops its
> privileges after it has created a raw socket. But with such a policy,
> it can keep opening raw sockets because systrace policies are
> stateless.
You can actually predicate the policy on uid and gid. So, a ping
policy could permit raw socket creation only once:
netbsd-socket: socktype eq "SOCK_RAW" then permit as root, if user = sys1
netbsd-setuid: uid eq "sys2" the permit as root, if user = sys1
Systrace would start ping with uid sys1, ping would then do
fd = socket(AF_INET, SOCK_RAW, 0);
setuid(sys2);
Niels.