Subject: Re: Privilege Elevation with systrace
To: None <>
From: Niels Provos <>
List: current-users
Date: 10/12/2002 15:47:05
On Sat, Oct 12, 2002 at 12:03:45PM +0100, wrote:
> This rule does differ from what ping could do before. ping drops its
> privileges after it has created a raw socket. But with such a policy,
> it can keep opening raw sockets because systrace policies are
> stateless.
You can actually predicate the policy on uid and gid.  So, a ping
policy could permit raw socket creation only once:

netbsd-socket: socktype eq "SOCK_RAW" then permit as root, if user = sys1
netbsd-setuid: uid eq "sys2" the permit as root, if user = sys1

Systrace would start ping with uid sys1, ping would then do

  fd = socket(AF_INET, SOCK_RAW, 0);