NetBSD-Users archive


Re: systrace replacement



On Thu, Mar 19, 2009 at 04:00:48PM +0100, Jonathan Schleifer wrote:
> Am 19.03.2009 um 14:08 schrieb Christos Zoulas:
>
>> Yes, it is harder to do, but you could do the same in a chroot, or run
>> it as another user that does not have privileges to write anywhere
>> but ~/.
>
>
> To chroot, I need root - I think this will be just another issue then.

To use systrace, you need root.  Worse, systrace can (and did!) create
security holes where it gives away root privileges to malicious
applications that know how to exploit systrace.  The problem is where
the systrace syscall argument handling code was implemented: other
threads of control in user processes could simply overwrite its input
or output.

Nobody stepped up to fundamentally rewrite systrace to eliminate this
very basic problem, which actually _created_ new security holes instead
of eliminating existing ones -- so systrace was removed, basically as a
security measure.  It's a volunteer project, and I don't see anyone
stepping up as a volunteer to take on this rather large piece of work.

Thor
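The argument race described above, as a constructed C model added here (it is not part of this thread and not systrace's own code): a monitor that re-reads a syscall argument from user memory after checking it can have the check bypassed by another thread of the same process, while a monitor that checks and acts on one private copy cannot. The `/home/user/` policy, the `swap_after_check` hook and the paths are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_LEN 64

/* Constructed model, not systrace's code: user_buf stands for syscall argument
 * memory that other threads of the traced process can still write while the
 * monitor decides. Assumed policy: only files under /home/user/ are allowed. */
static bool policy_allows(const char *path) {
    return strncmp(path, "/home/user/", 11) == 0;
}

/* Stands in for another thread that runs between check and use. */
typedef void (*race_window_fn)(char *user_buf);

/* Vulnerable flow: the argument is fetched from user memory twice, once to
 * check it and again to act on it, so the check covers stale data. */
static bool double_fetch(char *user_buf, race_window_fn window, char *used, size_t n) {
    if (!policy_allows(user_buf))       /* first fetch: check */
        return false;
    window(user_buf);                   /* other thread runs here */
    snprintf(used, n, "%s", user_buf);  /* second fetch: use */
    return true;
}

/* Hardened flow: copy the argument once into monitor-owned memory (what
 * copyinstr(9) does in the kernel), then check and use only that copy. */
static bool single_fetch(char *user_buf, race_window_fn window, char *used, size_t n) {
    char kbuf[PATH_LEN];
    snprintf(kbuf, sizeof kbuf, "%s", user_buf);  /* the only fetch */
    if (!policy_allows(kbuf))
        return false;
    window(user_buf);                   /* still runs, but changes nothing */
    snprintf(used, n, "%s", kbuf);
    return true;
}

/* Constructed "other thread": rewrites the argument after the check. */
static void swap_after_check(char *user_buf) {
    snprintf(user_buf, PATH_LEN, "%s", "/tmp/outside-policy");
}

/* Runs one flow from a fresh, policy-conforming argument and reports whether
 * the path finally acted on falls outside the policy. */
static bool escapes_policy(bool (*flow)(char *, race_window_fn, char *, size_t)) {
    char user_buf[PATH_LEN] = "/home/user/notes.txt", used[PATH_LEN] = "";
    if (!flow(user_buf, swap_after_check, used, sizeof used))
        return false;                   /* denied outright: nothing escaped */
    return !policy_allows(used);        /* true for double_fetch, false for single_fetch */
}
```

Real pthread interleavings are timing dependent; the hook makes the same window deterministic so the two flows can be compared directly.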

