NetBSD-Users archive


Re: systrace replacement



On Thu, Mar 19, 2009 at 04:13:57PM +0100, Jonathan Schleifer wrote:
> Am 19.03.2009 um 16:11 schrieb Thor Lancelot Simon:
>
>> To use systrace, you need root.
>
> Nope. You can perfectly run it as a user. It looks in ~/.systrace for  
> systrace files first and then in /etc/systrace. Works just fine. No root 
> involved at all!

Ah.  Yes, you can do that.  My apologies -- you couldn't do anything I ever
found particularly interesting about systrace that way (that is, you
can't dole out superuser privilege in a fine-grained way) so it didn't
occur to me.

>> Worse, systrace can (and did!) create
>> security holes where it gives away root privileges to malicious
>> applications that know how to exploit systrace.
>
> There is no systrace running as root, thus nobody can gain root
> through it.

I'm not sure what you're getting at here.  Systrace runs in the kernel.
Bugs in systrace can unquestionably give processes root privileges when
they should not have them.

>> The problem is where
>> the systrace syscall argument handling code was implemented: other
>> threads of control in user processes could simply overwrite its input
>> or output.
>>
>> Nobody stepped up to fundamentally rewrite systrace to eliminate this
>> very basic problem, which actually _created_ new security holes instead
>> of eliminating existing ones -- so systrace was removed, basically as a
>> security measure.  It's a volunteer project, and I don't see anyone
>> stepping up as a volunteer to take on this rather large piece of work.
>
> Erm, if a user can already override it, it means he got access somewhere 
> else - so there's no point in even exploiting systrace, as it's not 
> running as root anyway. You would gain access to the same user again.

I'm not sure what you mean here, but I cannot see how it matters.  The code
had a severe design problem with both system stability and security
implications, nobody was willing to fix it, and the code was removed.  If
you want it put back, you probably need to fix it first, at the very least.

It's a volunteer project.

Thor
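The design flaw Thor describes above (the policy checks a syscall argument in memory the supervised process still owns, and another thread of that process rewrites it before the kernel reads it again) is a classic check-then-use race. The following is an added illustration, not code from the NetBSD systrace implementation or from anyone in this thread: a small user-space model in which `struct user_args`, `policy_allows`, `do_open`, `open_racy`, `open_copyin` and the "other thread" hook are all invented stand-ins. The racy path checks the user buffer and then lets the operation re-read that buffer; the hardened path copies the argument in once and checks and uses only the copy.

```c
/* Added illustration, not code from the NetBSD systrace implementation or
 * from this thread: a user-space model of the check-then-use race the mail
 * describes.  The "policy" reads a syscall argument (a path) out of memory
 * that the supervised process still owns, approves it, and then the
 * operation (here, do_open) re-reads the same memory.  Any other thread of
 * the supervised process can rewrite the path between the two reads. */
#include <stdio.h>
#include <string.h>

#define PATHMAX 64

/* Hypothetical: the argument buffer lives in the supervised process's
 * address space, so the supervised process (all its threads) can write it. */
struct user_args {
    char path[PATHMAX];
};

/* Hook standing in for "another thread runs here"; NULL means no race. */
typedef void (*interleave_fn)(struct user_args *);

/* Hypothetical policy: only paths under /tmp/ are allowed. */
static int policy_allows(const char *path)
{
    return strncmp(path, "/tmp/", 5) == 0;
}

/* Stand-in for the real syscall; returns 1 if it "opened" a sensitive file. */
static int do_open(const char *path)
{
    return strcmp(path, "/etc/master.passwd") == 0;
}

/* Vulnerable pattern: check the user buffer, then let the operation read
 * the user buffer again.  Returns 1 if a sensitive file was opened despite
 * the policy, 0 otherwise. */
static int open_racy(struct user_args *ua, interleave_fn other_thread)
{
    if (!policy_allows(ua->path))
        return 0;                     /* denied up front */
    if (other_thread)
        other_thread(ua);             /* the race window */
    return do_open(ua->path);         /* re-reads the (possibly new) path */
}

/* Hardened pattern: copy the argument in once, then check and use only the
 * private copy.  The other thread can still scribble on ua->path, but
 * nothing reads user memory after the copy. */
static int open_copyin(struct user_args *ua, interleave_fn other_thread)
{
    char kpath[PATHMAX];

    strncpy(kpath, ua->path, PATHMAX - 1);
    kpath[PATHMAX - 1] = '\0';        /* the one and only read of user memory */
    if (!policy_allows(kpath))
        return 0;
    if (other_thread)
        other_thread(ua);             /* same window, now harmless */
    return do_open(kpath);
}

/* Constructed attacker thread: swap the approved path for a forbidden one. */
static void swap_path(struct user_args *ua)
{
    strcpy(ua->path, "/etc/master.passwd");
}

/* Runs one opener against a constructed, policy-approved argument with the
 * attacker thread interleaved: returns 1 if the sensitive file was opened. */
static int run_race(int (*opener)(struct user_args *, interleave_fn))
{
    struct user_args ua;

    strcpy(ua.path, "/tmp/scratch");  /* constructed, passes the policy */
    return opener(&ua, swap_path);
}

int main(void)
{
    printf("racy:   sensitive file opened = %d\n", run_race(open_racy));
    printf("copyin: sensitive file opened = %d\n", run_race(open_copyin));
    return 0;
}
```

The point of the model is that the fix is not a better policy but a different data flow: the policy and the operation must both consume one snapshot taken under the kernel's control, which is what Thor means by the argument handling having been implemented in the wrong place.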

