Subject: Re: finer grained IPNOPRIVPORTing
To: Michael S. <zyp@charm.at>
From: Eric Haszlakiewicz <erh@jodi.nimenees.com>
List: tech-kern
Date: 05/25/2005 10:11:53
On Wed, May 25, 2005 at 08:57:36AM +1000, Daniel Carosone wrote:
> On Wed, May 25, 2005 at 12:47:15AM +0200, Michael S. wrote:
> > I was thinking that privileged ports could be bound depending on having
> > entries in a file (e.g. /etc/privports) with application name and port
> > number it is allowed to bind without being root.
>
> systrace already supports this, and much more.

	hmm.. I'm a little confused as to how systrace is supposed to work.

When you want to use systrace policies, do you always need to run the
programs with "systrace <foo>", or is there a systrace daemon somewhere
that checks the policies for all programs that are run?  Or, do the policies
end up loaded into the kernel somehow, like ipf rules?

	If you always need to run the systrace binary, how does that help
get rid of setuid binaries if, in order to enable the privilege elevation,
you need to be root to start with?

eric