Subject: Re: finer grained IPNOPRIVPORTing
To: None <tech-kern@NetBSD.org>
From: Michael Santos <email@example.com>
Date: 05/25/2005 16:57:26
On Wed, May 25, 2005 at 10:11:53AM -0500, Eric Haszlakiewicz wrote:
> On Wed, May 25, 2005 at 08:57:36AM +1000, Daniel Carosone wrote:
> > On Wed, May 25, 2005 at 12:47:15AM +0200, Michael S. wrote:
> > > I was thinking that privileged ports could be bound depending on having
> > > entries in a file (e.g. /etc/privports) with the application name and port
> > > number it is allowed to bind without being root.
> > systrace already supports this, and much more.
> hmm.. I'm a little confused as to how systrace is supposed to work.
> When you want to use systrace policies, do you always need to run the
> programs with "systrace <foo>", or is there a systrace daemon somewhere
> that checks the policies for all programs that are run? or, do the policies
> end up loaded into the kernel somehow, like ipf rules?
> If you always need to run the systrace binary, how does that help
> get rid of setuid binaries if, in order to enable the privilege elevation,
> you need to be root to start with?
Well, I don't know if this is the "proper" way, but previously I've:
1. created a small setuid wrapper utility (/sbin/sp)
2. moved the setuid utilities to /sbin/setuid and done a chmod -s
3. chown root:wheel /sbin/setuid; chmod 700 /sbin/setuid
4. ln -s /sbin/sp /sbin/ping # e.g.
5. the wrapper searches /sbin/setuid for the app
6. the wrapper calls the app with "-a -U -c <your uid>:<your gid>" to drop privs
7. systrace enforces your policies
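A sketch of the wrapper described in steps 1-7 above, written as an added example for this reply (it is not the poster's /sbin/sp and not part of the NetBSD tree). The setuid directory /sbin/setuid comes from the message; the systrace binary path /bin/systrace, the function names and the ownership/mode checks are my own assumptions. The "-a -U -c uid:gid" flags are passed exactly as the message gives them. The one point the steps do not spell out is that argv[0] is chosen by whoever execs the wrapper, not by the symlink, so the name must be reduced to a plain file name before it is used to look anything up under /sbin/setuid:

```c
/* sp.c - setuid-root wrapper: find the real program under /sbin/setuid
 * and re-exec it under systrace with the invoking user's real uid:gid.
 * Example code written for this thread; paths and checks are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define SETUID_DIR "/sbin/setuid"   /* de-setuided originals (step 2 above) */
#define SYSTRACE   "/bin/systrace"  /* assumed location of systrace(1) */

/* Final path component of argv[0], e.g. "/sbin/ping" -> "ping". */
const char *wrapper_basename(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* argv[0] is caller-controlled: accept only a plain file name, so the
 * lookup can never leave SETUID_DIR via "/" or "..". Returns 1 if ok. */
int valid_app_name(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Write SETUID_DIR "/" name into buf. Returns 0, or -1 on bad name/overflow. */
int build_app_path(const char *name, char *buf, size_t buflen)
{
    int n;
    if (!valid_app_name(name))
        return -1;
    n = snprintf(buf, buflen, "%s/%s", SETUID_DIR, name);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

/* Fill out[] with: systrace -a -U -c uid:gid app_path argv[1..argc-1] NULL.
 * idbuf receives the "uid:gid" string; out needs argc + 6 slots.
 * Returns the number of entries before the NULL, or -1 on error. */
int build_systrace_argv(const char *app_path, uid_t uid, gid_t gid,
                        int argc, char *const argv[],
                        char *idbuf, size_t idlen, char **out, size_t outlen)
{
    int n, i = 0, j;
    if (argc < 1 || outlen < (size_t)argc + 6)
        return -1;
    n = snprintf(idbuf, idlen, "%lu:%lu", (unsigned long)uid, (unsigned long)gid);
    if (n < 0 || (size_t)n >= idlen)
        return -1;
    out[i++] = "systrace";
    out[i++] = "-a";
    out[i++] = "-U";
    out[i++] = "-c";
    out[i++] = idbuf;
    out[i++] = (char *)app_path;     /* execv's prototype lacks const */
    for (j = 1; j < argc; j++)
        out[i++] = argv[j];
    out[i] = NULL;
    return i;
}

int main(int argc, char *argv[])
{
    char path[256], idbuf[32];
    char **sargv;
    struct stat st;

    if (argc < 1 || argv[0] == NULL ||
        build_app_path(wrapper_basename(argv[0]), path, sizeof path) == -1) {
        fprintf(stderr, "sp: refusing to run: bad program name\n");
        return 1;
    }
    /* Only exec a root-owned regular file that group/others cannot replace. */
    if (stat(path, &st) == -1 || !S_ISREG(st.st_mode) || st.st_uid != 0 ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        fprintf(stderr, "sp: %s: missing or not a root-owned, non-writable file\n", path);
        return 1;
    }
    sargv = calloc((size_t)argc + 6, sizeof *sargv);
    if (sargv == NULL) {
        perror("calloc");
        return 1;
    }
    /* Real ids = the invoking user; effective ids are root because sp is setuid. */
    if (build_systrace_argv(path, getuid(), getgid(), argc, argv,
                            idbuf, sizeof idbuf, sargv, (size_t)argc + 6) == -1) {
        fprintf(stderr, "sp: cannot build systrace command line\n");
        return 1;
    }
    execv(SYSTRACE, sargv);
    perror("sp: execv");
    return 1;
}
```

Build it, install it setuid root, and symlink the old names to it as in step 4; with /sbin/setuid kept at mode 700 (step 3) nobody but root can run the originals outside systrace, so the wrapper plus the policy is the only route to them. What "-a", "-U" and "-c" do is as the message states; check systrace(1) on your release before relying on the exact semantics.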