Subject: Re: Systrace policy fingerprints? (Re: finer grained IPNOPRIVPORTing)
To: Thor Lancelot Simon <>
From: Daniel Carosone <>
List: tech-kern
Date: 05/27/2005 20:48:01
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, May 27, 2005 at 08:18:00PM +1000, Daniel Carosone wrote:
>   /bin/systrace is setuid root. If the systrace *policy file* is
>   setuid, it changes to that setuid user, and runs as if invoked with
>   -c the original uid.

Er, to be a little clearer and expand on the implications of this:

  If the systrace policy file is setuid root, systrace retains root
  and runs as if invoked -c the original user, and can thus use
  privilege elevation.  (root marked the policy, including any "as
  root" entries, as setuid).

  If the policy file is setuid some other user, systrace runs as that
  user, and thus can no longer use privilege elevation (preventing
  normal users creating setuid policies that allow "... as root". =20

  If the policy file is not setuid, it drops root and runs as now, as
  the original user.

The second case is probably just about the same as having the binary
itself setuid; perhaps we can make the distinction meaningful for
something better?  Perhaps systrace policies setuid "fred" can use a
limited form of privilege elevation, only "... as fred"?  This would
require extensions to the kernel part of systrace as well, not just
the userland program (which is enough for the rest of the above).


Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.4.1 (NetBSD)