Subject: Re: Systrace policy fingerprints? (Re: finer grained IPNOPRIVPORTing)
To: Thor Lancelot Simon <firstname.lastname@example.org>
From: Daniel Carosone <email@example.com>
Date: 05/27/2005 20:48:01
Content-Type: text/plain; charset=us-ascii
On Fri, May 27, 2005 at 08:18:00PM +1000, Daniel Carosone wrote:
> /bin/systrace is setuid root. If the systrace *policy file* is
> setuid, it changes to that setuid user, and runs as if invoked with
> -c the original uid.
Er, to be a little clearer and expand on the implications of this:
If the systrace policy file is setuid root, systrace retains root
and runs as if invoked -c the original user, and can thus use
privilege elevation. (root marked the policy, including any "as
root" entries, as setuid).
If the policy file is setuid some other user, systrace runs as that
user, and thus can no longer use privilege elevation (preventing
normal users creating setuid policies that allow "... as root". =20
If the policy file is not setuid, it drops root and runs as now, as
the original user.
The second case is probably just about the same as having the binary
itself setuid; perhaps we can make the distinction meaningful for
something better? Perhaps systrace policies setuid "fred" can use a
limited form of privilege elevation, only "... as fred"? This would
require extensions to the kernel part of systrace as well, not just
the userland program (which is enough for the rest of the above).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (NetBSD)
-----END PGP SIGNATURE-----