Subject: Re: trusted BSD?
To: Simon Gerraty <firstname.lastname@example.org>
From: Thor Lancelot Simon <email@example.com>
Date: 08/08/2005 18:36:32
On Mon, Aug 08, 2005 at 10:56:14AM -0700, Simon Gerraty wrote:
> On Mon, 8 Aug 2005 11:15:11 -0400, Thor Lancelot Simon writes:
> >I think this is the wrong way to go. I think that it would be much better
> >to associate systrace policies with executables using verified exec, as
> I've been thinking of that too, but my colleagues haven't been convinced
> that systrace is the right answer. Anyone got some example systrace
> configs that show for instance how ping can run without setuid and still
> work - and preferably not being run via a setuid wrapper.
It's trivial: you just run the program with a systrace policy that does
"permit as root" the open of the raw socket.
This is a very good example of what we were talking about as a combination
of systrace and veriexec last time the topic came up: if you only allow
root to load the policies' fingerprints into the kernel, then it's safe
to run all the systrace policies as if they were invoked with systrace -c
uid and the uid of the user executing the associated executable -- so it
is possible to do "permit as root" and so forth without using a setuid
Thor Lancelot Simon firstname.lastname@example.org
"The inconsistency is startling, though admittedly, if consistency is to be
abandoned or transcended, there is no problem." - Noam Chomsky
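As an added illustration of the "permit as root" approach described in the reply above (this is not a policy from the original thread or from the systrace project; the ping binary path, library paths and the exact set of system calls ping needs are assumptions, and a real policy would be generated by running ping under systrace once and trimming the result), a systrace policy for ping could look roughly like this:

```text
Policy: /sbin/ping, Emulation: native
	native-fsread: filename eq "/etc/resolv.conf" then permit
	native-fsread: filename match "/usr/lib/*.so.*" then permit
	native-mmap: permit
	native-munmap: permit
	native-break: permit
	native-sigaction: permit
	native-getuid: permit
	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_RAW" then permit as root
	native-sendto: permit
	native-recvfrom: permit
	native-poll: permit
	native-write: permit
	native-exit: permit
```

Every rule except the one for the raw AF_INET/SOCK_RAW socket is an ordinary unprivileged "permit", so only that single system call is performed with root credentials; everything else, including anything not listed, runs (or is denied, when systrace is run non-interactively with -a) under the invoking user's own uid. That is the property the reply relies on: if the policy file and the ping binary are both fingerprinted through veriexec and only root can load fingerprints, the kernel can apply such a policy as though it had been started with systrace -c and the executing user's uid, and ping needs no setuid bit and no setuid wrapper.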