Subject: Re: trusted BSD?
To: Simon Gerraty <>
From: Thor Lancelot Simon <>
List: tech-security
Date: 08/08/2005 18:36:32
On Mon, Aug 08, 2005 at 10:56:14AM -0700, Simon Gerraty wrote:
> On Mon, 8 Aug 2005 11:15:11 -0400, Thor Lancelot Simon writes:
> >I think this is the wrong way to go.  I think that it would be much better
> >to associate systrace policies with executables using verified exec, as
> I've been thinking of that too, but my colleages haven't been convinced
> that systrace is the right answer.  Anyone got some example systrace
> configs that show for instance how ping can run without setuid and still
> work - and preferably not being run via a setuid wrapper.

It's trivial: you just run the program with a systrace policy that does
"permit as root" the open of the raw socket.

This is a very good example of what we were talking about as a combination
of systrace and veriexec last time the topic came up: if you only allow
root to load the policies' fingerprints into the kernel, then it's safe
to run all the systrace policies as if they were invoked with systrace -c
uid and the uid of the user executing the associated executable -- so it
is possible to do "permit as root" and so forth without using a setuid

 Thor Lancelot Simon	                            

"The inconsistency is startling, though admittedly, if consistency is to be
 abandoned or transcended, there is no problem."		- Noam Chomsky