From owner-freebsd-hackers@FreeBSD.ORG Thu Aug 21 00:39:02 2003 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 929C716A4BF for ; Thu, 21 Aug 2003 00:39:02 -0700 (PDT) Received: from obsecurity.dyndns.org (adsl-64-169-107-97.dsl.lsan03.pacbell.net [64.169.107.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id DF11343FBF for ; Thu, 21 Aug 2003 00:39:00 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: from rot13.obsecurity.org (rot13.obsecurity.org [10.0.0.5]) by obsecurity.dyndns.org (Postfix) with ESMTP id 8D58566B04; Thu, 21 Aug 2003 00:39:00 -0700 (PDT) Received: by rot13.obsecurity.org (Postfix, from userid 1000) id 5F8D6A56; Thu, 21 Aug 2003 00:39:00 -0700 (PDT) Date: Thu, 21 Aug 2003 00:39:00 -0700 From: Kris Kennaway To: Dan Nelson Message-ID: <20030821073900.GA90003@rot13.obsecurity.org> References: <20030817181315.GL55671@episec.com> <20030821065854.GA11586@dan.emsphone.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="W/nzBZO5zC0uMSeA" Content-Disposition: inline In-Reply-To: <20030821065854.GA11586@dan.emsphone.com> User-Agent: Mutt/1.4.1i cc: freebsd-hackers@freebsd.org cc: ari Subject: Re: [future patch] dropping user privileges on demand X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2003 07:39:02 -0000 --W/nzBZO5zC0uMSeA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Aug 21, 2003 at 01:58:54AM -0500, Dan Nelson wrote: > It does something similar, but uses a C-like language to control a > processes actions. This lets you get extremely fine-grained control > (allow httpd to bind to only port 80, once), but the rules run as > "root", so they can grant as well as revoke privileges. A useful > modification would be to allow users to submit their own policies that > can only disallow actions (i.e. all arguments and process variables are > read-only, and the script can either pass the syscall through or return > a failure code, nothing else). Exercise for the reader: find a situation where the failure to perform a syscall that normally succeeds, leads to privilege escalation :-) Kris --W/nzBZO5zC0uMSeA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/RHcUWry0BWjoQKURAuEzAJ9o49lyrY3Vol2F96FMTalpPeXXLgCdGXqb Dm3gcK2ZlBscCY1a9a+3jJE= =KWP8 -----END PGP SIGNATURE----- --W/nzBZO5zC0uMSeA--