From owner-freebsd-hackers@FreeBSD.ORG Thu Aug 21 09:11:53 2003 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 10AB616A4BF for ; Thu, 21 Aug 2003 09:11:53 -0700 (PDT) Received: from milla.ask33.net (milla.ask33.net [217.197.166.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id E3D7743FDD for ; Thu, 21 Aug 2003 09:11:51 -0700 (PDT) (envelope-from nick@milla.ask33.net) Received: by milla.ask33.net (Postfix, from userid 1001) id B77753ABB4F; Thu, 21 Aug 2003 18:12:38 +0200 (CEST) Date: Thu, 21 Aug 2003 18:12:38 +0200 From: Pawel Jakub Dawidek To: Kris Kennaway Message-ID: <20030821161238.GK47959@garage.freebsd.pl> References: <20030817181315.GL55671@episec.com> <20030821065854.GA11586@dan.emsphone.com> <20030821073900.GA90003@rot13.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Jtds+vpI57xq70EV" Content-Disposition: inline In-Reply-To: <20030821073900.GA90003@rot13.obsecurity.org> X-PGP-Key-URL: http://garage.freebsd.pl/jules.asc X-OS: FreeBSD 4.8-RELEASE-p3 i386 X-URL: http://garage.freebsd.pl User-Agent: Mutt/1.5.1i cc: freebsd-hackers@freebsd.org cc: Dan Nelson cc: ari Subject: Re: [future patch] dropping user privileges on demand X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Aug 2003 16:11:53 -0000 --Jtds+vpI57xq70EV Content-Type: text/plain; charset=iso-8859-2 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Aug 21, 2003 at 12:39:00AM -0700, Kris Kennaway wrote: +> > It does something similar, but uses a C-like language to control a +> > processes actions. This lets you get extremely fine-grained control +> > (allow httpd to bind to only port 80, once), but the rules run as +> > "root", so they can grant as well as revoke privileges. A useful +> > modification would be to allow users to submit their own policies that +> > can only disallow actions (i.e. all arguments and process variables are +> > read-only, and the script can either pass the syscall through or return +> > a failure code, nothing else). +>=20 +> Exercise for the reader: find a situation where the failure to perform +> a syscall that normally succeeds, leads to privilege escalation :-) The answer is: Every network daemon. If you could compromise it, you get local access. --=20 Pawel Jakub Dawidek pawel@dawidek.net UNIX Systems Programmer/Administrator http://garage.freebsd.pl Am I Evil? Yes, I Am! http://cerber.sourceforge.net --Jtds+vpI57xq70EV Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iQCVAwUBP0Tvdj/PhmMH/Mf1AQGKXAQAnsgjvghr9nxOKnUb7Njo+cXscMJGr4je 4MOMIb/hxwvspl6yjBye+aRc02W7X2rZNd7lae5KOMbFE3Eh7zzSqHSZKuFpcQdY 2zMvcGecrRep0A9ZjNqVy+bjN9GcTIwk4rc23pzIQsS5liRMxDxIdaTuwVtsPkh9 5czPA3RgtCU= =sjHU -----END PGP SIGNATURE----- --Jtds+vpI57xq70EV--