From owner-freebsd-hackers Sat Jun 1 16:23:04 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from citi.umich.edu (citi.umich.edu [141.211.92.141]) by hub.freebsd.org (Postfix) with ESMTP id DCB3B37B40B for ; Sat, 1 Jun 2002 16:22:55 -0700 (PDT)
Received: by citi.umich.edu (Postfix, from userid 104123) id 30744207C3; Sat, 1 Jun 2002 19:22:55 -0400 (EDT)
Date: Sat, 1 Jun 2002 19:22:55 -0400
From: Niels Provos
To: karin@root66.org
Cc: freebsd-hackers@FreeBSD.ORG, bfischer@Techfak.Uni-Bielefeld.DE
Subject: Re: sandboxing untrusted binaries
Message-ID: <20020601232254.GE19245@citi.citi.umich.edu>
References: <20020531105059.GA720_no-support.loc@ns.sol.net> <20020531165629.H86421_root66.org@ns.sol.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020531165629.H86421_root66.org@ns.sol.net>
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, May 31, 2002 at 02:56:53PM +0000, karin@root66.org wrote:
> Netscape, for instance, needs to execute other binaries; the user should
> be allowed to specify which binaries. Netscape needs to write cache
> files; any hacker exploiting Netscape can use that to create a new
> process which isn't systrace-profiled.

This is not correct. I suggest that you look at the systrace web page
again and read all the information there. It is very feasible and
desirable to run any third-party software under systrace. For example,
it is not possible for Netscape to create a process that is not
monitored. I suggest that you look at the sample Konqueror policy.

> I suggest getting over the illusion hackers won't be able to hack the
> system if you narrow them a bit; the binaries you run still need
> capabilities to correctly function, which are always enough to hack the
> system.

This is not correct either. There is no illusion here. Please give me
an example where the capabilities needed "are always enough to hack the
system." Say gaim or opera.

> this is very specific for the program, you can't make judgements like
> this without being sure for what applications this applies.

In reverse, for which application is the assumption that read and write
are frequently executed system calls incorrect?

Niels.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
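The points argued in the message above (that the user, not the program, decides which binaries may be executed; that cache writes can be confined to one directory; and that read and write on already-opened descriptors are the common case and can simply be permitted) map directly onto a systrace policy. The policy below is an added illustration written for this page, not the sample Konqueror policy referred to in the message nor any policy shipped with systrace. It assumes the systrace policy-file syntax of that era (`Policy:` header, one `emulation-syscall: predicate then action` rule per line, first matching rule wins, unmatched calls denied when run with `systrace -a`), and the program path `/usr/local/bin/opera`, the cache directory `/home/karin/.opera/cache`, and the helper binary `/usr/local/bin/opera-mailer` are hypothetical paths chosen for the example.

```text
# Added example policy for a hypothetical Opera install under systrace.
# Rules are evaluated top to bottom; the first match decides.
Policy: /usr/local/bin/opera, Emulation: native
	# read/write act on descriptors that were already opened under policy,
	# so they are simply permitted; this is why they are the frequent calls
	# that need no per-call decision.
	native-read: permit
	native-write: permit
	native-close: permit
	native-mmap: permit
	native-munmap: permit
	native-break: permit
	native-__sysctl: permit
	# Read-only access to libraries and configuration.
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename match "/usr/local/lib/*" then permit
	native-fsread: filename eq "/etc/resolv.conf" then permit
	native-fsread: filename match "/home/karin/.opera/*" then permit
	# Sensitive files are refused with a plausible errno rather than
	# letting the program see the real contents.
	native-fsread: filename eq "/etc/master.passwd" then deny[enoent]
	# Cache writes are confined to one directory; nothing else is writable.
	native-fswrite: filename match "/home/karin/.opera/cache/*" then permit
	native-fswrite: filename eq "/dev/null" then permit
	# The user enumerates the binaries the browser may execute.
	# Anything else passed to execve is denied, so an attacker who
	# controls the browser cannot spawn a shell; and a permitted child
	# stays under systrace, which applies the child's own policy.
	native-execve: filename eq "/usr/local/bin/opera-mailer" then permit
	native-execve: deny[eperm]
	# Network: outbound HTTP/HTTPS only.
	native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
	native-connect: sockaddr match "inet-*:80" then permit
	native-connect: sockaddr match "inet-*:443" then permit
	native-connect: deny[eacces]
```

Run with `systrace -a -f <policyfile> /usr/local/bin/opera` (with `-a`, any call with no matching rule is denied instead of prompting). The value of the `execve` rules is the point of the message: confining the program to what it needs does not hand the attacker a way out, because the executable set is fixed by the user and the monitored process cannot produce an unmonitored descendant.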