Subject: Re: Privilege Elevation with systrace
To: Simon J. Gerraty <sjg@crufty.net>
From: Niels Provos <provos@citi.umich.edu>
List: current-users
Date: 10/12/2002 08:31:51
On Sat, Oct 12, 2002 at 01:16:55AM -0700, Simon J. Gerraty wrote:
> I'm not familiar with systrace, but I _hope_ the policy can be more
> specific than that?
> The above looks like it would allow any program to open raw sockets
> "as root". Just what I'd need if wanting to run rawpkt or whatever to
> spew fordged packets into the net ;-)
I suggest that you read the man page and study the web page to get
some more background information on the usage of systrace. Have a
look at
http://www.citi.umich.edu/u/provos/systrace/
Of course, policies are program specific, and privilege elevation is
used to allow a single system call to run as e.g. root instead of the
whole process.
Niels.