>John Plocher wrote:
>> What is the basic use case for this priv?
>
>I assumed it was to let setuid programs have one more thing they could
>give up, to reduce the number of things an exploit could do if you did
>find a security hole in them that allowed running arbitrary code, like
>most of the rest of the "basic" privileges.
It is also possible to contain users in a "can't break out" shell; they
can run their application but they cannot copy data outside of the
machine. In Solaris 8 you can get this functionality by adding an ACL to
/dev/tcp.

>> I think the difference is that for those, the set of system middleware
>> we provide doesn't silently rely on them for proper operation;
>
>Just various non-obvious functions in libc(). (Do you think most programmers
>realize wordexp(), pututxline() or grantpt() call fork+exec?)

Absolutely; I think, though, that grantpt() no longer calls exec: pt_chmod
is gone (or is it now running devfsadm?).

Having tested the net_access privilege, I can say that few library calls
use AF_INET sockets for IPC. Note that localhost RPC will not use AF_INET;
name service lookups will use sockets, but nscd will do it for you.

With cscope, I wasn't able to find a library routine which uses networking
as IPC without clearly being a network function. But even if such an
interface exists, I don't believe that that is fatal to this proposal;
similarly to the issues with wordexp(), pututxline(), grantpt().

Casper