From owner-freebsd-hackers  Sat Jun  1 16:23: 4 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from citi.umich.edu (citi.umich.edu [141.211.92.141])
	by hub.freebsd.org (Postfix) with ESMTP id DCB3B37B40B
	for <freebsd-hackers@FreeBSD.ORG>; Sat,  1 Jun 2002 16:22:55 -0700 (PDT)
Received: by citi.umich.edu (Postfix, from userid 104123)
	id 30744207C3; Sat,  1 Jun 2002 19:22:55 -0400 (EDT)
Date: Sat, 1 Jun 2002 19:22:55 -0400
From: Niels Provos <provos@citi.umich.edu>
To: karin@root66.org
Cc: freebsd-hackers@FreeBSD.ORG, bfischer@Techfak.Uni-Bielefeld.DE
Subject: Re: sandboxing untrusted binaries
Message-ID: <20020601232254.GE19245@citi.citi.umich.edu>
References: <20020531105059.GA720_no-support.loc@ns.sol.net> <20020531165629.H86421_root66.org@ns.sol.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020531165629.H86421_root66.org@ns.sol.net>
User-Agent: Mutt/1.3.27i
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

On Fri, May 31, 2002 at 02:56:53PM +0000, karin@root66.org wrote:
> Netscape for instance needs to execute other binaries, the user should
> be allowed to specify which binaries. Netscape needs to write cache
> files, any hacker exploiting netscape can use that to create a new
> process which isn't systrace-profiled.
This is not correct.  I suggest that you look at the systrace web page
again and read all the information there.  It is very feasible and
desirable to run any third-party software under systrace.

For example, it is not possible for netscape to create a process that
is not monitored.  I suggest that you look at the sample konquerer
policy.

> I suggest getting over the illusion hackers won't be able to hack the
> system if you narrow them a bit, the binaries you run still need
> capabilities to correctly function, which are always enough to hack the
> system.
This is not correct either.  There is no illusion here.  Please, give
me an example where the capabilities needed "are always enough to hack
the system."  Say gaim or opera.

> this is very specific for the program, you can't make judgements like
> this without being sure for what applications this applies.
In reverse, for which application is the assumption that read and
write are frequently executed system calls incorrect?

Niels.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message