
This chapter is from the book

29.3 Privilege Elevation with systrace

The systrace system can also be used to eliminate setuid and setgid binaries. Normally a program needs elevated privilege for only one or two steps, such as binding to a low-numbered (privileged) port or reading a protected file; the rest of its work can run as an ordinary user.

In systrace, the permit as action allows a single system call to proceed as a specified user. For example, an application that captures packets from the network has to open the BPF devices, which only root may do. That one operation can be allowed for a non-root process with the permit as root action, with everything else the process does still subject to the rest of the policy and run as the unprivileged user:

native-fswrite: filename eq "/dev/bpf0" then permit as root
native-fswrite: filename eq "/dev/bpf1" then permit as root

Note that the parent systrace command must itself run as root for this technique to work: an unprivileged user cannot have system calls performed with another user's privileges. If systrace is started as a normal user, the elevation is refused and the program reports an error:

$ systrace dnstop wi0 
Privilege elevation not allowed. 

The program will then try to carry on normally, but typically fails as soon as it reaches the privileged operation. Instead, run systrace as root and use the -c option to set the user ID and group ID (uid:gid) for the child process. Here, root runs dnstop as user 1000, group 1000, with -a (automatic policy enforcement: operations not covered by the policy are denied without interactive prompting). The process runs unprivileged except for the policy-permitted opens of the BPF devices, which are normally accessible only to root:

# systrace -c 1000:1000 -a dnstop wi0 

This approach greatly limits the scope of programs that would otherwise have to run entirely as root: the process holds root only for the specific system calls the policy elevates. For that reason the elevating rules should be as narrow as possible, naming one exact file with filename eq rather than a wildcard, so that the unprivileged process cannot use the rule to open anything else as root.
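The policy fragment above shows only the two elevating rules, and the command line shows only how root starts the program. The following is an added example, not the book's own policy or tooling: a small shell script that generates a complete systrace policy for dnstop in which only the opens of the named BPF devices are elevated to root, and a lint that rejects any privilege-elevating rule that is not an exact filename eq match. It assumes dnstop is installed at /usr/local/bin/dnstop (a hypothetical path), and the non-privileged baseline rules it emits are illustrative; the full set for a real installation is best collected by running systrace interactively once.

```shell
#!/bin/sh
# Added example, not the book's own policy or tooling: generate a systrace
# policy that runs dnstop unprivileged and elevates only the BPF device opens,
# then lint the policy so that every privilege-elevating rule names one exact
# path. Assumptions: dnstop lives at /usr/local/bin/dnstop (hypothetical), and
# the non-privileged baseline rules below are illustrative only.

DNSTOP_PATH=/usr/local/bin/dnstop

# Print a policy for dnstop. Every argument is a BPF device node the program
# may open (read/write) as root; everything else runs as the uid:gid given to
# systrace -c.
# Usage: gen_dnstop_policy /dev/bpf0 /dev/bpf1
gen_dnstop_policy() {
    printf 'Policy: %s, Emulation: native\n' "$DNSTOP_PATH"
    # Illustrative baseline: what a curses program needs at start-up, all
    # permitted as the unprivileged user (no "as root").
    printf '\tnative-__sysctl: permit\n'
    printf '\tnative-mmap: permit\n'
    printf '\tnative-fsread: filename match "/usr/lib/*" then permit\n'
    printf '\tnative-fsread: filename match "/usr/share/terminfo/*" then permit\n'
    printf '\tnative-fswrite: filename eq "/dev/tty" then permit\n'
    # The only elevated operations: exact-path opens of the listed devices.
    for dev in "$@"; do
        printf '\tnative-fswrite: filename eq "%s" then permit as root\n' "$dev"
    done
}

# Read a policy on stdin and fail (exit 1) if any rule that grants privilege
# ("permit as ...") is not an exact "filename eq" match. A wildcard such as
#   native-fswrite: filename match "/dev/*" then permit as root
# would let the unprivileged process open arbitrary device nodes as root.
lint_elevation_rules() {
    awk '
        BEGIN { bad = 0 }
        /permit as/ && $0 !~ /filename eq "[^"]+" then permit as/ {
            printf "unsafe elevation rule: %s\n", $0
            bad = 1
        }
        END { exit bad }
    '
}

# Stand-alone use (run as root, as the text above requires). systrace looks
# for the policy under $HOME/.systrace with the binary path's slashes
# replaced by underscores:
#   gen_dnstop_policy /dev/bpf0 /dev/bpf1 | lint_elevation_rules
#   gen_dnstop_policy /dev/bpf0 /dev/bpf1 > "$HOME/.systrace/usr_local_bin_dnstop"
#   systrace -c 1000:1000 -a dnstop wi0
```

The lint is deliberately strict: it does not try to judge which paths are safe to elevate, only that each elevating rule pins a single path, which is the property the book's own rules rely on.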
