29.3 Privilege Elevation with systrace
The systrace system can also be used to eliminate the need for setuid and setgid binaries. Typically only one or two steps of a program genuinely require elevated privilege, such as binding to a low-numbered port or reading a protected file; the rest of its work can proceed as an ordinary user.
In systrace, the permit as action allows a system call to proceed as a specified user. For example, an application that captures packets from the network has to open and read the BPF devices, which is normally possible only as root. This single privilege can be granted to a non-root process using the permit as root option:
native-fswrite: filename eq "/dev/bpf0" then permit as root
native-fswrite: filename eq "/dev/bpf1" then permit as root
Note that the parent systrace process must itself run as root for this technique to work, since an unprivileged user cannot cause system calls to be executed as a more privileged user. If it is started by an ordinary user instead, the elevation is refused when the program runs:
$ systrace dnstop wi0
Privilege elevation not allowed.
The program continues after this message but typically fails when it reaches the privileged operation. Rather than running the monitored program itself as root, start systrace as root and use its -c option to set the user ID (and optionally the group ID) of the child process. Here, root runs the dnstop program as user and group 1000, which is still allowed to open the BPF devices (normally accessible only by root) because of the policy above:
# systrace -c 1000:1000 -a dnstop wi0
This approach can be used to greatly limit the scope of programs that would otherwise require root privileges.
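The procedure above (a policy that grants root only for opening the BPF devices, a root-owned parent systrace, and -c to drop the child to an unprivileged uid/gid) can be packaged into a small wrapper script. The following is an added example written for this edition, not code from the original text or from the systrace or dnstop projects. It assumes an OpenBSD-style systrace(1) that supports -c uid:gid, -f policyfile and -a (automatic enforcement, which denies any call the policy does not cover), the policy-file form "Policy: path, Emulation: native" followed by tab-indented rules, and the chapter's example values (uid/gid 1000, dnstop, interface wi0). The policy body and the /etc/systrace/dnstop.policy path are hypothetical minimal choices.

```shell
#!/bin/sh
# Added example (not from the original text): confine a packet sniffer with
# systrace so it runs as an unprivileged uid/gid but may still open the BPF
# devices as root. Assumes OpenBSD-style systrace(1) with -c uid:gid, -a and
# -f policyfile; uid/gid 1000, dnstop and wi0 follow the chapter's example.

# Print a minimal policy for BIN: opening each listed BPF device is permitted
# as root, every other filesystem write is refused. Calls not mentioned here
# are denied by -a. (Hypothetical policy; a real sniffer also needs fsread
# rules for its shared libraries and configuration files.)
emit_policy() {
    bin="$1"; shift
    printf 'Policy: %s, Emulation: native\n' "$bin"
    for dev in "$@"; do
        printf '\tnative-fswrite: filename eq "%s" then permit as root\n' "$dev"
    done
    printf '\tnative-fswrite: filename match "*" then deny[eperm]\n'
}

# "permit as root" only takes effect when the parent systrace runs as root;
# otherwise the child reports "Privilege elevation not allowed". Returns 0
# when the given uid (default: the current one) may elevate.
can_elevate() {
    [ "${1:-$(id -u)}" -eq 0 ]
}

# Usage: run this script as root with --run to confine dnstop on wi0.
# Root starts systrace, the child is dropped to 1000:1000, and the policy
# file supplies the narrow root grant for the BPF devices only.
if [ "${1:-}" = "--run" ]; then
    can_elevate || { echo "systrace must be started as root for permit as root" >&2; exit 1; }
    policy=/etc/systrace/dnstop.policy   # hypothetical policy location
    emit_policy /usr/local/bin/dnstop /dev/bpf0 /dev/bpf1 > "$policy"
    exec systrace -c 1000:1000 -a -f "$policy" /usr/local/bin/dnstop wi0
fi
```

The deny rule at the end of the generated policy is what keeps the elevation narrow: without it, a compromised dnstop running under a permissive policy could open other files, and any open that matched a permit as root rule would happen with root's credentials. Grant the elevated action for exactly the paths the program needs and nothing more.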