C Giving up the ability to exec?

How would you give up the ability to execute another program?

Say I have a misc program that has some network connection or otherwise handles tainted input data. An unprivileged user starts and runs it. It does not need to do anything privileged, and does not use routines from libc that execute helper programs (this might change later). Something like an extern
Code:
#include <stdlib.h>
int execve(const char *path, char *const argv[], char *const envp[]) { abort(); }
might catch some rare situations, but not the more likely machine level exploits.

I would not like to use chrooting or jailing, as they require (?) root while initializing. Intent is to give up powers, not to escalate. OpenBSD has pledge, which sounds like it would fit the bill.

Juha
 
Capsicum. Once you enter capability mode (see cap_enter(2)) you can't exec anymore. To lock the process down more you would also need to limit open file descriptors (and all accept(2)-ed (if the process is a server) or received fds later) with cap_rights_limit(2), cap_ioctls_limit(2) etc.

Things get hairy when your process needs to do more work like e.g. DNS requests, which you need to delegate to an external daemon casperd since libc doesn't have the rights to do them anymore (only available on FreeBSD >= 11.0, libcasper(3)).
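As an added illustration of the sequence described in this reply (it is example code written for this page, not from the thread, from FreeBSD's sources or from any project): open the one file the process needs, cut that descriptor's rights down to CAP_READ with cap_rights_limit(2), enter capability mode with cap_enter(2), and then probe that exec, a fresh open(2) and write(2) on the capped descriptor are all refused with the errno Capsicum documents. /dev/null as the single file and /bin/sh as the exec target are arbitrary choices for the demo. The Capsicum calls exist only on FreeBSD, so on other systems the routines compile to stubs that report "unsupported".

```c
/* Added example: enter Capsicum capability mode and verify the sandbox.
 * FreeBSD-only (sys/capsicum.h); elsewhere the sandbox routines are stubs
 * returning -1 with errno = ENOSYS. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* 1 if this build can actually enter capability mode. */
int capsicum_supported(void)
{
#ifdef __FreeBSD__
    return 1;
#else
    return 0;
#endif
}

/* Opens path read-only, limits the descriptor to CAP_READ (write(2) and
 * even fstat(2) on it are refused afterwards), then enters capability
 * mode. Returns the fd, or -1 with errno set. */
int open_readonly_and_sandbox(const char *path)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    cap_rights_init(&rights, CAP_READ);
    if (cap_rights_limit(fd, &rights) < 0) { close(fd); return -1; }
    /* Irreversible: from here on open(2), execve(2), connect(2) to an
     * address and similar global-namespace operations fail with ECAPMODE. */
    if (cap_enter() < 0) { close(fd); return -1; }
    return fd;
#else
    (void)path;
    errno = ENOSYS;
    return -1;
#endif
}

/* Probes that the sandbox holds. Returns 0 when every forbidden operation
 * is refused with the expected errno and the kept right still works, a
 * bitmask naming the failed checks otherwise, and -1 without Capsicum. */
int verify_sandbox(int fd)
{
#ifdef __FreeBSD__
    unsigned int mode = 0;
    char *const argv[] = { "sh", "-c", "true", NULL };   /* assumed target */
    char *const envp[] = { NULL };
    char c = 'x';
    int rc = 0;

    if (cap_getmode(&mode) < 0 || mode != 1)
        rc |= 1;   /* not actually in capability mode */
    if (execve("/bin/sh", argv, envp) == 0 || errno != ECAPMODE)
        rc |= 2;   /* exec must be refused */
    if (open("/etc/passwd", O_RDONLY) >= 0 || errno != ECAPMODE)
        rc |= 4;   /* the global filesystem namespace is gone */
    if (write(fd, &c, 1) >= 0 || errno != ENOTCAPABLE)
        rc |= 8;   /* fd carries CAP_READ only */
    if (read(fd, &c, 1) < 0)
        rc |= 16;  /* the one right we kept still works */
    return rc;
#else
    (void)fd;
    return -1;
#endif
}

/* Whole flow on the assumed input: 0 on a verified sandbox, -1 if Capsicum
 * is unavailable or setup failed, otherwise the failed-check bitmask. */
int run_demo(void)
{
    int fd = open_readonly_and_sandbox("/dev/null");
    if (fd < 0)
        return -1;
    return verify_sandbox(fd);
}

int main(void)
{
    int rc = run_demo();
    if (rc < 0)
        perror("sandbox unavailable or setup failed");
    else
        printf("sandbox checks: %s (code %d)\n",
               rc == 0 ? "all refused as expected" : "FAILED", rc);
    return rc != 0;
}
```

Order matters: every descriptor the program will need is opened and limited before cap_enter(2), because nothing new can be opened by path afterwards; descriptors that arrive later (accept(2), SCM_RIGHTS) still have to be limited as they arrive.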
 
Fits the bill exactly. Thanks!

I guess I'm missing a few billion synapses, having ignored the casperd on ps output so many times.
Juha
 