if someone's interested, here is a list of fs differences
between 6.0 upgraded from 5.9, and 6.0 install, i found,
with some obvious differences like smtpd spool or sysmerge
backups removed (amd64/qemu):
http://pastebin.com/raw/VPkdbvxy (text/plain)
(not pasting because of long lines)
hth
On Sep 3, 2016, at 12:46 PM, Michal Bozon wrote:
>> good(?) news: sysmerge is gone in 6.0
>> but not removed by 5.9 to 6.0 upgrade process.
>
> s/sysmerge/systrace/
>
pledge()
> > good(?) news: sysmerge is gone in 6.0
> > but not removed by 5.9 to 6.0 upgrade process.
> >
>
> I really have a hard time understanding what you're trying to point out.
>
> Yes, systrace is gone, but it's an ordinary binary that does no harm,
>
> good(?) news: sysmerge is gone in 6.0
> but not removed by 5.9 to 6.0 upgrade process.
s/sysmerge/systrace/
On Sat, Sep 03, 2016 at 05:37:22PM +, Michal Bozon wrote:
> > Why?
>
> good(?) news: sysmerge is gone in 6.0
> but not removed by 5.9 to 6.0 upgrade process.
>
I really have a hard time understanding what you're trying to point out.
Yes, systrace is gone, but it
> Why?
good(?) news: sysmerge is gone in 6.0
but not removed by 5.9 to 6.0 upgrade process.
On 2016-04-27, Marc Espie wrote:
> Race-conditiony things that make you go hum, oh shit is this thing
> more dangerous than what it's actually protecting. Plus semantic bugs.
> Like the time we had to hunt a really weird copy bug in the qt code until
> we realized it was just sy
There were some significant issues with systrace over the years.
Race-conditiony things that make you go hum, oh shit is this thing
more dangerous than what it's actually protecting. Plus semantic bugs.
Like the time we had to hunt a really weird copy bug in the qt code until
we realized i
> it is not important.
>
> systrace was effectively deprecated 4-10 years ago, when there stopped
> being a maintainer for it, or the broken ecosystem surrounding.
>
> That was a gap needed to consider a replacement model.
>
> What do you want here?
I guess nothing imp
>> how do you mean? what happens on 5.9 when you use systrace with pledged
>> programs? Does cpu usage go through the roof by any chance? That would
>> explain why I have had to disable it to avoid waiting so long for
>> systraced desktop programs.
>
>hmmm, actually I
>> > Unfortunately systrace overhead can be significant for monitoring
>> > complex programs but it could potentially be useful as a part of a
>> > (HIPS or system intrusion or malfunction detection for a secure
>> > server). hmmm, assuming pledge does
> how do you mean? what happens on 5.9 when you use systrace with pledged
> programs? Does cpu usage go through the roof by any chance? That would
> explain why I have had to disable it to avoid waiting so long for
> systraced desktop programs.
hmmm, actually I guess the claws-mail
> > Unfortunately systrace overhead can be significant for monitoring
> > complex programs but it could potentially be useful as a part of a
> > (HIPS or system intrusion or malfunction detection for a secure
> > server). hmmm, assuming pledge doesn't kill the offe
> > I guess the question is: how many people actually use systrace in
> > scripts? Probably very very few.
From yesterday onwards, no one uses it.
> I use it in scripts but will look to switching to pledge when I
> have time, which I *should* be able to find in the next 6
> I guess the question is: how many people actually use systrace in
> scripts? Probably very very few.
I use it in scripts but will look to switching to pledge when I
have time, which I *should* be able to find in the next 6 months, haha.
It is however sometimes insightful as a quick and
On 2016-04-26, arrowscr...@mail.com wrote:
> Of course, you can put it on packages
Nope.
arrowscr...@mail.com wrote:
> I know about the pledge(2) development, but systrace and pledge are
> not mutually exclusive. Pledge needs to be used inline, where systrace
> can be used as a command line tool.
>
> If you remove it, many scripts that use systrace for privilege
I know about the pledge(2) development, but systrace and pledge are not
mutually exclusive. Pledge needs to be used inline, where systrace can be used
as a command line tool.
If you remove it, many scripts that use systrace for privilege reduction will
break.
Of course, you can put it on
Why not? In a more serious way, read misc@ and tech@ particularly in the
subject about pledge.
-luis
On Monday, 25 April 2016, wrote:
> Why?
Why?
>I can't quite figure out what you're trying to do, but running big GUI
>programs and libraries with root privileges (whether that's from systrace or
>doas or sudo or su or whatever) is usually not a good idea.
Thinking about it now, I guess if you add root write privileg
On 2015-12-03, Luke Small wrote:
> I want to be able to use systrace for privilege escalation for kompare for
> sysmerge diffs and kate. Why isn't systrace able to do this?
I can't quite figure out what you're trying to do, but running big
GUI programs and libraries with roo
2015-12-04 0:10 GMT+01:00 Luke Small :
> There must be some sort of kernel lock, because if you su - twice into the
> 1000 user, it won't open a x window either! I'm sure there is a
> conservative security policy at play,
X and switching users requires you to read up on xauth, always has.
--
write a
program that doesn't suid but can open a privileged socket under systrace
-c 1000:1000 ./server
On Dec 2, 2015 19:44, "Vadim Zhukov" wrote:
> On 3 Dec 2015, 4:27, user "Luke Small" wrote:
> >
> > I want to be able
On 3 Dec 2015, 4:27, user "Luke Small" wrote:
>
> I want to be able to use systrace for privilege escalation for kompare for
> sysmerge diffs and kate. Why isn't systrace able to do this?
Because no one wrote a systrace policy for Ka
I want to be able to use systrace for privilege escalation for kompare for
sysmerge diffs and kate. Why isn't systrace able to do this?
-Luke
On Sun, Sep 20, 2015 at 03:28:41PM +0800, johnw wrote:
> Hi all,
>
> I run my program with systrace, I noticed the program can bypass systrace,
> if I add the tame(2) call to my program.
>
Hi John,
Yes, it is the expected behaviour that when a program calls tame(2),
systrace(4
Hi all,
I run my program with systrace, I noticed the program can bypass
systrace, if I add the tame(2) call to my program.
my program will connect to inet, if I run my program with systrace, I
need to add systrace rule like this "native-connect: permit",
I noticed, if I ad
On 03/22/15 07:44, Kevin Chadwick wrote:
Systrace is also an option but the policy writing could be a little
work, the regex support is certainly helpful there.
systrace -A is very helpful
Excellent info; thanks. (This list has the
highest signal/noise ratio among tech lists that
come to mind
On Sat, 21 Mar 2015 14:14:22 -0700
luke...@onemodel.org wrote:
> Thanks to all who've commented: this has been educational & useful.
Systrace is also an option but the policy writing could be a little
work, the regex support is certainly helpful there.
systrace -A is very helpf
On Wed, Dec 24, 2014 at 09:12, Dan Becker wrote:
> asking for a friend
>
> Is the systrace policy format fully documented anywhere? There's a quick
> explanation on systrace(1) but there's no dedicated page for the format
The explanation may be quick, but as far as i know it is also complete.
asking for a friend
Is the systrace policy format fully documented anywhere? There's a quick
explanation on systrace(1) but there's no dedicated page for the format
--
--Dan
On May 14, 2014, at 10:49, Philip Guenther wrote:
> On Tue, May 13, 2014 at 8:06 AM, Илья Аржанников wrote:
> I am trying to use linux port systrace. And I found the problem. When I run
under systrace (it does not matter with -A or -a (actually it never came till
-a)) som
On Tue, May 13, 2014 at 8:06 AM, Илья Аржанников wrote:
> I am trying to use linux port systrace. And I found the problem. When I
> run under systrace (it does not matter with -A or -a (actually it never
> came till -a)) something that use vfork systrace and children
net.ipv6.nf_conntrack_frag6_high_thresh = 262144
net.ipv6.ip6frag_secret_interval = 600
net.ipv6.mld_max_msf = 64
net.nf_conntrack_max = 15692
net.unix.max_dgram_qlen = 10
abi.vsyscall32 = 1
crypto.fips_enabled = 0
On May 13, 2014, at 21:37, Илья Аржанников wrote:
>
> On May 13, 2014, at 21:13, Vad
On May 13, 2014, at 21:13, Vadim Zhukov wrote:
> 2014-05-13 19:06 GMT+04:00 Илья Аржанников :
>> Hello.
>>
>> I am trying to use linux port systrace. And I found the problem. When I run
>> under systrace (it does not matter with -A or -a (actually it never came
>
2014-05-13 19:06 GMT+04:00 Илья Аржанников :
> Hello.
>
> I am trying to use linux port systrace. And I found the problem. When I run
> under systrace (it does not matter with -A or -a (actually it never came till
> -a)) something that use vfork systrace and children processe
Hello.
I am trying to use linux port systrace. And I found the problem. When I run
under systrace (it does not matter with -A or -a (actually it never came till
-a)) something that use vfork systrace and children processes hangup. I saw in
sources that linux port uses ptrace as backend because
Stuart Henderson wrote on Fri, Oct 21, 2011 at 10:17:11AM +:
> On 2011-10-21, johnw wrote:
>> after upgrade to current, now /etc/rc use the new rc.d system.
>> my question is how to start the daemon(ntpd, named etc ..) with systrace?
>> before upgrade to new rc.d syste
On 2011-10-21, johnw wrote:
> after upgrade to current, now /etc/rc use the new rc.d system.
> my question is how to start the daemon(ntpd, named etc ..) with systrace?
> before upgrade to new rc.d system, i can edit /etc/rc like this
>
> echo 'starting named'; named
after upgrade to current, now /etc/rc use the new rc.d system.
my question is how to start the daemon(ntpd, named etc ..) with systrace?
before upgrade to new rc.d system, i can edit /etc/rc like this
echo 'starting named'; named $named_flags
to
echo 'starting named'
The new systrace in openssh is great. Good work djm! How would someone go
about putting that into inetd? Since inetd is only 1 root process you can't
attach a child to it. Can you just make a policy without attaching a child
process?
-peter
On Wed, 15 Jul 2009 09:57:33 -0600
Bob Beck wrote:
> Now it's not to say that *theoretically* systrace can't be a help.
> I'm certain it could if you knew 100% what you were doing and knew the
> inside and outs of the code. but really that's a job for the
* Ross Cameron [2009-07-15 03:19]:
> On Wed, Jul 15, 2009 at 9:21 AM, Anton Karpov wrote:
> > According to Provos's blog,
> >
> http://www.provos.org/index.php?/archives/34-Evading-System-Sandbox-Containment.html
> >
> > "The initial prototype of Syst
On Wed, Jul 15, 2009 at 3:21 AM, Anton Karpov wrote:
> But we have no idea about was this solution included into OpenBSD sources
> tree or not...
> 2009/7/14 Theo de Raadt
>>
>> No, it isn't fixed.
On Wed, Jul 15, 2009 at 9:21 AM, Anton Karpov wrote:
> According to Provos's blog,
>
http://www.provos.org/index.php?/archives/34-Evading-System-Sandbox-Containment.html
>
> "The initial prototype of Systrace as described in the paper avoided this
> problem by using a
According to Provos's blog,
http://www.provos.org/index.php?/archives/34-Evading-System-Sandbox-Containment.html
"The initial prototype of Systrace as described in the
paper <http://www.citi.umich.edu/u/provos/papers/systrace.pdf> avoided
this problem by using a look-aside buff
> I've just been pondering,... were the systrace issues identified with in:
> http://it.slashdot.org/it/07/08/09/138224.shtml
> ever dealt with and corrected?
They were not identified there. They were documented in the manual page
right from the start.
> If so where can
I've just been pondering,... were the systrace issues identified with in:
http://it.slashdot.org/it/07/08/09/138224.shtml
ever dealt with and corrected?
If so where can I find some more info on the fixes made?
Many thanks...
Howdy,
On Thu, Mar 26, 2009 at 09:12:42AM -0600, Theo de Raadt wrote:
> That said, this is not enough reason to entirely delete the code. It
> still has uses.
It's useful for checking ports are not dumping junk all over the
file-system. Please keep it.
Best Regards
Edd Barrett
(Freelance softw
On Thu, Mar 26, 2009 at 8:23 AM, Jonathan Schleifer
wrote:
> It was removed when I reported a bug in NETBSD-5-0 that would crash
> the Kernel when you tried to use systrace. Instead of fixing that,
> they removed it.
Looks like you will have to run OpenBSD then. For my personal us
> On Thu, Mar 26, 2009 at 10:12 AM, Theo de Raadt
> wrote:
>
> > real; systrace does have the ability to "grant root" unless you build
>
> Should that read "does not"?
>
> > the policy specifically to do such a stupid thing (actually, I am no
On Thu, Mar 26, 2009 at 10:12 AM, Theo de Raadt wrote:
> real; systrace does have the ability to "grant root" unless you build
Should that read "does not"?
> the policy specifically to do such a stupid thing (actually, I am not
-g
On 26.03.2009 at 16:12, Theo de Raadt wrote:
> They freaked out and did the wrong thing.
It was removed when I reported a bug in NETBSD-5-0 that would crash
the Kernel when you tried to use systrace. Instead of fixing that,
they removed it.
> systrace has a small problem. It is
> > I guess you should take a look at Systrace:
> > http://en.wikipedia.org/wiki/Systrace
>
>
> This was removed from NetBSD some time ago because it is vulnerable.
> They said it's not only possible to circumvent it, but also gain root
> using it. Is this
On 26.03.2009 at 07:17, Tobias Weisserth wrote:
> I guess you should take a look at Systrace:
> http://en.wikipedia.org/wiki/Systrace
This was removed from NetBSD some time ago because it is vulnerable.
They said it's not only possible to circumvent it, but also gain root
using
On Tue, 4 Dec 2007, Edd Barrett wrote:
On 04/12/2007, Antoine Jacoutot <[EMAIL PROTECTED]> wrote:
Better fix the port then.
I think you misunderstood. The port is fixed, but only because
systrace allowed me to cut the build short when the build offended.
Ah ok yes, I did misunderstand
Hi,
On 04/12/2007, Antoine Jacoutot <[EMAIL PROTECTED]> wrote:
> Better fix the port then.
I think you misunderstood. The port is fixed, but only because
systrace allowed me to cut the build short when the build offended.
--
Best Reg
On Tue, 4 Dec 2007, Edd Barrett wrote:
I ask because I find USE_SYSTRACE (/etc/mk.conf) essential for the
TeXLive port. It writes all over the place during the build.
Better fix the port then.
--
Antoine
Hi there,
I was speaking to someone at OpenCON about the fundamental systrace
flaw regarding processes forking in order to bypass the checks. The
general impression I was given was that systrace is to be removed at
some point.
If this is the case, will there be a similar tool available?
I ask
> Unless I am sorely mistaken, systrace can be broken by any user with
> enough privileges to run two processes.
Well, then you are sorely mistaken. One of your processes can break
the other one. What's the big deal. Where's the privilege
escalation? There is none.
Y
greatest versions of software, due to
> simplicity/security's sake.
Sounds pretty good.
> (...) [I] _know_ I would
> had a fit trying to get systrace policies set up, if not worse thinking i
> had them set up right and figuring out later they weren't and i had in fact
>
Aaron wrote:
Joachim Schipper wrote:
On Thu, Oct 11, 2007 at 08:54:42PM +0200, Xavier Mertens wrote:
Hi *,
I'm busy with a systrace/stsh implementation but there is a lack of
standard
policies (IMHO). Any idea where I can find some ready-to-use policies?
I must be missing some impo
.
>I'm fairly new to OpenBSD and have set up a few machines, nothing
> production (...). One thing I did read up on (...) was hardening
> beyond the default install. Two of the tools that most of the
> hardening articles i found, Securelevels and systrace, (the third one
>
I actually don't think it is all worthless. Imagine a machine running a
server daemon. If you systrace that particular daemon to not be able to
fork()/exec*() or system(), you could be quite sure it won't start random
apps on your machine in case someone manages to trick it somehow.
Now, if the att
On 10/14/07, Steve Shockley <[EMAIL PROTECTED]> wrote:
> The white paper for the systrace vulnerability was a little bit beyond
> me; what's the impact of the issue? Is a system running systrace *more*
> vulnerable than a normal system, or is the problem just that a
on and audit bypass."
(Paper at
<http://www.usenix.org/events/woot07/tech/full_papers/watson/watson.pdf>)
and Niels Provos says
<http://www.systrace.org/index.php?/archives/14-Evading-System-Sandbox-Containment.html>
"The initial prototype of Systrace as described in the paper avo
<[EMAIL PROTECTED]> wrote:
> Joachim Schipper wrote:
> > You should probably do a Google search on systrace before continuing
> > further down this road. In particular, I believe the issue highlighted
> > by Robert Watson has not been fixed yet (although I could be wrong, an
2007/10/14, Aaron <[EMAIL PROTECTED]>:
> I guess with all the hoopla about 'hardening'/trusted this and
> that/fuzzy knobs(i.e. SE Linux) i got a little overzealous looking for
As others have already pointed out these knobs might not be useful to
your setup and your needs. Think also that more
Joachim Schipper wrote:
You should probably do a Google search on systrace before continuing
further down this road. In particular, I believe the issue highlighted
by Robert Watson has not been fixed yet (although I could be wrong, and
would be happy to be wrong in this case).
The white paper
On 10/14/07, Aaron <[EMAIL PROTECTED]> wrote:
[snip]
> I guess with all the hoopla about 'hardening'/trusted this and
> that/fuzzy knobs(i.e. SE Linux) i got a little overzealous looking for
> ways to tweak things (which i know can end up either making things less
> secure (especially with fa
Joachim Schipper wrote:
On Thu, Oct 11, 2007 at 08:54:42PM +0200, Xavier Mertens wrote:
Hi *,
I'm busy with a systrace/stsh implementation but there is a lack of standard
policies (IMHO). Any idea where I can find some ready-to-use policies?
I must be missing some important ones, whe
On Thu, Oct 11, 2007 at 08:54:42PM +0200, Xavier Mertens wrote:
> Hi *,
>
> I'm busy with a systrace/stsh implementation but there is a lack of standard
> policies (IMHO). Any idea where I can find some ready-to-use policies?
>
> I must be missing some important ones, wh
Hi *,
I'm busy with a systrace/stsh implementation but there is a lack of standard
policies (IMHO). Any idea where I can find some ready-to-use policies?
I must be missing some important ones, when the user logs in, he got immediately
the following error:
systrace: getcwd: Permission d
Pawel Jakub Dawidek <[EMAIL PROTECTED]> writes:
> In my opinion there are just too many potential problems with syscall
> wrappers that I fully agree with Robert - they should not be used.
I must fully agree here. I never liked systrace and bashed sysjail really
hard because the so
On Thu, Aug 09, 2007 at 11:30:47AM -0400, Niels Provos wrote:
> There is a straight forward solution for this problem. The initial
> prototype of Systrace had a look-aside buffer in the kernel for
> copyin. I told Robert about this, not sure if he mentioned that in
> his paper or
There is a straight forward solution for this problem. The initial
prototype of Systrace had a look-aside buffer in the kernel for
copyin. I told Robert about this, not sure if he mentioned that in
his paper or not. There obviously would be some associated
performance impacts.
Niels.
On 8/7
> I am using sysjail, so I am very interested how to mitigate attacks or
> is there anything OpenBSD could change to mitigate these issues?
Until the kernel wrapper issues have been addressed, the sysjail
page has been updated to indicate that it SHOULD NOT be used
(nor should any syst
In the First USENIX Workshop on Offensive Technologies (WOOT07)
there was presentation
by Robert N. M. Watson:
"Exploiting Concurrency Vulnerabilities in System Call Wrappers"
with exploit code included how to bypass restrictions:
http://www.watson.org/~robert/2007woot/2007usenixwoot-exploit
Hi,
I'm looking for a systrace policy that ensures that a user logged in
sftp isn't able to change directories.
I've tried dugsong's sshd policy, but that is outdated and would require a
systrace master to update it.
Also, I've tried to get the one[1] that appea
On Sun, 12 Nov 2006 12:15:39 -0600 (CST)
Jacob Yocom-Piatt <[EMAIL PROTECTED]> wrote:
> Original message
> >Date: Sun, 12 Nov 2006 10:26:10 -0500
> >From: Okan Demirmen <[EMAIL PROTECTED]>
> >Subject: Re: systrace: vi policy
> >To: misc@openbs
On Sun 2006.11.12 at 12:15 -0600, Jacob Yocom-Piatt wrote:
> Original message
> >Date: Sun, 12 Nov 2006 10:26:10 -0500
> >From: Okan Demirmen <[EMAIL PROTECTED]>
> >Subject: Re: systrace: vi policy
> >To: misc@openbsd.org
> >
> >On Sun
Original message
>Date: Sun, 12 Nov 2006 10:26:10 -0500
>From: Okan Demirmen <[EMAIL PROTECTED]>
>Subject: Re: systrace: vi policy
>To: misc@openbsd.org
>
>On Sun 2006.11.12 at 08:55 -0600, Jacob Yocom-Piatt wrote:
>
>consider sorting your policies...a
On Sun 2006.11.12 at 08:55 -0600, Jacob Yocom-Piatt wrote:
consider sorting your policies...also, try to be more generic in other
places, for example, match "/usr/lib/libc.so.*"
> Policy: /usr/bin/vi, Emulation: native
> native-issetugid: permit
> native-mprotect: permit
>
i've read through all the docs that i can find on systrace policy generation and
enforcement and have hit a snag when trying to generate a working policy for vi
that restricts the files that can be read and written by a user. the policy is
generated by running "systrace -A vi test.t
shell" error. does anyone have a strong suggestion as to which stsh
source to use?
when a syscall is denied, i get a lot of repeated messages in /var/log/messages
(haven't changed where systrace logs to yet) like so
Nov 4 19:21:00 rp systrace: deny user: stest, prog: /usr/bin/vi, pid:
1
On 24/10/06, Nicolas Martzel <[EMAIL PROTECTED]> wrote:
I thank you all, but M ropers whom the reaction is displaced.
:D
Thank you. :-) That's almost the only time I've laughed today.
(Hey, no hard feelings, right?)
--ropers
, and now tells me "Wow they are
quicker than apple". Lol.
Again thanks, bye.
> Message of 24/10/06 15:25
> From: "Matthias Kilian" <[EMAIL PROTECTED]>
> To: "Nicolas Martzel" <[EMAIL PROTECTED]>
> Cc: misc@openbsd.org
> Subject: Re:
On Tue, Oct 24, 2006 at 03:09:12PM +0200, Nicolas Martzel wrote:
> http://scary.beasts.org/security/CESA-2006-003.html
http://www.openbsd.org/errata.html#systrace
On 24/10/06, Nicolas Martzel <[EMAIL PROTECTED]> wrote:
http://scary.beasts.org/security/CESA-2006-003.html
Feedback about that ?
Corrected or always active ?
Thanks, and hope that could help.
Ask question?
Complete sentence?
You talking to me?
Thanks, and hope that could help.
On Tue, 24 Oct 2006, Nicolas Martzel wrote:
> http://scary.beasts.org/security/CESA-2006-003.html
>
> Feedback about that ?
> Corrected or always active ?
>
> Thanks, and hope that could help.
Eh, why don't you look at http://www.openbsd.org/errata.html first?
It's already fixed for more than t
Nicolas Martzel wrote:
http://scary.beasts.org/security/CESA-2006-003.html
Feedback about that ?
Corrected or always active ?
http://www.openbsd.org/errata.html#systrace
http://scary.beasts.org/security/CESA-2006-003.html
Feedback about that ?
Corrected or always active ?
Thanks, and hope that could help.
Steffen Schuetz wrote on 02/09/2006 22:47:
>> "native-getuid: permit as root" doesn't work in a systrace policy
>
> You should try "true then permit as root"
yes, that's it.
have forgotten the true :)
thanks
Regards
Julien
On Saturday 02 September 2006 12:14, Julien TOUCHE wrote:
[cut]
>
> i don't get it ???
>
> "native-getuid: permit as root" doesn't work in a systrace policy
You should try "true then permit as root"
> $ sudo /bin/systrace -a -c 556:556 /usr/loc
you want "as root", but for geteuid or whatever
> the right syscall is.
>
i don't get it ???
"native-getuid: permit as root" doesn't work in a systrace policy
$ sudo /bin/systrace -a -c 556:556 /usr/local/sbin/fping localhost
syntax error
/etc/systrace/usr_lo
On 9/1/06, Julien TOUCHE <[EMAIL PROTECTED]> wrote:
> tried setting the policy to have getuid return an error of 0?
>
>
isn't it limited to a deny (returning an errorcode) ? so how ?
native-getuid: permit
native-getuid: permit[0] => error
native-getuid: permit as root => error
yeah, actually
Ted Unangst wrote on 01/09/2006 21:21:
>> seems fping runs a root check which cannot be overcome by a switch (at
>> least in man)
>> even if the policy of fping is with "as root" for everything it can't
>> run ...
>> anything beyond editing the code ?
>
> tried setting the policy to have getuid re
On 9/1/06, Julien TOUCHE <[EMAIL PROTECTED]> wrote:
i want to use fping with nrpe/nagios. as security doc of OpenBSD
state, i want to use systrace privilege elevation but ...
$ sudo /bin/systrace -a -c 556:556 /usr/local/sbin/fping localhost
This program can only be run by root, or i
i want to use fping with nrpe/nagios. as security doc of OpenBSD
state, i want to use systrace privilege elevation but ...
$ sudo /bin/systrace -a -c 556:556 /usr/local/sbin/fping localhost
This program can only be run by root, or it must be setuid root.
$ sudo /bin/systrace -a /usr/local
1 - 100 of 121 matches