Firewall Wizards mailing list archives

Re: chroot useful?


From: Wolfgang Ley <ley () cert dfn de>
Date: Sun, 16 Nov 1997 20:13:17 +0100 (MET)

Marcus J. Ranum wrote:

> On the topic of reducing privilege, one thing I've always wanted
> to do (but never had time for!) is what I'd call "syscall wrappers"
> for lack of a better term.

You might want to check the "janus" project from Berkeley which does
something similar (although the implementation idea is different).
You start a binary which is traced by the control program. The control
program catches all syscalls and compares them against a list of allowed
and denied actions. The example implementation runs on Solaris 2.x and
does allow several criteria like restricting access to files, network
connections etc.

For more information see http://www.cs.berkeley.edu/~daw/janus/
The project was also presented at Usenix Sec. 96 (and got the best paper
award by the way).

Bye,
  Wolfgang.
--
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley () cert dfn de   Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley () ftp cert dfn de any key-server or via
WWW from http://www.cert.dfn.de/~ley/               ...have a nice day

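
The check described in the message above (each traced request compared against a list of allowed and denied actions) can be sketched as follows. This is an added example, not part of the original message and not code or configuration from the Janus project. The rule format, the request kinds ("open-read", "open-write", "connect"), the default-deny and deny-overrides-allow semantics, and all sample values are assumptions constructed for illustration.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

enum verdict { DENY = 0, ALLOW = 1 };

/* One policy line: verdict, request kind, shell-style glob for the target. */
struct rule { enum verdict verdict; const char *kind; const char *pattern; };

/* Constructed sample policy (hypothetical format, not Janus's). */
static const struct rule policy[] = {
    { ALLOW, "open-read",  "/usr/lib/*" },
    { ALLOW, "open-read",  "/tmp/*" },
    { ALLOW, "open-write", "/tmp/*" },
    { DENY,  "open-read",  "/tmp/secret/*" },
    { ALLOW, "connect",    "127.0.0.1:6000" },
};

/* A ".." component would let "/tmp/../etc/passwd" slip past "/tmp/*". */
static int has_dotdot(const char *p) {
    size_t n = strlen(p);
    return strstr(p, "/../") != NULL || (n >= 3 && strcmp(p + n - 3, "/..") == 0);
}

/* Default deny; a matching deny rule overrides any matching allow rule. */
enum verdict check(const char *kind, const char *target) {
    enum verdict v = DENY;
    if (has_dotdot(target)) return DENY;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (strcmp(policy[i].kind, kind) != 0) continue;
        if (fnmatch(policy[i].pattern, target, 0) != 0) continue;
        if (policy[i].verdict == DENY) return DENY;
        v = ALLOW;
    }
    return v;
}

int main(void) {
    /* Constructed requests, as a tracer might report them. */
    const char *reqs[][2] = {
        { "open-read", "/usr/lib/libc.so.1" }, { "open-read", "/tmp/secret/key" },
        { "open-read", "/tmp/../etc/passwd" }, { "open-write", "/etc/passwd" },
        { "connect", "127.0.0.1:6000" },       { "connect", "10.0.0.5:25" },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-10s %-22s %s\n", reqs[i][0], reqs[i][1],
               check(reqs[i][0], reqs[i][1]) == ALLOW ? "allow" : "deny");
    return 0;
}
```

The ".." rejection is purely lexical: a monitor that decides on path strings also has to account for symbolic links and for the path changing between the check and the kernel's use of it.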


