From kkadow at gmail.com  Tue Feb  8 22:09:34 2005
From: kkadow at gmail.com (Kevin)
Date: Wed Feb  9 08:28:39 2005
Subject: [Systrace] How can a process check if it is running under systrace?
Message-ID: 

I have a lot of programs that check the output of getuid() or geteuid() to determine if they are running as root, and will not even try to chroot() or do other privileged operations.

Is there any standard means (under OpenBSD) for a process to determine whether it is running under systrace, short of just trying to do operations (such as chroot) normally restricted only to root?

Thanks,

Kevin Kadow

From provos at monkey.org  Wed Feb  9 13:14:42 2005
From: provos at monkey.org (Niels Provos)
Date: Wed Feb  9 13:14:46 2005
Subject: [Systrace] Re: systrace post from kkadow@gmail.com requires approval
In-Reply-To: 
References: 
Message-ID: 

On Wed, 9 Feb 2005 systrace-owner@systrace.org wrote:
> As list administrator, your authorization is requested for the
> following mailing list posting:
>
>     List:    systrace@systrace.org
>     From:    kkadow@gmail.com
>     Subject: Re: [Systrace] Basic usage of systrace
>     Reason:  Post to moderated list
>
> At your convenience, visit:
>
>     https://monkeymail.org/mailman/admindb/systrace
>
> to approve or deny the request.
>

From kkadow at gmail.com  Wed Feb  9 11:37:40 2005
From: kkadow at gmail.com (Kevin)
Date: Wed Feb  9 13:16:56 2005
Subject: [Systrace] Basic usage of systrace
In-Reply-To: 
References: 
Message-ID: 

On Mon, 31 Jan 2005 17:15:47 +0200, Kim Onnel wrote:
> I intend to restrict users to only be able to telnet (it would be
> great if I can restrict them to my network subnet range as well)

You'll want to look at Jose Nazario's stsh (systrace shell).

If you really want to get fancy, you could limit what the user can do on the network via a complex 'pf' policy limiting outbound connections based on the UID opening the socket.

As to generating systrace policy, the easy way is to use systrace with '-A', and just run all of the commands and connections you want to permit, then go back over the generated policy and find places where it makes sense to replace 'eq' lines with 'match' lines. Lather, rinse, repeat.

> no need for anything else, ls or basic bash commands,

Have you thought about setting as the user's shell a program (compiled, or Perl or Tcl or your favorite scripting language) which takes user input, validates it, then, if it matches an allowed action, exec()s telnet or ssh or hangman or the like? You'd still want to wrap this in systrace...

Kevin Kadow

(P.S. You'll probably want to let your users ssh to hosts on your network; telnet, even on a private network, is deprecated.)

(P.P.S. Many months ago I found (and then lost again) an article on how to use a bastion host to enable ssh to internal destinations without requiring the user to type the login password of the final destination such that it could be intercepted at the bastion host...)

From johnw.mail at gmail.com  Wed Feb 16 09:14:16 2005
From: johnw.mail at gmail.com (John Wong)
Date: Sun Mar  6 13:39:06 2005
Subject: [Systrace] function request
Message-ID: 

Two function requests:

1. Like "filter_inpath", but using "strncmp(line, logic->filterdata, strlen(logic->filterdata))" to compare, and with no need for "c != '/' && c != '\0'".

2. Like "filter_stringmatch", but using "strcmp" to compare, not strcasecmp.

I use OpenBSD ...

Thanks!!

From karim.adel at gmail.com  Mon Feb 28 03:57:11 2005
From: karim.adel at gmail.com (Kim Onnel)
Date: Sun Mar  6 13:39:19 2005
Subject: [Systrace] telnet policy generation
Message-ID: 

Hello,

I am trying to generate a policy rule for telnet. I did the following and got an error; kindly find below a log of it all.

-bash-3.00# systrace -A /usr/bin/telnet
telnet> open
(to) 172.31.1.1
Trying 172.31.1.1...
Connected to 172.31.1.1.
Escape character is '^]'.

User Access Verification

Username: test
Password:
RPMI>q
Connection closed by foreign host.
-bash-3.00# ls /root/.systrace/
tmp usr_bin_telnet
-bash-3.00# cp /root/.systrace/ /etc/systrace/
-bash-3.00# cp /root/.systrace/usr_bin_telnet /etc/systrace/
-bash-3.00# ls -alh /etc/systrace/usr_bin_telnet
-rw-------  1 root  wheel   1.8K Feb 28 10:41 /etc/systrace/usr_bin_telnet
-bash-3.00# chown root.bin /etc/systrace/usr_bin_telnet
-bash-3.00# chmod +x /etc/systrace/usr_bin_telnet
-bash-3.00# ls -alh /etc/systrace/usr_bin_telnet
-rwxrwxrwx  1 root  bin   1.8K Feb 28 10:41 /etc/systrace/usr_bin_telnet

and when I try to test:

$ telnet 172.31.1.1
telnet: krb5_cc_get_principal: 1
$

on the console:

-bash-3.00# Feb 28 10:49:03 bastion2 systrace: deny user: test, prog: /usr/bin/telnet, pid: 5245(2)[11212], policy: /usr/bin/telnet, filters: 42, syscall: native-fsread(5), filename: /tmp/krb5cc_1001

Any ideas ?

Regards
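Kevin's earlier advice (run systrace with '-A', then replace 'eq' lines with 'match' lines) applied to the deny in Kim's log, as an added example that is not from any of the posts above: it assumes the root '-A' run recorded a rule permitting only root's own credential cache, /tmp/krb5cc_0, and generalizes it so the uid-1001 cache /tmp/krb5cc_1001 is covered. It also refuses a policy file that group or others can write, since the ls output above shows the copied policy ended up mode 0777; the sample policy is constructed, not the one from Kim's system.

```shell
#!/bin/sh
# Added example, not from the systrace list posts. Assumption: a policy
# generated by 'systrace -A /usr/bin/telnet' run as root contains a
# uid-specific credential-cache rule such as
#   native-fsread: filename eq "/tmp/krb5cc_0" then permit
# which is why user 'test' (uid 1001) is denied /tmp/krb5cc_1001.

# Rewrite the uid-specific 'eq' rule into a 'match' rule that covers
# every user's Kerberos credential cache. Prints the new policy.
generalize_krb5cc() {
    sed -e 's|filename eq "/tmp/krb5cc_[0-9][0-9]*"|filename match "/tmp/krb5cc_*"|' "$1"
}

# A systrace policy is trusted input: whoever can write it can relax
# the sandbox. Returns 1 if the group or others can write the file.
check_policy_mode() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Constructed sample standing in for /etc/systrace/usr_bin_telnet.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Policy: /usr/bin/telnet, Emulation: native
    native-fsread: filename eq "/tmp/krb5cc_0" then permit
    native-connect: sockaddr eq "inet-[172.31.1.1]:23" then permit
EOF

chmod 600 "$sample"
check_policy_mode "$sample" && generalize_krb5cc "$sample"
rm -f "$sample"
```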