From 087094cf06373c17e47011c82b2868040035fd7a Mon Sep 17 00:00:00 2001 From: Florian Obser Date: Sun, 19 Feb 2023 11:21:02 +0100 Subject: [PATCH] Make it clear that ping writes to stdout and stderr. It does not care that it's the terminal. From otto. --- privsep.org | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/privsep.org b/privsep.org index df2135d..8151163 100644 --- a/privsep.org +++ b/privsep.org @@ -146,12 +146,13 @@ parsing]][fn::I do not want to heckle FreeBSD, it is just that it is a good illustration for what we are currently discussing. FreeBSD's ping(8) is using capsicum, so it is well locked away, too. And it is not like I am not making any [[https://ftp.openbsd.org/pub/OpenBSD/patches/7.0/common/017_slaacd.patch.sig][mistakes]]...], a malicious ping target, or -even host in the middle, could still read and exfiltrate ssh -private keys. ping(8) runs as my user-id. It can read all files my -user can read, it can open network connections to any host on the -internet, it can execute arbitrary programs, heck it can talk to my -GPU. That is a lot of power that it does not need. It only needs to -write to the terminal and send and receive ICMP packets. +even host in the middle, could still read and exfiltrate ssh private +keys. ping(8) runs as my user-id. It can read all files my user can +read, it can open network connections to any host on the internet, it +can execute arbitrary programs, heck it can talk to my GPU. That is a +lot of power that it does not need. It only needs to write to =stdout= +and =stderr=[fn::Which is usually the terminal.], and send and receive +ICMP packets. We could lock ping(8) away using chroot(2), that at least takes away file-system access. But what can we do about programs that need
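Review bot: the substantive edit in this hunk is confined to the last sentence (`write to the terminal` becoming `write to =stdout= and =stderr=[fn::Which is usually the terminal.]`), but the whole paragraph is reflowed at the same time, so every one of the six removed lines shows as changed and the one wording change is hard to spot in review. Consider keeping the original line breaks so the diff touches only the final line, or committing the reflow as a separate whitespace-only change; as written, the diff stat of 7 insertions and 6 deletions overstates what the commit actually changes.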