Reducing Privilege


Attacks on setuid programs or daemons are supposed to escalate privilege

Can we reduce the amount of privilege that privileged programs have?

Yes -- using Privilege Revocation ...

ping, ping6, portmap, rpc.rstatd, rpc.rusersd, pppoe
traceroute, traceroute6, rwalld, pppd, spamd, afsd
authpf, ftpd, tftpd, httpd, dhcpd, dhclient, mopd, rbootd

.. and Privilege Separation

sshd, syslogd, pflogd, isakmpd, bgpd, tcpdump, named
X server, xdm, dhclient

But first we need some new uid's and gid's ...