    20 years later we realized that we would not drop privileges when ping(8) is invoked as root. We would just “drop” from root to root.

    I’ve been using OpenBSD on various network things since 1998. And I tend to think about things like this. Reading this sentence is the first time it occurred to me that without an extra step, privilege dropping is useless in that situation.

      The key thing here is that users are the wrong abstraction because they come with ambient authority for a large and unaudited set of things. A tool like ping should have the same rights whoever runs it, no access to the filesystem. This is what Capsicum and Pledge were designed to address.
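Added example (not code from the thread, from OpenBSD, or from ping(8) itself) showing the two points above in C: the naive "drop to the invoker's real uid" rule collapses to root-to-root when root runs the tool, and the fix is to refuse uid 0 as a destination and go to a dedicated unprivileged account instead, then verify the drop cannot be undone. The uid/gid 65534 is a constructed placeholder for such an account (a real tool would look it up with getpwnam()); the calls are plain POSIX setgid/setuid/setgroups, with pledge(2) only compiled in on OpenBSD to illustrate the "same rights whoever runs it" restriction on syscalls.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed placeholder for a dedicated unprivileged account; a real tool
 * would look one up with getpwnam() rather than hard-code a number. */
#define UNPRIV_UID ((uid_t)65534)
#define UNPRIV_GID ((gid_t)65534)

/* The naive rule: "drop" to whoever invoked us.  When the real uid is 0 the
 * target is root, so nothing is dropped at all. */
uid_t naive_drop_target(uid_t real_uid) { return real_uid; }

/* The extra step: never accept root as the destination.  A stricter design
 * (the comment above) would return UNPRIV_UID unconditionally. */
uid_t fixed_drop_target(uid_t real_uid) { return real_uid == 0 ? UNPRIV_UID : real_uid; }

/* Reports whether a planned drop would leave the process as root. */
int drop_is_noop(uid_t target) { return target == 0; }

/* Perform the drop and verify it.  Returns 0 on success, -1 (errno set) if
 * the target is root, a syscall fails, or privileges can be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) { errno = EINVAL; return -1; }   /* refuse the root-to-root "drop" */
    if (geteuid() == 0) {
        /* Supplementary groups first, while we are still allowed to clear them. */
        if (setgroups(0, NULL) != 0) return -1;
    }
    /* Group before user: after setuid() we could no longer change the gid. */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;   /* as root this sets real, effective and saved uid */

    /* The check a practitioner wants: the drop must be irreversible. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
#ifdef __OpenBSD__
    /* Beyond uids: limit what the process may do at all.  A ping-like tool
     * needs only stdio and inet; the filesystem is out of reach afterwards. */
    if (pledge("stdio inet", NULL) != 0) return -1;
#endif
    return 0;
}

int main(void)
{
    uid_t real = getuid();
    uid_t naive = naive_drop_target(real);
    printf("real uid %u: naive target %u%s, fixed target %u\n",
           (unsigned)real, (unsigned)naive,
           drop_is_noop(naive) ? " (root-to-root, no drop!)" : "",
           (unsigned)fixed_drop_target(real));
    if (drop_privileges(fixed_drop_target(real), real == 0 ? UNPRIV_GID : getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid %u\n", (unsigned)geteuid());
    return 0;
}
```

Run it as an ordinary user and the two targets coincide; run it as root and the naive target is reported as root-to-root while the fixed path lands on the placeholder account. Refusing uid 0 up front and re-testing setuid(0) afterwards is what turns "drop privileges" from a hopeful comment into something the program can actually check.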