
Reducing Privilege


Attacks on setuid programs or daemons are supposed to
escalate privilege

Can we reduce the privileges that privileged programs have...
    ... by making modifications to the programs themselves?

Yes -- using Privilege Revocation ...

ping, ping6, portmap, rpc.rstatd, rpc.rusersd, pppoe
traceroute, traceroute6, rwalld, pppd, spamd, afsd
authpf, ftpd, tftpd, httpd, dhcpd, mopd, rbootd

.. and Privilege Separation

sshd, syslogd, pflogd, isakmpd, bgpd, ntpd, tcpdump,
named, X server, xdm, dhclient

For setuid programs or daemons

