tpe_adm - Trusted Path Execution management utility


SYNOPSIS

       tpe_adm [ -l [ e | d | s ] ] [ -a uid ] [ -d uid ] [ -s ]


DESCRIPTION

       tpe_adm  is  used  to  manage the kernel's list of trusted
       users, and to  toggle  the  status  of  ld.so  environment
       stripping.  Untrusted users will not be able to see system
       information other than their own processes. They  will not
       be able to execute programs that do not reside in a
       trusted path. A trusted path is defined as a directory
       owned by root which is not group or other writable.


OPTIONS

       tpe_adm takes the following options.

       -le    Enable ld.so environment checking. When an untrusted
              user runs a program that has been dynamically
              linked, the environment variables LD_PRELOAD and
              LD_LIBRARY_PATH will be stripped before linking, if
              either has been set.

       -ld    Disable ld.so environment checking.

       -ls    Show the current state of ld environment checking.
              It will report either enabled or disabled.

       -a uid Add the given uid to the kernel's list  of  trusted
              users.  The  user represented by uid will no longer
              be subject to the  trusted  path,  ld  and  privacy
              restrictions.

       -d uid Delete the given uid from the kernel's list of
              trusted users. The user represented by the given
              uid will be subject to the trusted path and privacy
              restrictions, as well as the ld environment
              stripping if it has been enabled.

       -s     Show the current list of trusted users.


BUGS

       The uid argument to the -a and -d options can be given as
       a username and tpe_adm will try to convert that to a
       numeric uid. If the supplied username starts with a
       number [0-9], tpe_adm will interpret that as a numerical
       user id, take all the leading numerical characters as the
       userid and add that to the trusted list (e.g. 'tpe_adm -a
       31337one' will add uid 31337 to the trusted list). It is
       recommended that you use numeric uids as arguments to the
       -a and -d options for usernames starting with numerals.
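
       The parsing behaviour described above, next to a strict
       alternative, as an added example (not taken from the tpe_adm
       source). The function names and the INT_MAX ceiling are
       assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Mimics the behaviour described under BUGS: the leading digits are
 * taken as the uid and anything after them is silently ignored. */
static long lenient_uid(const char *arg)
{
    return strtol(arg, NULL, 10);
}

/* Strict form: accept arg only if every character is a digit and the
 * value is in range. Returns -1 otherwise, so the caller can fall back
 * to a username lookup or refuse the argument. INT_MAX is used as a
 * conservative upper bound (assumption). */
static long strict_uid(const char *arg)
{
    char *end;
    long v;

    if (arg == NULL || !isdigit((unsigned char)arg[0]))
        return -1;              /* rejects "", "one", "+5", " 5" */
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > INT_MAX)
        return -1;              /* rejects "31337one" and overflow */
    return v;
}

int main(void)
{
    /* Constructed sample arguments, including the one from BUGS. */
    const char *samples[] = { "31337", "31337one", "one", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s lenient=%ld strict=%ld\n", samples[i],
               lenient_uid(samples[i]), strict_uid(samples[i]));
    return 0;
}
```

       With the strict form, '31337one' is never mistaken for uid
       31337; it is either resolved as a username or rejected.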

AUTHORS

       route <route@infonexus.com> and Mike D. Schiffman wrote
       the original tpe patches for OpenBSD 2.4, which were
       published in Phrack Magazine (p54-06); see
       http://www.phrack.com.

       doe <doe@fuxya.org> is the current maintainer of
       the tpe patches. All bug reports and feedback should be
       directed to him.