Privilege Recovation


Setuid programs or daemons

Open some object that requires privilege
read-only fd of utmp, reserved port, SOCK_RAW, special open of /dev/pf

chroot if possible
Revoke uid and gid

Includes:
ping, ping6, traceroute, traceroute6
write
rwalld
pppd
spamd
authpf
portmap, rpc.rusersd, rpc.rstatd
ftpd (improved)
named (improved)
httpd

All these programs "jail themselves"