Also, this seems like something that, depending on where the destination
servers are, could be handled easily with PF by itself, or with the help of
relayd, with a lot less hassle.

On Tue, Jun 6, 2017 at 11:23 AM, Maximilian Pichler <[email protected]> wrote:

> On Tue, Jun 6, 2017 at 11:06 AM, Marko Cupać <[email protected]> wrote:
> > On Tue, 06 Jun 2017 08:18:15 -0600
> > "Theo de Raadt" <[email protected]> wrote:
> >> Never reuse a user intended for another purpose.
> >>
> >> Take a glance at the ptrace manual page.
>
> > I have read the ptrace manual. But I guess I need to read much MUCH more if
> > I want to comprehend it :)
>
> I'm guessing the point here is that ptrace can be used to eavesdrop on
> processes of the same user id. So if the proxy user got compromised,
> an attacker could not just kill the nc processes, but also read the
> data they are forwarding.
>
>