# $Id: TODO,v 1.4 2011/10/10 20:14:22 ksb Exp $

I think we can do better than the raw idea.

1) Two versions need to be built: one for the "global enable" that [?] only
   traces root (uid 0) exec's, and one that forces the preload on all
   descendant processes to trace mortal escalated processes.

     /usr/local/lib/snoopy.so     (trace root)
     /usr/local/lib/snoopall.so   (trace anyone)

2) Oh, dlsym(3) should be dlfunc(3) where supported, autoconf it? [?]

3) There are a few known ways to breach snoopy:
   a) run a statically linked shell
   b) use chmod to preserve a setuid/setgid bit and exit the shell
   c) find a way to unset LD_PRELOAD that is more clever
   d) one I'll keep to myself :-)

-- KS Braunsdorf, Oct 2011, ksb at no-spam dot npcguild.org
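As an added illustration of items 1 and 2 (not snoopy's own source), the sketch below is a minimal LD_PRELOAD execve(2) interposer that can be built two ways from one file: with SNOOPY_ROOT_ONLY=1 it records only exec's made by uid 0 (the "trace root" snoopy.so), with SNOOPY_ROOT_ONLY=0 it records every caller (the "trace anyone" snoopall.so). The macro name, the helper names snoopy_should_trace and snoopy_format, and the syslog facility are assumptions made for the example; the real execve is resolved with dlsym(3) and RTLD_NEXT, which is what item 2 proposes replacing with dlfunc(3) where the platform has it. The uid and euid are both logged so that a mortal user exec'ing through a setuid program shows up as an escalation in the "trace anyone" build.

```c
/*
 * Added example of a two-variant LD_PRELOAD exec tracer. Not snoopy's code.
 * Build the two shared objects named in the TODO from this one source:
 *   cc -shared -fPIC -DSNOOPY_ROOT_ONLY=1 -o snoopy.so   tracer.c
 *   cc -shared -fPIC -DSNOOPY_ROOT_ONLY=0 -o snoopall.so tracer.c
 * (SNOOPY_ROOT_ONLY is a name chosen for this example, not a snoopy option.)
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <sys/types.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)  /* glibc's value; assumed for old headers */
#endif

#ifndef SNOOPY_ROOT_ONLY
#define SNOOPY_ROOT_ONLY 1        /* default to the "trace root" build */
#endif

/* Scope decision: the "trace root" build records only uid 0, the
 * "trace anyone" build records every caller. Pure function so the policy
 * can be unit-tested apart from the interposer. */
int snoopy_should_trace(uid_t uid, int root_only)
{
    return root_only ? (uid == 0) : 1;
}

/* Format one audit record into out[cap]. Returns the record length, or -1
 * when it would not fit, so the caller can log a truncation marker rather
 * than silently dropping the tail of a long argv. */
int snoopy_format(char *out, size_t cap, uid_t uid, uid_t euid,
                  const char *path, char *const argv[])
{
    int n = snprintf(out, cap, "uid=%u euid=%u exec=%s argv=",
                     (unsigned) uid, (unsigned) euid, path);
    if (n < 0 || (size_t) n >= cap)
        return -1;
    for (size_t i = 0; argv && argv[i]; i++) {
        int m = snprintf(out + n, cap - n, "%s%s", i ? " " : "", argv[i]);
        if (m < 0 || (size_t) m >= cap - n)
            return -1;
        n += m;
    }
    return n;
}

typedef int (*execve_fn)(const char *, char *const [], char *const []);

/* The interposed symbol: log (if in scope), then hand off to libc's execve
 * found via RTLD_NEXT. Logging happens before the exec because a successful
 * execve never returns to us. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    static execve_fn real_execve;
    if (!real_execve)
        real_execve = (execve_fn) dlsym(RTLD_NEXT, "execve");

    uid_t uid = getuid();
    if (snoopy_should_trace(uid, SNOOPY_ROOT_ONLY)) {
        char line[1024];
        if (snoopy_format(line, sizeof line, uid, geteuid(), path, argv) < 0)
            snprintf(line, sizeof line, "uid=%u exec=%s argv=<truncated>",
                     (unsigned) uid, path);
        syslog(LOG_AUTHPRIV | LOG_INFO, "%s", line);
    }

    if (!real_execve) {       /* no libc execve behind us: fail closed */
        errno = ENOSYS;
        return -1;
    }
    return real_execve(path, argv, envp);
}
```

The "trace anyone" variant from item 1 would additionally have to make sure LD_PRELOAD survives in the envp handed to the child; this example only forwards envp unchanged, so descendants are traced only as long as the caller's environment still carries the preload. On glibc older than 2.34 the shared object also needs -ldl at link time.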