From owner-freebsd-ports Tue Feb 19 8:47:27 2002 Delivered-To: freebsd-ports@freebsd.org Received: from server11.safepages.com (server11.safepages.com [216.127.146.25]) by hub.freebsd.org (Postfix) with ESMTP id 55FD537B400 for ; Tue, 19 Feb 2002 08:47:23 -0800 (PST) Received: from hermes.surfbest.net (reston-gnap-ip-216007-212.dynamic.ziplink.net [216.8.7.212]) by server11.safepages.com (Postfix) with ESMTP id 049ED14F403; Tue, 19 Feb 2002 16:47:21 +0000 (GMT) Received: from surfbest.net (localhost.surfbest.net [127.0.0.1]) by hermes.surfbest.net (8.11.6/8.11.6) with ESMTP id g1JGjtv27436; Tue, 19 Feb 2002 11:45:56 -0500 (EST) (envelope-from kstailey@surfbest.net) Message-ID: <3C728143.4010409@surfbest.net> Date: Tue, 19 Feb 2002 11:45:55 -0500 From: Ken Stailey User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.7) Gecko/20011222 X-Accept-Language: en-us MIME-Version: 1.0 To: Alan Eldridge Cc: klh@panix.com, FreeBSD ports list Subject: Re: klh10 and its port submissions References: <3C6FC9EF.9040900@surfbest.net> <3C703170.5040502@surfbest.net> <200202180001.g1I01Og20036@wwweasel.geeksrus.net> <3C726171.8050603@surfbest.net> <20020219152538.GB17665@wwweasel.geeksrus.net> <3C727732.10003@surfbest.net> <20020219161105.GA19555@wwweasel.geeksrus.net> <3C727B55.10801@surfbest.net> <20020219162924.GB19764@wwweasel.geeksrus.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ports@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Alan Eldridge wrote: >On Tue, Feb 19, 2002 at 11:20:37AM -0500, Ken Stailey wrote: > >>Alan Eldridge wrote: >> >>>On Tue, Feb 19, 2002 at 11:02:58AM -0500, Ken Stailey wrote: >>> >>>>Alan Eldridge wrote: >>>> >>>I guess I'm looking at it from the perspective of a *user* running it. >>>Network is a daemon account. >>> >>We are not talking about the network account but the network group. It >>makes a big difference. >> >>>Wheel is the group you have to be in to su >>>to root. And since it's a potentially dangerous program, it seemed logical >>>to me to need to be in the "trusted" group to be able to run it. >>> >>ppp uses ID0 wrappers around system calls to limit its use of root >>privledges. We can't go there now because klh-10 uses popen(3). I >>expect to fix that someday. >> > >Which is the right solution. :) In the meantime, that's just my $.02 on >the group issue. I can see your point, too ... network group does give >much more limited privs than wheel. :) So whatever ... > At this point I think wheel is the way to go because you want to give KLH-10 networking privs to the fewest, most trusted users until ID0 makes it safer for others to use. The other thing that KLH-10 would need is restrictions on what IP addresses can be used. ppp(8) uses /etc/ppp/ppp.conf file: kstailey@hermes$ ls -l /etc/ppp/ppp.conf -rw------- 1 root wheel 1575 Feb 15 19:08 /etc/ppp/ppp.conf ppp(8) will only use addresses in that file and it is assumed that you can only access ppp.conf by proxy via ppp(8)'s setuid and that ID0 helps inforce that. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message