From owner-cvs-usrsbin  Fri Oct 11 07:12:05 1996
Return-Path: owner-cvs-usrsbin
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id HAA17367
          for cvs-usrsbin-outgoing; Fri, 11 Oct 1996 07:12:05 -0700 (PDT)
Received: from sovcom.kiae.su (sovcom.kiae.su [193.125.152.1])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA17198;
          Fri, 11 Oct 1996 07:09:15 -0700 (PDT)
Received: by sovcom.kiae.su id AA20000
  (5.65.kiae-1 ); Fri, 11 Oct 1996 16:59:48 +0300
Received: by sovcom.KIAE.su (UUMAIL/2.0); Fri, 11 Oct 96 16:59:47 +0300
Received: (from ache@localhost) by nagual.ru (8.7.6/8.7.3) id RAA01030; Fri, 11 Oct 1996 17:53:56 +0400 (MSD)
Message-Id: <199610111353.RAA01030@nagual.ru>
Subject: Re: cvs commit:  src/usr.sbin/ppp command.c
In-Reply-To: <199610110958.LAA15010@ra.dkuug.dk> from "sos@FreeBSD.org" at "Oct 11, 96 11:58:46 am"
To: sos@FreeBSD.org
Date: Fri, 11 Oct 1996 17:53:55 +0400 (MSD)
Cc: joerg_wunsch@uriah.heep.sax.de, sos@freefall.freebsd.org,
        CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org,
        cvs-usrsbin@freefall.freebsd.org
From: "=?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?=" (Andrey A. Chernov) <ache@nagual.ru>
Organization: self
X-Class: Fast
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-usrsbin@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> In reply to =?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?= who wrote:
> > 
> > > As Soren Schmidt wrote:
> > > > sos         96/10/10 04:27:38
> > > > 
> > > >   Modified:    usr.sbin/ppp  command.c
> > > >   Log:
> > > >   Allow shell commands in all modes.
> > > 
> > > Do you get a root shell now if you run ``ppp -auto'', connect to port
> > > 3000, and issue a `shell'?  I would consider this a very bad move!
> > > 
> > 
> > Yes, we just make security hole, it should be fixed.
> 
> Oops... I guess it was too late in the night when I did that...
> 
> Any good suggestions as how to make this work securely ??
> Maybe only allowing the program named in the ppp.xxx file, that
> way security is at the/etc/ppp level.

Not so complex, just disable 'shell' command in telnet mode.
As I remember ppp have some flag indicating it running with -auto,
and/or some flag indicating telnet mode, shell command must check
those flags and refuse execution.

-- 
Andrey A. Chernov
<ache@nagual.ru>
http://www.nagual.ru/~ache/