From owner-freebsd-stable Sun Sep 7 11:30:04 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id LAA04734 for stable-outgoing; Sun, 7 Sep 1997 11:30:04 -0700 (PDT)
Received: from GndRsh.aac.dev.com (GndRsh.aac.dev.com [198.145.92.241]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id LAA04693; Sun, 7 Sep 1997 11:29:55 -0700 (PDT)
Received: (from rgrimes@localhost) by GndRsh.aac.dev.com (8.8.5/8.7.3) id LAA15739; Sun, 7 Sep 1997 11:27:57 -0700 (PDT)
From: "Rodney W. Grimes"
Message-Id: <199709071827.LAA15739@GndRsh.aac.dev.com>
Subject: Re: Don Croyle: make world failing at ppp install (again)
In-Reply-To: <199709071250.NAA21742@awfulhak.demon.co.uk> from Brian Somers at "Sep 7, 97 01:50:28 pm"
To: brian@awfulhak.org (Brian Somers)
Date: Sun, 7 Sep 1997 11:27:57 -0700 (PDT)
Cc: benedict@echonyc.com, brian@awfulhak.org, freebsd-stable@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > At about the same time as the group ownership change, I became unable to
> > run PPP except as root.
> >
> > Even though the binary had the setuid bit set, was group executable, and
> > belonged to root:network, and my user account belonged to group network,
> > whenever I tried to run it, it said it could only be used in client mode by
> > uid 0.
> >
> > I've been working around this by su'ing before launching PPP, but I wonder
> > if there's a better fix.
>
> This is a "feature" :-I
>
> If normal users are allowed to run ppp in client mode, they can alter
> the routing tables and point things at a local machine where they can
> then start "massaging" packets. Even being a member of a specific
> group is somewhat bogus - only root is allowed to alter the routing
> table, so only root should really be allowed to run ppp (running ppp
> *requires* access to the routing table).
Running ppp does _NOT_ *require* write access to the routing table; this is
much much much better handled by properly configuring a real routing daemon
and running real routing protocols. In fact I have to go to great pains to
_stop_ what ppp tries to do to the routing tables; gated handles it MUCH
better! In fact if I don't stop what ppp tries to do, gated just comes along
and smacks right over the top of any routes it creates with the real and
correct ones :-)

--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc.                   Reliable computers for FreeBSD
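The arrangement Don describes (setuid root, mode 4750, group "network") is the
one Brian calls bogus: every member of that group runs the program with root's
privileges, so the group inherits whatever the program can do, routing-table
writes included. The shell snippet below is an added example, not code from
this thread or from the FreeBSD tree: it audits a directory tree for setuid
executables that are reachable through a group-execute bit and nothing else,
which is exactly the pattern worth reviewing. The fixture tree it builds
(names such as usr/sbin/ppp) is constructed for the demonstration and contains
empty files, not real binaries; the check is on mode bits only, so on a live
system you would add "-user root" to the find(1) call to restrict it to
setuid-root programs.

```shell
#!/bin/sh
# Added example: audit a tree for setuid executables restricted to a group.
# Not from the mailing-list thread; fixture paths below are assumptions.

# audit_group_setuid DIR
# Prints one "ls -ld" line per regular file under DIR that is setuid
# (4000), group-executable (0010) and NOT world-executable (0001), i.e.
# a program handed out to a group rather than to everyone or to root only.
# Each member of that group can exercise the file owner's privileges.
audit_group_setuid() {
    find "$1" -type f -perm -4010 ! -perm -0001 -exec ls -ld {} \;
}

# count_group_setuid DIR
# Number of hits reported by audit_group_setuid, as a bare integer.
count_group_setuid() {
    audit_group_setuid "$1" | wc -l | tr -d ' '
}

# make_fixture
# Builds a throwaway tree imitating the layout discussed in the thread
# (constructed sample input; empty files stand in for the binaries) and
# prints its path. Only usr/sbin/ppp matches the audit:
#   usr/sbin/ppp    4750  setuid, group-only execute   -> flagged
#   usr/sbin/gated  0755  not setuid                   -> ignored
#   usr/bin/passwd  4755  setuid but world-executable  -> ignored here
#   usr/sbin/route  0700  root-only, not setuid        -> ignored
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/sbin" "$d/usr/bin"
    : > "$d/usr/sbin/ppp";    chmod 4750 "$d/usr/sbin/ppp"
    : > "$d/usr/sbin/gated";  chmod 0755 "$d/usr/sbin/gated"
    : > "$d/usr/bin/passwd";  chmod 4755 "$d/usr/bin/passwd"
    : > "$d/usr/sbin/route";  chmod 0700 "$d/usr/sbin/route"
    printf '%s\n' "$d"
}

# Stand-alone demonstration: build the fixture, report, clean up.
fixture=$(make_fixture)
echo "group-restricted setuid files under $fixture:"
audit_group_setuid "$fixture"
echo "count: $(count_group_setuid "$fixture")"
rm -rf "$fixture"
```

Reading the output the way the thread does: a hit means "anyone in this group
is root for the purposes of this program". If the program can write the
routing table, the group membership is not a meaningful boundary, and the
choices are the one ppp took (refuse unless uid 0) or, as Rod argues, not
having the program touch the routing table at all and leaving that to a
routing daemon.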