From owner-freebsd-hackers@FreeBSD.ORG  Thu Jul 21 07:34:49 2005
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
X-Original-To: hackers@freebsd.org
Delivered-To: freebsd-hackers@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A400716A41F
	for <hackers@freebsd.org>; Thu, 21 Jul 2005 07:34:49 +0000 (GMT)
	(envelope-from PeterJeremy@optushome.com.au)
Received: from mail25.syd.optusnet.com.au (mail25.syd.optusnet.com.au
	[211.29.133.166])
	by mx1.FreeBSD.org (Postfix) with ESMTP id E9EA743D4C
	for <hackers@freebsd.org>; Thu, 21 Jul 2005 07:34:47 +0000 (GMT)
	(envelope-from PeterJeremy@optushome.com.au)
Received: from cirb503493.alcatel.com.au
	(c220-239-19-236.belrs4.nsw.optusnet.com.au [220.239.19.236])
	by mail25.syd.optusnet.com.au (8.12.11/8.12.11) with ESMTP id
	j6L7Yf0b031796
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
	Thu, 21 Jul 2005 17:34:44 +1000
Received: from cirb503493.alcatel.com.au (localhost.alcatel.com.au [127.0.0.1])
	by cirb503493.alcatel.com.au (8.12.10/8.12.10) with ESMTP id
	j6L7YfTu004464; Thu, 21 Jul 2005 17:34:41 +1000 (EST)
	(envelope-from pjeremy@cirb503493.alcatel.com.au)
Received: (from pjeremy@localhost)
	by cirb503493.alcatel.com.au (8.12.10/8.12.9/Submit) id j6L7Yeir004463; 
	Thu, 21 Jul 2005 17:34:40 +1000 (EST) (envelope-from pjeremy)
Date: Thu, 21 Jul 2005 17:34:40 +1000
From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: "Eygene A. Ryabinkin" <freebsd@rea.mbslab.kiae.ru>
Message-ID: <20050721073440.GA324@cirb503493.alcatel.com.au>
References: <20050714101442.GI16608@rea.mbslab.kiae.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050714101442.GI16608@rea.mbslab.kiae.ru>
User-Agent: Mutt/1.4.2i
Cc: hackers@freebsd.org
Subject: Re: /etc/opiekeys permissions?
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2005 07:34:49 -0000

On Thu, 2005-Jul-14 14:14:42 +0400, Eygene A. Ryabinkin wrote:
> Playing with OPIE I've noticed that the /etc/opiekeys have mode 644.
...
> But now it seems to be vulnurable again. Are there any programs that are
>run in non-root mode and they do want to use OPIE? If there is no such
>programs, why the permissions are so strange?

Since an OPIE password can only be used once, any program that uses OPIE
needs to be able to read and write /etc/opiekeys.  There is no valid reason
for a program to just want to read the file.

-- 
Peter Jeremy