From owner-cvs-all  Fri Aug  3  9:18:33 2001
Delivered-To: cvs-all@freebsd.org
Received: from arb.arb.za.net (arb.arb.za.net [196.7.148.4])
	by hub.freebsd.org (Postfix) with ESMTP
	id D8BBB37B40B; Fri,  3 Aug 2001 09:18:11 -0700 (PDT)
	(envelope-from mark@grondar.za)
Received: (from uucp@localhost)
	by arb.arb.za.net (8.11.3/8.11.3) with UUCP id f73GFDB73643;
	Fri, 3 Aug 2001 18:15:13 +0200 (SAST)
	(envelope-from mark@grondar.za)
Received: from grondar.za (mark@localhost [127.0.0.1])
	by grimreaper.grondar.za (8.11.4/8.11.4) with ESMTP id f73EiFr06031;
	Fri, 3 Aug 2001 15:44:16 +0100 (BST)
	(envelope-from mark@grondar.za)
Message-Id: <200108031444.f73EiFr06031@grimreaper.grondar.za>
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libopie Makefile 
References: <20010803002200.C3285@nagual.pp.ru> 
In-Reply-To: <20010803002200.C3285@nagual.pp.ru> ; from "Andrey A. Chernov" <ache@nagual.pp.ru>  "Fri, 03 Aug 2001 00:22:01 +0400."
Date: Fri, 03 Aug 2001 15:44:14 +0100
From: Mark Murray <mark@grondar.za>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

> On Thu, Aug 02, 2001 at 11:58:52 -0700, Mark Murray wrote:
> > markm       2001/08/02 11:58:52 PDT
> > 
> >   Modified files:
> >     lib/libopie          Makefile 
> >   Log:
> >   Add opieaccess(5) functionality under the INSECURE_OPIE .ifdef.
> 
> Umm, it is not what I ask exactly. 

Yes, I know. :-)

> Maintaining /etc/opieaccess NOT belongs to INSECURE in OPIE meaning.

Do a "man opieaccess" and you will see that it _is_ insecure, and is
meant as a temporary feature for migration purposes only, and is NOT
meant for permanent installation.

>                                                                      By
> INSECURE OPIE means connection that could be potentially spyed, but
> /etc/opieaccess modification belongs to root and completely outside OPIE
> scope because not use OPIE anyhow, just system resources, so it must be
> always enabled. I.e. this sysadmin action not envolve insecure connection
> in OPIE meaning.

Read the man page.

> Now about /etc/opieaccess _contents_ (which possible could lead to
> insecure connection): lets sysadmin deside, what is secure for him and
> what is not. We should not restrict by default his right to have
> /etc/opieaccess if he wants.

That is what INSECURE_OPIE is for.

> BTW, if we plan to keep SKEY compatibility, the same /etc/skey.access was
> _always_ enabled too.

And it was insecure, too.

M
-- 
Mark Murray
Warning: this .sig is umop ap!sdn

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message