Date:      Sun, 07 Sep 1997 21:26:12 +0100
From:      Brian Somers <brian@awfulhak.org>
To:        "Rodney W. Grimes" <rgrimes@GndRsh.aac.dev.com>
Cc:        brian@awfulhak.org (Brian Somers), benedict@echonyc.com, freebsd-stable@FreeBSD.ORG
Subject:   Re: Don Croyle: make world failing at ppp install (again) 
Message-ID:  <199709072026.VAA25463@awfulhak.demon.co.uk>
In-Reply-To: Your message of "Sun, 07 Sep 1997 11:27:57 PDT." <199709071827.LAA15739@GndRsh.aac.dev.com> 

> > > At about the same time as the group ownership change, I became unable to
> > > run PPP except as root.
> > > 
> > > Even though the binary had the setuid bit set, was group executable, and
> > > belonged to root:network, and my user account belonged to group network,
> > > whenever I tried to run it it said it could only be used in client mode by
> > > uid 0.
> > > 
> > > I've been working around this by su'ing before launching PPP, but I wonder
> > > if there's a better fix.
> > 
> > This is a "feature" :-I
> > 
> > If normal users are allowed to run ppp in client mode, they can alter 
> > the routing tables and point things at a local machine where they can 
> > then start "massaging" packets.  Even being a member of a specific 
> > group is somewhat bogus - only root is allowed to alter the routing 
> > table, so only root should really be allowed to run ppp (running ppp 
> > *requires* access to the routing table).
> 
> Running ppp does _NOT_ *require* write access to the routing table,
> this is much much much better handled by properly configuring
> a real routing daemon and running real routing protocols.

And how do these *real* routing daemons know when ppp has negotiated 
an IP address with a peer ?

>                                                            In fact
> I have to go to great pains to _stop_ what ppp tries to do
> to the routing tables, gated handles it MUCH better!

The only thing ppp does automatically is an ioctl(,SIOCAIFADDR,) - 
this is what I was considering to be the mandatory routing table 
update.  What are your "great pains" ?

>                                                       In fact if I
> don't stop what ppp tries to do gated just comes along and smacks
> right over the top of any routes it creates with the real and
> correct ones :-)

Right, so gated deletes the route created by the SIOCAIFADDR ?  And 
you say ppp is in the wrong ?  Hmmm.  I haven't used gated, but I'm 
under the impression it's smarter than that.

You probably mean that ppp shouldn't be allowed to update the routing 
table directly (with its add .... syntax).  Although you're probably 
right from a purist's point of view, it's far more practical to be able 
to add routes based on the negotiated IP addresses.  Most machines 
that run ppp have rather straightforward routing tables that don't 
warrant a routing daemon or protocol.

Besides, aren't routing daemons supposed to leave static routes as 
they are ?

> -- 
> Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
> Accurate Automation, Inc.                   Reliable computers for FreeBSD

So I take it, from your stance, that you're in agreement about 
restricting the use of ppp.  Nice to know someone's on my side :-)

To be honest, I'm not sure if you're taking a dig....
-- 
Brian <brian@awfulhak.org>, <brian@freebsd.org>
      <http://www.awfulhak.org>
Don't _EVER_ lose your sense of humour....
