From owner-freebsd-security Wed Nov 3 5:45:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20])
    by hub.freebsd.org (Postfix) with ESMTP id A8DEA14C99
    for ; Wed, 3 Nov 1999 05:45:39 -0800 (PST)
    (envelope-from spidey@anarcat.dyndns.org)
Received: by anarcat.dyndns.org (Postfix, from userid 1000)
    id ADC8F1A61; Tue, 2 Nov 1999 18:10:59 -0500 (EST)
From: Spidey
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14367.28547.4773.226921@anarcat.dyndns.org>
Date: Tue, 2 Nov 1999 23:10:58 +0000 (GMT)
To: cjclark@home.com
Cc: peter.jeremy@alcatel.com.au, freebsd-security@FreeBSD.ORG
Subject: Re: Examining FBSD set[ug]ids and their use
References: <14365.48408.87230.710344@anarcat.dyndns.org>
    <199911020449.XAA03496@cc942873-a.ewndsr1.nj.home.com>
X-Mailer: VM 6.72 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2)
Reply-To: Spidey
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--- Big Brother told Crist J. Clark to write, at 23:49 of November 1:
> Spidey wrote,
> > > ># Allow users to bind on a socket (which? where?)
> > > > ping mode=4555
> > > Needed to allow ordinary mortals to send raw IP (ICMP) packets.
> >
> > I don't think this should be enabled by default... on a shell box, this
> > could cause some pretty dense headaches...
>
> You don't think mortal users should be able to ping? IMHO, ping is a
> _very_ basic utility that generally should be turned on. I don't want
> to have to 'su' to root every time I want to ping a host to see if it
> is awake. Same goes for traceroute(8).
>
> If you want to turn off the setuid (in which case you might as well
> chmod to 700 as well), you can, but I really don't see it as the
> default setup.

I was more thinking of something like 4750 with a 'network' gid so
that only a still restricted group would be able to use ping. I don't
know, in fact..
Maybe I'm being too paranoid.... :)

AnarCat

--
If the image gives the illusion of knowing
It is because the adage claims that to believe,
The important thing would only be to see
Lofofora
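
The two permission schemes compared in this message (4555 versus 4750 with a dedicated group), as an added example that is not part of the original post: a Python audit that lists setuid files under a directory and classifies who is allowed to execute each one. The function names and the default `/sbin` path are assumptions of the example.

```python
import os
import stat
import sys


def classify(mode: int) -> str:
    """Say who can run a file with its owner's privileges, from the mode bits."""
    if not mode & stat.S_ISUID:
        return "not-setuid"
    if mode & stat.S_IXOTH:
        # e.g. 4555: every local user runs the binary as its owner
        return "setuid-world"
    if mode & stat.S_IXGRP:
        # e.g. 4750: only members of the owning group (a 'network' gid here)
        return "setuid-group"
    # e.g. 4700: setuid bit set, but nobody except the owner may execute
    return "setuid-owner-only"


def audit(root: str):
    """Yield (path, octal mode, uid, gid, class) for setuid regular files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield (
                    path,
                    oct(stat.S_IMODE(st.st_mode)),
                    st.st_uid,
                    st.st_gid,
                    classify(st.st_mode),
                )


if __name__ == "__main__":
    # Assumed default: audit /sbin, where ping lives on FreeBSD.
    for row in audit(sys.argv[1] if len(sys.argv) > 1 else "/sbin"):
        print(*row)
```

Entries reported as `setuid-world` and owned by uid 0 are the ones the thread is debating; `setuid-group` entries depend on how tightly the group's membership is controlled.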