Date: Thu, 14 Sep 2000 11:35:22 -0600
From: Warner Losh <imp@village.org>
To: wollman@FreeBSD.org
Cc: freebsd-bugs@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: bin/21268: user set no nobody is not good
Message-ID: <200009141735.LAA97348@harmony.village.org>
In-Reply-To: Your message of "Thu, 14 Sep 2000 10:24:17 PDT." <200009141724.KAA66988@freefall.freebsd.org>
References: <200009141724.KAA66988@freefall.freebsd.org>

In message <200009141724.KAA66988@freefall.freebsd.org> wollman@FreeBSD.org writes:
: Synopsis: user set no nobody is not good
: Experiment to see if this will work as a way to request security reviews.

Short answer: Looks Good. Man page wording needs work.

Long Answer:

This fix appears to have no security implications. It doesn't change the default behavior and gives administrators of tftp servers additional flexibility. There is a potential for abuse, but that abuse is easy to cure. It exposes no new external user controllable parameters to the system, so doesn't introduce a new vector of attack. Improperly set up systems may be impacted, but that's no worse than before.

A tftpd user might not be a bad idea, and maybe the man page should suggest this, but this level of need doesn't rise to the level of requiring it on all systems.

The man page wording is awkward. Sadly, I don't have a suggestion for a better wording.

Now, what the heck do I do? Reassign it back to wollman so he can be responsible for committing the changes? Wait for others on the SO team to look at this? For now I'll do nothing.

Warner