From owner-freebsd-bugs Thu Sep 14 10:36: 2 2000 Delivered-To: freebsd-bugs@freebsd.org Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 3AF1937B423; Thu, 14 Sep 2000 10:35:58 -0700 (PDT) Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id LAA70788; Thu, 14 Sep 2000 11:35:55 -0600 (MDT) (envelope-from imp@harmony.village.org) Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id LAA97348; Thu, 14 Sep 2000 11:35:22 -0600 (MDT) Message-Id: <200009141735.LAA97348@harmony.village.org> To: wollman@FreeBSD.org Subject: Re: bin/21268: user set no nobody is not good Cc: freebsd-bugs@FreeBSD.org, security-officer@FreeBSD.org In-reply-to: Your message of "Thu, 14 Sep 2000 10:24:17 PDT." <200009141724.KAA66988@freefall.freebsd.org> References: <200009141724.KAA66988@freefall.freebsd.org> Date: Thu, 14 Sep 2000 11:35:22 -0600 From: Warner Losh Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <200009141724.KAA66988@freefall.freebsd.org> wollman@FreeBSD.org writes: : Synopsis: user set no nobody is not good : Experiment to see if this will work as a way to request security reviews. Short answer: Looks Good. Man page wording needs work. Long Answer: This fix appears to have no security implications. It doesn't change the default behavior and gives administrators of tftp servers additional flexibility. There is a potential for abuse, but that abuse is easy to cure. It exposes no new external user controllable parameters to the system, so doesn't introduce a new vector of attack. Improperly setup systems may be impacted, but that's no worse than before. A tftpd user might not be a bad idea, and maybe the man page should suggest this, but this level of need doesn't rise to the level of requiring it on all systems. The man page wording is awkward. Sadly, I don't have a suggestion for a better wording. Now, what the heck do I do? Reassign it back to wollman so he can be responsible for committing the changes? Wait for others on the SO team to look at this? For now I'll do nothing. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message