Date:      Sun, 31 Aug 1997 14:05:01 +0100
From:      Brian Somers <brian@awfulhak.org>
To:        Eivind Eklund <perhaps@yes.no>
Cc:        Brian Somers <brian@awfulhak.org>, guido@gvr.org, brian@FreeBSD.ORG, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-lib@FreeBSD.ORG
Subject:   Re: cvs commit: src/lib/libutil login_progok.3 login_progok.c Makefile libutil.h login.conf.5 
Message-ID:  <199708311305.OAA03515@awfulhak.demon.co.uk>
In-Reply-To: Your message of "Sun, 31 Aug 1997 13:09:19 +0200." <199708311109.NAA14292@bitbox.follo.net>

> > Hmm, making a ppp group would address the problem..... I don't really 
> > have an excuse for not doing it that way (temporary insanity?).
> > 
> > Perhaps I should take this stuff back out.  Does anyone see any 
> > reasons why it should stay ?  If someone wants to restrict use of a 
> > program they can:
> > 
> > $ ls -l /usr/sbin/ppp
> > -r-sr-x---  1 root  ppp  118784 Aug 28 01:03 /usr/sbin/ppp
> > 
> > So if you're not in the ``ppp'' group, you don't get to run it ;-)
> 
> Set this as the default, please.  Having PPP available to "joe user"
> breaks some security paradigms - there is a lot of havoc you can do by
> being able to modify the routing table...

Agreed.  I'll bet we get hammered with questions from everyone that 
upgrades and doesn't have a ``ppp'' group though !

Are there any rules about what gid to pick ?  Would 69 be appropriate 
- being next to ``dialer'' ?  I'll use that given no objections.

I also think that this should go into 2.2.  Anyone with a shell can 
pretty much bring the machine to its knees at the least.  At worst, 
they can be smart in routing everything from an important machine to 
their own by adjusting the default route.  After that..... gulp !

> Eivind.

-- 
Brian <brian@awfulhak.org>, <brian@freebsd.org>
      <http://www.awfulhak.org>
Don't _EVER_ lose your sense of humour....
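
An added example, not part of the original message: a shell check that reads `ls -l` lines like the one quoted above and reports whether a setuid-root program is limited to a group or executable by every local user. The function name `classify_ls_line` and the second and third sample lines are constructed for illustration.

```sh
#!/bin/sh
# Classify one `ls -l` line for a setuid-root program.
# Prints "restricted:<group>" when only owner and group may execute it,
# "open" when every local user may, and "not-setuid-root" otherwise.
classify_ls_line() {
    # `ls -l` fields: mode links owner group size month day time path
    read -r mode _links owner group _rest <<EOF
$1
EOF
    # Character 4 of the mode string is 's' or 'S' when the setuid bit is set.
    case $mode in
        -??[sS]*) ;;
        *) echo "not-setuid-root"; return 0 ;;
    esac
    [ "$owner" = root ] || { echo "not-setuid-root"; return 0; }
    # Character 10 is the execute bit for "other" ('t' = execute plus sticky).
    case $mode in
        -????????[xt]*) echo "open" ;;
        *) echo "restricted:$group" ;;
    esac
}

# Sample input: the first line is the listing from the message; the other
# two are constructed for comparison.
while IFS= read -r line; do
    printf '%-16s %s\n' "$(classify_ls_line "$line")" "${line##* }"
done <<'EOF'
-r-sr-x---  1 root  ppp  118784 Aug 28 01:03 /usr/sbin/ppp
-r-sr-xr-x  1 root  wheel  118784 Aug 28 01:03 /usr/sbin/ppp
-r-xr-xr-x  1 root  wheel  118784 Aug 28 01:03 /bin/ls
EOF
```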




