From owner-freebsd-bugs Mon Apr 10 17:48:58 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from orion.ac.hmc.edu (Orion.AC.HMC.Edu [134.173.32.20])
	by hub.freebsd.org (Postfix) with ESMTP id AACC437B8C7
	for ; Mon, 10 Apr 2000 17:48:51 -0700 (PDT)
	(envelope-from brdavis@orion.ac.hmc.edu)
Received: (from brdavis@localhost)
	by orion.ac.hmc.edu (8.8.8/8.8.8) id RAA10541;
	Mon, 10 Apr 2000 17:48:49 -0700 (PDT)
Date: Mon, 10 Apr 2000 17:48:43 -0700
From: Brooks Davis
To: Spidey
Cc: bugs@freebsd.org
Subject: Re: bin/17910: Do not allow 'operators' to drop to single user via shutdown
Message-ID: <20000410174843.A6634@orion.ac.hmc.edu>
References: <20000410205113.4E0C219BC@anarcat.dyndns.org> <20000410142640.A16425@orion.ac.hmc.edu> <14578.29173.529447.273595@anarcat.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre4i
In-Reply-To: <14578.29173.529447.273595@anarcat.dyndns.org>; from beaupran@iro.umontreal.ca on Mon, Apr 10, 2000 at 08:29:41PM -0400
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Apr 10, 2000 at 08:29:41PM -0400, Spidey wrote:
> Oh. The system asks the root password on single-user shutdown when the
> console is marked as insecure? That is great. I think it solves it all.

From /etc/ttys:

# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.

You do that by removing the secure flag. If you're happy with this
solution, please reply and ask that the PR be closed (I can't do it.)

> I found it weird that this was all wide open like that. :))

Giving out operator perms is probably not the best idea. If nothing
else, a user in group operator can read any file on the system if they
are willing to take the time to do it. Hopefully some of these problems
will be lessened by the capabilities code from the TrustedBSD project
(http://www.TrustedBSD.org/). For now, if you need to give out operator
perms, you'll have to expect to close related holes yourself.

-- Brooks

-- 
Any statement of the form "X is the one, true Y" is FALSE.
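
Added example (not part of the original message or of FreeBSD): a small sh check that reads a ttys(5)-format file and reports whether the console entry still carries the secure flag discussed above. The function names and the sample file are made up for illustration, and an entry with no secure flag is assumed to count as insecure.

```sh
#!/bin/sh
# console_status FILE: print "secure", "insecure" or "missing" for the
# console entry of a ttys(5)-format file.
# Assumption: an entry without the "secure" flag counts as insecure, which
# is what "removing the secure flag" in the message relies on.
console_status() {
    awk '
        { sub(/#.*/, "") }                  # strip comments
        !found && $1 == "console" {
            gsub(/"[^"]*"/, "Q")            # quoted getty/window args -> one token
            status = "insecure"
            for (i = 4; i <= NF; i++) {     # fields 1-3: name, getty, type
                if ($i == "secure")   status = "secure"
                if ($i == "insecure") status = "insecure"
            }
            found = 1
        }
        END { print (found ? status : "missing") }
    ' "$1"
}

# single_user_prompts FILE: succeed only if the console entry exists and is
# not marked secure, i.e. init asks for the root password in single-user mode.
single_user_prompts() {
    [ "$(console_status "$1")" = "insecure" ]
}

# Demo on a constructed sample (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name	getty				type	status		comments
console	none				unknown	off secure
ttyv0	"/usr/libexec/getty Pc"		cons25	on  secure
EOF
echo "console entry is: $(console_status "$sample")"
if single_user_prompts "$sample"; then
    echo "root password is required for single-user mode"
else
    echo "no root password prompt is configured for single-user mode"
fi
rm -f "$sample"
```

On a real system the file to pass is /etc/ttys.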