Date:      Fri, 06 Aug 1999 12:54:38 +0100
From:      Brian Somers <brian@FreeBSD.org.uk>
To:        alk@pobox.com
Cc:        brian@FreeBSD.org.uk, freebsd-security@FreeBSD.ORG
Subject:   Re: group bits 
Message-ID:  <199908061154.MAA01988@keep.lan.Awfulhak.org>
In-Reply-To: Your message of "Fri, 06 Aug 1999 06:21:17 CDT." <14250.50016.61650.779505@avalon.east> 

> Quoth Brian Somers on Fri, 6 August:
> : If you want to allow users to modify their own ppp configuration, you 
> : should do this by including the line
> : 
> :   !include ~/.ppp.conf
> : 
> : in ppp.conf.  This means that users can modify their own profiles 
> : without screwing around with other people's.
> 
> That's a very nice functionality which I had completely overlooked.
> Thank you for pointing it out.  But it does quite completely miss the
> point of my interest, which is in the meaning of the group bits.
> 
> : ppp.conf should always be owned by root and mode 600, 400 or 0.
> 
> In what sense of "should"?  I want those persons responsible for
> administering ppp to be able to do so, although they may not have root
> access.  I can do this by saying !include /etc/ppp/ppp.conf.shared in
> /etc/ppp/ppp.conf, and making /etc/ppp/ppp.conf.shared group writable
> by group ppp, from your description.  I have to ask, therefore, what
> purpose does it serve to require that ppp.conf should not be group
> writable?  It seems to frustrate the purpose of that bit.

I guess you're right.  The check is really to ensure that somebody 
hasn't got the permissions screwed up.  This is far less likely 
now that a base ppp.conf is installed 600 by sysinstall.

Feel free to raise the PR.  A set of patches to check the ``other'' 
permissions on /etc, /etc/ppp & /etc/ppp/ppp.conf would be nice too 
:-)

-- 
Brian <brian@Awfulhak.org>                        <brian@FreeBSD.org>
      <http://www.Awfulhak.org>                    <brian@OpenBSD.org>
Don't _EVER_ lose your sense of humour !          <brian@FreeBSD.org.uk>
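
The check discussed in this message, sketched as an added example (not code from ppp or from either poster): it ignores the group bits, so a group-writable file passes, and tests ownership and the "other" bits on /etc, /etc/ppp and /etc/ppp/ppp.conf. The function names, the result bits and the exact policy (no "other" write on directories, no "other" access at all on the file) are assumptions of this example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Result bits for one path (names are this example's own). */
enum { PERM_OK = 0, PERM_NOSTAT = 1, PERM_OWNER = 2, PERM_OTHER = 4 };

/*
 * Check one path. Group bits are ignored on purpose, so a file that is
 * group writable by an admin group passes. Assumed policy: a directory
 * must not be writable by "other"; a file must grant "other" nothing.
 */
int check_perm(const char *path, uid_t owner)
{
    struct stat st;
    int bad = PERM_OK;

    if (stat(path, &st) != 0)
        return PERM_NOSTAT;
    if (st.st_uid != owner)
        bad |= PERM_OWNER;
    if (S_ISDIR(st.st_mode) ? (st.st_mode & S_IWOTH) : (st.st_mode & S_IRWXO))
        bad |= PERM_OTHER;
    return bad;
}

/* Return the index of the first path that fails, or -1 if all pass. */
int check_chain(const char *const *paths, int n, uid_t owner)
{
    int i;

    for (i = 0; i < n; i++)
        if (check_perm(paths[i], owner) != PERM_OK)
            return i;
    return -1;
}

int main(void)
{
    /* The three paths named in the message; owner 0 is root. */
    const char *const paths[] = { "/etc", "/etc/ppp", "/etc/ppp/ppp.conf" };
    int i = check_chain(paths, 3, 0);

    if (i >= 0) {
        fprintf(stderr, "refusing: %s fails check (bits %d)\n",
                paths[i], check_perm(paths[i], 0));
        return 1;
    }
    puts("permissions ok");
    return 0;
}
```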



