From owner-freebsd-current Sun Feb 16 03:21:48 2003
Date: Sun, 16 Feb 2003 14:21:41 +0300
From: "Andrey A. Chernov" <ache@pobrecita.freebsd.ru>
To: Dag-Erling Smorgrav
Cc: current@FreeBSD.ORG
Subject: Re: OPIE breakage: backout & patch for review
Message-ID: <20030216112141.GB99812@nagual.pp.ru>
References: <20030216014158.GA73950@nagual.pp.ru> <20030216102738.GA99367@nagual.pp.ru> <20030216105605.GA99732@nagual.pp.ru>
User-Agent: Mutt/1.5.1i

On Sun, Feb 16, 2003 at 12:06:36 +0100, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" writes:
> > Admins with no /etc/opieaccess AFFECTED!
>
> Admins with no /etc/opieaccess IDIOTS for not running mergemaster!

First of all, there are many years of existing OPIE administration practice which every OPIE admin knows, and this practice says that this file is not needed in many setups.

In the hypothetical case that FreeBSD decides to break this rule for some unknown reason, it must be well documented in both manpages and release notes. But currently the exact opposite variant is documented. Please read this quote from opieaccess(5), where the OPIE authors explicitly state that this file can lead to a security hole and should always be treated as optional.

"In any environment, it should be considered a transition tool and not a permanent fixture. When it is not being used as a transition tool, a version of OPIE that has been built without support for the opieaccess file should be built to prevent the possibility of an attacker using this file as a means to circumvent the OPIE software."

Even some new admins read manpages and delete this file after reading that.

-- 
Andrey A. Chernov
http://ache.pp.ru/