From owner-freebsd-audit Thu Jan 4 11:30:10 2001
From owner-freebsd-audit@FreeBSD.ORG Thu Jan 4 11:30:07 2001
Return-Path:
Delivered-To: freebsd-audit@freebsd.org
Received: from mx1.colltech.com (ausproxy.colltech.com [208.229.236.19]) by hub.freebsd.org (Postfix) with ESMTP id 9335537B400; Thu, 4 Jan 2001 11:30:06 -0800 (PST)
Received: from mail2.colltech.com (mail2.colltech.com [208.229.236.41]) by mx1.colltech.com (8.9.3/8.9.3/not) with ESMTP id NAA16037; Thu, 4 Jan 2001 13:30:05 -0600
Received: from colltech.com (dhcp5212.wdc.colltech.com [10.20.5.212]) by mail2.colltech.com (8.9.3/8.9.3/not) with ESMTP id NAA23159; Thu, 4 Jan 2001 13:30:05 -0600
Message-ID: <3A54CF3C.98CA7BF@colltech.com>
Date: Thu, 04 Jan 2001 14:30:04 -0500
From: Daniel Hagan
X-Mailer: Mozilla 4.72 [en] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Guy Helmer , freebsd-security@freebsd.org, freebsd-audit@freebsd.org
Subject: Re: ftpd and anonymous setup (modified ftpd)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Guy Helmer wrote:
> Does this do what I think it does -- it appears if I login as a "ro" user,
> then login again as a different (not "ro") user, the session will still be
> "ro"? Granted, this doesn't happen often, but it seems to violate POLA...

Yes, this is the way it works given this patch (it's also explicitly mentioned in the patch to the man page). If you reset the read-only setting here, you need to make a different flag for login.conf read-only caps and the -r read-only setting (since -r is daemon-wide and should never be modified at run-time). If people think the POLA effect will be significant enough, I suppose I can rewrite the patch to do that instead.

Daniel

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
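The design point in the exchange above (a daemon-wide `-r` setting that must never change at run time, versus a per-user login.conf capability that should be recomputed on every login so a later login as a different user does not inherit the previous user's restriction) can be modelled in a few lines of C. This is an added illustration, not the patch or FreeBSD's ftpd code: the `struct ftp_session`, `session_*` functions and the user-to-class table are hypothetical, and `lookup_class_readonly()` is a constructed stand-in for a real `login_getcapbool()` lookup against the user's login class.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the two read-only sources discussed in the thread.
 * daemon_readonly models the ftpd -r flag: set once at startup, never changed.
 * session_readonly models a per-login capability from login.conf; it is
 * recomputed on every login so a re-login as another user starts clean. */
struct ftp_session {
    bool daemon_readonly;   /* from -r, fixed for the daemon's lifetime */
    bool session_readonly;  /* from the current user's login.conf class */
    char user[32];
};

/* Constructed stand-in for login_getcapbool(lc, "ftp-readonly", 0):
 * a small user -> capability table instead of a real login.conf lookup. */
static bool lookup_class_readonly(const char *user)
{
    static const struct { const char *name; bool ro; } table[] = {
        { "anonymous", true  },
        { "ftp",       true  },
        { "alice",     false },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, user) == 0)
            return table[i].ro;
    return false;   /* users with no class restriction */
}

/* Called once when the control connection is accepted. */
void session_init(struct ftp_session *s, bool daemon_ro)
{
    s->daemon_readonly = daemon_ro;
    s->session_readonly = false;
    s->user[0] = '\0';
}

/* Called on every successful login, including a re-login on the same
 * control connection. The per-session flag is assigned from the new user's
 * class, not OR-ed into a sticky value, so it cannot leak across users. */
void session_login(struct ftp_session *s, const char *user)
{
    snprintf(s->user, sizeof s->user, "%s", user);
    s->session_readonly = lookup_class_readonly(user);
}

/* Effective policy: the daemon-wide -r setting always wins; otherwise the
 * current user's class decides. */
bool session_is_readonly(const struct ftp_session *s)
{
    return s->daemon_readonly || s->session_readonly;
}

/* Single-flag variant showing the behaviour Guy Helmer asked about: one
 * flag serves both sources, so a "ro" login followed by a non-"ro" login
 * leaves the session read-only. */
bool sticky_readonly_after(bool ro_flag, const char *first, const char *second)
{
    if (lookup_class_readonly(first))  ro_flag = true;
    if (lookup_class_readonly(second)) ro_flag = true;
    return ro_flag;
}

int main(void)
{
    struct ftp_session s;

    session_init(&s, false);                /* daemon started without -r */
    session_login(&s, "anonymous");
    printf("anonymous: readonly=%d\n", session_is_readonly(&s));
    session_login(&s, "alice");             /* re-login on same connection */
    printf("alice after anonymous: readonly=%d\n", session_is_readonly(&s));

    session_init(&s, true);                 /* daemon started with -r */
    session_login(&s, "alice");
    printf("alice with -r: readonly=%d\n", session_is_readonly(&s));

    printf("single sticky flag, anonymous then alice: readonly=%d\n",
           sticky_readonly_after(false, "anonymous", "alice"));
    return 0;
}
```

With two flags, the only state that survives a re-login is the daemon-wide one, which is exactly the property the reply says a POLA-conforming rewrite would need.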