From: Peter Jeremy
To: Colin Percival
cc: freebsd-current@freebsd.org
Date: Tue, 24 Feb 2004 20:35:20 +1100
Subject: Re: What to do about nologin(8)?
Message-ID: <20040224093520.GA93117@server.vk2pj.dyndns.org>
In-Reply-To: <6.0.1.1.1.20040223171828.03de8b30@imap.sfu.ca>

On Mon, Feb 23, 2004 at 05:45:07PM +0000, Colin Percival wrote:
>   I can see a number of possible options; I'd like to hear
> opinions on which would be the best.
...

8) Make nologin setgid to a suitably unprivileged group and rely on
   rtld(1) to ignore LD_LIBRARY_PATH & friends.
   (setgid is less unsafe than setuid)
Pro: nologin remains dynamically linked in /sbin (avoiding POLA breakage)
Con: Introduces an "unnecessary" setgid program

Peter
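
The behaviour option 8 relies on, as an added example that is not part of the original message and is not rtld's own source: a simplified model in which a loader drops LD_* variables when the real and effective IDs differ, as they do after exec of a setgid binary. The function names, the "LD_" prefix match and the sample environment are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* True when effective IDs differ from real IDs, i.e. the image was
 * started through a setuid or setgid bit. */
static int ids_tainted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Remove every "LD_*" entry from a NULL-terminated environment vector,
 * compacting it in place. Returns the number of entries removed.
 * Assumption: matching on the "LD_" prefix stands in for the loader's
 * explicit list of variables. */
static int scrub_ld_vars(char **envp)
{
    char **src, **dst;
    int removed = 0;

    for (src = dst = envp; *src != NULL; src++) {
        if (strncmp(*src, "LD_", 3) == 0)
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

/* Policy: the environment is trusted only when the IDs are untainted. */
static int sanitize_env(char **envp, uid_t ruid, uid_t euid,
                        gid_t rgid, gid_t egid)
{
    return ids_tainted(ruid, euid, rgid, egid) ? scrub_ld_vars(envp) : 0;
}

int main(void)
{
    /* Constructed sample environment. */
    char *env[] = { "PATH=/sbin:/bin", "LD_LIBRARY_PATH=/tmp/lib",
                    "HOME=/nonexistent", "LD_PRELOAD=/tmp/x.so", NULL };
    /* Constructed IDs: same uid, effective gid changed by a setgid bit. */
    int n = sanitize_env(env, 1001, 1001, 1001, 65533);

    printf("removed %d loader variables\n", n);
    for (char **e = env; *e != NULL; e++)
        printf("kept: %s\n", *e);
    return 0;
}
```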