Date: Mon, 14 Oct 1996 15:43:12 +0900 From: Atsushi Murai <amurai@spec.co.jp> To: sos@FreeBSD.org Cc: ache@nagual.ru (=?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?=), joerg_wunsch@uriah.heep.sax.de, sos@freefall.freebsd.org, CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-usrsbin@freefall.freebsd.org Subject: Re: cvs commit: src/usr.sbin/ppp command.c Message-ID: <9610140643.AA00552@tama3.spec.co.jp> In-Reply-To: <199610110958.LAA15010@ra.dkuug.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
sos@FreeBSD.org wrote: :> > Do you get a root shell now if you run ``ppp -auto'', connect to port :> > 3000, and issue a `shell'? I would consider this a very bad move! :> > :> :> Yes, we just make security hole, it should be fixed. : :Oops... I guess it was too late in the night when I did that... : :Any good suggestions as how to make this work securely ?? :Maybe only allowing the program named in the ppp.xxx file, that :way security is at the/etc/ppp level. Fuum. I thought it's already in there...If my memory is still not out of date (another word, as far as I've done without checking latest ppp code ), the ppp just allows to execute shell and manipulate "ppp" with all running mode if ; o You should type a correct password that hostname and password pair in /etc/ppp.secret. if you don't write above pair, you may have warning messages.. Atsushi. --- Atsushi Murai Internet: amurai@spec.co.jp System Planning and Engineering Co,.Ltd. Voice : +81-33833-5341 PGP Key fingerprint : 1C 27 22 77 11 43 64 90 9E 5E 68 CE 65 BD 68 06
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9610140643.AA00552>