Date:      Mon, 24 Jan 2000 13:59:17 -0700
From:      Warner Losh <imp@village.org>
To:        Kris Kennaway <kris@hub.freebsd.org>
Cc:        audit@FreeBSD.ORG
Subject:   Re: OPIE audit 
Message-ID:  <200001242059.NAA06248@harmony.village.org>
In-Reply-To: Your message of "Mon, 24 Jan 2000 11:15:11 PST." <Pine.BSF.4.21.0001241109250.70739-100000@hub.freebsd.org> 
References:  <Pine.BSF.4.21.0001241109250.70739-100000@hub.freebsd.org>  

In message <Pine.BSF.4.21.0001241109250.70739-100000@hub.freebsd.org> Kris Kennaway writes:
: We need to fix up the OPIE utilities so they don't rely on a
: world-readable /etc/opiekeys (bad for dictionary attacks, like the recent
: w00w00 advisory points out). There are at least two ways to do this:
: 
: 1) Audit the OPIE code for setuid rootness (this is the path which FreeBSD
: went with s/key a few years ago - dunno why opie wasn't done then too) -
: or setuid opieness (new uid).
: 2) Use a small setuid root helper app which does the authentication on
: behalf of the non-setuid program.
: 
: Thoughts?

I like the idea of doing (1), but realize that (2) might be faster to
produce.

Warner
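
An added example, not part of the original message and not OPIE or FreeBSD code: the kind of check a privileged helper as in option (2) could make before reading the key database, refusing a file that is group- or world-accessible. The function names and the temp-file self-check are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the key database only if it is a regular file owned by `owner` with
 * no group/other permission bits. Returns an fd, or -1 with errno set. */
int open_private_keydb(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() the descriptor, not the path, so the checks apply to the
     * object that was actually opened (no check-then-use race). */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed self-check on a temp file: 1 if mode 0644 is refused and
 * mode 0600 is accepted, 0 otherwise, -1 if the temp file cannot be made. */
int demo_keydb_check(void)
{
    char path[] = "/tmp/keydb-demo-XXXXXX";
    int tmp = mkstemp(path), refused, fd;
    if (tmp < 0)
        return -1;
    fchmod(tmp, 0644);              /* world-readable, like the old layout */
    refused = (open_private_keydb(path, geteuid()) == -1);
    fchmod(tmp, 0600);              /* owner-only */
    fd = open_private_keydb(path, geteuid());
    if (fd >= 0) close(fd);
    close(tmp);
    unlink(path);
    return refused && fd >= 0;
}

int main(void)
{
    return demo_keydb_check() == 1 ? 0 : 1;
}
```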

