Date:      Sun, 21 Sep 1997 01:51:18 +0100
From:      Brian Somers <brian@awfulhak.org>
To:        Andrey Chernov <ache@nagual.pp.ru>
Cc:        Eivind Eklund <perhaps@yes.no>, hackers@FreeBSD.ORG, brian@awfulhak.org, brian@FreeBSD.ORG
Subject:   Re: ppp restrictions 
Message-ID:  <199709210051.BAA21105@awfulhak.demon.co.uk>
In-Reply-To: Your message of "Sun, 21 Sep 1997 03:08:39 +0400." <Pine.BSF.3.96.970921030542.613A-100000@lsd.relcom.eu.net>

> On Sat, 20 Sep 1997, Eivind Eklund wrote:
> 
> > I like the present model.  It allow you to be as strict (or not) as
> > you want, but default to a secure value.  "Principle of least
> 
> It does not allow running ppp from the "network" group, only from root, so it
> does not do what I want.

There are three different levels of access here.

1. The "normal" user who shouldn't be allowed to use ppp at all
   (I think we all agree on this).
   ppp is root.network/4550 to prevent normal user access.
2. The "server" user where ppp is run in -direct mode and the user
   does not have control over the super-user aspects of ppp.
   ppp allows any user to run in -direct mode (subject to the 
   permissions above)
3. The "client" user who can alter routing tables at will.
   ppp insists that client users have a real uid of 0.

I think it's important to distinguish between 2 & 3.  There is still 
an outstanding issue.  If a member of group network also has access 
to a normal shell, it's possible for them to sabotage the system by 
creating a ~/.ppp.conf file that fondles routes, and then running "ppp 
-direct mylabel".

I think under the current circumstances, the removal of the 
~/.ppp.* file searching would be reasonable.

Perhaps I should add a compile-time option to relax ppp's behaviour.  
It would allow client-mode ppp by members of group network and would 
read the ~/.ppp.* files (if found).

> -- 
> Andrey A. Chernov
> <ache@null.net>
> http://www.nagual.pp.ru/~ache/
> 

-- 
Brian <brian@Awfulhak.org>, <brian@FreeBSD.org>, <bri@OpenBSD.org>
      <http://www.Awfulhak.org>;
Don't _EVER_ lose your sense of humour....
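The three access levels and the "outstanding issue" from the message above, modelled as an added illustration (not ppp(8) source, and not code from anyone in this thread). The policy names POLICY_CURRENT / POLICY_PROPOSED / POLICY_RELAXED, the system-wide path /etc/ppp/ppp.conf and the uid 1000 / /home/user sample caller are assumptions for the example; the 4550 root.network mode, the -direct rule, the real-uid-0 rule and the ~/.ppp.conf search are as described in the mail.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed model of the three access levels in the mail:
 *  (1) ordinary users are stopped by the 4550 root.network file mode,
 *  (2) anyone who can execute ppp may run it in -direct mode,
 *  (3) client mode (routing table control) needs a real uid of 0.
 * This is an added illustration, not ppp(8) source. */

enum ppp_mode { PPP_CLIENT = 0, PPP_DIRECT = 1 };

enum ppp_decision {
    PPP_DENY = 0,           /* blocked by the file mode or by ppp's own check */
    PPP_ALLOW_DIRECT = 1,   /* level 2: "server" user, no super-user control */
    PPP_ALLOW_CLIENT = 2    /* level 3: may alter routing tables at will */
};

struct ppp_policy {
    int relaxed;           /* the hypothetical compile-time option from the mail */
    int search_user_files; /* whether ~/.ppp.* files are looked for at all */
};

/* The three behaviours discussed in the mail (names are assumed, not ppp's). */
const struct ppp_policy POLICY_CURRENT  = { 0, 1 }; /* real uid 0 for client mode; ~/.ppp.* searched */
const struct ppp_policy POLICY_PROPOSED = { 0, 0 }; /* as current, but ~/.ppp.* search removed */
const struct ppp_policy POLICY_RELAXED  = { 1, 1 }; /* group network may use client mode; ~/.ppp.* read */

/* Level 1: mode 4550 owned root.network.  The kernel grants execute to the
 * owner and to group members; "other" has no permission bits at all. */
int can_exec_ppp(uid_t ruid, int in_network_group)
{
    return ruid == 0 || in_network_group;
}

enum ppp_decision
ppp_access(uid_t ruid, int in_network_group, enum ppp_mode mode,
           const struct ppp_policy *p)
{
    if (!can_exec_ppp(ruid, in_network_group))
        return PPP_DENY;
    if (mode == PPP_DIRECT)
        return PPP_ALLOW_DIRECT;            /* level 2: anyone who can exec */
    if (ruid == 0 || (p->relaxed && in_network_group))
        return PPP_ALLOW_CLIENT;            /* level 3: real uid 0 (or relaxed build) */
    return PPP_DENY;
}

/* Which configuration file ppp would parse while running with euid 0.
 * "/etc/ppp/ppp.conf" is assumed here as the system-wide file. */
const char *
ppp_config_path(const char *home, int user_file_exists,
                const struct ppp_policy *p, char *buf, size_t len)
{
    if (p->search_user_files && user_file_exists)
        snprintf(buf, len, "%s/.ppp.conf", home);
    else
        snprintf(buf, len, "/etc/ppp/ppp.conf");
    return buf;
}

/* The outstanding issue: returns 1 when a caller whose real uid is not 0
 * can get a file *they* write parsed by the setuid ppp, e.g. a group
 * network member running "ppp -direct mylabel" with a ~/.ppp.conf that
 * manipulates routes. */
int
unprivileged_config_control(uid_t ruid, int in_network_group, enum ppp_mode mode,
                            const struct ppp_policy *p, int user_file_exists)
{
    if (ruid == 0)
        return 0;                           /* root controls everything anyway */
    if (ppp_access(ruid, in_network_group, mode, p) == PPP_DENY)
        return 0;                           /* ppp never runs, nothing to sabotage */
    return p->search_user_files && user_file_exists;
}

int main(void)
{
    const struct ppp_policy *pols[3] = { &POLICY_CURRENT, &POLICY_PROPOSED, &POLICY_RELAXED };
    const char *names[3] = { "current", "proposed", "relaxed" };
    char path[256];

    /* Sample caller (constructed): uid 1000, member of group network,
     * with a ~/.ppp.conf already in place. */
    for (int i = 0; i < 3; i++) {
        printf("%-8s -direct:%d client:%d reads %s user-controlled:%d\n",
               names[i],
               ppp_access(1000, 1, PPP_DIRECT, pols[i]),
               ppp_access(1000, 1, PPP_CLIENT, pols[i]),
               ppp_config_path("/home/user", 1, pols[i], path, sizeof path),
               unprivileged_config_control(1000, 1, PPP_DIRECT, pols[i], 1));
    }
    return 0;
}
```

The table the program prints makes the point of the mail concrete: under the current behaviour a group network member is denied client mode, yet -direct mode still gets their own ~/.ppp.conf parsed with euid 0; dropping the ~/.ppp.* search closes that path, while the relaxed build reopens it deliberately for people who are trusted with routing anyway.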

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199709210051.BAA21105>