Date:      Sat, 20 Sep 1997 23:16:50 -0700 (PDT)
From:      "Jamil J. Weatherbee" <jamil@counterintelligence.ml.org>
To:        Eivind Eklund <perhaps@yes.no>
Cc:        =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= <ache@nagual.pp.ru>, hackers@FreeBSD.ORG, brian@awfulhak.org, brian@FreeBSD.ORG
Subject:   Re: ppp restrictions 
Message-ID:  <Pine.BSF.3.96.970920231430.201A-100000@counterintelligence.ml.org>
In-Reply-To: <199709202102.XAA18140@bitbox.follo.net>


I was reading the man page on pppd while setting up a ppp server, and when
I saw the whole defaultroute thing I was astonished that any user could go
in and basically change the default route, so I put a -defaultroute in the
/etc/ppp/options file (this should be default with the distribution).
Also, does anyone out there in hacker land have the "login" option working
when the server that is being logged into is running nis?


On Sat, 20 Sep 1997, Eivind Eklund wrote:

> > 
> > On Fri, 19 Sep 1997, Brian Somers wrote:
> > > I think the best place to discuss this is on -hackers.  Some people 
> > > think that ppp should not be suid at all, others like it the way it 
> > > was....
> 
> The way it was is IMHO unacceptable.  It is a huge security hole,
> similar to sticking the root password in a world readable file in a
> slightly hidden location - acceptable in many situations, but not a
> way we can live with shipping systems.
> 
> > Too many things work only from root; it is not flexible. Let's consider
> > suid abilities with and without suid requirements.  If we have suid
> > abilities without suid requirement, we need yet one level of restriction
> > to separate them from normal users; it is the "network" group currently. If we
> > have suid requirements, we don't need the "network" group and return to the old
> > model where all things are done from root. 
> 
> I like the present model.  It allows you to be as strict (or not) as
> you want, but defaults to a secure value.  "Principle of least
> surprise" indicates that users shouldn't be able to change routes; them
> doing that is more surprising than not being able to run PPP (which is
> easy enough to fix).
> 
> Eivind.
> 



