Date: Wed, 11 Dec 1996 23:33:21 -0700 From: Warner Losh <imp@village.org> To: batie@agora.rdrop.com (Alan Batie) Cc: pete@sms.fi, taob@io.org, freebsd-security@freebsd.org Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system) Message-ID: <E0vY4ht-0005F8-00@rover.village.org> In-Reply-To: Your message of "Wed, 11 Dec 1996 22:15:12 PST." <m0vY4QK-0008uxC@agora.rdrop.com> References: <m0vY4QK-0008uxC@agora.rdrop.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <m0vY4QK-0008uxC@agora.rdrop.com> Alan Batie writes: : > : functionality, like dhcpd, you need to have them. : > : > FWIW, rarpd also needs to have bpf enabled as well : : neither of these need to run on the system with shell accounts, and one : could argue they're better off being on an isolated, secured, system. One could argue that, but one would be missing the point. If I want to allow machines to boot off of a machine, I must necessarily make it a vector for further attack, should it somehow be compromized. That is not an acceptible answer, even if it should be well secured and isolated. Even if it were well secured and isolated, there have been instances in the past of bugs giving people root access on a remote machine, and the machine can't be too isolated if it is providing this service. Just because Brian was talking about a shell server, doesn't mean that *I* have a shell server, or that *I* want to be forced to have additional weaknesses in my system just because I have one or more machines that get their IP address via RARP. I have devices that get their IP addresses via RARP, get their boot file via TFTP and then don't interact with my machine again. They are X terminals w/o working NVRAM. And yes, that does mean I'd have passwords in the clear on my net for them, which is why I don't want it to be easy for people to sniff my net should they break into one of my machines. It is one of the things that bugs me about my current setup is that I'm forced to have a less secure system than I would otherwise have... Warner
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E0vY4ht-0005F8-00>