From owner-freebsd-security Wed Dec 11 22:33:53 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id WAA23111 for security-outgoing; Wed, 11 Dec 1996 22:33:53 -0800 (PST)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by freefall.freebsd.org (8.8.4/8.8.4) with SMTP id WAA23102 for ; Wed, 11 Dec 1996 22:33:50 -0800 (PST)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 0.56 #1) id E0vY4ht-0005F8-00; Wed, 11 Dec 1996 23:33:21 -0700
To: batie@agora.rdrop.com (Alan Batie)
Subject: Re: Risk of having bpf0? (was URGENT: Packet sniffer found on my system)
Cc: pete@sms.fi, taob@io.org, freebsd-security@freebsd.org
In-reply-to: Your message of "Wed, 11 Dec 1996 22:15:12 PST."
References:
Date: Wed, 11 Dec 1996 23:33:21 -0700
From: Warner Losh
Message-Id:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message Alan Batie writes:
: > : functionality, like dhcpd, you need to have them.
: >
: > FWIW, rarpd also needs to have bpf enabled as well
:
: neither of these need to run on the system with shell accounts, and one
: could argue they're better off being on an isolated, secured, system.

One could argue that, but one would be missing the point. If I want to allow machines to boot off of a machine, I must necessarily make it a vector for further attack, should it somehow be compromised. That is not an acceptable answer, even if it should be well secured and isolated. Even if it were well secured and isolated, there have been instances in the past of bugs giving people root access on a remote machine, and the machine can't be too isolated if it is providing this service. Just because Brian was talking about a shell server doesn't mean that *I* have a shell server, or that *I* want to be forced to have additional weaknesses in my system just because I have one or more machines that get their IP address via RARP.
I have devices that get their IP addresses via RARP, get their boot file via TFTP and then don't interact with my machine again. They are X terminals w/o working NVRAM. And yes, that does mean I'd have passwords in the clear on my net for them, which is why I don't want it to be easy for people to sniff my net should they break into one of my machines. One of the things that bugs me about my current setup is that I'm forced to have a less secure system than I would otherwise have...

Warner