From owner-freebsd-security Fri Aug 6 1:33: 9 1999
Delivered-To: freebsd-security@freebsd.org
Received: from storm.FreeBSD.org.uk (storm.freebsd.org.uk [194.242.128.198]) by hub.freebsd.org (Postfix) with ESMTP id 0B6A315005 for ; Fri, 6 Aug 1999 01:33:05 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from keep.lan.Awfulhak.org (localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.9.3/8.9.3) with ESMTP id JAA32477; Fri, 6 Aug 1999 09:32:56 +0100 (BST) (envelope-from brian@Awfulhak.org)
Received: from keep.lan.Awfulhak.org (brian@localhost.lan.Awfulhak.org [127.0.0.1]) by keep.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id JAA00845; Fri, 6 Aug 1999 09:03:05 +0100 (BST) (envelope-from brian@keep.lan.Awfulhak.org)
Message-Id: <199908060803.JAA00845@keep.lan.Awfulhak.org>
X-Mailer: exmh version 2.0.2 2/24/98
To: alk@pobox.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: group bits
In-reply-to: Your message of "Thu, 05 Aug 1999 16:34:05 CDT." <14249.52685.50332.808817@avalon.east>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 06 Aug 1999 09:03:05 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> I'd like to obtain a consensus guideline on an issue which is
> treated inconsistently in FreeBSD's user space: Is it true, as I
> believe, that group rwx bits are the principal correct and appropriate
> mechanism to allow a specific group of users to control aspects of
> system administration which are protected from control by the body of
> users at large?
>
> My specific motivation is that every time I cvsup, I have to patch
> sendmail and ppp to suppress their group-writable-config
> errors/warnings. If a clear consensus existed that these
> errors/warnings were spurious, then a PR might have a snowball's
> chance of remedying the situation. If not, then at least I could give
> up one wasted quixotic hope.

If you want to allow users to modify their own ppp configuration, you
should do this by including the line

  !include ~/.ppp.conf

in ppp.conf. This means that users can modify their own profiles
without screwing around with other people's.

ppp.conf should always be owned by root and mode 600, 400 or 0.

--
Brian

Don't _EVER_ lose your sense of humour !
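
The ownership and mode rule stated in the reply above, written as a check an administrator could run; this is an added example, not part of the original message and not ppp's own code. The function names, the `expected_uid` parameter and the simple `!include` line matching are assumptions made for illustration.

```python
import os
import stat
import sys

ALLOWED_MODES = {0o600, 0o400, 0o000}  # the three modes named in the reply


def audit_ppp_conf(path, expected_uid=0):
    """Return a list of findings; an empty list means the file passes."""
    st = os.lstat(path)  # lstat: do not follow a symlink placed at path
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Any group or other bit means someone besides the owner has access.
        findings.append(f"{path}: mode {mode:04o} grants group/other access")
    elif mode not in ALLOWED_MODES:
        # Catches owner-execute, setuid/setgid and sticky bits.
        findings.append(f"{path}: mode {mode:04o} is not 0600, 0400 or 0000")
    return findings


def user_includes(path):
    """Return targets of '!include' lines that point into a home directory."""
    targets = []
    with open(path) as fh:
        for line in fh:
            words = line.split()
            # Assumption: one '!include <file>' directive per line.
            if len(words) == 2 and words[0] == "!include" and words[1].startswith("~"):
                targets.append(words[1])
    return targets


if __name__ == "__main__":
    # Usage: python audit_ppp_conf.py <path to ppp.conf>
    conf = sys.argv[1]
    problems = audit_ppp_conf(conf)
    for p in problems:
        print(p)
    if not problems:
        print("per-user includes:", user_includes(conf))
    sys.exit(1 if problems else 0)
```

Reading a mode 400 or 0 file to list its includes requires running as root.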