From owner-freebsd-security Fri Aug 6 4:53:25 1999
Delivered-To: freebsd-security@freebsd.org
Received: from storm.FreeBSD.org.uk (storm.freebsd.org.uk [194.242.128.198])
	by hub.freebsd.org (Postfix) with ESMTP id ADC8F1555C
	for ; Fri, 6 Aug 1999 04:53:12 -0700 (PDT)
	(envelope-from brian@Awfulhak.org)
Received: from keep.lan.Awfulhak.org (localhost [127.0.0.1])
	by storm.FreeBSD.org.uk (8.9.3/8.9.3) with ESMTP id MAA33864;
	Fri, 6 Aug 1999 12:53:09 +0100 (BST)
	(envelope-from brian@Awfulhak.org)
Received: from keep.lan.Awfulhak.org (brian@localhost.lan.Awfulhak.org [127.0.0.1])
	by keep.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id MAA01988;
	Fri, 6 Aug 1999 12:54:38 +0100 (BST)
	(envelope-from brian@keep.lan.Awfulhak.org)
Message-Id: <199908061154.MAA01988@keep.lan.Awfulhak.org>
X-Mailer: exmh version 2.0.2 2/24/98
To: alk@pobox.com
Cc: brian@FreeBSD.org.uk, freebsd-security@FreeBSD.ORG
Subject: Re: group bits
In-reply-to: Your message of "Fri, 06 Aug 1999 06:21:17 CDT." <14250.50016.61650.779505@avalon.east>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 06 Aug 1999 12:54:38 +0100
From: Brian Somers
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Quoth Brian Somers on Fri, 6 August:
> : If you want to allow users to modify their own ppp configuration, you
> : should do this by including the line
> :
> :   !include ~/.ppp.conf
> :
> : in ppp.conf.  This means that users can modify their own profiles
> : without screwing around with other people's.
>
> That's a very nice functionality which I had completely overlooked.
> Thank you for pointing it out.  But it does quite completely miss the
> point of my interest, which is in the meaning of the group bits.
>
> : ppp.conf should always be owned by root and mode 600, 400 or 0.
>
> In what sense of "should"?  I want those persons responsible for
> administering ppp to be able to do so, although they may not have root
> access.  I can do this by saying !include /etc/ppp/ppp.conf.shared in
> /etc/ppp/ppp.conf, and making /etc/ppp/ppp.conf.shared group writable
> by group ppp, from your description.  I have to ask, therefore, what
> purpose does it serve to require that ppp.conf should not be group
> writable?  It seems to frustrate the purpose of that bit.

I guess you're right.  The check is really to ensure that somebody
hasn't got the permissions screwed up.  This is now far less likely
now that a base ppp.conf is installed 600 by sysinstall.

Feel free to raise the PR.  A set of patches to check the ``other''
permissions on /etc, /etc/ppp & /etc/ppp/ppp.conf would be nice too :-)

--
Brian

Don't _EVER_ lose your sense of humour !
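The permission check discussed in this thread, as an added example that is not part of the original message and is not ppp's own code: it compares the strict "600, 400 or 0" rule with a relaxed rule that refuses only the ``other'' write bit on /etc, /etc/ppp and /etc/ppp/ppp.conf. The function names, flag values and the exact relaxed mask are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define PERM_BAD_OWNER 0x1  /* not owned by the expected uid */
#define PERM_BAD_MODE  0x2  /* a forbidden mode bit is set */
#define PERM_NO_STAT   0x4  /* stat() failed */
/* Strict rule from the thread: "600, 400 or 0", no group or other access. */
#define FORBID_STRICT  (S_IRWXG | S_IRWXO)
/* Relaxed rule (assumption): refuse only the "other" write bit. */
#define FORBID_OTHER_W (S_IWOTH)

/* Pure policy decision on an already-fetched struct stat. */
int perm_problems(const struct stat *sb, uid_t owner, mode_t forbidden)
{
    int bad = (sb->st_uid != owner) ? PERM_BAD_OWNER : 0;
    if (sb->st_mode & forbidden)
        bad |= PERM_BAD_MODE;
    return bad;
}

int check_path(const char *path, uid_t owner, mode_t forbidden)
{
    struct stat sb;
    if (stat(path, &sb) == -1)
        return PERM_NO_STAT;
    return perm_problems(&sb, owner, forbidden);
}

/* Check each path; report and count the ones that fail. */
int check_chain(const char *const paths[], size_t n, uid_t owner, mode_t forbidden)
{
    int failures = 0;
    for (size_t i = 0; i < n; i++) {
        int bad = check_path(paths[i], owner, forbidden);
        if (bad) {
            fprintf(stderr, "%s: unsafe (flags 0x%x)\n", paths[i], (unsigned)bad);
            failures++;
        }
    }
    return failures;
}

int main(void)
{
    const char *const chain[] = { "/etc", "/etc/ppp", "/etc/ppp/ppp.conf" };
    return check_chain(chain, 3, 0, FORBID_OTHER_W) ? 1 : 0;
}
```

A program that goes on to read the file should apply perm_problems() to the result of fstat() on the descriptor it opened, so the check and the read refer to the same file.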