Message-ID: <19981203023719.A87604@nagual.pp.ru>
Date: Thu, 3 Dec 1998 02:37:19 +0300
From: "Andrey A. Chernov"
To: dima@best.net
Cc: guido@gvr.org, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/etc master.passwd
References: <19981203014511.A72032@nagual.pp.ru> <199812022329.PAA86705@burka.rdy.com>
In-Reply-To: <199812022329.PAA86705@burka.rdy.com>; from dima@best.net on Wed, Dec 02, 1998 at 03:29:00PM -0800
Organization: Biomechanoid

On Wed, Dec 02, 1998 at 03:29:00PM -0800, Dima Ruban wrote:
> I don't exactly see what's wrong with not having this directory created by
> mtree.
> If hacker on a given machine can create /usr/guest/operator or whatever is
> the default, that it means that this dude has root access.
> At this point you screwed either way.

Yes, but _after_ having root access once (suppose you close the hole quickly) he can use your machine forever under operator account (without root access) which is hardly detected because passwd unchanged.

> Yeah, you didn't touch my password file, but you forced everybody else
> who potentially can use this feature to deal with your changes.

Everybody else who uses operator as a valid user must change its directory to reflect a real existing one _even_in_old_variant_, so changes are necessary in any case.

--
Andrey A. Chernov
http://www.nagual.pp.ru/~ache/
MTH/SH/HE S-- W-- N+ PEC>+ D A a++ C G>+ QH+(++) 666+>++ Y
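
An added example, not part of the original message or of FreeBSD: a Python audit for the condition discussed in this thread, where a locked account such as operator has a usable shell and a home directory that appears on disk although the password file never changed. The sample entries, the `baseline` set, the `NOLOGIN_SHELLS` list and the function names are assumptions made for illustration.

```python
import os

# Constructed sample in master.passwd(5) layout:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
SAMPLE_MASTER_PASSWD = """\
root::0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/usr/guest/operator:/bin/csh
bin:*:3:7::0:0:Binaries Commands and Source:/:/sbin/nologin
"""

# Shells that refuse interactive use (assumed list; adjust per system).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/nonexistent"}


def parse_master_passwd(text):
    """Return one dict per well-formed 10-field entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 10:
            continue
        entries.append({
            "name": fields[0],
            "locked": fields[1].startswith("*"),
            "home": fields[8],
            "shell": fields[9],
        })
    return entries


def unexpected_homes(passwd_text, baseline, root="/"):
    """Flag locked accounts with a usable shell whose home directory exists
    on disk although it is not in the baseline of expected directories."""
    findings = []
    for entry in parse_master_passwd(passwd_text):
        if not entry["locked"] or entry["shell"] in NOLOGIN_SHELLS:
            continue
        if entry["home"] in baseline:
            continue
        path = os.path.join(root, entry["home"].lstrip("/"))
        if os.path.isdir(path):
            findings.append((entry["name"], entry["home"], sorted(os.listdir(path))))
    return findings


if __name__ == "__main__":
    # Baseline is an assumption: the homes your install is known to create.
    for name, home, files in unexpected_homes(SAMPLE_MASTER_PASSWD, {"/root"}):
        print(f"{name}: {home} exists but is not in the baseline; contents: {files}")
```

The `root` parameter lets the check run against a mounted image or a test tree instead of the live filesystem.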