Date:      Fri, 16 Aug 1996 11:43:53 -0400 (EDT)
From:      Mike Newell <mnewell@kaizen.net>
To:        Nate Williams <nate@mt.sri.com>
Cc:        Joe Greco <jgreco@brasil.moneng.mei.com>, hackers@freefall.freebsd.org
Subject:   Re: Routed supports variable-length netmasks?
Message-ID:  <Pine.SGI.3.95.960816113405.11933C-100000@dada.kaizen.net>
In-Reply-To: <199608161532.JAA06486@rocky.mt.sri.com>

On Fri, 16 Aug 1996, Nate Williams wrote:

> /etc/ppp/ip-up and /etc/ppp/ip-down are run as root, no matter who the
> login user is.  This also means you must be careful what you put in
> there, but since the environment is safeguarded pretty well it would be
> hard to break into a system via them.

Well, in my case they didn't work.  So I added lines of the form:

   route add ...... >> /var/log/ip-up.log 2>&1

and found routed was complaining that routes can only be changed by root.
Reading the man page for pppd, it specifically says:

       /etc/ppp/ip-up

		... snip ...

              This program or script is executed  with  the  same
              real  and  effective  user-ID  as pppd, that is, at
              least the effective user-ID and possibly  the  real
              user-ID  will  be  root.  This is so that it can be
              used to manipulate routes, run  privileged  daemons
              (e.g.   sendmail),  etc.   Be careful that the con-
              tents of the  /etc/ppp/ip-up  and  /etc/ppp/ip-down
              scripts do not compromise your system's security.


I'm not clear on how to interpret this, but apparently the _real_ UID is
root, but the _effective_ UID is that of the account used to invoke pppd. 
Route appears to check the effective UID, so it refuses to do its thing.
Setting the script SUID has no effect.  Neither does adding the ppp login
account to the "wheel" group.  :-(

As a workaround I log into our box as root [ugh!] to invoke pppd, but
clearly that's not the answer.  I'm running 2.1-RELEASE; maybe things
changed in 2.1.5? 

Thanks!

Mike
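
A diagnostic form of the ip-up script, added here as an example and not part of the original message or of pppd itself: it logs the real and effective UID the script actually runs with (the distinction the man page draws) and only attempts the route change when the effective UID is root, so a refused run leaves a clear record rather than a bare "only root can change routes". The log path, the peer network, and the ROUTE override used for dry runs are assumptions.

```sh
#!/bin/sh
# Diagnostic /etc/ppp/ip-up (added example, not pppd's own script).
# pppd invokes it as: ip-up IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# Assumptions: LOG, PEER_NET and PEER_MASK are placeholders; ROUTE can be
# overridden (e.g. ROUTE=echo) to dry-run without touching the kernel table.
LOG=${IPUP_LOG:-/var/log/ip-up.log}
ROUTE=${ROUTE:-route}
PEER_NET=192.0.2.0
PEER_MASK=255.255.255.0

# One greppable line with both identities. "id -ru" is the real UID,
# "id -u" the effective UID; route(8)'s root check is on the effective one.
uid_report() {
    printf 'real_uid=%s effective_uid=%s\n' "$(id -ru)" "$(id -u)"
}

# Succeeds only when the effective UID is root, i.e. when route will work.
can_change_routes() {
    [ "$(id -u)" -eq 0 ]
}

# Add the peer network via the link's remote address, or explain why not.
# Takes the same positional parameters pppd passes to ip-up.
add_peer_route() {
    ifname=$1 remote=$5
    if can_change_routes; then
        echo "ip-up: adding $PEER_NET/$PEER_MASK via $remote on $ifname"
        "$ROUTE" add -net "$PEER_NET" -netmask "$PEER_MASK" "$remote" 2>&1
    else
        echo "ip-up: effective UID not root ($(uid_report)); skipping route add" >&2
        return 1
    fi
}

main() {
    {
        echo "$(date) ip-up start: $*"
        uid_report
        add_peer_route "$@"
        echo "ip-up end"
    } >> "$LOG" 2>&1
}

# Run main only when executed as ip-up, not when sourced for testing.
case $0 in
    */ip-up|ip-up) main "$@" ;;
esac
```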
