From owner-freebsd-hackers  Fri Aug 16 09:18:55 1996
Return-Path: owner-hackers
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id JAA26042
          for hackers-outgoing; Fri, 16 Aug 1996 09:18:55 -0700 (PDT)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA26035
          for <hackers@freefall.freebsd.org>; Fri, 16 Aug 1996 09:18:49 -0700 (PDT)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id KAA06691; Fri, 16 Aug 1996 10:18:42 -0600 (MDT)
Date: Fri, 16 Aug 1996 10:18:42 -0600 (MDT)
Message-Id: <199608161618.KAA06691@rocky.mt.sri.com>
From: Nate Williams <nate@mt.sri.com>
To: Mike Newell <mnewell@kaizen.net>
Cc: Nate Williams <nate@mt.sri.com>, hackers@freefall.freebsd.org
Subject: Re: Routed supports variable-length netmasks?
In-Reply-To: <Pine.SGI.3.95.960816113405.11933C-100000@dada.kaizen.net>
References: <199608161532.JAA06486@rocky.mt.sri.com>
	<Pine.SGI.3.95.960816113405.11933C-100000@dada.kaizen.net>
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Mike Newell writes:
> On Fri, 16 Aug 1996, Nate Williams wrote:
> 
> > /etc/ppp/ip-up and /etc/ppp/ip-down are run as root, no matter who the
> > login user is.  This also means you must be careful what you put in
> > there, but since the environment is safeguarded pretty well it would be
> > hard to break into a system via them.
> 
> Well, in my case they didn't work.  So I added lines of the form:
> 
>    route add ...... >> /var/log/ip-up.log 2>&1
> 
> and found routed was complaining that routes can only be changed by root.
> Reading the man page for pppd is specifically says:
> 
>        /etc/ppp/ip-up
> 
> 		... snip ...
> 
>               This program or script is executed  with  the  same
>               real  and  effective  user-ID  as pppd, that is, at
>               least the effective user-ID and possibly  the  real
>               user-ID  will  be  root.  This is so that it can be
>               used to manipulate routes, run  privileged  daemons
>               (e.g.   sendmail),  etc.   Be careful that the con-
>               tents of the  /etc/ppp/ip-up  and  /etc/ppp/ip-down
>               scripts do not compromise your system's security.
> 
> 
> I'm not clear on how to interpret this, but apparently the _real_ UID is
> root, but the _effective_ UID is that of the account used to invoke pppd. 
> Route appears to check the effective UID, so it refuses to do its thing.
> Setting the script SUID has no effect.  Neither does adding the ppp login
> account to the "wheel" group.  :-(

Hmm, pppd on my box is as follows, which may be a security problem.

ns:/usr/src/sbin/ipfw # ls -al /usr/sbin/pppd
-r-sr-xr-x  1 root  bin  69632 Jun 27 18:45 /usr/sbin/pppd*

This is the same as I was doing in 2.1.




Nate