Date: Fri, 16 Aug 1996 11:25:21 -0500 (CDT)
From: Joe Greco <jgreco@brasil.moneng.mei.com>
To: mnewell@kaizen.net (Mike Newell)
Cc: nate@mt.sri.com, jgreco@brasil.moneng.mei.com, hackers@freefall.freebsd.org
Subject: Re: Routed supports variable-length netmasks?
Message-ID: <199608161625.LAA15564@brasil.moneng.mei.com>
In-Reply-To: <Pine.SGI.3.95.960816113405.11933C-100000@dada.kaizen.net> from "Mike Newell" at Aug 16, 96 11:43:53 am

> On Fri, 16 Aug 1996, Nate Williams wrote:
>
> > /etc/ppp/ip-up and /etc/ppp/ip-down are run as root, no matter who the
> > login user is.  This also means you must be careful what you put in
> > there, but since the environment is safeguarded pretty well it would be
> > hard to break into a system via them.
>
> Well, in my case they didn't work.  So I added lines of the form:
>
>     route add ...... >> /var/log/ip-up.log 2>&1
>
> and found routed was complaining that routes can only be changed by root.
> Reading the man page for pppd it specifically says:
>
>      /etc/ppp/ip-up
>
>             ... snip ...
>
>             This program or script is executed with the same
>             real and effective user-ID as pppd, that is, at
>             least the effective user-ID and possibly the real
>             user-ID will be root.  This is so that it can be
>             used to manipulate routes, run privileged daemons
>             (e.g. sendmail), etc.  Be careful that the con-
>             tents of the /etc/ppp/ip-up and /etc/ppp/ip-down
>             scripts do not compromise your system's security.
>
>
> I'm not clear on how to interpret this, but apparently the _real_ UID is
> root, but the _effective_ UID is that of the account used to invoke pppd.
> Route appears to check the effective UID, so it refuses to do its thing.
> Setting the script SUID has no effect.  Neither does adding the ppp login
> account to the "wheel" group. :-(
>
> As a workaround I log into our box as root [ugh!] to invoke pppd, but
> clearly that's not the answer.  I'm running 2.1-RELEASE; maybe things
> changed in 2.1.5?

Yeah yeah that's the ticket.

Verrrry familiar problem.  I believe I hacked a copy of route to fix this
problem and installed it as /etc/ppp/route...

... JG
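
A small diagnostic that can be run from /etc/ppp/ip-up to record which of the real and effective user-IDs is actually root at that point, the question the quoted message leaves open. It is an added example, not part of the original e-mail and not code from pppd or route; the enum and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names: the four ways root can (or cannot) appear in the ID pair. */
enum id_state {
    IDS_BOTH_ROOT,       /* real and effective are 0, e.g. pppd started by root */
    IDS_EUID_ROOT_ONLY,  /* effective 0, real is the caller: typical setuid-root program */
    IDS_RUID_ROOT_ONLY,  /* real 0, effective dropped to another user */
    IDS_NO_ROOT          /* neither ID is 0 */
};

enum id_state classify_ids(uid_t ruid, uid_t euid)
{
    if (ruid == 0 && euid == 0) return IDS_BOTH_ROOT;
    if (euid == 0) return IDS_EUID_ROOT_ONLY;
    if (ruid == 0) return IDS_RUID_ROOT_ONLY;
    return IDS_NO_ROOT;
}

const char *id_state_name(enum id_state s)
{
    switch (s) {
    case IDS_BOTH_ROOT:      return "both-root";
    case IDS_EUID_ROOT_ONLY: return "euid-root-only";
    case IDS_RUID_ROOT_ONLY: return "ruid-root-only";
    default:                 return "no-root";
    }
}

/* Build one log line; returns its length, or -1 if buf is too small. */
int format_id_report(char *buf, size_t len, uid_t ruid, uid_t euid)
{
    int n = snprintf(buf, len, "ruid=%lu euid=%lu state=%s",
                     (unsigned long)ruid, (unsigned long)euid,
                     id_state_name(classify_ids(ruid, euid)));
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
    char line[96];
    /* IDs are inherited across exec unless the executed file is itself setuid. */
    if (format_id_report(line, sizeof line, getuid(), geteuid()) < 0)
        return 1;
    puts(line);
    return 0;
}
```

Invoke it from ip-up with the same `>> /var/log/ip-up.log 2>&1` redirection used in the message. Any result other than both-root means a child program that tests the ID which is not 0 will refuse to act.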