Date: Sun, 16 Feb 2003 14:21:41 +0300
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: current@FreeBSD.ORG
Subject: Re: OPIE breakage: backout & patch for review
Message-ID: <20030216112141.GB99812@nagual.pp.ru>
In-Reply-To: <xzpk7g0fps3.fsf@flood.ping.uio.no>
References: <20030216014158.GA73950@nagual.pp.ru> <xzp4r74h7co.fsf@flood.ping.uio.no> <20030216102738.GA99367@nagual.pp.ru> <20030216105605.GA99732@nagual.pp.ru> <xzpk7g0fps3.fsf@flood.ping.uio.no>

On Sun, Feb 16, 2003 at 12:06:36 +0100, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" <ache@nagual.pp.ru> writes:
> > Admins with no /etc/opieaccess AFFECTED!
>
> Admins with no /etc/opieaccess IDIOTS for not running mergemaster!

First of all, there are many years of existing OPIE administration
practice which every OPIE admin knows, and this practice says that this
file is not needed in many setups. In the hypothetical case that FreeBSD
decides to break this rule for some unknown reason, it must be well
documented in both manpages and release notes.

But currently the exact opposite variant is documented. Please read this
quote from opieaccess(5), where the OPIE authors explicitly state that
this file can lead to a security hole and always should be treated as
optional.

"In any environment, it should be considered a transition tool and not a
permanent fixture. When it is not being used as a transition tool, a
version of OPIE that has been built without support for the opieaccess
file should be built to prevent the possibility of an attacker using this
file as a means to circumvent the OPIE software."

Even some new admins read manpages and delete this file after reading
that.

-- 
Andrey A. Chernov
http://ache.pp.ru/