Date: Mon, 24 Jan 2000 11:15:11 -0800 (PST)
From: Kris Kennaway <kris@hub.freebsd.org>
To: audit@freebsd.org
Subject: OPIE audit
Message-ID: <Pine.BSF.4.21.0001241109250.70739-100000@hub.freebsd.org>

Hi guys,

We need to fix up the OPIE utilities so they don't rely on a world-readable /etc/opiekeys (bad for dictionary attacks, like the recent w00w00 advisory points out). There are at least two ways to do this:

1) Audit the OPIE code for setuid rootness (this is the path which FreeBSD went with s/key a few years ago - dunno why opie wasn't done then too) - or setuid opieness (new uid).

2) Use a small setuid root helper app which does the authentication on behalf of the non-setuid program.

Thoughts?

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson