Date:      Sun, 7 Sep 1997 11:27:57 -0700 (PDT)
From:      "Rodney W. Grimes" <rgrimes@GndRsh.aac.dev.com>
To:        brian@awfulhak.org (Brian Somers)
Cc:        benedict@echonyc.com, brian@awfulhak.org, freebsd-stable@FreeBSD.ORG
Subject:   Re: Don Croyle: make world failing at ppp install (again)
Message-ID:  <199709071827.LAA15739@GndRsh.aac.dev.com>
In-Reply-To: <199709071250.NAA21742@awfulhak.demon.co.uk> from Brian Somers at "Sep 7, 97 01:50:28 pm"

> > At about the same time as the group ownership change, I became unable to
> > run PPP except as root.
> > 
> > Even though the binary had the setuid bit set, was group executable, and
> > belonged to root:network, and my user account belonged to group network,
> > whenever I tried to run it it said it could only be used in client mode by
> > uid 0.
> > 
> > I've been working around this by su'ing before launching PPP, but I wonder
> > if there's a better fix.
> 
> This is a "feature" :-I
> 
> If normal users are allowed to run ppp in client mode, they can alter 
> the routing tables and point things at a local machine where they can 
> then start "massaging" packets.  Even being a member of a specific 
> group is somewhat bogus - only root is allowed to alter the routing 
> table, so only root should really be allowed to run ppp (running ppp 
> *requires* access to the routing table).

Running ppp does _NOT_ *require* write access to the routing table;
this is much much much better handled by properly configuring
a real routing daemon and running real routing protocols.  In fact
I have to go to great pains to _stop_ what ppp tries to do
to the routing tables, gated handles it MUCH better!  In fact if I
don't stop what ppp tries to do gated just comes along and smacks
right over the top of any routes it creates with the real and
correct ones :-)

-- 
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc.                   Reliable computers for FreeBSD
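As an added example (not code from this thread, nor from FreeBSD ppp or gated), the following Python diffs two FreeBSD-style `netstat -rn` snapshots so that a replaced default route, the redirection the thread is concerned about, shows up explicitly. The snapshots, gateway addresses and interface names are constructed for illustration.

```python
# Added example, not from the thread: diff two FreeBSD-style `netstat -rn`
# snapshots so an unexpected default-route change (e.g. a client-mode ppp
# session pointing "default" elsewhere) shows up. Samples are constructed.

# Constructed baseline (Internet section only), before ppp is started.
BASELINE = """\
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            192.0.2.1          UGSc        3       12      ed0
127.0.0.1          127.0.0.1          UH          1        4      lo0
192.0.2.0/24       link#1             UC          0        0      ed0
"""

# Constructed snapshot after ppp replaced the default route with its tun0 peer.
AFTER_PPP = """\
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            10.0.0.2           UGSc        0        0      tun0
10.0.0.2           10.0.0.1           UH          1        0      tun0
127.0.0.1          127.0.0.1          UH          1        4      lo0
192.0.2.0/24       link#1             UC          0        0      ed0
"""


def parse_routes(netstat_output):
    """Map destination -> (gateway, interface); header/blank lines are skipped."""
    routes = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        # Data rows have at least Destination Gateway Flags Refs Use Netif.
        if len(fields) >= 6 and fields[0] != "Destination":
            routes[fields[0]] = (fields[1], fields[5])
    return routes


def route_changes(before, after):
    """List added/removed/changed routes, default route first, as strings."""
    old, new = parse_routes(before), parse_routes(after)
    changes = []
    # Sort so "default" is reported first: a replaced default gateway is the
    # silent redirection the thread is concerned about.
    for dest in sorted(set(old) | set(new), key=lambda d: (d != "default", d)):
        if dest not in old:
            changes.append("added %s via %s on %s" % (dest, new[dest][0], new[dest][1]))
        elif dest not in new:
            changes.append("removed %s via %s on %s" % (dest, old[dest][0], old[dest][1]))
        elif old[dest] != new[dest]:
            changes.append("changed %s: %s/%s -> %s/%s"
                           % ((dest,) + old[dest] + new[dest]))
    return changes
```

Feeding real `netstat -rn` output (Internet section) in place of the constructed strings turns this into a before/after check around a ppp session.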