From owner-freebsd-stable Sun Sep 7 18:05:03 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id SAA23204 for stable-outgoing; Sun, 7 Sep 1997 18:05:03 -0700 (PDT)
Received: from GndRsh.aac.dev.com (GndRsh.aac.dev.com [198.145.92.241]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id SAA23178 for ; Sun, 7 Sep 1997 18:04:53 -0700 (PDT)
Received: (from rgrimes@localhost) by GndRsh.aac.dev.com (8.8.5/8.7.3) id SAA15997; Sun, 7 Sep 1997 18:03:55 -0700 (PDT)
From: "Rodney W. Grimes"
Message-Id: <199709080103.SAA15997@GndRsh.aac.dev.com>
Subject: Re: Don Croyle: make world failing at ppp install (again)
In-Reply-To: <199709072350.RAA20657@obie.softweyr.ml.org> from Wes Peters at "Sep 7, 97 05:50:22 pm"
To: softweyr@xmission.com (Wes Peters)
Date: Sun, 7 Sep 1997 18:03:55 -0700 (PDT)
Cc: stable@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Rodney W. Grimes writes:
> > Running ppp does _NOT_ *require* write access to the routing table,
> > this is much much much better handled by properly configuring
> > a real routing daemon and running real routing protocols.
>
> Requiring every user who wants to use FreeBSD PPP as a simple
> single-user workstation with a dial-up ISP account, or even as a simple
> router, to understand routing protocols and gated will guarantee that
> many will just go elsewhere.
>
> While I don't disagree with you about the capability of gated, losing
> the simple routing capabilities of ppp would be a stupid move.

A person using FreeBSD as a simple single user workstation has root
access, and does not have the problem that is attempted to be
fixed. Duplicating the equiv of /sbin/route in ppp IMHO, is just
silly, adds yet another place that has to be mucked with when the
kernel/user land routing interface changes, etc.

What I am more concerned about is server side ppp and the security
hole that has just been bandaided over via group network instead of
totally eliminated by removal of route calls. There is no how no way
I want _any_ user other than root in _any_ group munging around with
routing tables on a ppp server!

--
Rod Grimes                                      rgrimes@gndrsh.aac.dev.com
Accurate Automation, Inc.                   Reliable computers for FreeBSD