From owner-freebsd-stable Sun Sep 7 22:03:33 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id WAA05950 for stable-outgoing; Sun, 7 Sep 1997 22:03:33 -0700 (PDT)
Received: from obie.softweyr.ml.org ([199.104.124.49]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id WAA05944 for ; Sun, 7 Sep 1997 22:03:26 -0700 (PDT)
Received: (from wes@localhost) by obie.softweyr.ml.org (8.7.5/8.6.12) id WAA21139; Sun, 7 Sep 1997 22:59:53 -0600 (MDT)
Date: Sun, 7 Sep 1997 22:59:53 -0600 (MDT)
Message-Id: <199709080459.WAA21139@obie.softweyr.ml.org>
From: Wes Peters
To: "Rodney W. Grimes"
CC: stable@freebsd.org, brian@awfulhak.org
Subject: Re: Don Croyle: make world failing at ppp install (again)
In-Reply-To: <199709080103.SAA15997@GndRsh.aac.dev.com>
References: <199709072350.RAA20657@obie.softweyr.ml.org> <199709080103.SAA15997@GndRsh.aac.dev.com>
Sender: owner-freebsd-stable@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I recently said:

% Requiring every user who wants to use FreeBSD PPP as a simple
% single-user workstation with a dial-up ISP account, or even as a simple
% router, to understand routing protocols and gated will guarantee that
% many will just go elsewhere.

Rodney W. Grimes writes:
> A person using FreeBSD as a simple single user workstation has root
> access, and does not have the problem that is attempted to being
> fixed. Duplicating the equiv of /sbin/route in ppp IMHO,
> is just silly, adds yet another place that has to be mucked with
> when the kernel/user land routing interface changes, etc.
>
> What I am more concerned about is server side ppp and the security
> hole that has just been bandaided over via group network instead
> of totally eliminated by removal of route calls.
>
> There is no how no way I want _any_ user other than root in _any_ group
> munging around with routing tables on a ppp server!

Obviously you are not the target user Brian had in mind when developing this feature.

We see once again the beauty of FreeBSD: you have the source, you can modify ppp at will to do as you please. I suspect, however, that no amount of pleading, cursing, or other public bandiage will change the fact that Brian is developing ppp towards an "average" user that is very different from you.

You have the option of creating patches that will disallow the routing interface, making ppp somewhat more secure for ISPs and other remote access servers, and contributing it to the project. You could either just contribute the diffs to make this happen, or diffs to make this a compile-time option. Brian seems to be very interested in developing and upgrading ppp, and may want to add this feature into his next release.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                Softweyr LLC
http://www.xmission.com/~softweyr         softweyr@xmission.com