From owner-freebsd-security Tue Jun 25 11:44:28 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA27715 for security-outgoing; Tue, 25 Jun 1996 11:44:28 -0700 (PDT) Received: from husky.cslab.vt.edu (jaitken@husky.cslab.vt.edu [198.82.184.10]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA27708 for ; Tue, 25 Jun 1996 11:44:24 -0700 (PDT) Received: (jaitken@localhost) by husky.cslab.vt.edu (8.6.12/8.6.4) id OAA06978; Tue, 25 Jun 1996 14:44:06 -0400 From: Jeff Aitken Message-Id: <199606251844.OAA06978@husky.cslab.vt.edu> Subject: Re: The Vinnie Loophole To: softweyr@xmission.com (Barnacle Wes) Date: Tue, 25 Jun 1996 14:44:06 -0400 (EDT) Cc: security@freebsd.org In-Reply-To: <199606251748.LAA25282@xmission.xmission.com> from "Barnacle Wes" at Jun 25, 96 11:48:52 am X-Mailer: ELM [version 2.4 PL24] Content-Type: text Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > You obviously aren't very concerned about security. Not true at all. Perhaps I should clarify my objection: I'm aware of the potential security risk associated with having "." in root's path. If you want to make that impossible, so be it. I don't have it in root's path on machines I administer in any case. What I specifically did *not* want to see were what I consider "useless" messages filling up the system logs. Log digestion is difficult enough as it is, as I'm sure you (or any other good admin) are already aware. AFAIK, FreeBSD doesn't come standard with "." in root's path. So the only people who would suffer from this (potential) vulnerability are the ones who *deliberately* put "." in the path! I suppose that, by the same argument, I shouldn't care about it, since I won't ever see the message. :-) What I really wanted to point out is that filling up system logs with lots of (potentially) useless information is not a good idea (IMHO). I suppose we'll just have to agree to disagree on this point. -- Jeff Aitken jaitken@cs.vt.edu