Date: Tue, 19 Feb 2002 11:45:55 -0500 From: Ken Stailey <kstailey@surfbest.net> To: Alan Eldridge <alane@geeksrus.net> Cc: klh@panix.com, FreeBSD ports list <ports@freebsd.org> Subject: Re: klh10 and its port submissions Message-ID: <3C728143.4010409@surfbest.net> References: <3C6FC9EF.9040900@surfbest.net> <3C703170.5040502@surfbest.net> <200202180001.g1I01Og20036@wwweasel.geeksrus.net> <3C726171.8050603@surfbest.net> <20020219152538.GB17665@wwweasel.geeksrus.net> <3C727732.10003@surfbest.net> <20020219161105.GA19555@wwweasel.geeksrus.net> <3C727B55.10801@surfbest.net> <20020219162924.GB19764@wwweasel.geeksrus.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Alan Eldridge wrote: >On Tue, Feb 19, 2002 at 11:20:37AM -0500, Ken Stailey wrote: > >>Alan Eldridge wrote: >> >>>On Tue, Feb 19, 2002 at 11:02:58AM -0500, Ken Stailey wrote: >>> >>>>Alan Eldridge wrote: >>>> >>>I guess I'm looking at it from the perspective of a *user* running it. >>>Network is a daemon account. >>> >>We are not talking about the network account but the network group. It >>makes a big difference. >> >>>Wheel is the group you have to be in to su >>>to root. And since it's a potentially dangerous program, it seemed logical >>>to me to need to be in the "trusted" group to be able to run it. >>> >>ppp uses ID0 wrappers around system calls to limit its use of root >>privledges. We can't go there now because klh-10 uses popen(3). I >>expect to fix that someday. >> > >Which is the right solution. :) In the meantime, that's just my $.02 on >the group issue. I can see your point, too ... network group does give >much more limited privs than wheel. :) So whatever ... > At this point I think wheel is the way to go because you want to give KLH-10 networking privs to the fewest, most trusted users until ID0 makes it safer for others to use. The other thing that KLH-10 would need is restrictions on what IP addresses can be used. ppp(8) uses /etc/ppp/ppp.conf file: kstailey@hermes$ ls -l /etc/ppp/ppp.conf -rw------- 1 root wheel 1575 Feb 15 19:08 /etc/ppp/ppp.conf ppp(8) will only use addresses in that file and it is assumed that you can only access ppp.conf by proxy via ppp(8)'s setuid and that ID0 helps inforce that. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3C728143.4010409>