[905] in linux-security and linux-alert archive


Re: [linux-security] dip

daemon@ATHENA.MIT.EDU (Uri Blumenthal)
Sat Jul 13 21:37:52 1996

From: Uri Blumenthal <uri@watson.ibm.com>
To: cjwoods@paladin.com (Chris Woods)
Date: Fri, 12 Jul 1996 18:01:13 -0400 (EDT)
Cc: johnb@aztec.co.za, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199607111411.KAA03166@wire.paladin.com> from "Chris Woods" at Jul 11, 96 10:11:38 am
Reply-To: uri@watson.ibm.com

Chris Woods says:
>  > but, why would you want non-root users to make network connections and
>  > make changes to routing tables?
> 
> Remember that many, many linux boxes are single-user machines, being
> used as desktop PC's in offices or homes. We don't want to encourage
> end-users to keep a root shell open, or to do something as root that
> they really don't need to do.

A perfectly valid reason. Also, some multiuser machines do allow
*some* users to dial out, and possibly dial-out to establish IP
link to the outside.

In both cases, DIP has to be set-uid root. Of course, it makes sense
to have it also either set-gid whatever *group* is allowed to execute
it, with no permissions whatsoever for the others, like:

-rwsr-s---   1 root     dip         89101 Jun 11 00:01 /usr/sbin/dip

Or make some kind of wrapper, which controls group-wide access, but
still does not eliminate the need for DIP itself to be set-uid root.

>  > Do you _really_ want any 'ol luser on your system to dial out
>  > and do funny things with your modem?
> 
> I believe dip provides a means by which you can specify which users
> are allowed to use the service. I don't recall, honestly... it's been
> a long, long time since I've used dip.

Partially. DIP allows one to verify whether a dial-in user is permitted to
establish an IP connection, but that's about it (oh, plus some auth
stuff done)... More work is needed to incorporate better auth
methods...
-- 
Regards,
Uri		uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>
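The permission layout Uri describes above (set-uid root, set-gid to the access group, nothing for others: `-rwsr-s---`) is something an administrator would want to audit for as well as apply. The following shell script is an added example and not code from the thread or from the DIP project: it lists set-uid programs under a directory that every local account may execute, and applies the group-restricted mode to one of them. It assumes only POSIX `find`, `chmod` and `ls`; changing the owner to root and the group to an access group such as the `dip` group named in the mail requires root and is left to the administrator.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a directory for set-uid
# programs executable by everyone, and apply the group-restricted mode the
# mail suggests (-rwsr-s---) to a file.
set -u

# List regular files with BOTH the set-uid bit and the other-execute bit set,
# i.e. privileged programs that any local account can run.
audit_setuid_world_exec() {
    find "$1" -type f -perm -4001 | sort
}

# Restrict a set-uid program to its group: keep set-uid, add set-gid, and
# strip all permissions for "other". Owner/group changes (root:dip) are
# assumed to be done separately by root.
restrict_setuid_to_group() {
    chmod u+s,g+s,o-rwx "$1"
}

# Print the symbolic mode string of a file as ls shows it, e.g. "-rwsr-s---".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration on a constructed temporary tree (sample files, not real dip).
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/dip"
    chmod 4755 "$d/dip"          # set-uid and executable by everyone: flagged
    printf '#!/bin/sh\n' > "$d/safe"
    chmod 0755 "$d/safe"         # no set-uid bit: not flagged
    echo "before: $(audit_setuid_world_exec "$d")"
    restrict_setuid_to_group "$d/dip"
    echo "after : '$(audit_setuid_world_exec "$d")'"
    echo "mode  : $(mode_string "$d/dip")"
    rm -rf "$d"
}

[ "${1:-}" = demo ] && demo
```

Run with `sh audit_setuid.sh demo` to see the flagged file disappear from the audit once the mode is restricted. The `find -perm -4001` test only looks at mode bits; a wrapper program that in turn executes a world-unreadable set-uid binary, as the mail also mentions, would not be caught by it and has to be reviewed by hand.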
