author | Theo de Raadt <deraadt@cvs.openbsd.org> | 2002-05-19 09:40:24 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 2002-05-19 09:40:24 +0000 |
commit | d5855292a281a5afcb1d197de43f5db9b769de69 | |
tree | 7be65582f861d259478b52f3142da2cc69d70c34 | |
parent | 822e00f5b106ae7a133cdd5bbc53af886f232093 | |

move to setgid network, and doc why

-rw-r--r-- | usr.sbin/sliplogin/Makefile | 5 |
-rw-r--r-- | usr.sbin/sliplogin/sliplogin.8 | 21 |
2 files changed, 11 insertions, 15 deletions
diff --git a/usr.sbin/sliplogin/Makefile b/usr.sbin/sliplogin/Makefile index effe3253e8c..794e5ea7489 100644 --- a/usr.sbin/sliplogin/Makefile +++ b/usr.sbin/sliplogin/Makefile @@ -1,10 +1,11 @@ -# $OpenBSD: Makefile,v 1.4 1997/09/21 11:44:24 deraadt Exp $ +# $OpenBSD: Makefile,v 1.5 2002/05/19 09:40:23 deraadt Exp $ PROG= sliplogin MAN= sliplogin.8 FILES= slip.hosts slip.login BINOWN= root -BINMODE=4555 +BINGRP= network +BINMODE=4554 .include <bsd.prog.mk> diff --git a/usr.sbin/sliplogin/sliplogin.8 b/usr.sbin/sliplogin/sliplogin.8 index 64f2d7025c3..01694f4a627 100644 --- a/usr.sbin/sliplogin/sliplogin.8 +++ b/usr.sbin/sliplogin/sliplogin.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sliplogin.8,v 1.6 2000/12/15 14:31:18 aaron Exp $ +.\" $OpenBSD: sliplogin.8,v 1.7 2002/05/19 09:40:23 deraadt Exp $ .\" .\" Copyright (c) 1990, 1991 The Regents of the University of California. .\" All rights reserved. @@ -32,7 +32,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)sliplogin.8 5.4 (Berkeley) 8/5/91 -.\" $Id: sliplogin.8,v 1.6 2000/12/15 14:31:18 aaron Exp $ +.\" $Id: sliplogin.8,v 1.7 2002/05/19 09:40:23 deraadt Exp $ .\" .Dd August 5, 1991 .Dt SLIPLOGIN 8 @@ -164,18 +164,13 @@ is the local host IP netmask. .Pp Note that .Nm -must be setuid to root and, while not a security hole, moral defectives -can use it to place terminal lines in an unusable state and/or deny +must be setuid to root and is only executable by users in group +.Va network . +To permit use, place a user into that group. Users in that group +are of course also able to use +.Nm +to place terminal lines in an unusable state and/or deny access to legitimate users of a remote slip line. -To prevent this a site can create a group, say -.Em slip , -that only the slip login accounts are put in then make sure that -.Pa /usr/sbin/sliplogin -is in group -.Em slip -and mode 4550 (setuid root, only group -.Em slip -can execute binary). .Sh DIAGNOSTICS .Nm logs various information to the system log daemon, |
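Review bot: In usr.sbin/sliplogin/Makefile, BINMODE=4554 keeps the setuid-root bit (4000) and sets no setgid bit (2000), so the result is a setuid-root binary whose execute permission is limited to the owner and group network; that does not match the commit message's "move to setgid network", and one of the two should be reworded. The mode also leaves the other-read bit set, where the man page paragraph removed in this same commit recommended 4550; if world-readable is intended, a one-line comment above BINMODE saying so would settle it. BINGRP= network assumes the group already exists when the binary is installed, and nothing in the two files changed here creates it.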
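Review bot: In the usr.sbin/sliplogin/sliplogin.8 hunk at @@ -164,18 +164,13 @@, the added line "To permit use, place a user into that group. Users in that group" starts a new sentence mid-line; mdoc source should begin each sentence on its own line so end-of-sentence spacing renders correctly. The group name is marked up with .Va, which is meant for variable names, while the removed paragraph used .Em for the group; keeping .Em would be consistent with the rest of the page. The old text stated the exact mode (4550) and the new text states none, so adding the installed mode next to "only executable by users in group network" would let an administrator check the installed binary against the manual.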