On Sun, Feb 16, 2003 at 12:06:36 +0100, Dag-Erling Smorgrav wrote: > "Andrey A. Chernov" <[EMAIL PROTECTED]> writes: > > Admins with no /etc/opieaccess AFFECTED! > > Admins with no /etc/opieaccess IDIOTS for not running mergemaster!
First of all, there are many years of existen OPIE administration practice which every OPIE admin know, and this practice says that this file is not needed in many setups. In hypotetical case that FreeBSD deside to break this rule for some unknown reason, it must be well documented in both manpages and release notes. But, currently documented exact oppisite variant. Please read this quote from opieaccess(5), where OPIE authors explicetely state that this file can leads to security hole and always should be treated as optional. "In any environment, it should be considered a transition tool and not a permanent fixture. When it is not being used as a transition tool, a version of OPIE that has been built without support for the opieaccess file should be built to prevent the possibility of an attacker using this file as a means to circumvent the OPIE software." Even some new admins read manpages and delete this file after reading that. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message