[j-nsp] Re: Running a code on router
Richard A Steenbergen
ras at e-gerbil.net
Thu Jan 12 16:56:49 EST 2006
On Thu, Jan 12, 2006 at 09:43:37PM +0000, Michael Shields wrote:
>
> Unfortunately, those likely to use weak passwords and leave their
> routers ssh-accessible are also those who are least likely to notice
> a reload or config change. So if there is going to be a knob to
> enable running unsigned code, it ought to be really hard to turn,
> maybe requiring physical access to the router. Otherwise the first
> person to crack a password will just turn off the signature checking,
> and then Juniper might as well not have implemented it at all.
I suppose you could make everyone happy by adding a sysctl which can only
be set while in single user mode, if you could tie it in to whatever
persistent storage Juniper uses for things like machdep.bootdevs without
requiring a bios upgrade.
It doesn't even have to be official, if you can't figure out how to set a
sysctl in single user mode on your own, you probably don't deserve the
title of power user anyways. You could probably solve the obvious
"upgrading to 7.5" problem with a flag passed through the existing
pkg/installer system, telling it not to activate the exec security while
upgrading.
Pffft who am I kidding, that'll never happen. Easier just to turn off
unsigned binary execution and tell the power users to suffer. :)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
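As an added illustration of the knob semantics discussed in this thread (this is example code written for this page, not Juniper, JUNOS or FreeBSD code, and the names exec_policy, policy_boot, policy_set_allow_unsigned and policy_begin_upgrade are made up), the following userland model enforces a securelevel-style rule: the "allow unsigned execution" setting may be tightened from any runlevel but only loosened from single-user mode, it is written to a simulated persistent store so it survives reboot, and the installer's "don't enforce while upgrading" flag is a transient bypass that is never persisted and is cleared on every boot. The NVRAM store is a string buffer standing in for whatever the real platform uses; the runlevel is passed in explicitly rather than detected.

```c
/*
 * Userland model of a securelevel-style knob for unsigned-binary execution.
 * Hypothetical names and storage; not code from Juniper, JUNOS or FreeBSD.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum runlevel { RL_SINGLE_USER = 1, RL_MULTI_USER = 3 };

/* Constructed stand-in for the platform's persistent store (NVRAM/loader
 * variable). Survives policy_boot(), which models a reboot. */
static char nvram_store[64] = "allow_unsigned_exec=0";

struct exec_policy {
    bool allow_unsigned;    /* the persisted knob */
    bool upgrade_bypass;    /* transient installer flag; never persisted */
    enum runlevel runlevel; /* supplied by the caller in this model */
};

/* Boot: reload the knob from the store, drop any transient bypass. */
void policy_boot(struct exec_policy *p, enum runlevel rl)
{
    p->allow_unsigned = (strcmp(nvram_store, "allow_unsigned_exec=1") == 0);
    p->upgrade_bypass = false;
    p->runlevel = rl;
}

static void policy_persist(const struct exec_policy *p)
{
    snprintf(nvram_store, sizeof nvram_store, "allow_unsigned_exec=%d",
             p->allow_unsigned ? 1 : 0);
}

/* Tightening is always allowed; loosening only from single-user mode,
 * which on a router implies console or physical access. Returns 0 on
 * success, -1 (EPERM-like) when refused. */
int policy_set_allow_unsigned(struct exec_policy *p, bool allow)
{
    if (allow && p->runlevel != RL_SINGLE_USER)
        return -1;
    p->allow_unsigned = allow;
    policy_persist(p);
    return 0;
}

/* Installer flag: suppress enforcement for the duration of an upgrade.
 * Deliberately not written to the store, so a reboot mid-upgrade
 * comes back enforcing. */
void policy_begin_upgrade(struct exec_policy *p) { p->upgrade_bypass = true; }
void policy_end_upgrade(struct exec_policy *p)   { p->upgrade_bypass = false; }

/* The exec-time check: signed binaries always run; unsigned ones only
 * when the knob is loosened or an upgrade bypass is active. */
bool policy_exec_allowed(const struct exec_policy *p, bool binary_is_signed)
{
    return binary_is_signed || p->allow_unsigned || p->upgrade_bypass;
}

/* Walks the scenario from the thread; returns 0 if every check holds,
 * otherwise the number of the first failing step. */
int policy_scenario(void)
{
    struct exec_policy p;
    strcpy(nvram_store, "allow_unsigned_exec=0"); /* factory state */

    /* 1. Fresh multi-user boot: signed runs, unsigned does not. */
    policy_boot(&p, RL_MULTI_USER);
    if (policy_exec_allowed(&p, false) || !policy_exec_allowed(&p, true)) return 1;

    /* 2. Someone who cracked a password has a multi-user shell only:
     *    they cannot loosen the knob. */
    if (policy_set_allow_unsigned(&p, true) != -1 || p.allow_unsigned) return 2;

    /* 3. Installer bypass covers the upgrade but does not persist. */
    policy_begin_upgrade(&p);
    if (!policy_exec_allowed(&p, false)) return 3;
    policy_end_upgrade(&p);
    if (policy_exec_allowed(&p, false)) return 4;
    policy_begin_upgrade(&p);
    policy_boot(&p, RL_MULTI_USER);            /* reboot mid-upgrade */
    if (p.upgrade_bypass || policy_exec_allowed(&p, false)) return 5;

    /* 4. From single-user mode the knob can be loosened and it persists. */
    policy_boot(&p, RL_SINGLE_USER);
    if (policy_set_allow_unsigned(&p, true) != 0) return 6;
    policy_boot(&p, RL_MULTI_USER);
    if (!p.allow_unsigned || !policy_exec_allowed(&p, false)) return 7;

    /* 5. Tightening works from multi-user and persists too. */
    if (policy_set_allow_unsigned(&p, false) != 0) return 8;
    policy_boot(&p, RL_MULTI_USER);
    if (p.allow_unsigned || policy_exec_allowed(&p, false)) return 9;

    return 0;
}

int main(void)
{
    int r = policy_scenario();
    printf("scenario %s (step %d)\n", r == 0 ? "passed" : "FAILED", r);
    return r;
}
```

The property that matters for the thread is step 2: a remote shell obtained by guessing a password can switch signature checking on but never off, so the knob does not undo the signing scheme the way Michael worried about. The real cost is in step 3, which is exactly the installer bypass Richard proposes: anything that can convince the system an upgrade is in progress gets unsigned execution for the duration, so on a real platform that flag needs to be reachable only from the signed installer itself, not from a sysctl.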