Bug#126406: KPPP fixes, derived from #126406
On Wednesday 05 May 2004 19:59, Christopher Martin wrote:
> Hello,
>
> To deal with the problems users are having configuring KPPP, I've put
> together some small patches (based on the ideas, not my own, discussed in
> Bug #126406) that should resolve these issues. The patches are attached
> to the e-mail I sent to 126406@bugs.debian.org, which for some reason
> hasn't been CCed to debian-qt-kde.
Great! Thx Christopher. FWIW I had a look at the patches and
AFAICS it looks okay. Just one security note (sorry, no modem
access to test):

AFAIR you can use pppd with several call options.

    pppd call x call y ...

This means everyone in dip group can now add noauth via
call kppp-options to pppd.

So in principle a bad member of the dip group could start
a listening pppd daemon that allows dialup access without
authorization (without noauth one needs to edit
pap,chap-secrets or add noauth in options or peers/*).
That can only be done by root. So it weakens security.

If this scenario is not too paranoid I would say
ship kppp-options with noauth commented out and document
in README how to enable it (or maybe even add a dialog
to kppp to warn about it). Grmbl, I really hope it's
not necessary ;)

Maybe one should ask/cc/fwd pppd maintainer before applying to
kdenetwork pkgs?

Achim

> There are two distinct problems. KPPP must be SUID root, in order for PAP
> and/or CHAP authentication to work, given the way KPPP operates. This is
> unavoidable (it creates and moves files around in /etc/ppp). I've set
> kppp to be 4754 root.dip (the same permissions as pppd), so membership in
> the dip group is still needed to execute kppp.
>
> Even when SUID, however, the custom pppd argument "noauth" doesn't
> actually seem to have an effect, for some odd reason, and setting
> "noauth" is necessary. Since having users edit /etc/ppp/options is bad
> and cumbersome, I've added a work-around, /etc/ppp/peers/kppp-options,
> which contains the string "noauth", and which is used by giving kppp the
> default custom pppd argument "call kppp-options". When done this way, the
> noauth option actually takes effect.
>
> Also, I've elevated ppp from a Recommends to a dependency, since many
> (most? all?) dial-up connections will need it, and this keeps things easy
> and simple for users. Finally, I've removed the segment of documentation
> which instructed users to modify /etc/ppp/options.
>
> With these changes, KPPP should "just work" without any mucking around
> whatsoever, except for configuration of the modem itself (symlinks, dev
> node creation if necessary, etc.).
>
> Christopher Martin
--
To me vi is Zen. To use vi is to practice zen. Every command is
a koan. Profound to the user, unintelligible to the uninitiated.
You discover truth everytime you use it.
-- reddy@lion.austin.ibm.com
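
A check an administrator could run after a change like the one discussed in this thread, written as an added example and not part of either message or of the Debian packages: it lists the files in a pppd peers directory that contain an active noauth, since any of them can be selected with "pppd call <name>". The function names and the sample files are constructed for the example, and comments are assumed to run from '#' to the end of the line.

```shell
#!/bin/sh
# Added example: find pppd peer files that switch authentication off.

# peers_with_noauth DIR
# Prints the name of every regular file in DIR that contains the
# option word "noauth" outside a comment.
peers_with_noauth() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Strip '#' comments, then match the exact word so that a
        # commented-out line or a longer word is not reported.
        if awk '{ sub(/#.*/, "")
                  for (i = 1; i <= NF; i++) if ($i == "noauth") found = 1 }
                END { exit !found }' "$f"; then
            basename "$f"
        fi
    done
}

# demo: run the check over constructed peer files in a temp directory.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'noauth\n'              > "$tmp/kppp-options"            # active
    printf '# noauth\n'            > "$tmp/kppp-options-commented"  # disabled
    printf 'user alice\nnoauthx\n' > "$tmp/provider"                # other word
    peers_with_noauth "$tmp"
    rm -rf "$tmp"
}

# With an argument, scan that directory (e.g. /etc/ppp/peers);
# without one, run the constructed demo.
if [ $# -gt 0 ]; then
    peers_with_noauth "$1"
else
    demo
fi
```

Run against /etc/ppp/peers, each name printed is a peer file whose noauth takes effect for any user permitted to execute pppd.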