Re: Bug#4673: ppp insecure
On Thu, 24 Oct 1996, Ian Jackson wrote:
ijackson >The problem is that with the configuration as shipped any unprivileged
ijackson >user can run pppd (I have verified this) and quite likely interfere
ijackson >with the system's sensible operation.

This has been extensively discussed on the ppp mailing lists and a number
of fixes have been made so that the system administrator can limit the
access a user has. There is still a problem with inbound/outbound
operation as set up by default by the pppd for Debian. There is the
potential of a user establishing a ppp connection with some undesired
system out there with the current default setup if the pap-secrets and
chap-secrets and /etc/ppp/options are not customized.

It is intended that any unprivileged user can run pppd so that that user
can establish a pppd connection from the commandline.

You can simply put the connect
string in /etc/ppp/options and thereby disable any other usage except
connecting to a specific system. That of course will make it impossible to
accept any incoming connections since the chatscript will be run all the
time (You cannot override options in /etc/ppp/options by commandline
options!).

ijackson >Furthermore, I have doubts as to whether pppd was designed to be
ijackson >installed setuid. Are there any facilities for limiting which options
ijackson >can be set by unprivileged users, and if not why are they not
ijackson >documented ?

They are documented in the manpage. Here is the relevant part:

    pppd provides system administrators with sufficient access
    control that PPP access to a server machine can be provided
    to legitimate users without fear of compromising the
    security of the server or the network it's on. In part
    this is provided by the /etc/ppp/options file, where the
    administrator can place options to require authentication
    whenever pppd is run, and in part by the PAP and CHAP
    secrets files, where the administrator can restrict the
    set of IP addresses which individual users may use.

ijackson >It seems likely to me that pppd wasn't designed for setuid use and
ijackson >that installing it setuid will allow any user to get root by for
ijackson >example having pppd write logs to unusual places or whatever.

pppd is customarily used setuid on all systems that I have encountered.
You might want to get on the mailing lists for ppp or talk with Al
Longyear <longyear@netcom.com> <longyear@sii.com> the maintainer of the
pppd for Linux for further details. I have contributed to the standard ppp
distribution so Al should know me but I certainly have not all the reasons
for designing pppd the way it is in my mind.

{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}
{} Consulting available for Networking / Unix / Crossplatform integration {}
{} Snail Mail: FTS Box 466, 135 N.Oakland Ave, Pasadena, CA 91182 {}
{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}{}
PGP Public Key = FB 9B 31 21 04 1E 3A 33 C7 62 2F C0 CD 81 CA B5
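
An audit of the two controls named in the man page excerpt quoted above (authentication required in /etc/ppp/options, per-user IP address restrictions in the secrets files), added here as an example; it is not part of the original message or of the ppp distribution. It assumes the secrets layout `client server secret [addresses...]`; treating a missing address list or `*` as unrestricted is this example's own policy, and the sample file contents are constructed.

```python
import shlex

def entries(text):
    """Return the fields of each non-blank, non-comment line (quotes honoured)."""
    rows = (shlex.split(line, comments=True) for line in text.splitlines())
    return [row for row in rows if row]

def audit_options(text):
    """Flag an options file that does not require the peer to authenticate."""
    if any(row[0] == "auth" for row in entries(text)):
        return []
    return ["options: 'auth' not set, so peers need not authenticate"]

def audit_secrets(text, name):
    """Flag secrets entries not tied to an explicit list of IP addresses."""
    findings = []
    for row in entries(text):
        client = row[0]
        if len(row) < 3:
            # Report the client only; never echo fields that may hold a secret.
            findings.append(f"{name}: malformed entry for client {client}")
            continue
        addrs = row[3:]
        # Assumed policy: every entry must list the addresses it may use.
        if not addrs or "*" in addrs:
            findings.append(f"{name}: client {client} has no explicit address restriction")
    return findings

def audit(options_text, pap_text):
    """Run both checks and return all findings in order."""
    return audit_options(options_text) + audit_secrets(pap_text, "pap-secrets")

# Constructed sample inputs (not taken from any real system).
SAMPLE_OPTIONS = """\
# /etc/ppp/options
lock
crtscts
"""
SAMPLE_PAP = """\
# client  server  secret      addresses
alice     gate    "s3cret-a"  192.0.2.10
bob       gate    "s3cret-b"
carol     gate    "s3cret-c"  *
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_OPTIONS, SAMPLE_PAP):
        print(finding)
```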