
Re: /etc/ppp/pap-secrets is read/writable only by root

On 7 Feb 1998 john@dhh.gt.org wrote:

> > However, the ppp package provides /etc/ppp/{pap,chap}-secrets as mode
> > 0600, owned by root.  Thus, wvdial, which otherwise could run as a normal
> > user (and call a setuid pppd when necessary) must now run as root.
> A suid program to edit /etc/ppp/{pap,chap}-secrets.  As I am about finished
> with my pppconfig program and my package 'dunc' suffers from the same
> problem, I will start work on this ASAP.  This will initially be a C
> wrapper around an ed script, and do nothing but add or remove the string
> given on the command line.

When I first read this, I thought:  "Hey, why didn't I think of that?"

However, while it sounds like a clever solution, I think it's the wrong one. 
You'll probably set it setuid root, gid dip, executable only by users in the
'dip' group.

Problem is, that's exactly equivalent to providing the "+ua" option right in
pppd, except that it's a hack.  The point of removing +ua was presumably to
prevent normal users from providing their own authentication information
(though I fully agree that in many cases, this _is_ desirable).

I would politely suggest that, rather than producing Yet Another Setuid
Program, you simply modify pppd to include +ua again.  I doubt it would be
any more difficult.  I wish the upstream pppd authors would answer my
e-mail, though.

Thanks for your input though,

