/etc/ppp/pap-secrets is read/writable only by root

Dave Coombs and I are attempting to update our wvdial intelligent internet
dialer package (http://www.worldvisions.ca/wvdial/) to work with the 'new'
pppd 2.3, so that wvdial can be included in hamm.

The problem is that pppd 2.3 no longer provides the "+ua" option, and so
/etc/ppp/pap-secrets and /etc/ppp/chap-secrets must be modified by wvdial in
order for it to work.

However, the ppp package provides /etc/ppp/{pap,chap}-secrets as mode 0600,
owned by root. Thus, wvdial, which otherwise could run as a normal user
(and call a setuid pppd when necessary) must now run as root.

There are several solutions:

1) Bring back +ua. We might restrict access to the option using a config
   file somewhere, but there should be some way to allow a normal user (who
   is a member of the 'dip' and 'dialout' groups) to provide his own
   authentication information. This is a reasonable thing to allow, at
   least in many installations.
   (#1 is my favourite solution)

2) Downgrade the Debian ppp package to 2.2.0f. This version worked fine,
   while the new one is likely to disrupt many people's ppp configurations.
   (I used +ua myself long before writing wvdial, so I assume others do as
   well.)

3) Make /etc/ppp/{pap,chap}-secrets read/writable by group 'dip'. I don't
   like this much at all, but wvdial would work in that case. If #1 and #2
   cannot be implemented, this is what I will be recommending to users who
   have only one or two trusted users in group 'dip' and who want to dial as
   non-root.

4) Add all pap-secrets/chap-secrets ahead of time (as root), and wvdial
   won't have to do this by itself. This reduces wvdial's usability and is
   IMHO an overly anal security requirement, so I'm not going to do it.

5) Run wvdial only as root. WvDial-0.30 will be available shortly with the
   ability to modify /etc/ppp/{pap,chap}-secrets whenever it has permission.

Any suggestions?
Avery
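
Added example, not part of the original message and not wvdial or ppp code: a small audit that reports whether each secrets file is still in the packaged state (mode 0600, owned by root) or has been opened to a group as in option 3, and which accounts that group brings in. The function names and report fields are assumptions made for this illustration.

```python
import grp
import os
import stat

SECRETS = ["/etc/ppp/pap-secrets", "/etc/ppp/chap-secrets"]

def classify_mode(mode):
    """Return who, by permission bits alone, can read or write the file."""
    perm = stat.S_IMODE(mode)
    if perm & (stat.S_IROTH | stat.S_IWOTH):
        return "world-accessible"
    if perm & (stat.S_IRGRP | stat.S_IWGRP):
        return "group-accessible"
    return "owner-only"

def audit_secret(path, expected_uid=0):
    """Report owner, mode and exposure for one secrets file."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except (FileNotFoundError, NotADirectoryError):
        return {"path": path, "exposure": "missing"}
    if not stat.S_ISREG(st.st_mode):
        return {"path": path, "exposure": "not-a-regular-file"}
    report = {
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "owner_ok": st.st_uid == expected_uid,  # packaged state: owned by root
        "exposure": classify_mode(st.st_mode),
        "group": None,
        "group_members": [],
    }
    if report["exposure"] == "group-accessible":
        try:
            entry = grp.getgrgid(st.st_gid)
            report["group"] = entry.gr_name
            # gr_mem lists supplementary members only; users whose primary
            # group is this gid also gain access and are not listed here.
            report["group_members"] = list(entry.gr_mem)
        except KeyError:
            report["group"] = str(st.st_gid)  # gid with no group database entry
    return report

if __name__ == "__main__":
    for p in SECRETS:
        print(audit_secret(p))
```
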