
/etc/ppp/pap-secrets is read/writable only by root



Dave Coombs and I are attempting to update our wvdial intelligent internet
dialer package (http://www.worldvisions.ca/wvdial/) to work with the 'new'
pppd 2.3, so that wvdial can be included in hamm.

The problem is that pppd 2.3 no longer provides the "+ua" option, and so
/etc/ppp/pap-secrets and /etc/ppp/chap-secrets must be modified by wvdial in
order for it to work.

However, the ppp package provides /etc/ppp/{pap,chap}-secrets as mode 0600,
owned by root.  Thus, wvdial, which otherwise could run as a normal user
(and call a setuid pppd when necessary), must now run as root.

There are several solutions:

1) Bring back +ua.  We might restrict access to the option using a config
   file somewhere, but there should be some way to allow a normal user (who
   is a member of the 'dip' and 'dialout' groups) to provide his own
   authentication information.  This is a reasonable thing to allow, at
   least in many installations.
   (#1 is my favourite solution)

2) Downgrade the Debian ppp package to 2.2.0f.  This version worked fine,
   while the new one is likely to disrupt many people's ppp configurations.
   (I used +ua myself long before writing wvdial, so I assume others do as
   well.)

3) Make /etc/ppp/{pap,chap}-secrets read/writable by group 'dip'.  I don't
   like this much at all, but wvdial would work in that case.  If #1 and #2
   cannot be implemented, this is what I will be recommending to users who
   have only one or two trusted users in group 'dip' and who want to dial as
   non-root.

4) Add all pap-secrets/chap-secrets ahead of time (as root), and wvdial
   won't have to do this by itself.  This reduces wvdial's usability and is
   IMHO an overly anal security requirement, so I'm not going to do it.

5) Run wvdial only as root.  WvDial-0.30 will be available shortly with the
   ability to modify /etc/ppp/{pap,chap}-secrets whenever it has permission.

Any suggestions?

Avery