Re: permissions of /etc/ppp
At Sat, 16 Nov 2002 18:18:37 -0500,
Joey Hess wrote:
>
> [1 <text/plain; us-ascii (quoted-printable)>]
> John Hasler wrote:
> > Alexander Kotelnikov writes:
> > > Strange, I have it 755 root:root on my two Debian woody systems, and I am
> > > almost sure, that I have not changed this myself.
> >
> > It's 750 in the ppp package. As Joey noted some package that put a file
> > there (e.g., pppconfig) may have changed it on your system.
> >
> > I think it's an historical artifact. I can't think of any reason it needs
> > to be 750.
>
> Hmm, since ppp's current maintainer hasn't spoken up yet, maybe Phil Hands
> knows..
I take it that the question is "Why is /etc/ppp only readable by
root.dip?"
The answer is that there is sensitive information under that directory
(pap & chap passwords etc). OK, so you might argue that only the
password files need to be restricted, but IIRC there is some
information that can be gleaned by having search access to the
directory --- the fact of the existence of {p,ch}ap-secrets perhaps,
but I seem to remember it was more serious than that.
Presumably all those bug reports are lost in the mists of time?
Anyway, why are the permissions a problem? Given that anyone that
needs to do ppp dialing should be in the dip group, they will be able
to read that directory, no?
If you're wondering why the ability to launch ppp should be
restricted to dip group members, it's because the ability to bring up
ppp often implies the ability to run up phone bills, but also means
that you can work round various network security measures that the
sysadmin might have put in place.
Cheers, Phil.
P.S. I'm on holiday at present, and am only reading mail while my
Dad's Apple updates it's OS X version, so don't expect rapid replies
for about a week.
Reply to: