
Bug#126406: KPPP fixes, derived from #126406



Hello,

Well, no response from Marco yet. I've incorporated your suggestion, 
however, and made "noauth" in /etc/ppp/peers/kppp-options commented out 
by default. I've also documented this change.

While kppp will require root intervention to get "noauth", this is still 
an improvement, in terms of security, over simply instructing users to 
set "noauth" in /etc/ppp/options, since "auth" will still be the default; 
only malicious users could exploit "noauth".

I've attached the two updated patches. But I'm still hoping someone can 
come up with a clever solution that won't require any editing of files at 
all.

Cheers,
Christopher Martin
--- kdenetwork-3.2.2/debian/rules	2004-04-28 16:39:18.000000000 -0400
+++ kdenetwork-3.2.2/debian/rules	2004-05-06 16:03:56.000000000 -0400
@@ -160,10 +160,16 @@
 	cd $(objdir) && \
 	$(MAKE) install DESTDIR=$(CURDIR)/debian/tmp
 
+	# Create special ppp config file for kppp
+	mkdir -p debian/tmp/etc/ppp/peers
+	echo "#noauth" > debian/tmp/etc/ppp/peers/kppp-options
+
 	# kppp permissions
 	chown root:dip debian/tmp/usr/bin/kppp*
-	chmod 2754 debian/tmp/usr/bin/kppp
+	chown root:dip debian/tmp/etc/ppp/peers/kppp-options
+	chmod 4754 debian/tmp/usr/bin/kppp
 	chmod 0754 debian/tmp/usr/bin/kppplogview
+	chmod 0640 debian/tmp/etc/ppp/peers/kppp-options 
 
 	#chmod 4755 debian/tmp/usr/sbin/reslisa
 
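Review bot: the `chmod 4754 debian/tmp/usr/bin/kppp` line replaces `chmod 2754`, so kppp goes from setgid to setuid, and with the `chown root:dip` above that means setuid root for every member of dip, yet nothing in the hunk says why. Since kppp-options is installed root:dip with mode 0640, group dip can already read it, so the rules file should carry a comment next to the chmod stating what actually needs root. The added `chmod 0640` line also ends in trailing whitespace.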
@@ -205,7 +211,7 @@
 	dh_link
 	dh_strip
 	dh_compress -X.bz2 -X.css -X.dcl -X.docbook -X-license -X.tag
-	dh_fixperms -Xusr/bin/kppp -Xusr/bin/kppplogview
+	dh_fixperms -Xusr/bin/kppp -Xusr/bin/kppplogview -Xetc/ppp/peers/kppp-options
 	dh_perl
 #	dh_python
 	dh_makeshlibs -V
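Review bot: the new `-Xetc/ppp/peers/kppp-options` exclusion on the dh_fixperms line is undocumented, although it is the only thing preserving the root:dip ownership and 0640 mode set earlier in the install target. A one-line comment above dh_fixperms noting that the excluded files carry deliberate non-default permissions would keep a later cleanup from dropping it.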
--- ../../orig/kdenetwork-3.2.2/debian/kppp.README.Debian	2004-04-28 16:39:18.000000000 -0400
+++ kppp.README.Debian	2004-05-06 16:12:47.000000000 -0400
@@ -2,20 +2,13 @@
 ==========================
 
 In order to actually use kppp you must first be a part of the "dip" group.
-This is the same for using PPP in general on Debian.  If you are not a part
-of this group you will not be able to actually run pppd or setup proper
-connections.
+This is the standard for using ppp in general with Debian.  If you are not a
+member of this group, you will not be able to run pppd or setup connections.
 
-
-kppp and immediate disconnects
-==============================
-
-In order for kppp to properly work you must set "noauth" in /etc/ppp/options.
-Keep in mind that you main have /etc/ppp/options.ttyS0 (For example) so make
-sure you change it in the proper (all?) file.
-
-The default is "auth" so if you don't change this most likely you'll connect
-and end up just getting a disconnect shortly after.
-
-
-- Ivan E. Moore II <rkrusty@debian.org>
+Furthermore, kppp requires that the ppp daemon be run with the "noauth"
+option.  However, pppd's default setting is "auth", and for security reasons
+it should remain so.  To work around this problem, uncomment "noauth" in
+/etc/ppp/peers/kppp-options.  You should then be able to connect.  Note that
+making this change opens the possibility that other malicious members of the
+"dip" group could now potentially abuse the ppp daemon with the "noauth"
+option.
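Review bot: the new paragraph tells the reader to uncomment "noauth" in /etc/ppp/peers/kppp-options but never says the edit has to be made as root, which follows from the debian/rules change installing the file root:dip with mode 0640; state that explicitly. In the closing sentence, "other malicious members" reads as if the reader were one of them and "could now potentially" is redundant, and "setup connections" should be "set up connections". The hunk also removes the "-- Ivan E. Moore II" signature line without a replacement, so the file no longer records who wrote the note.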
