Bug#126406: KPPP fixes, derived from #126406
Hello,
Well, no response from Marco yet. I've incorporated your suggestion,
however, and made "noauth" in /etc/ppp/peers/kppp-options commented out
by default. I've also documented this change.
While kppp will require root intervention to get "noauth", this is still
an improvement, in terms of security, over simply instructing users to
set "noauth" in /etc/ppp/options, since "auth" will still be the default;
only malicious users could exploit "noauth".
I've attached the two updated patches. But I'm still hoping someone can
come up with a clever solution that won't require any editing of files at
all.
Cheers,
Christopher Martin
--- kdenetwork-3.2.2/debian/rules 2004-04-28 16:39:18.000000000 -0400
+++ kdenetwork-3.2.2/debian/rules 2004-05-06 16:03:56.000000000 -0400
@@ -160,10 +160,16 @@
cd $(objdir) && \
$(MAKE) install DESTDIR=$(CURDIR)/debian/tmp
+ # Create special ppp config file for kppp
+ mkdir -p debian/tmp/etc/ppp/peers
+ echo "#noauth" > debian/tmp/etc/ppp/peers/kppp-options
+
# kppp permissions
chown root:dip debian/tmp/usr/bin/kppp*
- chmod 2754 debian/tmp/usr/bin/kppp
+ chown root:dip debian/tmp/etc/ppp/peers/kppp-options
+ chmod 4754 debian/tmp/usr/bin/kppp
chmod 0754 debian/tmp/usr/bin/kppplogview
+ chmod 0640 debian/tmp/etc/ppp/peers/kppp-options
#chmod 4755 debian/tmp/usr/sbin/reslisa
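Review bot: the change from `chmod 2754` to `chmod 4754` on debian/tmp/usr/bin/kppp replaces a setgid bit with a setuid bit on a binary that the `chown root:dip` line makes root-owned, and nothing in the hunk says why. With mode 4754 every member of dip runs kppp with root's effective uid, which is a wider grant than the group id it carried before. Add a comment next to the chmod stating what needs root, or keep 2754 if group read access to the 0640 root:dip kppp-options file is all that is required. Consider also writing a one-line header comment into kppp-options alongside `#noauth` that points to README.Debian, so an administrator opening the file knows what uncommenting the option does.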
@@ -205,7 +211,7 @@
dh_link
dh_strip
dh_compress -X.bz2 -X.css -X.dcl -X.docbook -X-license -X.tag
- dh_fixperms -Xusr/bin/kppp -Xusr/bin/kppplogview
+ dh_fixperms -Xusr/bin/kppp -Xusr/bin/kppplogview -Xetc/ppp/peers/kppp-options
dh_perl
# dh_python
dh_makeshlibs -V
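Review bot: the new `-Xetc/ppp/peers/kppp-options` exclusion on the dh_fixperms line has no comment explaining that it exists to preserve the 0640 root:dip mode set earlier in the file; add one so a later cleanup does not drop it and let dh_fixperms reset the mode. Since -X matches an item anywhere in the filename, `-Xusr/bin/kppp` already covers kppplogview, so the list could be shortened in the same change.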
--- ../../orig/kdenetwork-3.2.2/debian/kppp.README.Debian 2004-04-28 16:39:18.000000000 -0400
+++ kppp.README.Debian 2004-05-06 16:12:47.000000000 -0400
@@ -2,20 +2,13 @@
==========================
In order to actually use kppp you must first be a part of the "dip" group.
-This is the same for using PPP in general on Debian. If you are not a part
-of this group you will not be able to actually run pppd or setup proper
-connections.
+This is the standard for using ppp in general with Debian. If you are not a
+member of this group, you will not be able to run pppd or setup connections.
-
-kppp and immediate disconnects
-==============================
-
-In order for kppp to properly work you must set "noauth" in /etc/ppp/options.
-Keep in mind that you main have /etc/ppp/options.ttyS0 (For example) so make
-sure you change it in the proper (all?) file.
-
-The default is "auth" so if you don't change this most likely you'll connect
-and end up just getting a disconnect shortly after.
-
-
-- Ivan E. Moore II <rkrusty@debian.org>
+Furthermore, kppp requires that the ppp daemon be run with the "noauth"
+option. However, pppd's default setting is "auth", and for security reasons
+it should remain so. To work around this problem, uncomment "noauth" in
+/etc/ppp/peers/kppp-options. You should then be able to connect. Note that
+making this change opens the possibility that other malicious members of the
+"dip" group could now potentially abuse the ppp daemon with the "noauth"
+option.
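Review bot: the added paragraph tells the reader to uncomment "noauth" in /etc/ppp/peers/kppp-options but does not say this has to be done as root; the debian/rules change installs the file 0640 root:dip, so a dip member can read it but not edit it, and the README should say so explicitly. The hunk also deletes the `-- Ivan E. Moore II <rkrusty@debian.org>` signature line without a replacement and drops the note about per-device files such as /etc/ppp/options.ttyS0; keep the attribution and say whether those files still matter. Minor wording: "setup connections" should be "set up connections", and "other malicious members" reads better as "malicious members".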