Re: DSA 557-1 and CAN-2004-0564

To: "David F. Skoll" <dfs@roaringpenguin.com>
Cc: Martin Schulze <joey@infodrom.org>, debian-security@lists.debian.org, cve@mitre.org, pppoe@packages.debian.org
Subject: Re: DSA 557-1 and CAN-2004-0564
From: Max Vozeler <max@hinterhof.net>
Date: Mon, 4 Oct 2004 18:00:23 +0200
Message-id: <[🔎] 20041004160022.GA23690@nautile.roam.hinterhof.net>
Mail-followup-to: "David F. Skoll" <dfs@roaringpenguin.com>, Martin Schulze <joey@infodrom.org>, debian-security@lists.debian.org, cve@mitre.org, pppoe@packages.debian.org
In-reply-to: <[🔎] Pine.LNX.4.58.0410041025410.21496@shishi.roaringpenguin.com>
References: <[🔎] Pine.LNX.4.58.0410040952350.21496@shishi.roaringpenguin.com> <[🔎] 20041004141404.GY15510@finlandia.infodrom.north.de> <[🔎] Pine.LNX.4.58.0410041025410.21496@shishi.roaringpenguin.com>

Hi David,

On Mon, Oct 04, 2004 at 10:27:28AM -0400, David F. Skoll wrote:
> On Mon, 4 Oct 2004, Martin Schulze wrote:
> 
> > There are reasons users install it setuid / setgid, and these installations
> > are vulnerable.
> 
> I disagree.  There is absolutely *no* reason to install rp-pppoe
> setuid-root.  It is normally invoked by pppd, and pppd must be either
> invoked by root or setuid-root itself.  Could you name a scenario in
> which a setuid-root rp-pppoe is needed?

The pppd in Debian appears to change privileges back to those of the
invoking user before calling the program specified in the pty option,
preventing normal users from controlling PPPOE connections like other
normal PPP connections.

Eg:

| I have a user which is a member of the dip group. This should
| allow him to use "pon dsl-provider" to dial in. However, a 
| permission problem prevents this: pppd drops too many provileges
| before it starts pppoe!

(from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=172376)

Then again since you recommend against giving it setuid root, there
may be other unforseen effects in the Debian package besides the file
creation/ overwriting that I noticed.

Cheers,
Max

-- 
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC

Reply to:

Follow-Ups:
- Re: DSA 557-1 and CAN-2004-0564
  - From: Christian Hudon <chrish@pianocktail.org>

References:
- Re: DSA 557-1 and CAN-2004-0564
  - From: "David F. Skoll" <dfs@roaringpenguin.com>
- Re: DSA 557-1 and CAN-2004-0564
  - From: Martin Schulze <joey@infodrom.org>
- Re: DSA 557-1 and CAN-2004-0564
  - From: "David F. Skoll" <dfs@roaringpenguin.com>

Prev by Date: Re: DSA 557-1 and CAN-2004-0564
Next by Date: Re: DSA 557-1 and CAN-2004-0564
Previous by thread: Re: DSA 557-1 and CAN-2004-0564
Next by thread: Re: DSA 557-1 and CAN-2004-0564
Index(es):
- Date
- Thread