Re: DSA 557-1 and CAN-2004-0564

To: Marco d'Itri <md@Linux.IT>, Christian Hudon <chrish@pianocktail.org>, Martin Schulze <joey@infodrom.org>, debian-security@lists.debian.org
Subject: Re: DSA 557-1 and CAN-2004-0564
From: Max Vozeler <max@hinterhof.net>
Date: Wed, 6 Oct 2004 15:34:47 +0200
Message-id: <[🔎] 20041006133447.GA26073@nautile.roam.hinterhof.net>
Mail-followup-to: Marco d'Itri <md@Linux.IT>, Christian Hudon <chrish@pianocktail.org>, Martin Schulze <joey@infodrom.org>, debian-security@lists.debian.org
In-reply-to: <[🔎] 20041006121132.GA6680@wonderland.linux.it>
References: <[🔎] Pine.LNX.4.58.0410040952350.21496@shishi.roaringpenguin.com> <[🔎] 20041004141404.GY15510@finlandia.infodrom.north.de> <[🔎] Pine.LNX.4.58.0410041025410.21496@shishi.roaringpenguin.com> <[🔎] 20041004160022.GA23690@nautile.roam.hinterhof.net> <[🔎] 41617700.2020807@pianocktail.org> <[🔎] 20041006120906.GA25162@nautile.roam.hinterhof.net> <[🔎] 20041006121132.GA6680@wonderland.linux.it>

On Wed, Oct 06, 2004 at 02:11:32PM +0200, Marco d'Itri wrote:
> On Oct 06, Max Vozeler <max@hinterhof.net> wrote:
> 
> > It would make it possible for /usr/sbin/pppoe to get rid of setuid root
> > and still work for unprivileged users. Marco, how does this look to you?
> > Would you consider including such an option in ppp?
>
> I think I'm missing something. What's wrong with pppoe being setuid?

Upstream says it wasn't designed for that (see the beginning of the
thread on debian-security [1]) so there may well be other security bugs
lurking.

> Anyway, pppoe is deprecated and superseded by the kernel-space driver,
> so I'm not much interested in hacking pppd for its benefit.

I don't know much about that, but pppoe is still installed on a great
many system (#390 in popcon). Having something like the pty-keep-privs
option would bring a potentially big improvement for security of those
systems.

Cheers,
Max

[1] http://lists.debian.org/debian-security/2004/10/msg00004.html

-- 
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC

Reply to:

References:
- Re: DSA 557-1 and CAN-2004-0564
  - From: "David F. Skoll" <dfs@roaringpenguin.com>
- Re: DSA 557-1 and CAN-2004-0564
  - From: Martin Schulze <joey@infodrom.org>
- Re: DSA 557-1 and CAN-2004-0564
  - From: "David F. Skoll" <dfs@roaringpenguin.com>
- Re: DSA 557-1 and CAN-2004-0564
  - From: Max Vozeler <max@hinterhof.net>
- Re: DSA 557-1 and CAN-2004-0564
  - From: Christian Hudon <chrish@pianocktail.org>
- Re: DSA 557-1 and CAN-2004-0564
  - From: Max Vozeler <max@hinterhof.net>
- Re: DSA 557-1 and CAN-2004-0564
  - From: Marco d'Itri <md@Linux.IT>

Prev by Date: Re: [SECURITY] [DSA 559-1] New net-acct packages fix insecure temporary file creation
Next by Date: A tripwire annoyance
Previous by thread: Re: DSA 557-1 and CAN-2004-0564
Next by thread: Strange X11 Assersion
Index(es):
- Date
- Thread