Re: pppd / pon problem
John P. writes:
> Maybe things have changed since I installed PPP, but on my home system
> /etc/ppp is owned root:root and has permissions 700. Users who are in
> the dip group can use PPP, because pppd is owned root:dip and has
> permissions 4754 (suid root, executable by group).
With /etc/ppp root.root and 700 users can't get to the provider files in
/etc/ppp/peers. This means pon won't work for them.
> Having /etc/ppp owned by root:dip and group readable is, in my opinion,
> bad. Setting it up that way allows any user that you trust to use *any*
> PPP account to read stuff in /etc/ppp, which may include stuff you don't
> want them to see (like pap-secrets).
Those files are root.root and have 600 permissions. The users can't read
them.
> On a single-user machine it's not so bad, but unless things have changed
> since 2.2.5-3...
Things have changed quite a bit, actually.
> ...it is unnecessary and potentially dangerous.
Here are the special permissions for the ppp package. Please point out any
security bugs.
chgrp dip debian/{tmp,ppp-pam}/usr/sbin/pppd
chmod 4754 debian/{tmp,ppp-pam}/usr/sbin/pppd
chmod 750 debian/tmp/etc/ppp
chmod 755 debian/tmp/etc/ppp/ip-up debian/tmp/etc/ppp/ip-down
chmod 600 debian/tmp/etc/ppp/pap-secrets
chmod 600 debian/tmp/etc/ppp/chap-secrets
chmod 640 debian/tmp/etc/ppp/peers/provider debian/tmp/etc/chatscripts/provider
chgrp dip debian/tmp/etc/ppp/peers/provider debian/tmp/etc/chatscripts/provider
chgrp dip debian/tmp/etc/ppp/peers debian/tmp/etc/chatscripts
chmod 2750 debian/tmp/etc/ppp/peers debian/tmp/etc/chatscripts
--
John Hasler
john@dhh.gt.org (John Hasler)
Dancing Horse Hill
Elmwood, WI
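
Added example, not part of the original message or of the ppp package: a small Python model of classic Unix mode-bit checks, applied to the modes listed in the message, showing which files a member of the dip group can read under the packaged layout and under the root:root 700 layout from the quoted text. Assumptions: every path is owned by root, /etc is root:root 755, /etc/ppp carries group dip (as in the quoted description; the listing shows no chgrp for it), and the user names are hypothetical.

```python
# Constructed table built from the chmod/chgrp lines in the message, with the
# debian/tmp build prefix dropped. Owner root everywhere is an assumption.
PACKAGED = {
    "/etc": ("root", "root", 0o755),          # assumption: standard /etc
    "/etc/ppp": ("root", "dip", 0o750),       # group dip is an assumption
    "/etc/ppp/pap-secrets": ("root", "root", 0o600),
    "/etc/ppp/chap-secrets": ("root", "root", 0o600),
    "/etc/ppp/peers": ("root", "dip", 0o2750),
    "/etc/ppp/peers/provider": ("root", "dip", 0o640),
    "/etc/chatscripts": ("root", "dip", 0o2750),
    "/etc/chatscripts/provider": ("root", "dip", 0o640),
}
# Layout described in the quoted text: /etc/ppp owned root:root, mode 700.
LOCKED = dict(PACKAGED, **{"/etc/ppp": ("root", "root", 0o700)})

FILES = [p for p in PACKAGED if p.endswith(("secrets", "provider"))]

def _bits(entry, user, groups):
    """Return the rwx triplet (0-7) that applies to this user for one entry.
    The first matching class wins: owner, then group, then other."""
    owner, group, mode = entry
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7

def can_read(tree, path, user, groups):
    """True if user can traverse every parent directory and read path.
    Models mode bits only: no ACLs, no root override, no setuid helper."""
    current = ""
    for name in path.strip("/").split("/")[:-1]:
        current += "/" + name
        if not _bits(tree[current], user, groups) & 1:   # x needed to traverse
            return False
    return bool(_bits(tree[path], user, groups) & 4)     # r needed on target

def audit(tree, user, groups):
    """Map each secrets/provider file to whether the user can read it."""
    return {path: can_read(tree, path, user, groups) for path in FILES}

if __name__ == "__main__":
    for label, tree in (("packaged", PACKAGED), ("root:root 700", LOCKED)):
        for user, groups in (("alice", {"alice", "dip"}), ("bob", {"bob"})):
            for path, ok in audit(tree, user, groups).items():
                print(f"{label:14} {user:6} {path:28} {'read' if ok else 'denied'}")
```

The model covers direct reads by the user only; it does not model what the setuid-root pppd binary itself can open.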