Hi David,

On Mon, Oct 04, 2004 at 10:27:28AM -0400, David F. Skoll wrote:
> On Mon, 4 Oct 2004, Martin Schulze wrote:
>
> > There are reasons users install it setuid / setgid, and these installations
> > are vulnerable.
>
> I disagree. There is absolutely *no* reason to install rp-pppoe
> setuid-root. It is normally invoked by pppd, and pppd must be either
> invoked by root or setuid-root itself. Could you name a scenario in
> which a setuid-root rp-pppoe is needed?

The pppd in Debian appears to change privileges back to those of the
invoking user before calling the program specified in the pty option,
preventing normal users from controlling PPPOE connections like other
normal PPP connections. E.g.:

| I have a user which is a member of the dip group. This should
| allow him to use "pon dsl-provider" to dial in. However, a
| permission problem prevents this: pppd drops too many privileges
| before it starts pppoe!

(from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=172376)

Then again, since you recommend against giving it setuid root, there may
be other unforeseen effects in the Debian package besides the file
creation/overwriting that I noticed.

Cheers,
Max

--
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC

