Mike Civil writes:

> Anybody got anything better?

I'm thinking of maybe some command-line option to PPP that allows
entry of a password, but that closes whatever security hole +ua had.

There are two possibilities I can think of for what that hole might
have been. (I don't know what it was for sure, so please correct me if
I'm wrong.)

  1) Capturing a password by "ps" or similar;
  2) Unprivileged users bypassing the *-secrets file if pppd is suid
     root. 

If so, then how about the following?

  1) Put in a "+uae" command line option, which allows passing of an
     extra _encrypted_ *-secrets file line.

  2) Require that the parent process of pppd be owned by root if +uae is
     used.

Does this sound OK?

Thanks,
- Steve.
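Point 2 of the proposal, sketched as an added example (not part of the original message and not pppd code). It assumes Linux `/proc`, uses hypothetical function names, reads "owned by root" as real and effective uid both 0, and refuses PID 1 because an orphaned process is reparented to init.

```c
/* Added example: sketch of the "parent owned by root" test from point 2.
 * Function names are hypothetical; this is not pppd code. Linux /proc only. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the "Uid:" line of /proc/<pid>/status text.
 * Fills real and effective uid; returns 0 on success, -1 if absent. */
int parse_status_uids(const char *status, uid_t *ruid, uid_t *euid)
{
    const char *p = status;
    while (p && *p) {
        unsigned long r, e;
        if (strncmp(p, "Uid:", 4) == 0 && sscanf(p + 4, "%lu %lu", &r, &e) == 2) {
            *ruid = (uid_t)r;
            *euid = (uid_t)e;
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Decision for a given parent pid and its status text: 1 = allow, 0 = refuse. */
int parent_is_root(pid_t ppid, const char *status)
{
    uid_t r, e;
    if (ppid <= 1) return 0; /* reparented to init: original parent unknown */
    if (parse_status_uids(status, &r, &e) != 0) return 0;
    return r == 0 && e == 0; /* a setuid-root parent run by a user has r != 0 */
}

/* Read /proc/<ppid>/status for the live parent and apply the check. */
int check_live_parent(void)
{
    char path[64], buf[4096];
    pid_t ppid = getppid();
    snprintf(path, sizeof path, "/proc/%ld/status", (long)ppid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    /* Refuse if the parent changed (exited) while the file was being read. */
    if (getppid() != ppid) return 0;
    return parent_is_root(ppid, buf);
}
```

Refusing PID 1 also refuses a pppd started directly by init, so a real implementation would have to decide how to treat that case.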
