FYI

--- Clifford Kite
    Not a guru. (tm)

---------- Forwarded message ----------
Date: Thu, 21 Oct 1999 10:19:36 -0400 (EDT)
From: "Richard B. Johnson" <[EMAIL PROTECTED]>
To: Clifford Kite <[EMAIL PROTECTED]>
Subject: Re: New pppd 2.3.10 security <feature>

On Thu, 21 Oct 1999, Clifford Kite wrote:

[SNIPPED]

What has been happening is that pppd has been seg-faulting and hanging
up. "allow-ip *" just kept it from seg-faulting. However, it turned on
things that should not have been turned on.

The root cause has been found as:

    /etc/ppp/options
    proxyarp
    crtscts
    noauth
    \n\n\n\n\n\n\n\n\n
    \n\n\n\n\n\n\n\n\n
    ^^^^^^^ a few thousand blank lines in the file.

The initial file came from some RedHat distribution long ago. A cursory
look at the source does not reveal how extra lines could cause a
seg-fault. However, if the lines contained 0xff, which buffered I/O can
interpret as EOF, there is a path through the code where there are
uninitialized variables, but as far as I can see, they should be
harmless.

>
> There's one minor thing that makes me wonder whether somehow we have
> differing sources. Here the lines you must have commented out begin at
> line 1401 in ipcp.c, not line 1400. I wouldn't bother mentioning that
> except for the other differences between your experience and mine.
>

vi/vim may not count that accurately.

> I'll add that I don't care for the new pppd's assumption that a default
> route means that you want to authenticate the peer using a secrets file.
> The auth option should either be the default in all cases or noauth should
> be. Auth or noauth should not depend on the host routing.
>

If I didn't have to add/change something, just installed the new software
on a previously-working system, there are two schools of thought:

(1) We would never have discovered a bug.
(2) The system would work, in spite of an undiscovered bug.

For most, maybe all, administrators, (2) is the best option. Software
developers tend to believe that (1) is the correct one.
I do software development myself. However, when remote sites are 100
miles apart and phone calls cost $0.70 per minute, I tend to put on my
administrator's hat.

Software that provides new functionality should never require a new
configuration to continue to provide the old functionality (Johnson's
Rule). You reconfigure (if necessary) to provide the new functions,
never to continue with the old. I see this problem time-and-time-again;
sendmail, named, ftpd, init, getty, etc.

Cheers,
Dick Johnson

Penguin : Linux version 2.3.13 on an i686 machine (400.59 BogoMips).
Warning : It's hard to remain at the trailing edge of technology.

-
To unsubscribe from this list: send the line "unsubscribe linux-ppp" in
the body of a message to [EMAIL PROTECTED]
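The "0xff read as EOF" path that Johnson speculates about above, as an added illustration that is not pppd's code: a small options-file reader run over a constructed in-memory file (three real options, a few thousand blank lines, one stray 0xff byte, one more option). The `narrow_to_char` switch reproduces the classic defect of keeping getc()'s int result in a signed char, so the 0xff byte compares equal to EOF and everything after it is silently dropped; the correct reader sees the stray byte as an (invalid) option word and keeps going.

```c
/* Added example, not from pppd. Demonstrates why a config reader must keep
 * getc()'s int return value: narrowing it to a signed char makes the byte
 * 0xff indistinguishable from EOF (-1), truncating the file silently. */
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define BLANKS 3000               /* "a few thousand blank lines" */
#define SAMPLE_CAP 4096

/* Build the constructed sample options file in memory; returns its length. */
static size_t build_sample(unsigned char *buf) {
    const char *head = "proxyarp\ncrtscts\nnoauth\n";
    size_t n = strlen(head);
    memcpy(buf, head, n);
    memset(buf + n, '\n', BLANKS);
    n += BLANKS;
    buf[n++] = 0xff;                          /* stray byte, not end of file */
    memcpy(buf + n, "\ndebug\n", 7);
    n += 7;
    return n;
}

/* Count whitespace-separated option words. narrow_to_char != 0 reproduces
 * the defect: plain char is signed on i386, so (char)0xff == -1 == EOF. */
static int count_options(const unsigned char *data, size_t len, int narrow_to_char) {
    FILE *f = fmemopen((void *)data, len, "rb");
    if (f == NULL) return -1;
    int count = 0, in_word = 0;
    for (;;) {
        int c = getc(f);
        if (narrow_to_char) c = (signed char)c;   /* BUG being demonstrated */
        if (c == EOF) break;
        if (c == '\n' || c == ' ' || c == '\t') {
            in_word = 0;
        } else if (!in_word) {
            in_word = 1;              /* 0xff lands here as a bogus word: */
            count++;                  /* a real parser should reject it loudly */
        }
    }
    fclose(f);
    return count;
}

/* Convenience wrapper: build the sample and count with or without the bug. */
int demo_count(int narrow_to_char) {
    unsigned char buf[SAMPLE_CAP];
    size_t n = build_sample(buf);
    return count_options(buf, n, narrow_to_char);
}

int main(void) {
    printf("correct reader: %d words, narrowed reader: %d words\n",
           demo_count(0), demo_count(1));   /* prints 5 and 3 */
    return 0;
}
```

The lesson for a defender is to fail closed: an unexpected byte in a configuration file should produce a diagnostic and a refusal to start, never a silently shortened configuration.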
