Message-Id: <199711032241.WAA06861@awfulhak.demon.co.uk>
To: freebsd-hackers@FreeBSD.org
Subject: ppp & pppctl
Date: Mon, 03 Nov 1997 22:41:59 +0000
From: Brian Somers

Hi,

Recently, I made some rather gratuitous changes to security in user-ppp. Some were "for" the changes, and some were "against". Lots was said - which I suspect means that it's something that should really be more configurable.

At the moment it works like this:

1. Only uid 0 can run ppp without the -direct flag.

2. Only uid 0 or group ``network'' can run ppp with the -direct flag, but some uid 0 things are allowed (ppp has perms 4550).

3. A socket is created on AF_INET:3000 by default with the following ``properties'':

   1. You *must* set a password in /etc/ppp/ppp.secrets
   2. You *may* set an empty password (not documented), but even if it's empty, you must still type ``passwd'' at the ppp prompt after connecting.
   3. You may disable the socket or make it an AF_UNIX socket.
   4. You can *always* -USR1 ppp to re-open the socket on AF_INET:3000+tunno.

4. Pppctl can send commands to ppp from the command line and has a -p option to specify the password.

I suggest the following model:

1. The command "set users user-list" is introduced where user-list is a list of user names. The default is empty. If users are included in this list (or if your uid is 0), they may run ppp without the -direct flag. The check is done *after* the ppp section is loaded (and may be part of the default label).

2. The command "set modes mode-list" is introduced where mode-list is a list of allowable modes from "auto", "background", "ddial", "direct", "interactive" and "all". This command augments ``1.'' as the super-user may set up profiles that may not be altered. The default is "all modes".

3. Permissions stay the same. You've gotta be group network to have a chance of running ppp at all. This means that the default is root only 'cos of file system permissions.

4. No socket is created by default.

   1. You *must* set a password in /etc/ppp/ppp.secrets or on the "set server" command line:

          set server|socket TcpPort|LocalName|none [passwd] [mask]

   2. If you specify an empty password, you don't need to use the ``passwd'' command.
   3. You can *always* -USR1 ppp to re-open the socket on AF_INET:3000+tunno.

5. Pppctl can already handle the ppp prompt when it doesn't want a password (ppp doesn't prompt or require the -p option).

6. Pppctl will have an ``interactive'' mode, taking away ``telnet''s attraction.

7. $HOME/.ppp.* are removed. The "!include" command is added instead, which understands ``~'' and environment variables.

Any thoughts or suggestions?

--
Brian
Don't _EVER_ lose your sense of humour....