From owner-cvs-usrsbin Sun Oct 13 23:40:12 1996
Return-Path: owner-cvs-usrsbin
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id XAA02575 for cvs-usrsbin-outgoing; Sun, 13 Oct 1996 23:40:12 -0700 (PDT)
Received: from specgw.spec.co.jp (specgw.spec.co.jp [202.32.13.1])
    by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA02567;
    Sun, 13 Oct 1996 23:40:09 -0700 (PDT)
Received: from tama3.spec.co.jp ([202.32.13.219])
    by specgw.spec.co.jp (8.7.5/3.3Wb-SPEC) with SMTP id PAA21647;
    Mon, 14 Oct 1996 15:35:02 +0900 (JST)
Message-Id: <9610140643.AA00552@tama3.spec.co.jp>
Date: Mon, 14 Oct 1996 15:43:12 +0900
From: Atsushi Murai
To: sos@FreeBSD.org
Cc: ache@nagual.ru (=?KOI8-R?Q?=E1=CE=C4=D2=C5=CA_=FE=C5=D2=CE=CF=D7?=),
    joerg_wunsch@uriah.heep.sax.de, sos@freefall.freebsd.org,
    CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org,
    cvs-usrsbin@freefall.freebsd.org
Subject: Re: cvs commit: src/usr.sbin/ppp command.c
In-Reply-To: <199610110958.LAA15010@ra.dkuug.dk>
MIME-Version: 1.0
X-Mailer: AL-Mail 1.22
Content-Type: text/plain; charset=us-ascii
Sender: owner-cvs-usrsbin@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

sos@FreeBSD.org wrote:
:> > Do you get a root shell now if you run ``ppp -auto'', connect to port
:> > 3000, and issue a `shell'? I would consider this a very bad move!
:> >
:>
:> Yes, we just made a security hole, it should be fixed.
:
:Oops... I guess it was too late in the night when I did that...
:
:Any good suggestions as how to make this work securely ??
:Maybe only allowing the program named in the ppp.xxx file, that
:way security is at the /etc/ppp level.

Fuum. I thought it's already in there... If my memory is still not out of
date (in other words, as far as what I've done, without checking the latest
ppp code), ppp just allows you to execute a shell and manipulate "ppp" in
all running modes if:

  o You should type a correct password (the hostname and password pair
    in /etc/ppp.secret).

If you don't write the above pair, you may get warning messages.

Atsushi.
---
Atsushi Murai
Internet: amurai@spec.co.jp
System Planning and Engineering Co., Ltd.
Voice : +81-33833-5341
PGP Key fingerprint : 1C 27 22 77 11 43 64 90 9E 5E 68 CE 65 BD 68 06