[417] in linux-security and linux-alert archive
Re: PPP security hole?
daemon@ATHENA.MIT.EDU (Marc A. Tamsky)
Sat Oct 14 11:02:16 1995
Date: Thu, 12 Oct 95 19:17 PDT
From: tamsky@as.ucsb.edu (Marc A. Tamsky)
To: nickkral@parker.EECS.Berkeley.EDU
CC: linux-security@tarsier.cv.nrao.edu
In-reply-to: <Pine.HPP.3.91.951011160548.11730C-100000@parker.EECS.Berkeley.EDU> (message from Nick Kralevich on Wed, 11 Oct 1995 16:14:44 -0700 (PDT))
Reply-to: "Marc A. Tamsky" <tamsky@as.ucsb.edu>
While we're all sharing our favorite ways to do this...
The way I disable this, but keep it a usable service is:
# chmod o-x /usr/lib/ppp/pppd
If you're really paranoid, and only want root to use it:
# chmod go-rwx /usr/lib/ppp/pppd
As a service, I've created a ppp group, and made the pppd binary
group-executable. PPP login accounts have their group=ppp, and login
shell set to a shell script which dynamically assigns IP based on
incoming tty. This, by no random chance, happens to be compatable
with the sliplogin way of doing tty->ip mapping.
--- /usr/local/bin/ppplogin:
#!/bin/bash
IFS=' '
TTY=`/usr/bin/tty`
LINE=`/usr/bin/grep $TTY /etc/slip.tty`
IP=`/bin/echo $LINE | /bin/cut -d\ -f2`
/usr/bin/mesg n
exec /usr/lib/ppp/pppd xxx.xxx.xxx.xxx:$IP
--
| Marc Tamsky tamsky@as.ucsb.edu Linux is good.
>>>>> On Wed, 11 Oct 1995 16:14:44 -0700 (PDT), Nick Kralevich <nickkral@parker.EECS.Berkeley.EDU> said:
} Summary: The current pppd, as installed by slackware and other
} distributions, could allow a user to become another computer on the network.
} By default, slackware installs pppd as setuid root.
} -rws--x--x 1 root bin 66564 Feb 16 1995 /usr/lib/ppp/pppd*
[snip]
} allows the user to open a PPP connection as the address specified. The
} solution seems to be to disable PPP support in the kernel, remove the
} setuid flag from the pppd executable, or modify/create default pppd
} configuration files which will prevent this type of thing.
