pptpsetup preserves mode on /etc/ppp/chap-secrets, but uses root umask 0022 on /etc/ppp/peers/$TUNNEL, and group dip because of setgid bit on /etc/ppp/peers.
My Perl is rusty. As far as I can see, it would be a call to chmod after open, or a call to umask before open. Latter seems easy, but overrides user choice.

Patch attached, will be upstreamed after review.

Test method;

# umask 0022 && \
  pptpsetup --create tunnel --server s --username u --password p && \
  ls -l /etc/ppp/peers/tunnel && \
  pptpsetup --delete tunnel
-rw-r----- 1 root dip 131 Aug 4 18:03 /etc/ppp/peers/tunnel

-- 
James Cameron
http://quozl.netrek.org/
>From d33e18ddfd7d6c78c0a7166bde147b6811b4c351 Mon Sep 17 00:00:00 2001 From: James Cameron <qu...@laptop.org> Date: Fri, 4 Aug 2017 18:05:19 +1000 Subject: [PATCH] Fix for world-readable peers file pptpsetup preserves mode on /etc/ppp/chap-secrets, but uses root umask 0022 on /etc/ppp/peers/$TUNNEL, and group dip because of setgid bit on /etc/ppp/peers. Debian default umask is 0022, so override umask to 0027 and prevent world-readable file. Fixes Debian #646880. --- pptpsetup | 1 + 1 file changed, 1 insertion(+) diff --git a/pptpsetup b/pptpsetup index fdfd00a..52d279a 100644 --- a/pptpsetup +++ b/pptpsetup @@ -64,6 +64,7 @@ sub create { # create or add lines to the /etc/ppp/chap-secrets file, # which holds usernames and passwords my $chap_secrets_file = '/etc/ppp/chap-secrets'; + umask( 0027 ); open( FILE, ">>$chap_secrets_file" ) or die "$0: can't write to '$chap_secrets_file': $!\n"; -- 2.7.4
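
Review bot: umask( 0027 ) in sub create replaces the caller's umask instead of tightening it, so a root session running with 0077 would end up with a group-readable file; `umask( umask() | 0027 );` only adds bits and keeps a stricter user choice. The call also sits directly above the chap-secrets open while the commit message names /etc/ppp/peers/$TUNNEL as the target, so a one-line comment saying that it is meant to carry through to the later peers file open would help. It is also worth confirming that a chap-secrets file newly created by this `>>` open, which would get mode 0640 under this umask, is acceptable for a file holding passwords.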
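
The two options weighed in the report above (umask before open, chmod after open), plus a tighten-only umask variant, compared side by side as an added example. This is not pptpsetup code; the scratch directory and all function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed scratch directory standing in for /etc/ppp/peers.
my $dir = tempdir( CLEANUP => 1 );

# Create an empty file with a plain open() and return its permission bits.
sub create_and_stat {
    my ($path) = @_;
    open( my $fh, '>', $path ) or die "$0: can't write to '$path': $!\n";
    close($fh) or die "$0: can't close '$path': $!\n";
    return ( stat $path )[2] & 07777;
}

# Option A: replace the umask before open. A stricter caller umask is lost.
sub replace_umask {
    my ($path) = @_;
    my $saved = umask(0027);
    my $mode  = create_and_stat($path);
    umask($saved);    # restore so later files are unaffected
    return $mode;
}

# Option B: only add bits to the caller's umask, never remove any.
sub tighten_umask {
    my ($path) = @_;
    my $saved = umask();
    umask( $saved | 0027 );
    my $mode = create_and_stat($path);
    umask($saved);
    return $mode;
}

# Option C: chmod after open. Between open and chmod the file carries the
# umask-derived mode, and the fixed 0640 ignores a stricter caller umask.
sub chmod_after_open {
    my ($path) = @_;
    create_and_stat($path);
    chmod( 0640, $path ) or die "$0: can't chmod '$path': $!\n";
    return ( stat $path )[2] & 07777;
}

# Run each option under the Debian default umask and under a stricter one.
for my $caller ( 0022, 0077 ) {
    umask($caller);
    printf "caller umask %04o: replace=%04o tighten=%04o chmod=%04o\n",
        $caller,
        replace_umask("$dir/a$caller"),
        tighten_umask("$dir/b$caller"),
        chmod_after_open("$dir/c$caller");
}
```

Under a caller umask of 0077 only the tighten-only variant keeps the file at 0600; the other two produce 0640.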