pptpsetup preserves mode on /etc/ppp/chap-secrets, but uses root
umask 0022 on /etc/ppp/peers/$TUNNEL, and group dip because of
setgid bit on /etc/ppp/peers.

My perl is rusty.  As far as I can see, it would be a call to chmod
after open, or a call to umask before open.  Latter seems easy, but
overrides user choice.

Patch attached, will be upstreamed after review.

Test method:

# umask 0022 && \
  pptpsetup --create tunnel --server s --username u --password p && \
  ls -l /etc/ppp/peers/tunnel && \
  pptpsetup --delete tunnel
-rw-r----- 1 root dip 131 Aug  4 18:03 /etc/ppp/peers/tunnel

-- 
James Cameron
http://quozl.netrek.org/
From d33e18ddfd7d6c78c0a7166bde147b6811b4c351 Mon Sep 17 00:00:00 2001
From: James Cameron <qu...@laptop.org>
Date: Fri, 4 Aug 2017 18:05:19 +1000
Subject: [PATCH] Fix for world-readable peers file

pptpsetup preserves mode on /etc/ppp/chap-secrets, but uses root
umask 0022 on /etc/ppp/peers/$TUNNEL, and group dip because of
setgid bit on /etc/ppp/peers.

Debian default umask is 0022, so override umask to 0027 and prevent
world-readable file.

Fixes Debian #646880.
---
 pptpsetup | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pptpsetup b/pptpsetup
index fdfd00a..52d279a 100644
--- a/pptpsetup
+++ b/pptpsetup
@@ -64,6 +64,7 @@ sub create {
     # create or add lines to the /etc/ppp/chap-secrets file,
     # which holds usernames and passwords
     my $chap_secrets_file = '/etc/ppp/chap-secrets';
+    umask( 0027 );
     open( FILE, ">>$chap_secrets_file" )
       or die "$0: can't write to '$chap_secrets_file': $!\n";
 
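Review bot: the new umask( 0027 ) sits under the comment about appending to chap-secrets, yet the commit message says chap-secrets already preserves its mode; the file this is meant to protect is /etc/ppp/peers/$TUNNEL, which is only covered because umask is process-wide and stays in effect for the rest of create(). Move the call next to the open() of the peers file, or give it its own comment such as "# peers file must not be world-readable", so the intent survives the next refactor. A fixed umask( 0027 ) also loosens a stricter inherited umask (0077 becomes 0027), which is the "overrides user choice" concern from the cover mail; `umask( umask() | 0027 );` only adds bits and never clears them. The previous value is discarded too, so if anything created later in the process should see the caller's umask again, save the return value and restore it afterwards.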
-- 
2.7.4

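The two approaches weighed in the cover mail (umask before open, or chmod after open), as an added example that is not part of pptpsetup or the patch. It writes stand-in files under a temporary directory instead of /etc/ppp/peers, the file content is constructed, and the "tighten only" variant `umask( umask() | 0027 )` is an assumption about what preserving a stricter user umask would look like, not something the patch does:

```perl
#!/usr/bin/perl
# Added example, not pptpsetup code: compare how a freshly created file
# ends up when the umask is left at Debian's default 0022, when it is
# forced to 0027 (the patch), when it is only tightened, and when chmod()
# is used instead. Paths under a temp dir stand in for /etc/ppp/peers/$TUNNEL.
use strict;
use warnings;
use Fcntl ':mode';               # S_IMODE: strip the file-type bits from st_mode
use File::Temp qw(tempdir);

my $dir = tempdir( CLEANUP => 1 );

# Create $path under the current umask and return its permission bits.
sub create_and_mode {
    my ($path) = @_;
    open( my $fh, '>', $path ) or die "$0: can't write to '$path': $!\n";
    print $fh "# constructed sample peers content\n";
    close $fh;
    return S_IMODE( ( stat $path )[2] );
}

# 1. Debian default umask: 0666 & ~0022 = 0644, world-readable.
umask(0022);
printf "umask 0022          -> %04o\n", create_and_mode("$dir/loose");

# 2. The patch's approach: fixed umask(0027) before open(), giving 0640.
#    Simple, but it replaces whatever the caller had, even a stricter 0077.
my $saved = umask(0027);
printf "umask 0027          -> %04o\n", create_and_mode("$dir/fixed");
umask($saved);

# 3. Tighten-only variant (assumed, not in the patch): OR the inherited
#    umask with 0027, so an admin running with 0077 keeps 0600 files.
umask(0077);                                   # pretend the admin uses 0077
my $old = umask( umask() | 0027 );
printf "umask %04o | 0027   -> %04o\n", $old, create_and_mode("$dir/tight");
umask($old);

# 4. chmod() after open(): leaves umask alone, but the file is briefly
#    0644 between open() and chmod(), so chmod before writing anything.
umask(0022);
my $path = "$dir/chmodded";
open( my $fh, '>', $path ) or die "$0: can't write to '$path': $!\n";
chmod( 0640, $path ) == 1   or die "$0: can't chmod '$path': $!\n";
print $fh "# constructed sample peers content\n";
close $fh;
printf "chmod 0640 after open -> %04o\n", S_IMODE( ( stat $path )[2] );
```

Run as any user; the group shown by ls will be the caller's primary group rather than dip, because only a setgid directory like /etc/ppp/peers confers that. The mode bits printed by cases 2 and 4 match the -rw-r----- in the test output above; case 3 is the one to reach for if a stricter site umask must be respected.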