On Wed, Oct 06, 2004 at 02:11:32PM +0200, Marco d'Itri wrote: > On Oct 06, Max Vozeler <[EMAIL PROTECTED]> wrote: > > > It would make it possible for /usr/sbin/pppoe to get rid of setuid root > > and still work for unprivileged users. Marco, how does this look to you? > > Would you consider including such an option in ppp? > > I think I'm missing something. What's wrong with pppoe being setuid?
Upstream says it wasn't designed for that (see the beginning of the thread on debian-security [1]) so there may well be other security bugs lurking. > Anyway, pppoe is deprecated and superseded by the kernel-space driver, > so I'm not much interested in hacking pppd for its benefit. I don't know much about that, but pppoe is still installed on a great many system (#390 in popcon). Having something like the pty-keep-privs option would bring a potentially big improvement for security of those systems. Cheers, Max [1] http://lists.debian.org/debian-security/2004/10/msg00004.html -- 308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
