Bug 492090 - passwords stored in world readable file
passwords stored in world readable file
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: pptp (Show other bugs)
10
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Paul Howarth
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-25 07:31 EDT by Tom Horsley
Modified: 2009-04-09 12:15 EDT (History)
1 user (show)

See Also:
Fixed In Version: 1.7.2-5.fc10
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-09 12:15:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tom Horsley 2009-03-25 07:31:20 EDT
Description of problem:

The pppd prints a warning that the /etc/ppp/chap-secrets file is world
readable, and by golly it is right. Shouldn't it be root only (since
you have to be root to start the connection anyway)?

Version-Release number of selected component (if applicable):
pptp-1.7.2-3.fc10.x86_64

How reproducible:
every time

Steps to Reproduce:
1. yum install pptp
2. pptpsetup ... --password whatever
3. see plain text password in world readable /etc/ppp/chap-secrets file
  
Actual results:
see above

Expected results:
slightly more secure password storage

Additional info:
I'd actually prefer to have it prompt me for the password when I start
the connection, but I don't see anything in the docs that seems like
it would make that possible.
Comment 1 Paul Howarth 2009-03-25 08:39:59 EDT
This problem only occurs if you use "pptpsetup --delete ..."

The out of the box state for /etc/ppp/chap-secrets is that it's owned by root and mode 0600, which is fine (the file originates from the ppp package).

Running "pptpsetup --create ..." does not change this:

# ls -l /etc/ppp/chap-secrets
-rw------- 1 root root  278 2006-04-03 17:56 /etc/ppp/chap-secrets
# pptpsetup --create test --server 1.2.3.4 --username noddy --password bigears
# ls -l /etc/ppp/chap-secrets
-rw------- 1 root root 332 2009-03-25 12:25 /etc/ppp/chap-secrets

However, "pptpsetup --delete ..." replaces the file and uses the wrong permissions:

# pptpsetup --delete test
# ls -l /etc/ppp/chap-secrets
-rw-r--r-- 1 root root 278 2009-03-25 12:26 /etc/ppp/chap-secrets

So this is something I need to fix.

Regarding the best way to do things, I believe the upstream recommendation is to use NetworkManager-pptp rather than pptpsetup.
Comment 2 Tom Horsley 2009-03-25 09:08:03 EDT
Yep, I did use --delete when I was initially experimenting with the setup.
Comment 3 Fedora Update System 2009-03-25 12:28:13 EDT
pptp-1.7.2-5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/pptp-1.7.2-5.fc10
Comment 4 Fedora Update System 2009-03-26 10:55:57 EDT
pptp-1.7.2-5.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pptp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-3070
Comment 5 Paul Howarth 2009-03-26 11:06:38 EDT
Note that this update is designed to retain the existing permissions on /etc/ppp/chap-secrets so you'll need to restore the permissions to the standard 0600 before testing.

# chmod 0600 /etc/ppp/chap-secrets
Comment 6 Fedora Update System 2009-04-09 12:15:45 EDT
pptp-1.7.2-5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.