492090 – passwords stored in world readable file

Bug 492090 - passwords stored in world readable file

Summary: passwords stored in world readable file

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	pptp
Sub Component:
Version:	10
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Paul Howarth
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2009-03-25 11:31 UTC by Tom Horsley
Modified:	2009-04-09 16:15 UTC (History)
CC List:	1 user (show)
Fixed In Version:	1.7.2-5.fc10
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-04-09 16:15:50 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Tom Horsley 2009-03-25 11:31:20 UTC

Description of problem:

The pppd prints a warning that the /etc/ppp/chap-secrets file is world
readable, and by golly it is right. Shouldn't it be root only (since
you have to be root to start the connection anyway)?

Version-Release number of selected component (if applicable):
pptp-1.7.2-3.fc10.x86_64

How reproducible:
every time

Steps to Reproduce:
1. yum install pptp
2. pptpsetup ... --password whatever
3. see plain text password in world readable /etc/ppp/chap-secrets file
  
Actual results:
see above

Expected results:
slightly more secure password storage

Additional info:
I'd actually prefer to have it prompt me for the password when I start
the connection, but I don't see anything in the docs that seems like
it would make that possible.

Comment 1 Paul Howarth 2009-03-25 12:39:59 UTC

This problem only occurs if you use "pptpsetup --delete ..."

The out of the box state for /etc/ppp/chap-secrets is that it's owned by root and mode 0600, which is fine (the file originates from the ppp package).

Running "pptpsetup --create ..." does not change this:

# ls -l /etc/ppp/chap-secrets
-rw------- 1 root root  278 2006-04-03 17:56 /etc/ppp/chap-secrets
# pptpsetup --create test --server 1.2.3.4 --username noddy --password bigears
# ls -l /etc/ppp/chap-secrets
-rw------- 1 root root 332 2009-03-25 12:25 /etc/ppp/chap-secrets

However, "pptpsetup --delete ..." replaces the file and uses the wrong permissions:

# pptpsetup --delete test
# ls -l /etc/ppp/chap-secrets
-rw-r--r-- 1 root root 278 2009-03-25 12:26 /etc/ppp/chap-secrets

So this is something I need to fix.

Regarding the best way to do things, I believe the upstream recommendation is to use NetworkManager-pptp rather than pptpsetup.

Comment 2 Tom Horsley 2009-03-25 13:08:03 UTC

Yep, I did use --delete when I was initially experimenting with the setup.

Comment 3 Fedora Update System 2009-03-25 16:28:13 UTC

pptp-1.7.2-5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/pptp-1.7.2-5.fc10

Comment 4 Fedora Update System 2009-03-26 14:55:57 UTC

pptp-1.7.2-5.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pptp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-3070

Comment 5 Paul Howarth 2009-03-26 15:06:38 UTC

Note that this update is designed to retain the existing permissions on /etc/ppp/chap-secrets so you'll need to restore the permissions to the standard 0600 before testing.

# chmod 0600 /etc/ppp/chap-secrets

Comment 6 Fedora Update System 2009-04-09 16:15:45 UTC

pptp-1.7.2-5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.