Bug 492090 - passwords stored in world readable file
Summary: passwords stored in world readable file
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: pptp
Version: 10
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-25 11:31 UTC by Tom Horsley
Modified: 2009-04-09 16:15 UTC (History)
1 user (show)

Fixed In Version: 1.7.2-5.fc10
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-09 16:15:50 UTC


Attachments (Terms of Use)

Description Tom Horsley 2009-03-25 11:31:20 UTC
Description of problem:

The pppd prints a warning that the /etc/ppp/chap-secrets file is world
readable, and by golly it is right. Shouldn't it be root only (since
you have to be root to start the connection anyway)?

Version-Release number of selected component (if applicable):
pptp-1.7.2-3.fc10.x86_64

How reproducible:
every time

Steps to Reproduce:
1. yum install pptp
2. pptpsetup ... --password whatever
3. see plain text password in world readable /etc/ppp/chap-secrets file
  
Actual results:
see above

Expected results:
slightly more secure password storage

Additional info:
I'd actually prefer to have it prompt me for the password when I start
the connection, but I don't see anything in the docs that seems like
it would make that possible.

Comment 1 Paul Howarth 2009-03-25 12:39:59 UTC
This problem only occurs if you use "pptpsetup --delete ..."

The out of the box state for /etc/ppp/chap-secrets is that it's owned by root and mode 0600, which is fine (the file originates from the ppp package).

Running "pptpsetup --create ..." does not change this:

# ls -l /etc/ppp/chap-secrets
-rw------- 1 root root  278 2006-04-03 17:56 /etc/ppp/chap-secrets
# pptpsetup --create test --server 1.2.3.4 --username noddy --password bigears
# ls -l /etc/ppp/chap-secrets
-rw------- 1 root root 332 2009-03-25 12:25 /etc/ppp/chap-secrets

However, "pptpsetup --delete ..." replaces the file and uses the wrong permissions:

# pptpsetup --delete test
# ls -l /etc/ppp/chap-secrets
-rw-r--r-- 1 root root 278 2009-03-25 12:26 /etc/ppp/chap-secrets

So this is something I need to fix.

Regarding the best way to do things, I believe the upstream recommendation is to use NetworkManager-pptp rather than pptpsetup.

Comment 2 Tom Horsley 2009-03-25 13:08:03 UTC
Yep, I did use --delete when I was initially experimenting with the setup.

Comment 3 Fedora Update System 2009-03-25 16:28:13 UTC
pptp-1.7.2-5.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/pptp-1.7.2-5.fc10

Comment 4 Fedora Update System 2009-03-26 14:55:57 UTC
pptp-1.7.2-5.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update pptp'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-3070

Comment 5 Paul Howarth 2009-03-26 15:06:38 UTC
Note that this update is designed to retain the existing permissions on /etc/ppp/chap-secrets so you'll need to restore the permissions to the standard 0600 before testing.

# chmod 0600 /etc/ppp/chap-secrets

Comment 6 Fedora Update System 2009-04-09 16:15:45 UTC
pptp-1.7.2-5.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.