Bug 5371 - gaping wide security hole in kppp
Status: CLOSED NOTABUG
Product: Red Hat Raw Hide
Classification: Retired
Component: pam
Version: 1.0
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Cristian Gafton
ftp://ftp.redhat.com/pub/rawhide/SRPM...
Keywords: Security
Reported: 1999-09-26 00:01 EDT by Benjamin S. Scarlet
Modified: 2008-05-01 11:37 EDT (History)
Last Closed: 1999-09-27 16:53:08 EDT
Description Benjamin S. Scarlet 1999-09-26 00:01:15 EDT
This is about a bug in the kdenetwork package, which
is on your rawhide ftp site but not listed on your
rawhide bugzilla.  This discrepancy is also a bug, I
suppose.  I have chosen "pam" because it was the closest
package listed related to the bug.  My apologies to
any needlessly bothered pam developers.

  kppp is configured with pam to run as root.
+ kppp can run user specified programs on connect, etc.
------------------------------------------------------
  BAD -- tell it to run xterm on connect -> root shell

note: running kppp as root also causes it to run with root
kde configuration and colors, which is durn ugly if root
has different color preferences than the current user.
Consider running it as group uucp or some such.
Comment 1 Bill Nottingham 1999-09-26 12:18:59 EDT
The default setup for kppp is to use consolehelper to require
the root password. If you have that, the fact that you can run
xterm is not really relevant.
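
Whether the report or the reply holds on a given machine depends on what the PAM auth stack behind consolehelper demands. The following is an added example, not part of the bug report and not Red Hat's code: it evaluates a simplified auth stack for a non-root user who does not know the root password. The function names and both sample stacks are constructed assumptions, not the actual kppp files from Raw Hide.

```python
# Added example: simplified PAM auth-stack model, not Red Hat's code.
# It models a non-root console user who does not know the root password.
PASSWORDLESS_OK = {"pam_console.so", "pam_permit.so"}

def module_ok(module_path):
    # pam_rootok.so succeeds only for uid 0; password modules and unknown
    # modules are conservatively treated as failing for this user.
    return module_path.rsplit("/", 1)[-1] in PASSWORDLESS_OK

def passes_without_password(pam_text):
    """True if the auth stack passes that user without any password."""
    failed_required = any_success = False
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, ok = fields[1], module_ok(fields[2])
        if control == "requisite" and not ok:
            return False                      # stack fails immediately
        if control in ("required", "requisite"):
            failed_required |= not ok
            any_success |= ok
        elif control == "sufficient" and ok and not failed_required:
            return True                       # stack short-circuits here
        # "optional", "include" and bracketed controls are ignored here
    return any_success and not failed_required

# Constructed sample stacks (assumptions, not the actual Raw Hide files).
ROOT_PASSWORD_STACK = """#%PAM-1.0
auth     sufficient  /lib/security/pam_rootok.so
auth     required    /lib/security/pam_pwdb.so
account  required    /lib/security/pam_permit.so
"""
CONSOLE_ONLY_STACK = """#%PAM-1.0
auth     sufficient  /lib/security/pam_rootok.so
auth     required    /lib/security/pam_console.so
"""

if __name__ == "__main__":
    for name, text in [("root password stack", ROOT_PASSWORD_STACK),
                       ("console-only stack", CONSOLE_ONLY_STACK)]:
        verdict = "no password" if passes_without_password(text) else "password needed"
        print(name, "->", verdict)
```

A stack that evaluates to `True` for a helper running as root is the case the report worries about; `False` corresponds to the setup Comment 1 describes.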
