Bug 5371 - gaping wide security hole in kppp
Summary: gaping wide security hole in kppp
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: pam
Version: 1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Cristian Gafton
QA Contact:
URL: ftp://ftp.redhat.com/pub/rawhide/SRPM...
Depends On:
Reported: 1999-09-26 04:01 UTC by Benjamin S. Scarlet
Modified: 2008-05-01 15:37 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 1999-09-27 20:53:08 UTC


Description Benjamin S. Scarlet 1999-09-26 04:01:15 UTC
This is about a bug in the kdenetwork package, which
is on your rawhide ftp site but not listed on your
rawhide bugzilla.  This discrepancy is also a bug, I
suppose.  I have chosen "pam" because it was the closest
package listed related to the bug.  My apologies to
any needlessly bothered pam developers.

  kppp is configured with pam to run as root.
+ kppp can run user specified programs on connect, etc.
  BAD -- tell it to run xterm on connect -> root shell

Note: running kppp as root also causes it to run with root
kde configuration and colors, which is durn ugly if root
has different color preferences than the current user.
Consider running it as group uucp or some such.

Comment 1 Bill Nottingham 1999-09-26 16:18:59 UTC
The default setup for kppp is to use consolehelper to require
the root password. If you have that, the fact that you can run
xterm is not really relevant.
