
Bug 5371

Summary: gaping wide security hole in kppp
Product: [Retired] Red Hat Raw Hide
Reporter: Benjamin S. Scarlet <scarlet>
Component: pam
Assignee: Cristian Gafton <gafton>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 1.0
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
URL: ftp://ftp.redhat.com/pub/rawhide/SRPMS/SRPMS/kdenetwork-1.1.2-3.src.rpm
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-09-27 20:53:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Benjamin S. Scarlet 1999-09-26 04:01:15 UTC
This is about a bug in the kdenetwork package, which
is on your rawhide ftp site but not listed on your
rawhide bugzilla.  This discrepancy is also a bug, I
suppose.  I have chosen "pam" because it was the closest
package listed related to the bug.  My apologies to
any needlessly bothered pam developers.

  kppp is configured with pam to run as root.
+ kppp can run user specified programs on connect, etc.
------------------------------------------------------
  BAD -- tell it to run xterm on connect -> root shell

note: running kppp as root also causes it to run with root
kde configuration and colors, which is durn ugly if root
has different color preferences than the current user.
Consider running it as group uucp or some such.

Comment 1 Bill Nottingham 1999-09-26 16:18:59 UTC
The default setup for kppp is to use consolehelper to require
the root password. If you have that, the fact that you can run
xterm is not really relevant.
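The mitigation in Comment 1 is that consolehelper asks for the root password before kppp runs as root, so what matters is whether the PAM auth stack for the helper really demands one. The script below is an added audit example, not code from the bug report or from Red Hat: it checks a PAM service file and a consolehelper app file, using constructed sample files (the module names and file layout are assumptions about a typical usermode/PAM setup, not the actual shipped configuration).

```shell
#!/bin/sh
# Added example: audit a consolehelper-wrapped program's PAM policy.
# If a non-root user can start kppp as root without a password, the
# "run program on connect" feature becomes a root shell; so the 'auth'
# stack must actually ask for one. Sample files below are constructed.

# Return 0 when the 'auth' stack never grants access unconditionally
# (pam_permit.so) and contains a password-asking module
# (pam_pwdb/pam_unix/pam_stack, assumed names). Comments are skipped.
pam_auth_requires_password() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 == "auth" {
            if ($3 ~ /pam_permit\.so$/) weak = 1
            if ($3 ~ /pam_(pwdb|unix|stack)\.so$/) pw = 1
        }
        END { exit (weak || !pw) ? 1 : 0 }
    ' "$1"
}

# Return 0 when the consolehelper app file runs the program as root.
consolehelper_runs_as_root() {
    grep -q '^USER=root$' "$1"
}

# Constructed sample files: one weak PAM policy, one that asks for a password.
tmp=$(mktemp -d)
cat > "$tmp/kppp.weak" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_permit.so
account    required     pam_permit.so
EOF
cat > "$tmp/kppp.ok" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_pwdb.so shadow nullok
account    required     pam_permit.so
EOF
printf 'USER=root\nPROGRAM=/usr/sbin/kppp\n' > "$tmp/kppp.app"

# audit_kppp PAMFILE APPFILE: returns 1 when the helper runs as root but
# the PAM policy would let any console user in without a password.
audit_kppp() {
    if consolehelper_runs_as_root "$2" && ! pam_auth_requires_password "$1"; then
        echo "WEAK: $1 lets any console user start kppp as root"; return 1
    fi
    echo "OK: $1 requires authentication before running as root"; return 0
}
```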