Re: NetworkManager pptp



Dan Williams wrote:

But in your case, the pppd-vpn-service daemon could just do whatever it
does to start the connection, but provide a dbus service that when
called, returns the password and username.  The pppd plugin would then
call this dbus service and request the pass & user.

That is precisely what I intend and started implementing it. I just wanted to fix the strange and 'intermittent' segfault before
adding any more complexity.

I only hesitated when naming the dbus service.

There are some things to think hard about here though, namely the
security of it.  If you have a daemon providing a dbus service, unless
you lock it down anyone can call its methods.  So you'd have to make
sure that you lock down the dbus policy for the service-daemon pretty
tight.  If you restrict it to just 'root'/uid 0, any root app could ask
for the user and password.  But then again, any 'root' app can do
horrible things to your system anyway.  So this might be an acceptable
course of action.
I imagined that root access would be sufficient in this case too. I suppose
the only other way is for the vpn-daemon to pass some secret cookie to the
pppd on start up that the plugin then uses when asking for the user/pass later
but that too would open all kinds of security holes I suppose.

Anyway... A root process could overwrite the pppd plugin in /usr/lib with
something malicious so I can't see any possible gain. Just as a root process could overwrite the vpnc binary with a script which 'tee's the standard input to a file :-)

Ideally this could be solved upstream in pppd.  But at some point you
simply do best-effort to hide the username & password from view, keep
investigating how to do it better, and fix it a bit later.
Exactly.  "Just works" not "Will at some future time just work" right :-)

tOnY
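As an added illustration of the lock-down Dan describes (this is not code from the thread or from NetworkManager, and the bus name org.example.PppdVpnService is a placeholder since the service was never named here): a D-Bus system-bus policy file, e.g. /etc/dbus-1/system.d/org.example.PppdVpnService.conf, that lets only uid 0 own the credential service and call its methods, with everyone else explicitly denied.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Hypothetical bus name for the pppd-vpn-service credential daemon. -->

  <!-- root (uid 0) may claim the name and talk to it: this is the
       pppd plugin and the service daemon themselves, both run as root. -->
  <policy user="root">
    <allow own="org.example.PppdVpnService"/>
    <allow send_destination="org.example.PppdVpnService"/>
    <allow receive_sender="org.example.PppdVpnService"/>
  </policy>

  <!-- Everyone else: may neither claim the name nor send to it, so an
       unprivileged process cannot call the method that returns the
       username and password.  Stated explicitly so the restriction does
       not depend on whatever the bus's built-in defaults happen to be. -->
  <policy context="default">
    <deny own="org.example.PppdVpnService"/>
    <deny send_destination="org.example.PppdVpnService"/>
  </policy>

</busconfig>
```

The bus daemon enforces this before a call ever reaches the service, which is the property that matters: the daemon handing out the password never sees a request from a non-root sender. As a second check inside the service, the handler can ask the bus for the caller's uid with org.freedesktop.DBus.GetConnectionUnixUser on the sender's unique name and refuse anything other than 0, so a mistake in the policy file fails closed rather than open.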


