Re: NetworkManager pptp
- From: Antony J Mee <A J Mee ncl ac uk>
- To: Dan Williams <dcbw redhat com>
- Cc: networkmanager list <networkmanager-list gnome org>
- Subject: Re: NetworkManager pptp
- Date: Tue, 13 Dec 2005 18:12:35 +0000
Dan Williams wrote:
But in your case, the pppd-vpn-service daemon could just do whatever it
does to start the connection, but provide a dbus service that when
called, returns the password and username. The pppd plugin would then
call this dbus service and request the pass & user.
That is precisely what I intend and started implementing it.
I just wanted to fix the strange and 'intermittent' segfault before
adding anymore complexity.
I only hesitated when naming the dbus service.
There are some things to think hard about here though, namely the
security of it. If you have a daemon providing a dbus service, unless
you lock it down anyone can call its methods. So you'd have to make
sure that you lock down the dbus policy for the service-daemon pretty
tight. If you restrict it to just 'root'/uid 0, any root app could ask
for the user and password. But then again, any 'root' app can do
horrible things to your system anyway. So this might be an acceptable
course of action.
I imagined that root access would be sufficient in this case too. I
suppose
the only other way is for the vpn-daemon to pass some secret cookie to the
pppd on start up that the plugin then uses when asking for the user/pass
later
but that too would open all kinds of security holes I suppose.
Anyway... A root process could overwrite the pppd plugin in /usr/lib with
something malicious so I can't see any possible gain. Just as a root
process could
overwrite the vpnc binary with a script which 'tee' s the standard input
to a file :-)
Ideally this could be solved upstream in pppd. But at some point you
simply do best-effort to hide the username & password from view, keep
investigating how to do it better, and fix it a bit later.
Exactly. "Just works" not "Will at some future time just work" right :-)
tOnY
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]