Problem? solution?
Authored by: el bid on May 10, '02 11:36:06AM

I'm not convinced this really is a problem, because if someone who shouldn't be there is in your system as root (as they'd need to be to see this) you are already in deep trouble.

Generically (which is a nice way of saying I'm not sure how this might work on the Mac) the solution to the particular problem of showing that info as command line params to pppd is not to put the info there in the first place.

I.e., instead of calling pppd with the explicit details on the command line, put the details into a peers script (/etc/ppp/peers/MyISP, say) and call this from the command line with "pppd call MyISP". If you do this, all that ps will show will be just that line.

I haven't investigated to what extent the Aqua interface to pppd allows you to do this. But if it's too restrictive to allow you to make these changes, to hell with it. The ideal solution is to stop doing pppd from your Mac; do it from a Coyote Linux router (http://www.coyotelinux.com) instead. This is essentially the cheapest old 486 PC you can find ($50 tops) with a working floppy, a serial port, an Ethernet card, 16 MB of RAM and no hard drive, plus the free (freely downloadable, and Stallmanishly free) Coyote router software, which fits on a floppy.

The huge advantage of this, I've found, isn't just that you can network multiple machines to the same pppd connection; it's that every machine you connect, whether it's a Mac, a Linux box, a wireless access point or (heaven forfend) a Windows nuisance, only need know the address of the Coyote router and the DNS resolver addresses of your ISP to make the connection.

--
el bid



Problem? solution?
Authored by: wngdn on May 10, '02 11:49:03AM
"I'm not convinced this really is a problem, because if someone who shouldn't be there is in your system as root (as they'd need to be to see this) you are already in deep trouble."

They don't need to be root to see it; they just need to be logged in as any user. (I tested this just now.)

If a remote hole is discovered which gives an attacker access as any user, then once in they can see your PPP username, password, and dialup phone number. Yeah, it's not your credit card number and it's not root access, but it's still bad.

Cheers,

Wangden

Definitely a problem
Authored by: see on May 10, '02 01:47:24PM

Any user on an OS X system, legal or not, can access this information; you don't need any kind of administrative privileges:
---------
see@immortelle:/var> ls -alF
total 24
drwxr-xr-x 20 root wheel 636 Jan 3 1970 ./
drwxr-xr-x 15 root wheel 466 Jan 3 1970 db/
---------
see@immortelle:/var/db/SystemConfiguration> ls -alF
total 80
drwxr-xr-x 4 root wheel 264 Jan 3 1970 ./
-rw-r--r-- 1 root wheel 34707 May 4 18:45 preferences.xml
---------
So it's definitely a problem in any setting where you have several users.



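A check for the two exposures described in the comments above (credentials passed as pppd arguments and therefore listed by ps, and a configuration file readable by every local user), as an added example that is not part of the original thread. The `user` and `password` option names are those of the stock pppd manual; the function names and the sample process listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit for pppd credentials visible to unprivileged users.

# Constructed sample in "PID USER ARGS" form (not captured from a real host).
SAMPLE_PS='  312 root /usr/sbin/pppd /dev/tty.modem 115200 user jdoe password EXAMPLE-SECRET
  340 root /usr/sbin/pppd call MyISP
  355 jdoe vi notes-about-pppd-password.txt'

# Read a process listing on stdin and print "PID option" for every pppd
# process that carries a credential option on its command line.
# The option's value is deliberately never printed.
leaky_pppd() {
    awk '
    {
        n = split($3, path, "/")            # basename of the executable
        if (path[n] != "pppd") next         # ignore everything but pppd
        for (i = 4; i < NF; i++)            # an option must have a value after it
            if ($i == "user" || $i == "password") {
                print $1, $i
                i++                         # skip the value itself
            }
    }'
}

# Succeed if the file's mode grants read access to "other",
# i.e. to any account that can log in.
world_readable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c8)" = "r" ]
}

# Demonstration on the constructed listing: only PID 312 is reported,
# the "pppd call MyISP" process exposes nothing.
printf '%s\n' "$SAMPLE_PS" | leaky_pppd

# On a live system (run as an ordinary user, which is the point):
#   ps -A -o pid,user,args | leaky_pppd
#   world_readable /var/db/SystemConfiguration/preferences.xml && echo exposed
```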
Problem? solution?
Authored by: capmikee on Aug 08, '04 12:17:58PM

On my 10.2.8 system with all the security patches, my password is encrypted in the preferences.xml file, and in the command line it shows up as ******. So I guess this problem has been fixed.

I managed to use the advice in this topic to connect from the command line, but I had to make my options file readable only by root, which means I have to connect as root. Is it possible to connect as any user and still keep the password hidden? I'm interested in the peers script idea, but I don't know how to write one.


