kppp doesn't need to run suid

Bug #1265301 reported by Cybjit
This bug affects 1 person
Affects: kppp; Status: Fix Released; Importance: Unknown
Affects: kppp (Ubuntu); Status: Fix Released; Importance: Undecided; Assigned to: Unassigned

Bug Description

Debian has removed the setuid bit, is there still a need to set this in Kubuntu?
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=709972

Changed in kppp:
status: Unknown → Fix Released
Harald Sitter (apachelogger) wrote :

Well, the Debian change doesn't really fix the problem as it were. kppp still needs to be able to launch pppd which it can't unless the user manually gets added to the 'dip' group or the application is su'd. That being said, perhaps the more appropriate approach would be to mandate kdesudo, which in turn means the user needs to be in the admin/sudo group (or the admin needs to twiddle sudoers accordingly), however since that is the case for the default user it ought to give a somewhat better default experience than simply not doing anything and a somewhat (not really) more secure approach than suiding.

At the end of the day we get a shitty experience no matter what -.-

Harald Sitter (apachelogger) wrote :

Ohm, for some reason what Debian implemented is what we already had. I am confused now ...

Harald Sitter (apachelogger) wrote :

ah, nevermind

debian/rules:
     chown root:dialout debian/kppp/usr/bin/kppp && \
     chmod 4754 debian/kppp/usr/bin/kppp; \

Harald Sitter (apachelogger) wrote :

Perhaps the best option actually would be to manually craft a group management system.

e.g. main.cpp:
- check if user is in dialout/dip
- if not, present dialog allowing the user to add themselves to dialout/dip
- polkit helper adds user to dialout/dip
- restart to apply group change

while that is a rather excessive approach it gives the best solution, you do not need to sudo/suid kppp at all, the user gets informed that stuff won't work and gets an option to fix this
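An added example, not part of the thread and not kppp code: the first and last steps of the flow proposed above (the membership check and the reason a restart is needed), done without any privilege. It compares the groups the account database lists for the user with the groups the running process actually holds, since a newly added group only takes effect in a new session. The function names are hypothetical and Linux/glibc `getgrouplist()` behaviour is assumed.

```cpp
// Added example, not kppp code. Assumes Linux/glibc; all names are hypothetical.
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <algorithm>
#include <vector>

enum class Access { Ready, NeedsRelogin, NotMember };

// Pure decision. `db`: groups the account database lists for the user;
// `live`: groups the running process holds (fixed when the session started).
Access classify(gid_t wanted, const std::vector<gid_t>& db,
                const std::vector<gid_t>& live) {
    auto has = [wanted](const std::vector<gid_t>& v) {
        return std::find(v.begin(), v.end(), wanted) != v.end();
    };
    if (has(live)) return Access::Ready;
    return has(db) ? Access::NeedsRelogin : Access::NotMember;
}

// Groups recorded for `user` in /etc/group or another NSS source.
std::vector<gid_t> databaseGroups(const char* user, gid_t primary) {
    int n = 32;
    std::vector<gid_t> g(n);
    if (getgrouplist(user, primary, g.data(), &n) == -1) {
        g.resize(n);  // glibc stored the required count in n
        if (getgrouplist(user, primary, g.data(), &n) == -1) return {};
    }
    g.resize(n);
    return g;
}

// Supplementary groups of this process plus its effective gid.
std::vector<gid_t> liveGroups() {
    int n = getgroups(0, nullptr);
    std::vector<gid_t> g(n > 0 ? n : 0);
    if (n > 0 && getgroups(n, g.data()) < 0) g.clear();
    g.push_back(getegid());  // getgroups() may omit the effective gid
    return g;
}

// A group that does not exist on the system is reported as NotMember.
Access checkDialGroup(const char* name) {
    const struct group* gr = getgrnam(name);
    if (!gr) return Access::NotMember;
    const gid_t wanted = gr->gr_gid;  // copy before further NSS calls
    const struct passwd* pw = getpwuid(getuid());
    if (!pw) return classify(wanted, {}, liveGroups());
    return classify(wanted, databaseGroups(pw->pw_name, pw->pw_gid), liveGroups());
}
```

`checkDialGroup("dip")` returning `NeedsRelogin` is the case the "restart to apply group change" step covers: the database already lists the user, but the current session predates the change.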

Harald Sitter (apachelogger) wrote :

on my previous comment... perhaps that magic handling is something that should be done upstream to begin with... allowing all distros to use the magic

Harald Sitter (apachelogger) wrote :

More random nonsense... upstream intended suid to be set.

CMakeLists.txt
MESSAGE(STATUS "Warning: kppp use setuid")
install(TARGETS kppp PERMISSIONS SETUID OWNER_EXECUTE OWNER_WRITE OWNER_READ GROUP_EXECUTE GROUP_READ WORLD_EXECUTE WORLD_READ DESTINATION ${BIN_INSTALL_DIR} )

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kppp - 4:4.12.0-0ubuntu2

---------------
kppp (4:4.12.0-0ubuntu2) trusty; urgency=low

  * Add back kdenetwork changelog entries for book keeping purposes.
  * Drop suid bit on kppp and change chown'ed group to dip rather than
    dialout. This realigns the binary permissions with Debian, if it
    turns out to be broken, Debian may be blamed as there appears to be
    no one who actually can test whether this is working as intended.
    LP: #1265301
 -- Harald Sitter <email address hidden> Thu, 02 Jan 2014 13:37:52 +0100

Changed in kppp (Ubuntu):
status: New → Fix Released