121 Commits

Author SHA1 Message Date
Eivind Næss
2883dd0710 Use autoconf/automake to configure and make ppp
This change brings in autoconf/automake scripts to configure the ppp project. Current change doesn't eliminate the previous build system, but the new script autogen.sh will overwrite configure, and generate the basic Makefile.in and Makefile files.

Features can now be enabled by command line:

  * Microsoft Extensions,
    - MSCHAP
    - MPPE
    - MS LAN Manager support
  * IPXCP protocol
  * CBCP protocol
  * PAM support
  * EAP-TLS support
  * EAP-SRP support
  * Max session lifetime by byte count
  * Plugins
  * Packet activity filter support
  * Multilink
  * IPv6 support

Control linkage with
  * OpenSSL (-lssl -lcrypto)
  * systemd (-lsystemd)
  * libatm (-latm)
  * libsrp (-lsrp)
  * pam (-lpam)

Also, the configure script is made sensitive to features of OpenSSL, like the presence or absence of DES, SHA, MD4 and MD5 crypto support. In the cases where either of these are missing, the support will be directly compiled into pppd and plugins.

In addition, package maintainers can now control the installation paths with standard --prefix=, or --localstatedir=, or --sysconfdir= to configure. On top of that, they can now control the following directories:
  * runtime directory w/--with-runtime-dir
  * logfile directory w/--with-logfile-dir
  * plugin directory w/--with-plugin-dir

In the case where automake isn't the right solution, namely: SunOS kernel module build, the original Makefile infrastructure is preserved and reused.

Care was taken to only cosmetically touchup the source files in this change. This means:
  * Insert HAVE_CONFIG_H and include config.h in all .c files.
  * Change HAS_SHADOW to HAVE_SHADOW_H
  * Change HAVE_LOGWTMP to HAVE_UTMP_H
  * Introduce HAVE_CRYPT_H into the source code where appropriate
  * Added ifdef MPPE where appropriate
  * USE_SRP required a few changes as it didn't compile
  * Touchup some compile warnings in pppstats directory on SunOS

Introduced a new pppdconf.h file that exports the appropriate defines to a module that wants to provide a module that pppd can dynamically load. This will define/undef features like MPPE, CHAPMS such that the project doesn't have to guess what features pppd is compiled with.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
2021-07-20 08:24:08 -07:00
Samuel Thibault
861202529f pppd: Export $CALL_FILE to the link scripts (#196)
From https://bugs.debian.org/51880

“
This would make it much easier for me, and cleaner too, to handle
multiple, mutually exclusive, dialout internet service providers.
”

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

Co-authored-by: Marco d'Itri <md@linux.it>
2020-12-31 15:50:46 +11:00
Russell Coker
7afd9fdfe0 Add option to specify ip-up script
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=101587

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
2020-12-30 11:42:17 +01:00
Paul Mackerras
75870d7b55 Convert to ANSI C
This gets rid of the __P and __V macros that were used so that the
code was in theory compilable by a K&R C compiler, and converts the
function definitions to ANSI C style.  In fact there were already
quite a few function definitions in the ANSI C style, so it would not
have been compilable by a K&R C compiler in fact.

The Solaris and BSD kernel code modules have had __P removed but the
function definitions have not been converted.

There are some other minor changes here to remove warnings.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
2020-12-29 16:08:24 +11:00
Lars Wendler
6b014be066 pppd: Print version information to stdout instead of stderr (#133)
This makes it easier for scripts to parse the output if necessary

Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
2020-03-21 17:42:47 +11:00
Paul Mackerras
ae54fcfade pppd: Obfuscate password argument string
After processing the argument to the 'password' option, this
overwrites the original argument on the stack with '?' characters,
and for good measure makes the argument pointer point to a constant
string "********" so as not to reveal the length of the password.
This is so that tools such as ps don't show the actual password
when displaying the process arguments.  Nevertheless, it is still
better to get the password from a file, since there is inevitably
still a window of time when the password would be visible.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
2020-03-21 15:13:42 +11:00
Paul Mackerras
c10c3c7cb3 pppd: Make sure word read from options file is null-terminated
If a word read from an options file was longer than MAXWORDLEN,
we could pass it to option_error() without null termination,
which could have led to an out-of-bounds access in vslprintf.
Make sure word[] is null terminated in all cases.

Reported-by: Florian Kohnhäuser <florian@kohnhaeuser.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
2019-12-30 09:32:18 +11:00
Kurt Van Dijck
d8e8d7a74b pppd: Remove unused rcsid variables
Signed-off-by: Kurt Van Dijck <dev.kurt@vandijck-laurijssen.be>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
2019-10-02 08:47:40 +10:00
Paul Mackerras
292c35d97e pppd: Fix compile warning due to comparing pointer to NUL character
Evidently this means to check for arg pointing to an empty string,
not arg being NULL, since the ensuing error talks about the variable
name being missing.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
2018-06-23 16:40:27 +10:00
Vegard Nossum
3b409a8e29 pppd: Fix printing call in print_option()
print_option() was in this case passing p/opt->addr2 as the format string
instead of the string to be printed (as a quoted string). That could lead
to a nasty crash.

Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
2018-06-23 14:42:50 +10:00
Jacob Floyd
d34159f417 Use systemd's sd_notify with option up_sdnotify
This adds an up_sdnotify option so that systemd services of
Type=notify can have pppd send the READY=1 signal to systemd
once a network protocol (typically IP) is up.

To use up_sdnotify, pppd must be compiled with SYSTEMD=y.

up_sdnotify is safe as a non-privileged option because systemd will
ignore any notifications that it is not expecting. If systemd starts
pppd in a unit-file that is Type=notify, then (and only then) will it
handle the READY=1 signal. If systemd didn't start the process, it
ignores any notifications unless the signaling process was started by a
service that systemd is monitoring (directly or indirectly, such as a
grandchild process in the same cgroup as a process that systemd started)
AND that service is Type=notify, AND that service is explicitly
configured to allow other processes to send a notification on behalf of
that service by setting NotifyAccess=all.

Also, the socket used is defined in an environment variable provided and
deleted by systemd, allowing system and user services to use a different
socket. I really don't think there's any way to use that socket (even via
the sd_notify api of their library) to gain elevated privileges.

Another reason that up_sdnotify is a non-privileged option is for cases
where ppp should be started as a system service under a non-privileged
account. There may be other issues with running ppp under other
accounts, but systemd does not require root--or other privileged--access
in order to use the notification feature. Instead the security for this
feature is provided at the process level in that systemd knows which
processes it did and did not start, and which processes those processes
started (i.e. other processes in the systemd unit's cgroup), as explained
above.

Signed-off-by: Jacob Floyd <cognifloyd@gmail.com>
2018-02-27 13:22:23 -06:00
Paul Mackerras
bbcdc4366b pppd: allow use of arbitrary interface names
This is a modified version of a patch from openSUSE that enables PPP interfaces
to be called arbitrary names, rather than simply pppX where X is the unit
number.

The modifications from the stock openSUSE patch are:
- refresh patch on top of 018_ip-up_option.diff
- fix a printf format-string vulnerability in pppd/main.c:set_ifunit()
- clarify the pppd.8 manpage additions
- patch pppstats/pppstats.c to query renamed interfaces without complaint

Origin: SUSE
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458646
Forwarded: no
Reviewed-by: Chris Boot <bootc@debian.org>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
2016-08-23 16:10:21 +10:00
Paul Mackerras
3a5c9a8fbc Merge branch 'master' of https://github.com/ncopa/ppp
This merges in one commit, which adds the new "defaultroute-metric" option.

Signed-off-by: Paul Mackerras <paulus@samba.org>
2015-08-14 20:13:41 +10:00
Natanael Copa
35e5a569c9 pppd: add support for defaultroute-metric option
This allows user to specify the 'metric' (or 'prio') for the default
route set by pppd. This is useful in multi-ISP setups where there
might be more than one default gateway.

Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
2014-08-15 07:26:16 +00:00
Paul Mackerras
b94b7fbbaa pppd: Eliminate memory leak with multiple instances of a string option
This eliminates the memory leak which occurs when a user gives the
same string option multiple times.  Although the leak is trivial under
normal conditions, the fact that it can be triggered by the user
means that it may be of interest to attackers, so let's plug the leak.

This also means that any o_string option without OPT_STATIC set needs
to have opt->addr pointing to a pointer which starts out NULL.  That
is the case for all current uses of o_string.

Signed-off-by: Paul Mackerras <paulus@samba.org>
2014-08-01 21:36:51 +10:00
Paul Mackerras
7658e82571 pppd: Eliminate potential integer overflow in option parsing
When we are reading in a word from an options file, we maintain a count
of the length we have seen so far in 'len', which is an int.  When len
exceeds MAXWORDLEN - 1 (i.e. 1023) we cease storing characters in the
buffer but we continue to increment len.  Since len is an int, it will
wrap around to -2147483648 after it reaches 2147483647.  At that point
our test of (len < MAXWORDLEN-1) will succeed and we will start writing
characters to memory again.

This may enable an attacker to overwrite the heap and thereby corrupt
security-relevant variables.  For this reason it has been assigned a
CVE identifier, CVE-2014-3158.

This fixes the bug by ceasing to increment len once it reaches MAXWORDLEN.

Reported-by: Lee Campbell <leecam@google.com>
Signed-off-by: Paul Mackerras <paulus@samba.org>
2014-08-01 21:36:48 +10:00
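The counter wrap described in 7658e82571, together with the missing terminator fixed in c10c3c7cb3, as an added example (a simplified model, not pppd's code). Assumptions: count_t is a 16-bit stand-in for the int counter so the wrap shows after 32768 characters instead of 2^31, and read_word, struct result and the hardened flag are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXWORDLEN 1024            /* from the commit message: MAXWORDLEN - 1 == 1023 */
typedef int16_t count_t;           /* assumption: 16-bit stand-in for pppd's int 'len' */

struct result {
    long stored;      /* characters placed inside word[] */
    long bad_index;   /* first out-of-range index the loop would write, 0 if none */
    int  terminated;  /* 1 if word[] holds a NUL when an error path would print it */
};

/* Feed n constructed characters through the length-counting loop.
 * hardened == 0: counter keeps incrementing, no NUL on overlong words.
 * hardened == 1: counter saturates at MAXWORDLEN, word[] always terminated. */
struct result read_word(long n, int hardened)
{
    char word[MAXWORDLEN];
    struct result r = {0, 0, 0};
    count_t len = 0;

    memset(word, 'X', sizeof word);          /* stands in for stale stack contents */
    for (long i = 0; i < n; i++) {
        if (len < MAXWORDLEN - 1) {
            if (len >= 0) {
                word[len] = 'a';
                r.stored++;
            } else if (r.bad_index == 0) {
                r.bad_index = len;           /* record, do not perform, the stray write */
            }
        }
        if (!hardened)
            len = (count_t)(len + 1);        /* wraps negative after 32767 on gcc/clang */
        else if (len < MAXWORDLEN)
            len++;                           /* stop counting once the word is too long */
    }
    if (hardened)
        word[len < MAXWORDLEN ? len : MAXWORDLEN - 1] = '\0';
    else if (len >= 0 && len < MAXWORDLEN)
        word[len] = '\0';                    /* overlong word is left unterminated */
    r.terminated = memchr(word, '\0', sizeof word) != NULL;
    return r;
}

int main(void)
{
    long sizes[] = {10, 2000, 40000};
    for (int h = 0; h <= 1; h++)
        for (int i = 0; i < 3; i++) {
            struct result r = read_word(sizes[i], h);
            printf("hardened=%d n=%ld stored=%ld bad_index=%ld terminated=%d\n",
                   h, sizes[i], r.stored, r.bad_index, r.terminated);
        }
    return 0;
}
```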
Paul Mackerras
398ed25856 pppd: Add master_detach option
This adds a new option, master_detach, to allow pppd to detach from
the controlling terminal when it is the multilink bundle master but
its own link has terminated, even if the nodetach option has been
given.

Requested-by: Stephen Marron <sfm@boxfusion.net>
Signed-off-by: Paul Mackerras <paulus@samba.org>
2013-03-02 20:25:28 +11:00
James Carlson
3089132cdf Fix quote handling in configuration files to be more like shell quoting.
The specific case that confused a user was:
	ROUTES="216.220.192.0/20 10.0.100.0/24"
which was interpreted as two separate words, merely because the first quote
mark was in the middle of a word.
2010-08-23 10:03:07 -04:00
James Carlson
2b6310fd24 Add set and reset options to control environment variables for scripts. 2010-08-23 09:59:56 -04:00
Paul Mackerras
8f09b151a3 Make pppd use blank username/password when explicitly specified
Patch from Jon Dubovsky.

Previously pppd would use its default strategies for working out a
username and password/secret to use if the user gave the empty string
to the user and/or password options.  Now we set a flag when an
explicit username is given, and don't do the default username
calculation if the flag is set.  Similarly for the password.
2008-06-15 06:53:06 +00:00
Paul Mackerras
24e466be14 Rewrite some code to avoid a type-punned pointer warning. 2008-06-03 12:07:13 +00:00
Paul Mackerras
3d05bed743 Restore original EUID rather than 0 during option processing.
When dropping and regaining privileges during option processing,
the seteuid to regain privileges is now the original EUID rather
than a constant zero.  This means that `pppd --version' run without
root privilege prints the version number and exits rather than
giving an "unable to regain privileges" error.
2006-06-18 11:26:00 +00:00
Paul Mackerras
bf69479845 Check the result of seteuid(), just to be paranoid. 2006-06-04 07:04:57 +00:00
Paul Mackerras
b53fa92729 Change DLT_PPP_WITHDIRECTION to DLT_PPP_PPPD since that seems
to be what libpcap has finally settled on.
2005-07-13 12:31:36 +00:00
Paul Mackerras
0b6b481854 Fix the return value from setpassfilter and setactivefilter - it
should be 1 if the value was OK or 0 if it wasn't.
2005-07-09 04:58:36 +00:00
Paul Mackerras
781f954217 DLT_PPP_WITH_DIRECTION should be DLT_PPP_WITHDIRECTION.
Thanks to Stefan Petersen for pointing this out.
2004-12-31 06:19:27 +00:00
Paul Mackerras
298bda129d Arrange for holdoff_specified to be set if the holdoff option
is used; make child-timeout option use OPT_PRIO.
2004-11-09 22:33:35 +00:00
Paul Mackerras
36e867a96f Add a timeout when waiting for child processes to exit before pppd
exits.  Send a SIGTERM to the child processes if the timeout expires
or if pppd gets a SIGTERM or SIGINT itself.
2004-11-04 09:46:50 +00:00
Paul Mackerras
6794beb707 Make the filtering stuff work with recent versions of libpcap. 2004-10-28 00:15:08 +00:00
Paul Mackerras
739c7d957d Invoke options.ttyxx even if the dev directory isn't at the root
(e.g. if the tty device is /ram1/dev/ttyS0).  Patch sent in by
Marco d'Itri.
2004-01-13 04:02:07 +00:00
Paul Mackerras
cb67581446 A bunch of fixes mostly aimed at fixing the problems we have been
having with leaking fds and with fatal errors occurring when the link
goes down.
Updated patchlevel.h to 2.4.2b2.
Moved open of /dev/ppp to generic_establish_ppp; we now close the
ppp_dev_fd in generic_disestablish_ppp rather than trying to use
PPPIOCDETACH.
*_send_config and *_recv_config now return 0 for success or -1 for
error, rather than calling fatal() when an error occurs.
Added a notifier for when we fork so plugins can close their fds in
the child.
Added a safe_fork() which does a fork and then closes stuff in the
child; the parent waits until the child has done that.
On detach, the parent rewrites the pid files rather than the child,
and the child waits for the parent to die.
Fixed some potential FILE * leaks.
Also moved auth_number() check into auth_check_options.
2003-03-03 05:11:46 +00:00
Paul Mackerras
f53a48eb9d Update copyrights. The new CMU copyright notice is from CMU and now
explicitly allows modifications.  I have an acknowledgement from ANU
that the work I have done on pppd belongs to me and not to ANU, so I
have changed the ANU copyright notices to reflect this.  I have emails
from Pedro Roque Marques, Tommi Komulainen and Eric Rosenquist giving
me permission to change their copyright notices to be similar to the
CMU notice.
2002-12-04 23:03:33 +00:00
Frank Cusack
aefcf5ac90 Set current_option for error reporting. Bug and fix by Clive Nicolson. 2002-10-27 13:00:13 +00:00
Frank Cusack
d192a0b4b5 Lose the poorly thought out OPT_A3OR option flag. Fix a CHAP negotiation bug
along the way -- if the peer nak'd with a chap digest we didn't support, we
would continue to offer our first choice digest.
2002-09-24 11:35:22 +00:00
Russell Coker
51dfbde005 Fix a SEGV on printing options error (previously a MTU of 65535 in the options
file would cause a SEGV).
2002-09-14 08:05:27 +00:00
James Carlson
fcec736c61 Added ability to detect and use either gcc or Sun WorkShop C compiler
on Solaris.  Added support for Solaris 10.  Quieted down warning in
ppp_comp.c due to bad preprocessor usage.  Quieted WorkShop warnings
in options.c (casting of void * to function) and pppd.h (constant too
large).  Tested in 32 and 64 bit modes with gcc and WorkShop.
2002-09-07 05:15:25 +00:00
David F. Skoll
63e139d8f7 Fixed typo in options.c so it compiles. 2002-07-18 15:25:04 +00:00
Alexandr D. Kanevskiy
b2f8595268 Experimental per session traffic limiting.
Useful for VPN with per megabyte billing.
(Works for me)
2002-07-13 06:24:36 +00:00
David F. Skoll
b38527fb14 First large MPPE patch from Frank Cusack. 2002-04-02 13:55:00 +00:00
David F. Skoll
c062322f9e Large patch from Frank Cusack <fcusack@fcusack.com> to add proper
support for MS-CHAP (client and server are now supported.)

Allow another plugin to select a different RADIUS server.

Modified radiusclient library to include two new APIs:
rc_acct_using_server and rc_auth_using_server in which caller specifies
which RADIUS servers to use, instead of using the default ones in the
config file.  The /etc/radiusclient/servers file must still contain
secrets for those servers.
2002-03-01 14:39:19 +00:00
Russell Coker
e635acbbac Stop it dumping random data to syslog on plugin version mismatch. 2002-01-11 18:11:51 +00:00
Paul Mackerras
e3c0701e74 remove oops message when a bool option has been turned off by other
logic; fix silly bug in options_from_list
2001-03-12 22:56:12 +00:00
Paul Mackerras
37a8acc7ee New options system with priorities for option values, with options
grouped into groups where necessary, so the command line overrides
the per-tty options file, plus the ability to print out the set of
options currently in effect.  Some options moved from lcp.c to tty.c.
2001-03-08 05:11:16 +00:00
Paul Mackerras
f7ee87797a Rework options processing stuff to implement option priorities
so the per-tty options file gets processed correctly.
Moved stuff out of options.c into other files (e.g. setipaddr)
2001-02-22 03:15:21 +00:00
Paul Mackerras
c7cc972ace Increase the size of the buffer for option error messages 2000-12-27 23:25:55 +00:00
Paul Mackerras
c65dfbde7e add stuff for packet filtering
remove IPV6 stuff because it was GPL'd
2000-08-01 01:38:30 +00:00
Paul Mackerras
52a17b6d41 Move the tty-related stuff out to tty.c as far as possible. 2000-06-30 04:54:23 +00:00
Adi Masputra
5b7a245572 Some tiny fixes (minor castings) to remove annoying compiler warnings 2000-04-15 01:27:13 +00:00
Paul Mackerras
3c0c031beb don't stop logging on detach if we use logfd or logfile option 2000-04-13 12:05:16 +00:00
Paul Mackerras
0b3acd3a11 Multilink support.
We now put details of each connection in a tdb database.
At present the values we put in the database are just
the same as the environment strings.
2000-04-04 07:06:53 +00:00