Re: pptp mppe as other than root?

From: Tauno Voipio (tauno.voipio_at_iki.fi.NOSPAM.invalid)
Date: 09/17/04


Date: Fri, 17 Sep 2004 06:55:59 GMT

stephen wrote:
> Finally! after much dickering around, swatting, and so on, I've managed to
> connect to my employer's windows vpn and access my work files. But I have
> to do it as root.
>
> I don't like that. I work for a software shop and there are some very
> smart people (yes there are some smart windows geeks) with idle evenings
> who love to poke around. As the first linux user in our company to do
> this, I'm going to be a target. I prefer that if someone pokes into my box
> that they poke into some place that does not have root access to the rest
> of my life. They can poke into my work stuff - fine! They know it all
> anyway since it's all in the abysmal VSS. But I want to be fairly sure
> that they'll get 'access denied' to any other area of my personal life.
>
> Ideally I could put all the vpn components under a group that does not
> have access.
>
> Can I do that? I've looked through the docs at
> http://pptpclient.sourceforge.net/ and I've googled my fingers sore, but
> all I see is stuff like "Solution: you have to be root".
>
> Say it isn't so or say that I'm just being silly and that I'm in some
> magically way protected from intrusions.
>

There are too few details to give meaningful advice.

Please describe the connection and printouts from:

   ifconfig -a
   route -n

taken when the tunnel is up. If you like, you can
obscure the top part of public IP addresses. If the
internal networks use RFC 1918 addresses (10.x.y.z,
172.16.x.y-172.31.x.y, 192.168.x.y), please do not
obscure them.

Do you use Samba to access the Windows files?

The VPN is just a network connection. In Linux, building
and ripping network connections is considered to be such
tasks that they should be limited to root only. This does
not mean that the connections should be used as root only.
This means that the tunnel should be started as root and
log in as a normal user for using the tunnel.

There are plenty of different ways to build a VPN
tunnel, so details are also needed here (PPTP?).

You should be able to armour your system against intrusions
from the company network in the same way as it has to be
done for Internet connections. You do have a firewall in
place, don't you?

There are reports that the average break-in time to an
unprotected WinXP computer is 20 minutes, if the computer
is connected to a broadband connection. We have practical
experience - a freshly installed Windows 2000 workstation
was broken into before it had time to get all the Microsoft
patches needed to protect it (pretty near the reported
average time: 17 minutes).

HTH

Tauno Voipio
tauno voipio (at) iki fi

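A worked illustration of the advice above (start the tunnel as root, use it as an ordinary user, and firewall the VPN link exactly like an Internet link), added here and not part of the thread: a POSIX shell script that generates iptables rules for the tunnel interface. It assumes the interface name ppp0 (what pppd normally assigns), a constructed office range 10.0.0.0/8 reached through the tunnel, and SMB/CIFS for the file shares; the rules are only printed, so root can review them before applying.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a default-deny rule set for a
# PPTP tunnel interface: inbound from the office network only for replies to
# our own connections, outbound only SMB/CIFS and ping to the office range.
# Assumed names: interface ppp0, office network 10.0.0.0/8 (constructed).

# Accept only RFC 1918 ranges for the office network so that a typo cannot
# open the outbound rules towards a public address block.
is_rfc1918() {
    case "$1" in
        10.*)                                  return 0 ;;
        192.168.*)                             return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *)                                     return 1 ;;
    esac
}

# Print the iptables commands for tunnel interface $1 and office network $2.
vpn_fw_rules() {
    ifc="$1"
    worknet="$2"
    is_rfc1918 "$worknet" || { echo "refusing non-RFC1918 range: $worknet" >&2; return 1; }
    cat <<EOF
iptables -N VPN_IN
iptables -N VPN_OUT
iptables -A INPUT -i $ifc -j VPN_IN
iptables -A OUTPUT -o $ifc -j VPN_OUT
iptables -A VPN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A VPN_IN -j LOG --log-prefix "vpn-in-drop: "
iptables -A VPN_IN -j DROP
iptables -A VPN_OUT -d $worknet -p tcp --dport 445 -j ACCEPT
iptables -A VPN_OUT -d $worknet -p tcp --dport 139 -j ACCEPT
iptables -A VPN_OUT -d $worknet -p udp --dport 137:138 -j ACCEPT
iptables -A VPN_OUT -d $worknet -p icmp -j ACCEPT
iptables -A VPN_OUT -j LOG --log-prefix "vpn-out-drop: "
iptables -A VPN_OUT -j DROP
EOF
}

# Usage: sh vpnfw.sh ppp0 10.0.0.0/8 | sudo sh   (review the output first;
# the tunnel itself is still brought up by root, e.g. with pon/pppd, while
# the Samba mounts are used from the unprivileged account).
if [ $# -eq 2 ]; then
    vpn_fw_rules "$1" "$2"
fi
```

The LOG rules give the dropped-packet trail to watch in syslog if someone on the office network does start poking at the tunnel end.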