Re: pptp mppe as other than root?

From: Tauno Voipio (tauno.voipio_at_iki.fi.NOSPAM.invalid)
Date: 09/18/04


Date: Sat, 18 Sep 2004 07:12:06 GMT

stephen wrote:
> On Fri, 17 Sep 2004 06:55:59 +0000, Tauno Voipio wrote:
>
> Thanks, Tauno. I've filled in below:
>
>
>>stephen wrote:
>>
>>>Finally! after much dickering around, swatting, and so on, I've managed to
>>>connect to my employer's windows vpn and access my work files. But I have
>>>to do it as root.
>>>
>>>I don't like that. I work for a software shop and there are some very
>>>smart people (yes there are some smart windows geeks) with idle evenings
>>>who love to poke around. As the first linux user in our company to do
>>>this, I'm going to be a target. I prefer that if someone pokes into my box
>>>that they poke into some place that does not have root access to the rest
>>>of my life. They can poke into my work stuff - fine! They know it all
>>>anyway since it's all in the abysmal VSS. But I want to be fairly sure
>>>that they'll get 'access denied' to any other area of my personal life.
>>>
>>>Ideally I could put all the vpn components under a group that does not
>>>have access.
>>>
>>>Can I do that? I've looked through the docs at
>>>http://pptpclient.sourceforge.net/ and I've googled my fingers sore, but
>>>all I see is stuff like "Solution: you have to be root".
>>>
>>>Say it isn't so or say that I'm just being silly and that I'm in some
>>>magically way protected from intrusions.
>>>
>>
>>There are too few details to give meaningful advice.
>>
>>Please describe the connection and printouts from:
>>
>> ifconfig -a
>
>
> eth0      Link encap:Ethernet  HWaddr xxx
>           inet addr:192.168.0.101  Bcast:192.168.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:1491 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:371 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:549984 (537.0 Kb)  TX bytes:33929 (33.1 Kb)
>           Interrupt:10 Base address:0x4000
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:2356 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:2356 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1794391 (1.7 Mb)  TX bytes:1794391 (1.7 Mb)
>
> ppp0      Link encap:Point-to-Point Protocol
>           inet addr:10.12.1.57  P-t-P:10.12.1.50  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1496  Metric:1
>           RX packets:9 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:114 (114.0 b)  TX bytes:126 (126.0 b)
>

Looks good.

>
>> route -n
>
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.12.1.50      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
> 10.12.0.0       0.0.0.0         255.255.0.0     U     0      0        0 ppp0
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
>

The connection to the company network goes inside the tunnel
(network 10.12.0.0/16).

>>
>>Do you use Samba to access the Windows files?
>
>
> Yes:
> # Samba config file created using SWAT
> # from 127.0.0.1 (127.0.0.1)
> # Date: 2004/09/15 18:29:08
>
> # Global parameters
> [global]
> workgroup = #HIDING COMPANY NAME
> log file = /var/log/samba/%m.log
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> domain logons = Yes
> dns proxy = No
> wins server = 10.12.0.11
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
>

Seems good.

>
> My current configuration requires me to mount as root.
>

Good. From security standpoint it's just right.
Your mount options should allow you to use the
mounts as a non-root user (man fstab).

> # ls -l /dev | grep ppp shows all listings like this:
>
> crw------- 1 root root 45, 128 Sep 15 2003 ippp0
>
> This crw is new to me!

It is the tunnel mouth for PPP to transfer the byte stream
to/from the company network.

The tunnel is a pseudo-interface (ppp0) taking IP packets,
encoding them in the PPP way and feeding them into ippp0.
The interface ippp0 wraps the internal network packets
and finally transfers them to the other tunnel end via
the Internet, using eth0. The other end of the tunnel
then does the reverse processing for the data.

The whole idea is to transport the internal network
packets in a plain brown wrapper via the public Net.

>
>>You should be able to armour your system against intrusions
>>from the company network in the same way as it has to be
>>done for Internet connections. You do have a firewall in
>>place, do you?
>
>
> My iptables are out-of-the-box Fedora Core 1. When I was
> experimenting I found that iptables on or off made no
> difference to the VPN connection. So the current configuration
> probably offers no protection. I have of course done some
> research into iptables, but don't understand them well enough to
> feel secure in this situation. I am working through a stack of
> books and enjoying it, but right now I'd like to meet my employment
> obligations without reinstalling windows.
>

To keep the connection attempts from the company network
out, drop all SYN packets from the 10.12.0.0/16 net. (I hope
that I recall the SMB protocol correctly.)

> Given an opportune moment, I suspect that a knowledgeable intruder could
> make root on my vpn-ed linux box in five minutes or less.
>

The VPN does not seem to make much of an extra threat. Please
check the services you have running.

   netstat -tupan

tells which network ports are up.

   ps -ef

tells all the processes.

If you have not yet done so, please read the Linux 2.4 Packet
Filtering HOWTO, from <http://www.netfilter.org/documentation/>.

If you have a Telnet server up, please close it NOW, and replace
it with SSH.

HTH

Tauno Voipio
tauno voipio (at) iki fi
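[Editor's note: the script below is an added example, not part of the thread and not from the pptpclient project. It turns Tauno's "drop all SYN packets from 10.12.0.0/16" advice into a small re-runnable iptables ruleset and goes one step further: instead of matching only TCP SYNs, it accepts replies to sessions the Linux box opened itself and drops every other packet that arrives off the tunnel interface, which also covers the UDP NetBIOS traffic (ports 137/138) that a SYN-only rule would let through. It also drops packets that carry a company-network source address but did not come in over the tunnel (spoofing). The interface name ppp0 and the network 10.12.0.0/16 are taken from stephen's ifconfig and route output; the file name vpn-firewall.sh, the chain name VPN-IN and the IPT override used for dry runs are assumptions made for this example.]

```shell
#!/bin/sh
# vpn-firewall.sh: added example, not from the thread. Restricts inbound
# traffic arriving through the PPTP tunnel. Interface and network are taken
# from the ifconfig/route output in the thread (ppp0, 10.12.0.0/16); override
# them via the environment if yours differ. IPT can be set to "echo iptables"
# to print the rules instead of applying them (applying needs root).
set -e

VPN_IF="${VPN_IF:-ppp0}"
VPN_NET="${VPN_NET:-10.12.0.0/16}"
IPT="${IPT:-iptables}"

apply_vpn_rules() {
    # (Re)create a dedicated chain so the rules can be reloaded without
    # disturbing the rest of the distribution's ruleset.
    $IPT -F VPN-IN 2>/dev/null || true
    $IPT -X VPN-IN 2>/dev/null || true
    $IPT -N VPN-IN

    # 1. Replies to sessions this box opened itself (SMB to the file server,
    #    WINS lookups, DNS) are the only inbound traffic the tunnel should carry.
    $IPT -A VPN-IN -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. Everything else arriving from the company network is unsolicited.
    #    Log it (rate limited, so a port scan cannot flood syslog) and drop it.
    #    This catches UDP as well (NetBIOS name service and datagrams, 137/138),
    #    which a rule matching only TCP SYNs would let through. LOG does not
    #    terminate rule traversal, so the DROP after it still applies.
    $IPT -A VPN-IN -m limit --limit 5/min -j LOG --log-prefix "VPN-IN drop: "
    $IPT -A VPN-IN -j DROP

    # 3. Hook the chain in at the head of INPUT for packets coming off the
    #    tunnel interface (delete any old copy first so the script is re-runnable).
    $IPT -D INPUT -i "$VPN_IF" -j VPN-IN 2>/dev/null || true
    $IPT -I INPUT 1 -i "$VPN_IF" -j VPN-IN

    # 4. Anti-spoofing: a packet with a company-network source address must
    #    only ever arrive via the tunnel, never via eth0.
    $IPT -D INPUT ! -i "$VPN_IF" -s "$VPN_NET" -j DROP 2>/dev/null || true
    $IPT -I INPUT 2 ! -i "$VPN_IF" -s "$VPN_NET" -j DROP
}

# Usage: sh vpn-firewall.sh apply                      (as root, tunnel up)
#        IPT="echo iptables" sh vpn-firewall.sh apply  (dry run, prints rules)
if [ "${1:-}" = "apply" ]; then
    apply_vpn_rules
fi
```

Run the dry-run form first and read the printed rules; then apply as root once the tunnel is up, and re-check with `iptables -L INPUT -n -v` that the VPN-IN jump sits above the distribution's own rules (rules are matched top to bottom, so the order in which the script inserts them is what makes the ACCEPT for established sessions take effect before the DROP). Outbound traffic from the box into the company network is deliberately left alone; the point is only that nothing on the company side can open a connection back.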