COMMAND

    debian pppd chatscript

SYSTEMS AFFECTED

    Debian Linux

PROBLEM

    Stephen Hardman posted  following.  This  is a bit  old, but still
    present.  The default logfile (/var/log/ppp.log) is world readable
    by default.

    --- extract from /var/log/ppp.log ---

    Dec 14 16:43:14 gateway chat[362]: ^Mlogin -- got it
    Dec 14 16:43:14 gateway chat[362]: send (loginname^M)
    Dec 14 16:43:15 gateway chat[362]: expect (word)
    Dec 14 16:43:15 gateway chat[362]: : loginname^M
    Dec 14 16:43:15 gateway chat[362]: Password -- got it
    Dec 14 16:43:15 gateway chat[362]: send (MyPassWoRd^M)

    --- end extract ---

    So it seems  it is not  hiding the sent  password as it  should do
    when the password is preceeded  by \q in /etc/ppp.chatscript.   \q
    suppress writing the string to the SYSLOG file. The string  ??????
    is written to the log in its place.  (not valid in expect.)   This
    was tested under following verions:

    ii  ppp             2.2.0f-23      Point-to-Point Protocol (PPP) daemon
    pppd version 2.2 patch level 0
    Debian 1.3

SOLUTION

    There was a  bug in one  of the Debian  packages with the  example
    chatscript.  The  error  was  that  there  was  a  line  like  the
    following:

        assword:                \qPaSsWoRd\q

    Since \q is a toggle, the second \q toggles the do-no-display flag
    and the password is faithfully  echoed to the syslog so  it's easy
    to make error in your script.