12 Security

At this stage, usernames and passwords are sent in clear-text. This means they are potentially vulnerable to sniffing. However, considering the gateway is the host dwun is almost certainly run on I don't see this as a real problem.

Dwun can happily run as a non-root user provided the following:

• it is able to run the command to connect. This may involve making the pppd binary setuid root and giving the user access to the serial port. It may be better to use something like sudo to restrict the arguments and environment of pppd.
• it can read its rcfile5.
• it can read/write the authfile5.
• it can write to its pidfile5.
• it can write to its logfiles (if used).

If you wish to chroot dwun, this will be more difficult. You must place the pppd binary, plus anything needed by the dialup scripts, such as ip-up, ip-down, /bin/sh, ping plus any libraries that are needed. You can avoid having to include syslog in the chroot jail by setting dwun to log to a file. The modem serial device and null (/dev/null) must be present in the chrooted /dev.