LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/PPP-HOWTO/root.html

277 lines
5.1 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>Using PPP and root privileges</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.52"><LINK
REL="HOME"
TITLE="Linux PPP HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="The /etc/host.conf file"
HREF="x892.html"><LINK
REL="NEXT"
TITLE="Setting up the PPP connection files"
HREF="options.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
><A
HREF="http://www.linuxports.com/howto/ppp"
TARGET="_top"
>Linux PPP HOWTO</A
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x892.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="options.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="ROOT"
>Chapter 14. Using PPP and root privileges</A
></H1
><P
>Because PPP needs to set up networking devices, change the kernel
routing table and so forth, it requires root privileges to do this.</P
><P
> If users other than root are to set up PPP connections, the pppd
program should be setuid root :-</P
><P
>&#13;<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>-rwsr-xr-x 1 root root 95225 Jul 11 00:27 /usr/sbin/pppd</PRE
></TD
></TR
></TABLE
>&#13;</P
><P
>If /usr/sbin/pppd is not set up this way, then <I
CLASS="EMPHASIS"
>as root</I
> issue
the command:-</P
><P
>&#13;<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>chmod u+s /usr/sbin/pppd</PRE
></TD
></TR
></TABLE
>&#13;</P
><P
>What this does is make pppd run with root privileges <I
CLASS="EMPHASIS"
>even</I
> if the
binary is run by an ordinary user. This allows a normal user to run pppd
with the necessary privileges to set up the network interfaces and the
kernel routing table.</P
><P
>Programs that run 'set uid root' are potential security holes and you
should be extremely cautious about making programs 'suid root'. A number
of programs (including pppd) have been carefully written to minimise the
danger of running suid root, so you should be safe with this one, (but no
guarantees). </P
><P
>Depending on how you want your system to operate - specifically if you
want ANY user on your system to be able to initiate a PPP link, you should
make your ppp-on/off scripts world read/execute. (This is probably fine if
your PC is used ONLY by you).</P
><P
>However, if you do NOT want just anyone to be able to start up a PPP
connection (for example, your children have accounts on your Linux PC
and you do not want them hooking into the Internet without your
supervision), you will need to establish a PPP group (as root, edit
/etc/group) and :-
<P
></P
><UL
><LI
><P
>Make pppd suid root, owned by user root and group PPP, with the 'other'
permissions on this file empty. It should then look like:-
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><PRE
CLASS="SCREEN"
>-rwsr-x--- 1 root PPP 95225 Jul 11 00:27 /usr/sbin/pppd</PRE
></TD
></TR
></TABLE
>&#13;</P
></LI
><LI
><P
>Make the ppp-on/off scripts owned by user root and group PPP.&#13;</P
></LI
><LI
><P
>Make the ppp-on/off scripts read/executable by group PPP.
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><PRE
CLASS="SCREEN"
> -rwxr-x--- 1 root PPP 587 Mar 14 1995 /usr/sbin/ppp-on
-rwxr-x--- 1 root PPP 631 Mar 14 1995 /usr/sbin/ppp-off</PRE
></TD
></TR
></TABLE
>
&#13;</P
></LI
><LI
><P
>Make the other access rights for ppp-on/off nill.&#13;</P
></LI
><LI
><P
>add the users who will be firing up PPP to the PPP group in /etc/group.</P
></LI
></UL
>&#13;</P
><P
>Even if you do this, ordinary users will STILL not be able to shut down
the link under software control! Running the <TT
CLASS="LITERAL"
>ppp-off</TT
> script
requires root privileges. However, any user can just turn off the modem
(or disconnect the telephone line from an internal modem).</P
><P
>An alternative (and better method) to this set up is to use the
<TT
CLASS="LITERAL"
>sudo</TT
> program. This offers superior security and will allow you to
set things up so that any (authorised) user can activate/deactivate the
link using the scripts. Using <TT
CLASS="LITERAL"
>sudo</TT
> will allow an authorised user to
activate/deactivate the PPP link cleanly and securely.</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x892.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="options.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>The <TT
CLASS="LITERAL"
>/etc/host.conf</TT
> file</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Setting up the PPP connection files</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink