<HTML
><HEAD
><TITLE
>Using PPP and root privileges</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.52"><LINK
REL="HOME"
TITLE="Linux PPP HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="The /etc/host.conf file"
HREF="x892.html"><LINK
REL="NEXT"
TITLE="Setting up the PPP connection files"
HREF="options.html"></HEAD
><BODY
CLASS="CHAPTER"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
><A
HREF="http://www.linuxports.com/howto/ppp"
TARGET="_top"
>Linux PPP HOWTO</A
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x892.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="options.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="CHAPTER"
><H1
><A
NAME="ROOT"
>Chapter 14. Using PPP and root privileges</A
></H1
><P
>Because PPP needs to set up networking devices, change the kernel
routing table and so forth, it requires root privileges to do this.</P
><P
> If users other than root are to set up PPP connections, the pppd
program should be setuid root :-</P
><P
> <TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>-rwsr-xr-x 1 root root 95225 Jul 11 00:27 /usr/sbin/pppd</PRE
></TD
></TR
></TABLE
> </P
><P
>If /usr/sbin/pppd is not set up this way, then <I
CLASS="EMPHASIS"
>as root</I
> issue
the command:-</P
><P
> <TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>chmod u+s /usr/sbin/pppd</PRE
></TD
></TR
></TABLE
> </P
><P
>What this does is make pppd run with root privileges <I
CLASS="EMPHASIS"
>even</I
> if the
binary is run by an ordinary user. This allows a normal user to run pppd
with the necessary privileges to set up the network interfaces and the
kernel routing table.</P
><P
>Programs that run 'set uid root' are potential security holes and you
should be extremely cautious about making programs 'suid root'. A number
of programs (including pppd) have been carefully written to minimise the
danger of running suid root, so you should be safe with this one (but no
guarantees).</P
><P
>Depending on how you want your system to operate - specifically if you
want ANY user on your system to be able to initiate a PPP link, you should
make your ppp-on/off scripts world read/execute. (This is probably fine if
your PC is used ONLY by you).</P
><P
>However, if you do NOT want just anyone to be able to start up a PPP
connection (for example, your children have accounts on your Linux PC
and you do not want them hooking into the Internet without your
supervision), you will need to establish a PPP group (as root, edit
/etc/group) and :-
<P
></P
><UL
><LI
><P
>Make pppd suid root, owned by user root and group PPP, with the 'other'
permissions on this file empty. It should then look like:-
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><PRE
CLASS="SCREEN"
>-rwsr-x--- 1 root PPP 95225 Jul 11 00:27 /usr/sbin/pppd</PRE
></TD
></TR
></TABLE
> </P
></LI
><LI
><P
>Make the ppp-on/off scripts owned by user root and group PPP. </P
></LI
><LI
><P
>Make the ppp-on/off scripts read/executable by group PPP.
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="90%"
><TR
><TD
><PRE
CLASS="SCREEN"
>-rwxr-x--- 1 root PPP 587 Mar 14 1995 /usr/sbin/ppp-on
-rwxr-x--- 1 root PPP 631 Mar 14 1995 /usr/sbin/ppp-off</PRE
></TD
></TR
></TABLE
>
</P
></LI
><LI
><P
>Make the other access rights for ppp-on/off nil. </P
></LI
><LI
><P
>Add the users who will be firing up PPP to the PPP group in /etc/group.</P
></LI
></UL
> </P
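><DIV
CLASS="EXAMPLE"
><P
>The script below is an added example, not part of the original HOWTO: one way to apply the group-restricted layout from the list above and then audit it. The function names are hypothetical and the audit assumes GNU stat; the /usr/sbin paths, owner root and group PPP are the ones used on this page.</P
>

```sh
#!/bin/sh
# Added example (not from the HOWTO). Helper names are hypothetical.
# Defaults follow the page: files in /usr/sbin, owner root, group PPP.

# apply_ppp_layout [DIR] [GROUP]  -- run as root.
# chown comes first because changing ownership can clear the setuid bit.
apply_ppp_layout() {
    dir=${1:-/usr/sbin} group=${2:-PPP}
    chown "root:$group" "$dir/pppd" "$dir/ppp-on" "$dir/ppp-off" &&
    chmod 4750 "$dir/pppd" &&                # -rwsr-x---
    chmod 0750 "$dir/ppp-on" "$dir/ppp-off"  # -rwxr-x---
}

# check_perm PATH MODE OWNER GROUP
# MODE is octal as printed by GNU stat %a (4750 = setuid + rwxr-x---).
# Returns 0 on an exact match, 1 on a mismatch or a missing file.
check_perm() {
    path=$1 want="$2 $3 $4"
    got=$(stat -L -c '%a %U %G' -- "$path" 2>/dev/null) || {
        echo "MISSING $path"
        return 1
    }
    if [ "$got" = "$want" ]; then
        echo "OK      $path ($got)"
    else
        echo "BAD     $path: have '$got', want '$want'"
        return 1
    fi
}

# audit_ppp_layout [DIR] [OWNER] [GROUP]
# Checks all three files and reports every mismatch, not just the first.
audit_ppp_layout() {
    dir=${1:-/usr/sbin} owner=${2:-root} group=${3:-PPP}
    rc=0
    check_perm "$dir/pppd"    4750 "$owner" "$group" || rc=1
    check_perm "$dir/ppp-on"  750  "$owner" "$group" || rc=1
    check_perm "$dir/ppp-off" 750  "$owner" "$group" || rc=1
    return "$rc"
}

# Usage: sh ppp-perms.sh audit   (or, as root: sh ppp-perms.sh apply)
case "${1:-}" in
    audit) audit_ppp_layout ;;
    apply) apply_ppp_layout && audit_ppp_layout ;;
esac
```

</DIV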
><P
>Even if you do this, ordinary users will STILL not be able to shut down
the link under software control! Running the <TT
CLASS="LITERAL"
>ppp-off</TT
> script
requires root privileges. However, any user can just turn off the modem
(or disconnect the telephone line from an internal modem).</P
><P
>An alternative (and better) method to this setup is to use the
<TT
CLASS="LITERAL"
>sudo</TT
> program. This offers superior security and will allow you to
set things up so that any (authorised) user can activate/deactivate the
link using the scripts. Using <TT
CLASS="LITERAL"
>sudo</TT
> will allow an authorised user to
activate/deactivate the PPP link cleanly and securely.</P
></DIV
></BODY
></HTML
>