pppd question

Kevin Buettner kev@primenet.com
Wed, 2 Feb 2000 11:07:58 -0700


Greg,

Please reread my original message and note where I mention the sudo
utility.  This utility allows you to grant ordinary users root
privileges for certain very constrained operations.  In your case, you
can set it up so that ordinary users may run pppd as root, but you can
restrict the command line options so that either no options are
permitted or a certain subset are permitted.  This is exactly what you
want; you want users to be able to start the pppd daemon, but you
don't want them engaging in mischief which involves running arbitrary
connect scripts in "interesting" ways.

In general, the sudo utility is much preferred over setting the setuid
bits because it gives the administrator much more control as well as
logging facilities.

Kevin

On Feb 2, 12:56pm, Furmanek, Greg wrote:
> Subject: RE: pppd question
> I know suid is a "Bad Idea"(tm) however I have
> a need to execute pppd as a regular user.
> Is there another way to do it???
> 
> -----Original Message-----
> From: Kevin Buettner [mailto:kev@primenet.com]
> Sent: Wednesday, February 02, 2000 10:42 AM
> To: plug-discuss@lists.PLUG.phoenix.az.us
> Subject: Re: pppd question
> 
> 
> On Feb 2, 12:28pm, Furmanek, Greg wrote:
> 
> > Setup/Background:
> > I have set up pppd daemon to dial if the
> > user who executes it is part of pppd group.
> > I have changed permissions on
> > pppd 755 root:pppd (-r-sr-xr-x)
> > options 640 root:pppd
> > chat_script 640 root:pppd
> > 
> > Problem:
> > The pppd is giving me following error:
> > 
> > /usr/sbin/pppd: using the name option requires root privilage
> > 
> > Does anyone have a quick fix for it???
> 
> Making pppd setuid root is really not a very good idea unless you
> want to give everyone the ability to execute arbitrary scripts as
> root.  (See the connect, disconnect, pty, and welcome options.)
> 
> If you really need to give ordinary users the power to execute
> pppd (and I'm not convinced this is necessary), you should look
> into using sudo.  It will help close the security hole that you've
> opened up as well as solve your problem.
> 
> sudo may be found at
> 
> 	http://www.courtesan.com/sudo/
> 
> Kevin
> 
> -- 
> Kevin Buettner
> kev@primenet.com, kevinb@redhat.com
> 
> _______________________________________________
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>-- End of excerpt from Furmanek, Greg



-- 
Kevin Buettner
kev@primenet.com, kevinb@redhat.com
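
Added example, not part of the original message: a sudoers fragment for
the setup described above, showing an unrestricted rule beside rules that
pin pppd's command line. The pppd group and the /usr/sbin/pppd path come
from the thread; the peer name "isp" and the log file path are assumptions.

```sudoers
# /etc/sudoers fragment (edit with visudo). Added example; the peer name
# "isp" and the log path below are assumptions, not from the thread.

# Log each sudo invocation (user, command, arguments) to a file.
Defaults logfile=/var/log/sudo.log

# TOO BROAD: a command listed without arguments matches ANY arguments,
# so group members could still pass connect, disconnect, pty or welcome
# and have a script of their choosing run as root.
# %pppd ALL = (root) /usr/sbin/pppd

# Restricted: arguments given in sudoers must match what the user types.
#   ""        -> pppd may be run only with no arguments at all
#   call isp  -> pppd takes its options from /etc/ppp/peers/isp, which
#                should be owned and writable by root only
Cmnd_Alias PPPD_NOARGS = /usr/sbin/pppd ""
Cmnd_Alias PPPD_DIAL   = /usr/sbin/pppd call isp

%pppd ALL = (root) PPPD_NOARGS, PPPD_DIAL
```

With these rules the setuid bit on /usr/sbin/pppd can be removed
(chmod u-s), and a member of the pppd group dials with
"sudo /usr/sbin/pppd call isp". Any other argument list is refused by
sudo and the attempt is logged.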