Chapter 14. Using PPP and root privileges

Because PPP needs to set up networking devices, change the kernel routing table and so forth, it requires root privileges to do this.

If users other than root are to set up PPP connections, the pppd program should be setuid root :-

-rwsr-xr-x   1 root     root        95225 Jul 11 00:27 /usr/sbin/pppd

If /usr/sbin/pppd is not set up this way, then as root issue the command:-

chmod u+s /usr/sbin/pppd

What this does is make pppd run with root privileges even if the binary is run by an ordinary user. This allows a normal user to run pppd with the necessary privileges to set up the network interfaces and the kernel routing table.

Programs that run 'set uid root' are potential security holes and you should be extremely cautious about making programs 'suid root'. A number of programs (including pppd) have been carefully written to minimise the danger of running suid root, so you should be safe with this one, (but no guarantees).

Depending on how you want your system to operate - specifically if you want ANY user on your system to be able to initiate a PPP link, you should make your ppp-on/off scripts world read/execute. (This is probably fine if your PC is used ONLY by you).

However, if you do NOT want just anyone to be able to start up a PPP connection (for example, your children have accounts on your Linux PC and you do not want them hooking into the Internet without your supervision), you will need to establish a PPP group (as root, edit /etc/group) and :-

  • Make pppd suid root, owned by user root and group PPP, with the 'other' permissions on this file empty. It should then look like:-

    -rwsr-x---   1 root     PPP        95225 Jul 11 00:27 /usr/sbin/pppd

  • Make the ppp-on/off scripts owned by user root and group PPP.

  • Make the ppp-on/off scripts read/executable by group PPP.

      -rwxr-x---   1 root     PPP           587 Mar 14  1995 /usr/sbin/ppp-on
      -rwxr-x---   1 root     PPP           631 Mar 14  1995 /usr/sbin/ppp-off

  • Make the other access rights for ppp-on/off nill.

  • add the users who will be firing up PPP to the PPP group in /etc/group.

Even if you do this, ordinary users will STILL not be able to shut down the link under software control! Running the ppp-off script requires root privileges. However, any user can just turn off the modem (or disconnect the telephone line from an internal modem).

An alternative (and better method) to this set up is to use the sudo program. This offers superior security and will allow you to set things up so that any (authorised) user can activate/deactivate the link using the scripts. Using sudo will allow an authorised user to activate/deactivate the PPP link cleanly and securely.

Copyright © 2010-2018 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout