Re: ppp: invocation by users?
Hi Philip,
> I would like to allow users to open the PPP link themselves as needed,
> rather than doing it at boot time via /etc/init.d/ppp (or making them su
> to root and running pppd). I would be grateful if anyone has an opinion
> about the nicest way to do this under Debian. (Given that the binary is
> under /usr/sbin, I guess users are not expected to use it, so I am
> resigned to transgressing against Debian to some extent.) As I understand
> it, I can do this by chmod-ing the pppd binary to be suid, with root as
> the owner. For further security, I can create a group ppp, chown pppd to
> root.ppp, give only the group execute access to pppd, and add the relevant
> users to the group ppp. Finally, as the binary is in /usr/sbin, there is
> an aesthetic question about whether the users should include this in their
> path, or if I should make a link from /usr/local/bin/pppd (or something)
> to /usr/sbin/pppd. (I know diald exists, but I wanted to get a simple
> solution working first.)
Forget all that, by far the easiest (and IMHO best) way to do this is
to use sudo to allow the *specific* users you want to start pppd.
Here's the relevant lines from my /etc/sudoers file:
Cmnd_Alias PPP=/usr/sbin/pppd,/usr/sbin/pppstats
Cmnd_Alias KILL=/bin/kill
Host_Alias THING=thing
malc THING=PPP,KILL
This lets the users start and kill the ppp daemon. You could fine-tune it
a bit by writing as program or script to kill pppd only, and not anything
else, but I'm not that paranoid about my users (yet ;-).
Cheers,
--
M a l c . . . | "We've checked, and it's definitely not a bug.
(malc@thing.demon.co.uk) | It's fixed in the new release." -- Help line.
Reply to: