Re: ppp: invocation by users?



Hi Philip,

> I would like to allow users to open the PPP link themselves as needed,
> rather than doing it at boot time via /etc/init.d/ppp (or making them su
> to root and running pppd). I would be grateful if anyone has an opinion
> about the nicest way to do this under Debian. (Given that the binary is
> under /usr/sbin, I guess users are not expected to use it, so I am
> resigned to transgressing against Debian to some extent.) As I understand
> it, I can do this by chmod-ing the pppd binary to be suid, with root as
> the owner. For further security, I can create a group ppp, chown pppd to
> root.ppp, give only the group execute access to pppd, and add the relevant
> users to the group ppp. Finally, as the binary is in /usr/sbin, there is
> an aesthetic question about whether the users should include this in their
> path, or if I should make a link from /usr/local/bin/pppd (or something)
> to /usr/sbin/pppd. (I know diald exists, but I wanted to get a simple 
> solution working first.)

Forget all that, by far the easiest (and IMHO best) way to do this is
to use sudo to allow the *specific* users you want to start pppd.
Here are the relevant lines from my /etc/sudoers file:

Cmnd_Alias      PPP=/usr/sbin/pppd,/usr/sbin/pppstats
Cmnd_Alias      KILL=/bin/kill
Host_Alias      THING=thing
malc            THING=PPP,KILL

This lets the users start and kill the ppp daemon.  You could fine-tune it
a bit by writing a program or script to kill pppd only, and not anything
else, but I'm not that paranoid about my users (yet ;-).

Cheers,
--
M a l c . . .             |  "We've checked, and it's definitely not a bug.
(malc@thing.demon.co.uk)  |  It's fixed in the new release."  -- Help line.
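
Added example, not part of the original message: a wrapper of the kind suggested above that signals pppd and nothing else, so sudo does not have to grant /bin/kill as root. The install path /usr/local/sbin/ppp-off, the /var/run/pppN.pid location and the use of Linux /proc/<pid>/comm are assumptions.

```shell
#!/bin/sh
# Added example: signal pppd and nothing else (a narrower target for sudo than /bin/kill).
# Assumed: pppd records its PID in /var/run/pppN.pid; Linux /proc/<pid>/comm is available.
# Hypothetical install path: /usr/local/sbin/ppp-off, root-owned and not user-writable.

# ppp_pid IFACE RUN_DIR PROC_DIR
# Prints the PID for IFACE only if the PID file is sane and the process is pppd.
ppp_pid() {
    iface=$1 run_dir=$2 proc_dir=$3

    # Only pppN names are accepted, so the argument can never be a path.
    case $iface in
        ppp[0-9]|ppp[0-9][0-9]) ;;
        *) return 2 ;;
    esac

    pidfile=$run_dir/$iface.pid
    # Must be a regular file, not a symlink.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || return 3

    pid=$(head -n 1 "$pidfile")
    # Digits only: nothing from the file may reach kill as an option or extra word.
    case $pid in
        ''|*[!0-9]*) return 4 ;;
    esac

    # A stale PID file can name a recycled PID; confirm the process is pppd.
    [ "$(cat "$proc_dir/$pid/comm" 2>/dev/null)" = pppd ] || return 5

    printf '%s\n' "$pid"
}

main() {
    iface=${1:-ppp0}
    pid=$(ppp_pid "$iface" /var/run /proc) || {
        echo "ppp-off: no running pppd found for $iface" >&2
        return 1
    }
    kill -TERM "$pid"
}

# Run only when invoked under the script's own name, not when sourced.
if [ "${0##*/}" = ppp-off ]; then
    main "$@"
fi
```

With the script installed, the KILL alias in the sudoers lines above can name it in place of /bin/kill.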

