User invocation of pppd (Re: diald & pppd trouble query)
On 26 November 1995 Richard Tietjen wrote:
> I'm hopeful that I can get diald working, it seems to offer great
> convenience: I won't have to login and out as root to fire up a
> connection.
I posted a related question - on how to let users fire up the ppp
connection - a while ago, but never got around to summarising the
result. Sorry, here it is:
Malc Arnold <malc@thing.demon.co.uk> suggested that I use sudo to allow
selected users to start pppd. I tried it and it worked perfectly (thanks).
However even using sudo was too much effort for me, so I did the following:
addgroup ppp
chown root.ppp /usr/sbin/pppd
chmod 4750 /usr/sbin/pppd
adduser pat ppp (pat is me, I added myself to group ppp.
Note that I was already in group dialout.)
However it turns out that this is not enough. pppd starts up setting its id
to root, but then because of the way /etc/ppp/options is set up, it starts
a shell to run /etc/ppp/ppp-connect, and the shell has my uid, and I can't
read /etc/ppp/ppp-connect, so this fails. (See Note below) So I also had to do
chown root.ppp /etc/ppp/ppp-connect
chmod 750 /etc/ppp/ppp-connect
There is a slight problem here. If I use emacs to edit this file, the new
version is back as root.root, so I have to chown it again. (This doesn't
happen with vi - is this a bug with emacs, or an unavoidable consequence of
the different backup startegy?)
(/etc/ppp/ip-up and ip-down ARE run as root, so you don't need to change
their ownerships/permissions, at least I don't think so.)
Then as me (pat) I can run pppd by typing /usr/sbin/pppd.
Actually I put a script ppp-on into /usr/local/bin to run pppd, and another
(based on the one from the PPP-HOWTO), ppp-off, to stop it. So now I just
have to type ppp-on to connect. I'm happy to send you copies if you care.
Ian Jackson <ian@chiark.chu.cam.ac.uk> pointed out that my permissions will
get messed up again if I update the ppp package, and said it would be
better for me to leave the permissions unchanged, and instead put a suid
root C-wrapper in /usr/local/bin. Thanks. (Suid shell scripts don't work.)
I guess this must be easy to do, but I haven't tracked down that C textbook
I never did finish reading, so I'm just living with this problem for
now. However I think that under this approach the ownership and permissions
on /etc/ppp/ppp-connect will still have to be fixed up.
Note: Rather than using ppp-connect, one could put chat and its arguments
directly on the "connect" line in /etc/ppp/options, which would avoid the
problem with /etc/ppp/ppp-connect. (This might also remove the need for the
user to be in group dialout, since chat may then run as root - I haven't
checked.) Slightly preferrable would be to tell chat to read its arguments
from a file, say /etc/ppp/chat-args, to stop it from displaying the ppp
password in the output of ps. I haven't checked if the ownership and
permissions of that file would have to be fixed up similarly to
/etc/ppp/ppp-connect, but maybe not, since it's not being executed. All
depends on whether chat would be run as root.
The discussion might sound complicated, but there aren't actually many
commands to execute. I just have to remember to keep the permissions on
/etc/ppp/ppp-connect correct, until I get around to trying the other
possibilities.
Hope this helps
Philip
Reply to: