
Re: Must pppd be run by root?



Craig Sanders wrote:

> >   > The ppp package should have a 'ppp' group, pppd should be owned by
> >   > root.ppp and it should be mode 1750.
> >
> > Can we make that "dialout", please? Something already present and used
> > by (at least) dip and efax.
> 
> I suppose that would do the job, but what if a sysadmin wants to allow users
> to dial in using ppp, but NOT allow them to dialout with minicom or send
> faxes?
> 
> I'm absolutely certain that I wouldn't want to add users to a dialout
> group just to let them dial in with a ppp account.

I was the one who originally asked this question. I hadn't ever used sudo
so I gave that a try when the suggestion was made. Works fine for ppp in and
out.

Here is what I set up:

=====/etc/sudoers
root  ALL=ALL
rickm ALL=ALL
ALL   ALL=/usr/sbin/pppd

=====/etc/group
sudo:*:12:rickm,PPPuserid

=====/etc/passwd
(an entry for user "PPPuserid" that executes /etc/ppp/Login as login shell)

=====/etc/ppp/login
#!/bin/sh
# Login shell for the dial-in PPP account: refuse write/talk messages, do
# not stop on background output, then replace the shell with pppd via sudo.
PATH=/usr/local/bin:/bin:/usr/bin
mesg n
stty -tostop
# calgary6: = local address for the link, crtscts = hardware flow control,
# modem = honour the modem control lines
exec sudo /usr/sbin/pppd calgary6: crtscts modem

OK. This tells sudo that root and I (also me) can execute anything on any
machine. Also, everyone can execute pppd. You could of course clamp this down
to a list of users. The /etc/group entry is just to stop sudo from asking for
the password a second time.

You dial my machine, enter userid PPPuserid and the password, and it drops
right into pppd.

For dialing out with ppp, I just had to prefix a few commands with "sudo".
Specifically, the call to pppd obviously, but also the kill of pppd in my
"pppoff" script that takes the line down (sudo kill -INT `cat
/var/run/$DEVICE.pid`) and the rm of stale lockfiles (sudo rm -f
/var/run/$DEVICE.pid).

Seems to work fine, although I've dialed in manually and gotten the pppd
gobbledygook but not actually called with ppp to connect yet.

For minicom, I confess that I must have set the perms to 666!

-- 
...RickM...
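A hardened version of the "pppoff" step, as an added example (mine, not
RickM's script). The original does sudo kill -INT `cat /var/run/$DEVICE.pid`,
which passes whatever the pid file contains straight to a root kill. This
version checks that the pid file holds a plausible pid and that the pid
belongs to a live pppd before signalling it, and treats anything else as a
stale file to remove. RUNDIR, SUDO and PPPD_COMM are hypothetical knobs so the
script can be exercised without root; the command-name check reads /proc on
Linux and falls back to ps elsewhere. The sudoers rule is worth narrowing at
the same time: sudoers matches command arguments when they are given, so a
line such as "%dialin ALL = /usr/sbin/pppd calgary6: crtscts modem" (my
suggestion, not from the post) limits a dial-in group to exactly the
invocation the login shell makes, whereas "ALL ALL=/usr/sbin/pppd" lets any
user hand pppd any options it accepts.

```shell
#!/bin/sh
# Hardened "pppoff" for the sudo-based setup above (added example, not
# RickM's script). Takes the link down by signalling the pppd recorded in
# $RUNDIR/$DEVICE.pid, but only after checking that the pid file holds a
# sane pid and that the pid really belongs to a pppd process; a pid file
# that fails either check is treated as stale and removed.
# Assumptions (hypothetical, overridable for testing): RUNDIR is where pppd
# writes its pid files, SUDO is the privilege wrapper (set SUDO= if already
# root), PPPD_COMM is the command name a live pppd shows.

RUNDIR="${RUNDIR:-/var/run}"
SUDO="${SUDO:-sudo}"
PPPD_COMM="${PPPD_COMM:-pppd}"

# valid_pid PID: 0 if PID is a positive decimal integer without leading
# zeros (so it can never become "kill 0", which signals the whole group)
valid_pid() {
    case "$1" in
        '' | *[!0-9]* | 0*) return 1 ;;
    esac
    return 0
}

# read_pidfile FILE: print the pid on stdout; fail if unreadable or malformed
read_pidfile() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d ' \t\r')
    valid_pid "$pid" || return 1
    printf '%s\n' "$pid"
}

# pid_is_pppd PID: 0 if a live process with that pid runs $PPPD_COMM
pid_is_pppd() {
    if [ -r "/proc/$1/comm" ]; then
        comm=$(cat "/proc/$1/comm")
    else
        comm=$(ps -o comm= -p "$1" 2>/dev/null | tr -d ' ')
    fi
    [ -n "$comm" ] && [ "${comm##*/}" = "$PPPD_COMM" ]
}

# pppoff DEVICE: 0 = pppd signalled, 2 = stale pid file removed, 1 = error
pppoff() {
    pidfile="$RUNDIR/$1.pid"
    if pid=$(read_pidfile "$pidfile"); then
        if pid_is_pppd "$pid"; then
            # pppd removes its own pid file on a clean exit; only signal it
            $SUDO kill -INT "$pid" || return 1
            return 0
        fi
        echo "pppoff: $pidfile does not point at a running pppd, removing" >&2
        $SUDO rm -f -- "$pidfile" || return 1
        return 2
    fi
    if [ -e "$pidfile" ]; then
        echo "pppoff: $pidfile is malformed, removing" >&2
        $SUDO rm -f -- "$pidfile" || return 1
        return 2
    fi
    echo "pppoff: no pid file for $1" >&2
    return 1
}

# Usage: pppoff.sh DEVICE   (e.g. pppoff.sh ttyS1)
if [ "$#" -eq 1 ]; then
    pppoff "$1"
fi
```

Run it as the dial-out user with the serial device name, e.g. "pppoff.sh
ttyS1"; only the kill and rm go through sudo, so the parsing of the pid file
happens with the caller's own privileges.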