
pppd and setuidness (was Re: 3 Questions)



>>good question.  and why isn't pppd setuid root?  if it's a security issue,
>>a ppp group would be in order.
>
>I'd say 'because it doesn't need to be' is a good justification.
>
>If you need to have non-root users execute ppp as root, take a look
>at the 'sudo' or 'super' packages. They allow you to define commands
>that can be executed as root by a set of users... without forcing
>your choice of 'this should be setuid root' programs on all other
>Debian users.

Personally I find that the diald package is an excellent way of
avoiding this whole issue.  However:

As someone pointed out last time this came up, when your machine is
acting as a PPP server you need to run the pppd as root from a dialin
account.  One way of doing this (with the commercial PPP with which I
am familiar) is to make the pppd setuid root and run it from a shell
script which is that user's login shell.

(I suppose you could run the pppd directly, but doing it from scripts
is more convenient as it allows you to pass arguments to the pppd and
set various options on a per-user basis.)

One could make the uid of the account zero to achieve this without
making pppd setuid, though I can imagine this making people jump up
and down about security - can anyone think of an attack on this?

- Richard

-- 
http://www.elmail.co.uk/staff/richard/
GCS d- s+:- a-- C++ ULVS+++$ P+++ L++ E++ W(++,--) N(++,+) o? K w---
O? M- V? PS(+,+++) PE Y+ PGP+ t- 5++ X+@ R tv--- b++>++++ DI+ D+ G e++
h r% y++
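
Added example, not part of the original message: a small audit that flags the two configurations discussed in this thread, a non-root account with uid 0 and a setuid-root binary. The passwd sample, account names and paths are constructed for illustration.

```python
import stat
from typing import NamedTuple

# Constructed sample in passwd(5) format; account names and paths are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
pppdial:x:0:0:PPP dial-in:/etc/ppp:/etc/ppp/ppplogin
# comment line
broken:line
"""

class Account(NamedTuple):
    name: str
    uid: int
    shell: str

def parse_passwd(text):
    """Parse passwd(5) text, skipping blanks, comments and malformed lines."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        accounts.append(Account(fields[0], int(fields[2]), fields[6]))
    return accounts

def uid0_aliases(accounts):
    """Accounts other than 'root' that run with uid 0."""
    return [a for a in accounts if a.uid == 0 and a.name != "root"]

def is_setuid_root(st_mode, st_uid):
    """True if a file's mode and owner (as returned by os.stat) make it setuid root."""
    return stat.S_ISREG(st_mode) and bool(st_mode & stat.S_ISUID) and st_uid == 0

if __name__ == "__main__":
    for a in uid0_aliases(parse_passwd(SAMPLE_PASSWD)):
        print(f"uid-0 account {a.name!r} with login shell {a.shell}")
    # On a live system: st = os.stat(path_to_pppd); is_setuid_root(st.st_mode, st.st_uid)
```
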

