<HTML ><HEAD ><TITLE >Using PPP and root privileges</TITLE ><META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.52"><LINK REL="HOME" TITLE="Linux PPP HOWTO" HREF="index.html"><LINK REL="PREVIOUS" TITLE="The /etc/host.conf file" HREF="x892.html"><LINK REL="NEXT" TITLE="Setting up the PPP connection files" HREF="options.html"></HEAD ><BODY CLASS="CHAPTER" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF" ><DIV CLASS="NAVHEADER" ><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TH COLSPAN="3" ALIGN="center" ><A HREF="http://www.linuxports.com/howto/ppp" TARGET="_top" >Linux PPP HOWTO</A ></TH ></TR ><TR ><TD WIDTH="10%" ALIGN="left" VALIGN="bottom" ><A HREF="x892.html" >Prev</A ></TD ><TD WIDTH="80%" ALIGN="center" VALIGN="bottom" ></TD ><TD WIDTH="10%" ALIGN="right" VALIGN="bottom" ><A HREF="options.html" >Next</A ></TD ></TR ></TABLE ><HR ALIGN="LEFT" WIDTH="100%"></DIV ><DIV CLASS="CHAPTER" ><H1 ><A NAME="ROOT" >Chapter 14. Using PPP and root privileges</A ></H1 ><P >Because PPP needs to set up networking devices, change the kernel routing table and so forth, it requires root privileges to do this.</P ><P > If users other than root are to set up PPP connections, the pppd program should be setuid root :-</P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="SCREEN" >-rwsr-xr-x 1 root root 95225 Jul 11 00:27 /usr/sbin/pppd</PRE ></TD ></TR ></TABLE > </P ><P >If /usr/sbin/pppd is not set up this way, then <I CLASS="EMPHASIS" >as root</I > issue the command:-</P ><P > <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%" ><TR ><TD ><PRE CLASS="SCREEN" >chmod u+s /usr/sbin/pppd</PRE ></TD ></TR ></TABLE > </P ><P >What this does is make pppd run with root privileges <I CLASS="EMPHASIS" >even</I > if the binary is run by an ordinary user. This allows a normal user to run pppd with the necessary privileges to set up the network interfaces and the kernel routing table.</P ><P >Programs that run 'set uid root' are potential security holes and you should be extremely cautious about making programs 'suid root'. A number of programs (including pppd) have been carefully written to minimise the danger of running suid root, so you should be safe with this one, (but no guarantees). </P ><P >Depending on how you want your system to operate - specifically if you want ANY user on your system to be able to initiate a PPP link, you should make your ppp-on/off scripts world read/execute. (This is probably fine if your PC is used ONLY by you).</P ><P >However, if you do NOT want just anyone to be able to start up a PPP connection (for example, your children have accounts on your Linux PC and you do not want them hooking into the Internet without your supervision), you will need to establish a PPP group (as root, edit /etc/group) and :- <P ></P ><UL ><LI ><P >Make pppd suid root, owned by user root and group PPP, with the 'other' permissions on this file empty. It should then look like:- <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="90%" ><TR ><TD ><PRE CLASS="SCREEN" >-rwsr-x--- 1 root PPP 95225 Jul 11 00:27 /usr/sbin/pppd</PRE ></TD ></TR ></TABLE > </P ></LI ><LI ><P >Make the ppp-on/off scripts owned by user root and group PPP. </P ></LI ><LI ><P >Make the ppp-on/off scripts read/executable by group PPP. <TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="90%" ><TR ><TD ><PRE CLASS="SCREEN" > -rwxr-x--- 1 root PPP 587 Mar 14 1995 /usr/sbin/ppp-on -rwxr-x--- 1 root PPP 631 Mar 14 1995 /usr/sbin/ppp-off</PRE ></TD ></TR ></TABLE > </P ></LI ><LI ><P >Make the other access rights for ppp-on/off nill. </P ></LI ><LI ><P >add the users who will be firing up PPP to the PPP group in /etc/group.</P ></LI ></UL > </P ><P >Even if you do this, ordinary users will STILL not be able to shut down the link under software control! Running the <TT CLASS="LITERAL" >ppp-off</TT > script requires root privileges. However, any user can just turn off the modem (or disconnect the telephone line from an internal modem).</P ><P >An alternative (and better method) to this set up is to use the <TT CLASS="LITERAL" >sudo</TT > program. This offers superior security and will allow you to set things up so that any (authorised) user can activate/deactivate the link using the scripts. Using <TT CLASS="LITERAL" >sudo</TT > will allow an authorised user to activate/deactivate the PPP link cleanly and securely.</P ></DIV ><DIV CLASS="NAVFOOTER" ><HR ALIGN="LEFT" WIDTH="100%"><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0" ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" ><A HREF="x892.html" >Prev</A ></TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" ><A HREF="index.html" >Home</A ></TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" ><A HREF="options.html" >Next</A ></TD ></TR ><TR ><TD WIDTH="33%" ALIGN="left" VALIGN="top" >The <TT CLASS="LITERAL" >/etc/host.conf</TT > file</TD ><TD WIDTH="34%" ALIGN="center" VALIGN="top" > </TD ><TD WIDTH="33%" ALIGN="right" VALIGN="top" >Setting up the PPP connection files</TD ></TR ></TABLE ></DIV ></BODY ></HTML >