[KLUG Members] kppp and modem as root only, RH 9

Peter Buxton members@kalamazoolinux.org
Sat, 20 Sep 2003 01:58:55 -0400


On Fri, Sep 19, 2003 at 11:47:08PM -0400, Paul VandenBosch was only escaped
   alone to tell thee:

> After installing RH9, I was able to start KPPP only after logging in as
> root.  I want users to be able to use the modem.

Have you looked at groups? On Debian, only users of group dip can access
the files in /etc/ppp/peers (and thus tell pppd what to do) and run the
pppd executable.

ls -l /etc/ppp /usr/sbin/*ppp* /usr/bin/consolehelper

> Googling around on this subject I found a few different suggestions.
> chmod 777 /dev/modem
> chmod 777 /dev/ttyS0
> these did not work.

Change them back. On Debian:

crw-rw----    1 root     dialout    4,  64 Sep 20 01:42 /dev/ttyS0

-rwsr-xr--    1 root     dip        223352 Aug 27 09:51 /usr/sbin/pppd

drwxr-s---    2 root     dip          4096 May 15 21:18 /etc/ppp/peers

Thus, pppd is setuid root to access the ttys and can only be run by
members of group dip.  The modem (ttyS?) permissions are not the first
line of defense; the exec permissions limited to root and group dip are.
Since pppd doesn't accept user input, this is fairly secure.

> Another solution off the net worked:
> The desktop kppp icon calls /usr/bin/kppp.  /usr/bin/kppp is a link to
> /usr/bin/consolehelper, which apparently does authentication and then
> starts up /usr/sbin/kppp.  /usr/sbin/kppp seems to be the actual
> executable file for kppp.  So I copied /usr/sbin/kppp to /usr/bin/kppp,
> and it seems to work, although I am not sure it is 100% OK yet.
> 
> Does this sound like a good way to solve the problem?
> 
> Is there a better way to allow all users access to kppp and the modem?

It sounds like you've short-circuited all the security measures.

-- 
1
but to live outside the law you
must be honest.... -- bob dylan
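
The permission model described in the reply above, as an added example that is not part of the original message: a small shell check (audit_line is a hypothetical helper name) that reads `ls -l` lines and flags anything writable by every user, or a setuid binary that every user can run. The first three sample lines are the listing quoted in the reply; the last two are constructed.

```shell
#!/bin/sh
# Added example, not from the original message. audit_line is a hypothetical helper.
# It reads one line of `ls -l` output and checks it against the model in the reply:
# nothing writable by "other", and a setuid binary not runnable by every user.

audit_line() {
    set -f; set -- $1; set +f            # split the line into fields, no globbing
    mode=$1 owner=$3 group=$4
    for path in "$@"; do :; done         # the last field is the path
    user_x=$(printf '%s' "$mode" | cut -c4)     # 's' here means setuid
    other=$(printf '%s' "$mode" | cut -c8-10)   # permission bits for "other"
    case $other in
        *w*) echo "FLAG $path: writable by every user ($mode)"; return 1 ;;
    esac
    case $user_x$other in
        s*[xt]) echo "FLAG $path: setuid $owner and runnable by every user ($mode)"
                return 1 ;;
    esac
    echo "OK $path: others=$other, owner=$owner, group=$group"
}

# First three lines are the listing quoted in the reply; the last two are
# constructed: the chmod 777 state, and a setuid pppd with world execute.
while IFS= read -r line; do
    audit_line "$line" || :
done <<'EOF'
crw-rw----    1 root     dialout    4,  64 Sep 20 01:42 /dev/ttyS0
-rwsr-xr--    1 root     dip        223352 Aug 27 09:51 /usr/sbin/pppd
drwxr-s---    2 root     dip          4096 May 15 21:18 /etc/ppp/peers
crwxrwxrwx    1 root     root       4,  64 Sep 20 01:42 /dev/ttyS0
-rwsr-xr-x    1 root     root       223352 Aug 27 09:51 /usr/sbin/pppd
EOF
```

On a live system the same function can be fed from `ls -ld /dev/ttyS0 /usr/sbin/pppd /etc/ppp/peers`, one line per call.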