Subject: Re: Can't /etc/ppp/ppp-up & /etc/ppp-down when log in as user name.
To: Naoki Kobayashi <tsu23715@mail.interq.or.jp>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: port-mac68k
Date: 08/23/1998 00:29:29

On Fri, Aug 21, 1998 at 09:07:21PM +0900, Naoki Kobayashi wrote:

>  When I log in as root, no problem to /etc/ppp/ppp-up & /etc/ppp/ppp-down.
> But when I log in as other user's name, I can't /etc/ppp/ppp-up
> and /etc/ppp/ppp-down.
>  What should I do to fix?

Hi!

Other folks have mentioned doing "chmod +x foo" to allow access to your
ppp-up and ppp-down files. The problem here is that you probably want them
to be SUID root so that they can muck about with your default route and
stuff.

Here's what I do... I have a small "wrapper" program that is itself SUID
root, but only executable by someone of group "netter". This way, I can
control access to the scripts... Only people in that group can execute
the ppp scripts, and the scripts themselves are run SUID root, without
having to worry about the user doing something nasty to snag root access
from you.

Following is the wrapper program itself, and following that are instructions
for setting the permissions.

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

int main(void)
{
    int theError = 0;

    /* The binary is installed SUID root; make the real UID root as well. */
    printf("Setting UID appropriately...\n");
    theError = setuid(0);
    if (theError) {
        printf("Error %d encountered in setuid(): ", errno);
        puts(strerror(errno));
        exit(1);
    }

    /* execl() only returns if the script could not be started. */
    printf("Running /etc/ppp/ppp-up...\n");
    theError = execl("/etc/ppp/ppp-up", "ppp-up", (char *) NULL);
    if (theError) {
        printf("Error %d encountered in execl(): ", errno);
        puts(strerror(errno));
    }
    return 1;
}


Once you've built this and put it somewhere, change the owner to root and
the group to netter (or something, first making sure it exists in your
/etc/group file) like so:

chown root.netter filename

Then, set the permissions so the program is SUID root, but only executable
by netter people:

chmod 4010 filename

This ought to do ya. :)

Good luck...

PS: The administrative overhead and some random other issues make me not
want to use sudo, but it exists, and you can find it in the package system,
at /usr/pkgsrc/security/sudo. It can also solve your permissions problem.

-- 
Mason Loring Bliss..mason@acheron.middleboro.ma.us..acheron.dyn.ml.org/mason
"In the drowsy dark cave of the mind dreams build their nest with fragments
  dropped from day's caravan."--Rabindranath Tagore..awake ? sleep : dream;