Linuxdoc Linux Questions
Click here to ask our community of linux experts!
Custom Search
Custom Search
Custom Search

Chapter 14. Using PPP and root privileges

Because PPP needs to set up networking devices, change the kernel routing table and so forth, it requires root privileges to do this.

If users other than root are to set up PPP connections, the pppd program should be setuid root :-

-rwsr-xr-x   1 root     root        95225 Jul 11 00:27 /usr/sbin/pppd

If /usr/sbin/pppd is not set up this way, then as root issue the command:-

chmod u+s /usr/sbin/pppd

What this does is make pppd run with root privileges even if the binary is run by an ordinary user. This allows a normal user to run pppd with the necessary privileges to set up the network interfaces and the kernel routing table.

Programs that run 'set uid root' are potential security holes and you should be extremely cautious about making programs 'suid root'. A number of programs (including pppd) have been carefully written to minimise the danger of running suid root, so you should be safe with this one, (but no guarantees).

Depending on how you want your system to operate - specifically if you want ANY user on your system to be able to initiate a PPP link, you should make your ppp-on/off scripts world read/execute. (This is probably fine if your PC is used ONLY by you).

However, if you do NOT want just anyone to be able to start up a PPP connection (for example, your children have accounts on your Linux PC and you do not want them hooking into the Internet without your supervision), you will need to establish a PPP group (as root, edit /etc/group) and :-

Even if you do this, ordinary users will STILL not be able to shut down the link under software control! Running the ppp-off script requires root privileges. However, any user can just turn off the modem (or disconnect the telephone line from an internal modem).

An alternative (and better method) to this set up is to use the sudo program. This offers superior security and will allow you to set things up so that any (authorised) user can activate/deactivate the link using the scripts. Using sudo will allow an authorised user to activate/deactivate the PPP link cleanly and securely.