On 12 May 1997, Rob Browning wrote:

> I strongly recommend that you use sudo, super, or only launch pppd as
> root rather than making pppd suid root. sudo's easy to use, and much
> safer.
>
> You don't even need the wrapper script (at least not with sudo), it'll
> take arguments for the command it's going to execute as root. So if
> you enable sudo access to pppd for yourself, you can just say (for
> example):
>
>   sudo pppd file /etc/ppp.options_out connect 'chat -f /etc/ppp.chatscript'

that's as insecure as just making pppd setuid root.

The whole point of the wrapper script is to prevent users from being able 
to give any options to pppd (which is where the potential vulnerability
lies).

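    #! /bin/sh -

    # set the search path and start with empty options, so that neither
    # is taken from the calling user's environment
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    OPTIONS=""

    # if necessary, put some code in here to vary options depending on
    # the user name, tty port, time of day, phase of moon, etc.  e.g.:
    #
    # case "$LOGIN" in
    #   fred)   OPTIONS="....." ;;
    #   joe)    OPTIONS="....." ;;
    # esac

    # any arguments given to this script are deliberately ignored
    exec /usr/sbin/pppd $OPTIONS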

call this script '/usr/local/bin/user-pppd', and then enable sudo/super
access to this script instead of /usr/sbin/pppd.


By doing this, you determine in advance what options are provided to
pppd, which stops them from doing something evil like:

    sudo pppd connect './hackscript'

where ./hackscript is a script which contains any commands which the user
might like to run as root.

(i had a really obvious example here but decided it was better not to
post it - no point in making the clueless even more dangerous)

> to launch pppd.
> 
> Note that you *can* use a wrapper script if you want, but you don't
> have to.

if you're doing it for reasons of security, there isn't any point doing
otherwise :-)

craig

--
craig sanders
networking consultant                  Available for casual or contract
temporary autonomous zone              system administration tasks.
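
The two sudo grants contrasted in this message, written out as a sudoers fragment. This is an added example, not part of the original post; the user name "rob" and the host spec ALL are placeholders, and the `""` argument restriction is current sudoers syntax rather than something the thread mentions.

```sudoers
# Constructed example: "rob" and the host spec ALL are placeholders.

# Weak (shown commented out): rob can pass any options to pppd,
# including "connect <program>", so the grant is no safer than a
# setuid-root pppd.
# rob  ALL = /usr/sbin/pppd

# Tighter: only the wrapper may be run, and the empty argument list ""
# makes sudo refuse the command if any arguments are supplied.
rob  ALL = /usr/local/bin/user-pppd ""

# The wrapper and the directory that holds it must be owned by root and
# not writable by rob; otherwise the user can replace the script and
# the restriction is lost.
```

Edit the file with visudo so a syntax error is caught before it is installed.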

