<rant>
What the hell were they thinking when they (whoever) decided that KPPP should
use PAM in the authentication process? I consider KPPP the user-friendliest
dialup desktop solution but they've screwed the implementation up badly.
An ordinary user must provide the root password to run KPPP. Apparently,
there is no group that you can add your user to to permit the use of KPPP.
You can run KPPP without having to put in the root password by editing
/etc/pam.d/kppp and changing the following:

    #auth sufficient /lib/security/pam_rootok.so
    auth sufficient /lib/security/pam_permit.so

Great! Now KPPP will fire up in KDE without prompting you for a password BUT
the authentication unlocked keys appear on the taskbar, which means that you
can run ANY desktop or menu option as root! When you close KPPP the
authentication is STILL remembered so you now have full control of the system.
The only solution to maintain the security is to create a desktop link to KPPP
to run in a terminal window. I'm sure that this must give the terminal window
root access but because it runs in foreground as soon as kppp is terminated so
is the terminal window. I suggest that this would provide fairly easy hacking
fodder for a semi-advanced user of Linux - probably adding an ampersand to the
link will do the trick...
Stupid! I like KPPP and I think it's a great interface for your pleb user.
Why did they ruin it? Is there something that I've missed totally? Perhaps
there is a user/group privilege that someone could draw my attention to?
</rant>
Linux is still pretty cool, but I need to be able to stop novice users from
lousing up the setup I give them but at the same time I need them to be able
to _easily_ use the GUI so that it is a viable solution to Windoze.
Michael.
PS: The following solution from one website did NOT work because it does not
defeat the PAM authentication:
1. Add a new group, say dialout:
       pw groupadd dialout
2. Add users, say user1, to the group:
       pw groupmod dialout -M user1
3. Set the permissions:
       chown root.dialout /usr/local/bin/kppp
       chmod 4750 /usr/local/bin/kppp
4. Create a file /etc/kppp.allow and add users (who are authorised to do the
   dialup; user1 in our case), one on each line. There's NO need to add root
   user here. You can use # for comments. Spaces are also allowed.
5. Create a file /etc/ppp/options if not already present.
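
An audit check for the /etc/pam.d/kppp change described in the message, as an added example that is not part of the original post: it walks the auth stack of a PAM service file and reports whether the stack can succeed without any credential check. The function names and the GATED sample are constructed for illustration; include, substack and bracketed control lines are treated as a gate because this sketch does not resolve them.

```python
import os
import re

# type, control (keyword or [bracket] form), module path; arguments are ignored
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_rules(text):
    """Yield (control, module_basename) for each active auth rule."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        m = RULE.match(line)
        if m and m.group(1).lower() == "auth":
            yield m.group(2).lower(), os.path.basename(m.group(3))

def auth_is_unconditional(text):
    """True if the auth stack can succeed without any credential check."""
    gated = False            # an earlier module already had to succeed
    permit_required = False
    for control, module in auth_rules(text):
        if module == "pam_permit.so":
            if control == "sufficient" and not gated:
                return True                      # stack ends in success here
            if control in ("required", "requisite"):
                permit_required = True
        elif control not in ("sufficient", "optional"):
            # required/requisite, plus include/substack/[...] lines, which this
            # sketch cannot resolve and treats as a gate (assumption)
            gated = True
    return permit_required and not gated

# The two lines from the post (rootok commented out, permit made sufficient).
MODIFIED = """\
#auth sufficient /lib/security/pam_rootok.so
auth sufficient /lib/security/pam_permit.so
"""

# Constructed contrast: root passes via rootok, everyone else must authenticate.
GATED = """\
auth sufficient /lib/security/pam_rootok.so
auth required   /lib/security/pam_unix.so
"""

if __name__ == "__main__":
    for name, text in (("modified", MODIFIED), ("gated", GATED)):
        print(name, "-> passwordless auth:", auth_is_unconditional(text))
```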