udev: chown of /dev/ppp

2010-07-18 Thread Hans-J. Ullrich
Hi Marco and Russell,

thank you very much for your help. Well, I checked out and changed all 
permissions as it should be. The environment is now as follows:

1. /usr/sbin/pppd is now set 0475 with owner root:dip

-rwsr-xr-- 1 root dip 269156 28. Nov 2008  /usr/sbin/pppd 

2. The normal user is added in group dip and dialout

3. The application /usr/bin/umtsmon is now

-rwsr-xr-- 1 root dip 757636 27. Apr 2009  /usr/bin/umtsmon

So everyone in group dip is allowed to start it. This is what I wanted.
But I still got the problem, that it crashes due to access rights, when I 
start it as the normal user. As root everything is working well!

This error message appears:

/usr/sbin/pppd: using the noauth option requires root privileges

This message was the reason for my very first report. What did I miss? Is there 
something else I should check? 

Please feel free to ask for more information. Besides, I know, umtsmon is 
still not in the debian repository, and the main reason for this is exactly 
the problem I described in the past.

Best regards

Hans







-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201007181137.25554.hans.ullr...@loop.de



Re: udev: chown of /dev/ppp

2010-07-18 Thread Russell Coker
On Sun, 18 Jul 2010, Hans-J. Ullrich hans.ullr...@loop.de wrote:
> /usr/sbin/pppd: using the noauth option requires root privileges
>
> This message was the reason for my very first report. What did I miss? Is
> there something else I should check?

The man page gives some information on this.  If that isn't enough then the 
debian-user list should be a useful resource for you.

-- 
russ...@coker.com.au
http://etbe.coker.com.au/  My Main Blog
http://doc.coker.com.au/   My Documents Blog


-- 
Archive: http://lists.debian.org/201007181951.59574.russ...@coker.com.au



udev: chown of /dev/ppp

2010-07-17 Thread Hans-J. Ullrich
Hello debian-team,

I checked, that /dev/ppp is set to 600 with owner root:root.

IMO this is not a good idea. IMO this might cause a security hole, because 
applications, which are using /dev/ppp also must be run as root. I think, for 
a normal and inexperienced user it is no good idea, to let him run as root, 
and of course, the other thing is, applications which a normal user is 
normally allowed to run, should be run under a dedicated group or owner.

In this case my suggestion is the following: 

Normal users, which are allowed to dial out, should be added to group 
dialout by root. Device /dev/ppp should be set to 660, and owner 
root:dialout. 

As /dev/ppp is created by udev (I hope I am correct here!), udev should set 
the permissions correctly by default. I think, this is set by 
/lib/udev/rules.d/91-permissions.rules.

I suggest, to add these changes in the next version of udev. Doing so as a 
standard, it is easy to set all dialout applications, like kppp, umtsmon, gppp 
and other similar to execute as group dialout.

Anyway, I will be pleased, if I could improve debian a little bit with my 
thoughts.


Best regards

Hans-J. Ullrich
 


-- 
Archive: http://lists.debian.org/201007172145.52982.hans.ullr...@loop.de



Re: udev: chown of /dev/ppp

2010-07-17 Thread Marco d'Itri
On Jul 17, Hans-J. Ullrich hans.ullr...@loop.de wrote:

> applications, which are using /dev/ppp also must be run as root. I think, for

We have group dip to manage access to programs which can start network
connections.

> Normal users, which are allowed to dial out, should be added to group
> dialout by root. Device /dev/ppp should be set to 660, and owner
> root:dialout.

No way, this is totally wrong.

> I suggest, to add these changes in the next version of udev. Doing so as a
> standard, it is easy to set all dialout applications, like kppp, umtsmon, gppp
> and other similar to execute as group dialout.

They are not supposed to.

BTW, I am the udev *and* ppp maintainer.

-- 
ciao,
Marco




Re: udev: chown of /dev/ppp

2010-07-17 Thread Petter Reinholdtsen
[Marco d'Itri]
> We have group dip to manage access to programs which can start
> network connections.

How does this interact with policykit?  I was told that policykit uses
ACLs to grant device access to those that should have it, but have not
verified that it is true.  Mentioning it here to see if someone can
verify or reject the hypothesis. :)

Happy hacking,
-- 
Petter Reinholdtsen



-- 
Archive: http://lists.debian.org/2flk4otak8f@login1.uio.no



Re: udev: chown of /dev/ppp

2010-07-17 Thread Hans-J. Ullrich
On Saturday, 17 July 2010, Marco d'Itri wrote:
> On Jul 17, Hans-J. Ullrich hans.ullr...@loop.de wrote:
> > applications, which are using /dev/ppp also must be run as root. I think,
> > for
>
> We have group dip to manage access to programs which can start network
> connections.

Sorry, if I am wrong, I am not very well experienced with the required access 
rights. The background of my report is, that I tried to start the application 
umtsmon (a dialout application for 3g-modems) as a normal user, and I found 
no way to start it as no one else as root. The main problem is: It MUST be 
started as root, as /dev/ppp has to be accessed by root. In other words: If 
you start umtsmon as user root, everything is working fine, if you start it as 
a normal user (which should be able to), it crashes because it cannot get 
access to /dev/ppp.

> > Normal users, which are allowed to dial out, should be added to group
> > dialout by root. Device /dev/ppp should be set to 660, and owner
> > root:dialout.
>
> No way, this is totally wrong.

Ok, I am still learning. What is the better way?

> > I suggest, to add these changes in the next version of udev. Doing so as
> > a standard, it is easy to set all dialout applications, like kppp,
> > umtsmon, gppp and other similar to execute as group dialout.
>
> They are not supposed to.

Just an idea

> BTW, I am the udev *and* ppp maintainer.

This is very fine, so everything is in one hand and I hope, if I have 
questions, I may ask them, even if they are dumb. Please be gentle...

I will check the situation and maybe find another way.

Happy hacking!


Hans



-- 
Archive: http://lists.debian.org/201007172325.36698.hans.ullr...@loop.de



Re: udev: chown of /dev/ppp

2010-07-17 Thread Osamu Aoki
On Sat, Jul 17, 2010 at 09:45:52PM +0200, Hans-J. Ullrich wrote:
> Normal users, which are allowed to dial out, should be added to group
> dialout by root. Device /dev/ppp should be set to 660, and owner
> root:dialout.

You should read: /usr/share/doc/base-passwd/users-and-groups.html

dialout

Full and direct access to serial ports. Members of this group can
reconfigure the modem, dial anywhere, etc.

 $ ls -l /dev/ttyS*
crw-rw 1 root dialout 4, 64 Jul 17 09:09 /dev/ttyS0
crw-rw 1 root dialout 4, 65 Jul 17 09:09 /dev/ttyS1
crw-rw 1 root dialout 4, 66 Jul 17 09:09 /dev/ttyS2
crw-rw 1 root dialout 4, 67 Jul 17 09:09 /dev/ttyS3

That is what it means.


-- 
Archive: http://lists.debian.org/20100717213254.ga24...@debian.org



Re: udev: chown of /dev/ppp

2010-07-17 Thread Russell Coker
On Sun, 18 Jul 2010, Hans-J. Ullrich hans.ullr...@loop.de wrote:
> Sorry, if I am wrong, I am not very well experienced with the required
> access rights. The background of my report is, that I tried to start the
> application umtsmon (a dialout application for 3g-modems) as a normal
> user, and I found no way to start it as no one else as root. The main
> problem is: It MUST be started as root, as /dev/ppp has to be accessed by
> root. In other words: If

The pppd needs to configure routes and also launch scripts from 
/etc/ppp/ip-up.d/ as root.  Simply changing the group permissions of /dev/ppp 
isn't going to do what you desire.

By default /usr/sbin/pppd in Debian is SUID root and executable by group dip, 
so adding the user in question to group dip will do what you want.

Also there is the option of configuring sudo to permit running pppd, sudo can 
be configured to allow this without requiring a password.

-- 
russ...@coker.com.au
http://etbe.coker.com.au/  My Main Blog
http://doc.coker.com.au/   My Documents Blog


-- 
Archive: http://lists.debian.org/201007180809.30804.russ...@coker.com.au



Re: udev: chown of /dev/ppp

2010-07-17 Thread Marco d'Itri
On Jul 17, Petter Reinholdtsen p...@hungry.com wrote:

> [Marco d'Itri]
> > We have group dip to manage access to programs which can start
> > network connections.
> How does this interact with policykit?  I was told that policykit uses

It does not.

> ACLs to grant device access to those that should have it, but have not

It grants access to audio devices and other similar *hardware*.

-- 
ciao,
Marco




Re: udev: chown of /dev/ppp

2010-07-17 Thread Marco d'Itri
On Jul 17, Hans-J. Ullrich hans.ullr...@loop.de wrote:

> Sorry, if I am wrong, I am not very well experienced with the required access
> rights. The background of my report is, that I tried to start the application
> umtsmon (a dialout application for 3g-modems) as a normal user, and I found
> no way to start it as no one else as root. The main problem is: It MUST be
> started as root, as /dev/ppp has to be accessed by root. In other words: If
> you start umtsmon as user root, everything is working fine, if you start it as
> a normal user (which should be able to), it crashes because it cannot get
> access to /dev/ppp.

Maybe this program needs to be modified to use a suid helper or a
daemon which interacts with the hardware.
But I can't see why it would need access to /dev/ppp.

-- 
ciao,
Marco




Re: udev: chown of /dev/ppp

2010-07-17 Thread Hans-J. Ullrich
On Sunday, 18 July 2010, Marco d'Itri wrote:
> Maybe this program needs to be modified to use a suid helper or a
> daemon which interacts with the hardware.
> But I can't see why it would need access to /dev/ppp.

Marco, 

this problem is telling: can't get access to /dev/ppp when it is started as a 
normal user (even, when started with kdesu). Starting as root it is working. 
So I guessed, that it is a rights problem.

Is it correct, what Russell told, that /usr/sbin/pppd should be set to 
rwxsrxr-x root:dip ?

Mine is set to rwxr-xr-x root:root, although it is installed by default (I 
didn't change anything).

By the way, there is somewhere a bugreport related to this problem of umtsmon 
somewhere in the mailinglist.

Best regards

Hans 


-- 
Archive: http://lists.debian.org/201007180051.08853.hans.ullr...@loop.de



Re: udev: chown of /dev/ppp

2010-07-17 Thread Russell Coker
On Sun, 18 Jul 2010, Hans-J. Ullrich hans.ullr...@loop.de wrote:
> Is it correct, what Russell told, that /usr/sbin/pppd should be set to
> rwxsrxr-x root:dip ?

It should not be set to 04755 unless you want everyone on the system to be 
able to run it - which probably isn't what you desire.

On my system it is 04754, I don't recall doing that deliberately so I think 
that part of the default Squeeze install did it.
 
-- 
russ...@coker.com.au
http://etbe.coker.com.au/  My Main Blog
http://doc.coker.com.au/   My Documents Blog


-- 
Archive: http://lists.debian.org/201007180857.01664.russ...@coker.com.au
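
An added example, not part of any message in this thread: a shell function that works out from a binary's octal mode, owner and group whether a given user can execute it and whether it then runs with root privileges, applied to the pppd modes quoted above (04754 and 04755 with root:dip, and rwxr-xr-x root:root). The function names `verdict` and `verdict_live` and the users `hans` and `guest` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function and user names are hypothetical.

# verdict MODE OWNER GROUP USER "USER_GROUPS"
# Prints one of: denied | runs-as-caller | runs-as-root
verdict() {
    mode=$((0$1)); owner=$2; group=$3; user=$4; user_groups=$5

    # Exactly one permission class applies: owner, else group, else other.
    if [ "$user" = "$owner" ]; then
        xmask=$((0100))
    else
        case " $user_groups " in
            *" $group "*) xmask=$((0010)) ;;
            *)            xmask=$((0001)) ;;
        esac
    fi

    if [ $(( mode & xmask )) -eq 0 ]; then
        echo denied            # no execute bit for this caller's class
    elif [ $(( mode & 04000 )) -ne 0 ] && [ "$owner" = root ]; then
        echo runs-as-root      # setuid bit set: effective UID becomes root
    else
        echo runs-as-caller    # no setuid: a root-only /dev/ppp stays closed
    fi
}

# Same check against a real file (GNU stat, as shipped on Debian).
verdict_live() {
    path=$1; user=$2
    set -- $(stat -c '%a %U %G' "$path")
    verdict "$1" "$2" "$3" "$user" "$(id -Gn "$user")"
}

# Constructed cases using the modes quoted in the thread; run with "demo".
if [ "${1:-}" = demo ]; then
    verdict 4754 root dip  hans  "hans dip dialout"   # runs-as-root
    verdict 4754 root dip  guest "guest"              # denied
    verdict 4755 root dip  guest "guest"              # runs-as-root
    verdict 0755 root root hans  "hans dip dialout"   # runs-as-caller
fi
```

On a live system, `verdict_live /usr/sbin/pppd "$USER"` applies the same logic to the installed binary.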



Re: udev: chown of /dev/ppp

2010-07-17 Thread Marco d'Itri
On Jul 18, Hans-J. Ullrich hans.ullr...@loop.de wrote:

> Mine is set to rwxr-xr-x root:root, although it is installed by default (I
> didn't change anything).

I highly doubt it. This is how it is installed on Debian systems:

-rwsr-xr-- 1 root dip 269540 Jul 26  2008 /usr/sbin/pppd*

-- 
ciao,
Marco




Re: udev: chown of /dev/ppp

2010-07-17 Thread Hans-J. Ullrich
On Sunday, 18 July 2010, you wrote:
> On Sun, 18 Jul 2010, Hans-J. Ullrich hans.ullr...@loop.de wrote:
> > Is it correct, what Russell told, that /usr/sbin/pppd should be set to
> > rwxsrxr-x root:dip ?
>
> It should not be set to 04755 unless you want everyone on the system to be
> able to run it - which probably isn't what you desire.
>
> On my system it is 04754, I don't recall doing that deliberately so I think
> that part of the default Squeeze install did it.

Yeah, you are right. As I am the only physical person who runs the system, it 
is no good idea, to let everyone get access.

Well, when you say, the settings are correct, then I will change umtsmon to 
other rights. I just thought, there might have been an error with pppd, and 
/dev/ppp, so I thought it worth to mention it.

But as Marco told, everything is as wanted, I think, I will find another 
solution for my special problem. 

Thank you all very much for your help indeed!!!

Best regards

Hans-J. Ullrich


-- 
Archive: http://lists.debian.org/201007180107.40723.hans.ullr...@loop.de