Confusion with allowing ppp for all users

Tim
      07-08-2003, 05:15 PM
I'm running a small home linux firewall, running
Mandrake linux 9.0

Access to the internet is through a dialup modem.

I'm trying to allow ordinary users to dialout to the isp, which uses
pap authentication.

I've set it up already to work as the root user.
But I'm not sure of all the steps to allow normal users to do it.

When running the ppp-on script as an ordinary user I get the following
message

/usr/sbin/pppd: using the name option requires root privilege

The pppd permissions are set thus
-rwsr-xr-x 1 root pppusers 239192 Aug 9 2002 /usr/sbin/pppd*
Note the s is there.


My ordinary user has been added to the pppusers group.

I was fiddling with permissions (post backup) in /etc/ppp
The following are the permissions for some files in my /etc/ppp directory

-rwxr-xr-x 1 root pppusers 967 Jun 22 05:06 ppp-off*
-rwxr-xr-x 1 root pppusers 1107 Jun 28 00:36 ppp-on*
-rwxr-xr-x 1 root pppusers 422 Jun 28 00:37 ppp-on-dialer*

-rw-r--r-- 1 root daemon 36 Aug 9 2002 options
-rw-r----- 1 root pppusers 95 Jun 27 22:48 pap-secrets

Is it necessary to have all these above files' groups set to pppusers ?

If someone could point me in the right direction I will be very grateful.

Thanks
- Tim
Tim
      07-08-2003, 06:22 PM
>> If someone could point me in the right direction I will be very
>> grateful.

>
> Switch to the "dial-on-demand" setup, and leave the pppd daemon up all
> the time ("ppp-go -d"). This will cause the daemon to dial out when
> there's IP traffic routed to the internet, and hang up after the traffic
> stops.


Maybe I don't understand it right, but won't that cost me heaps in phone
calls.
I don't want it to dial unless we say so to save the confusions,
since we only have one phone line.
Lew Pitcher
      07-08-2003, 06:44 PM
Tim wrote:
>>> If someone could point me in the right direction I will be very
>>> grateful.

>>
>>
>> Switch to the "dial-on-demand" setup, and leave the pppd daemon up all
>> the time ("ppp-go -d"). This will cause the daemon to dial out when
>> there's IP traffic routed to the internet, and hang up after the
>> traffic stops.

>
>
> Maybe I don't understand it right, but won't that cost me heaps in phone
> calls.
> I don't want it to dial unless we say so to save the confusions,
> since we only have one phone line.


I've been running dial-on-demand on my home lan for about three or four
years now, and I haven't had a significant amount of excess traffic. Albeit,
the household consists of adults only, and our 'internet' activities are
moderately limited, but my wife would be /very/ upset with me if I spent an
inordinate amount of time on the internet. Outside of the scheduled tasks
(my server collects my email and our newsgroups nightly), we rarely have
more than a couple of hours per week on the internet. Dial-on-demand doesn't
interfere with our household telephone activities at all.

YMMV, but dial-on-demand /might/ be an acceptable solution.

--

Lew Pitcher, IT Consultant, Application Architecture
Enterprise Technology Solutions, TD Bank Financial Group

(Opinions expressed here are my own, not my employer's)

Clifford Kite
      07-09-2003, 01:23 AM
Tim <(E-Mail Removed)> wrote:
> I'm running a small home linux firewall, running
> Mandrake linux 9.0


> Access to the internet is through a dialup modem.


> I'm trying to allow ordinary users to dialout to the isp, which uses
> pap authentication.


> I've set it up already to work as the root user.
> But I'm not sure of all the steps to allow normal users to do it.


> When running the ppp-on script as an ordinary user I get the following
> message


> /usr/sbin/pppd: using the name option requires root privilege


Doctor, Doctor, ... So don't use the name option, the proper option for
dialing into a peer that wants to authenticate you is " user username ".

> The pppd permissions are set thus
> -rwsr-xr-x 1 root pppusers 239192 Aug 9 2002 /usr/sbin/pppd*
> Note the s is there.


What does that accomplish? Since pppd has execute permission for all
users it's not necessary.

> My ordinary user has been added to the pppusers group.


> I was fiddling with permissions (post backup) in /etc/ppp
> The following are the permissions for some files in my /etc/ppp directory


> -rwxr-xr-x 1 root pppusers 967 Jun 22 05:06 ppp-off*
> -rwxr-xr-x 1 root pppusers 1107 Jun 28 00:36 ppp-on*
> -rwxr-xr-x 1 root pppusers 422 Jun 28 00:37 ppp-on-dialer*


> -rw-r--r-- 1 root daemon 36 Aug 9 2002 options
> -rw-r----- 1 root pppusers 95 Jun 27 22:48 pap-secrets


> Is it necessary to have all these above files' groups set to pppusers ?


No. Given an suid root pppd available to all users, the only file that
really needs a special group is /dev/ttySx, the modem's serial device
file. E.g., I've put my (regular) user login name in the tty group here,
and assigned group rw permissions to that ttySx, but none to other users,
since tty is the default group for the ttySx's. That will work fine until
some program uses the ttySx and removes either its read or its write
permission for group tty.

> If someone could point me in the right direction I will be very grateful.


Someone is likely to give me some flak about security, but if you trust
your people that do PPP then I see nothing wrong with this arrangement.

-- Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
/* To extract lines: View file with "vi -R". Move cursor to first line.
Press "v". Move cursor to mark lines (Esc unmarks). Write lines to
fubar with ":w fubar <Enter>". Exit with ":q <Enter>". */
Tim
      07-09-2003, 05:50 AM
> Tim <(E-Mail Removed)> wrote:
>> I'm trying to allow ordinary users to dialout to the isp, which uses
>> pap authentication.
>> I've set it up already to work as the root user.
>> But I'm not sure of all the steps to allow normal users to do it.
>> When running the ppp-on script as an ordinary user I get the following
>> message
>> /usr/sbin/pppd: using the name option requires root privilege

> Doctor, Doctor, ... So don't use the name option, the proper option for
> dialing into a peer that wants to authenticate you is " user username ".


Thank you, this helps.

>> Is it necessary to have all these above files' groups set to pppusers ?

>
> No. Given an suid root pppd available to all users, the only file that
> really needs a special group is /dev/ttySx, the modem's serial device
> file. E.g., I've put my (regular) user login name in the tty group here,
> and assigned group rw permissions to that ttySx, but none to other users,
> since tty is the default group for the ttySx's. That will work fine
> until
> some program uses the ttySx and removes either its read or its write
> permission for group tty.


I changed the ppp-on script to use the user option instead of the name
option.
I've set the permissions of the ttyS1 device (my modem) to rw for the
group tty, and I've added my regular users to the tty group. pppd starts as
my regular user, but my log says,

pppd[1647]: Failed to open /dev/ttyS1: Permission denied

then pppd exits.

ttyS1 permissions are
crw-rw---- 1 root tty 4, 65 Jul 9 15:11 /dev/ttyS1

And I have definitely added my regular user to the tty group, have I missed
something?

Another thing I noticed is that after connecting with the root user the
permissions of ttyS1 are changed back to
crw-r----- 1 root tty 4, 65 Jul 9 15:47 /dev/ttyS1

Thanks for all your help so far.
Clifford Kite
      07-09-2003, 02:50 PM
Tim <(E-Mail Removed)> wrote:
>> Tim <(E-Mail Removed)> wrote:


> I changed the ppp-on script to use the user option instead of
> the name option. I've set the permissions of the ttyS1 device
> (my modem) to rw for the group tty, and I've added my regular users
> to the tty group. pppd starts as my regular user, but my log says,


> pppd[1647]: Failed to open /dev/ttyS1: Permission denied


The ttyS1 should be opened by the user actually executing pppd.
If the user is in the tty group and the ttyS1 group is tty with
rw group permissions then the user should be able to open it when
a pppd binary compiled from a pristine standard source (found at
ftp.samba.org) is used.

> then pppd exits.


> ttyS1 permissions are
> crw-rw---- 1 root tty 4, 65 Jul 9 15:11 /dev/ttyS1


> And I have definitely added my regular user to the tty group,
> Have I missed something?


Not that I know about. Double check tty group membership by executing
id as the regular user, e.g.,

~$ id
uid=1000(kite) gid=100(users) groups=100(users),5(tty),6(disk),14(uucp)

> Another thing I noticed is that after connecting with the root user the
> permissions
> of ttyS1 are changed back to
> crw-r----- 1 root tty 4, 65 Jul 9 15:47 /dev/ttyS1


A pppd binary compiled from the *standard* pppd source changes the
permissions to these but also restores the original permissions when
terminating, unless pppd is terminated with a SIGKILL - which can
also cause other problems. I'd guess that the distribution maker has
a case of paranoia and modified its pppd to leave write permission
on ttySx only for root when terminating.

Or it's possible that I've missed something here - it's been quite
a while since I fiddled with things here so as to be able to connect
with ppp-on and ppp-on-dialer when logged on as myself. I really
don't think I have missed anything though. FYI, the ppp-on and
ppp-on-dialer scripts here are based on those that come with the
standard pppd source.

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"
PPP-Q&A links, downloads: http://ckite.no-ip.net/
/* I gave up on politics when no matter who I voted for, I regretted it.
* -- Pepper...and Salt, WSJ */
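Both of Clifford's replies come down to the same check: which rwx triplet of the device file applies to the dialling user (owner, then group, then other), whether that user is really in the tty group according to `id`, and whether the `s` in pppd's mode is in fact the setuid slot. The script below is an added example for this thread, not code posted by anyone in it; the `ls -l` and `id` lines it parses are constructed to mirror the listings above, and the user names `tim` and `bob` are assumed.

```python
"""Decide from `ls -l` and `id` output whether a user can open a device rw.

Added example for the pppd/ttyS1 thread; not code from the thread itself.
All sample lines below are constructed to match the listings posted there.
"""
import re

# Constructed samples: the two states of /dev/ttyS1 seen in the thread,
# and the setuid pppd binary (trailing '*' from `ls -F` stripped).
LS_OK      = "crw-rw---- 1 root tty 4, 65 Jul 9 15:11 /dev/ttyS1"
LS_CHANGED = "crw-r----- 1 root tty 4, 65 Jul 9 15:47 /dev/ttyS1"
LS_PPPD    = "-rwsr-xr-x 1 root pppusers 239192 Aug 9 2002 /usr/sbin/pppd"

# Constructed `id` output: one user in the tty group, one not (names assumed).
ID_IN_TTY  = "uid=1000(tim) gid=100(users) groups=100(users),5(tty),14(uucp)"
ID_NOT_TTY = "uid=1001(bob) gid=100(users) groups=100(users),14(uucp)"


def parse_ls(line):
    """Return (mode, owner, group, path) from one `ls -l` line.

    Device files print 'major, minor' instead of a size, which shifts the
    column count, so the path is taken from the end rather than by index.
    """
    fields = line.split()
    return fields[0], fields[2], fields[3], fields[-1]


def parse_id(line):
    """Return (user, set_of_group_names) from `id` output."""
    user = re.search(r"uid=\d+\((\w+)\)", line).group(1)
    groups = set(re.findall(r"\d+\((\w+)\)", line.split("groups=")[1]))
    return user, groups


def effective_perms(mode, owner, group, user, user_groups):
    """Pick the triplet that applies to `user`: owner, else group, else other.

    An 's' in the execute slot (setuid/setgid) still grants execute, so it is
    treated as 'x' here.
    """
    if user == owner:
        triplet = mode[1:4]
    elif group in user_groups:
        triplet = mode[4:7]
    else:
        triplet = mode[7:10]
    return {"r": "r" in triplet, "w": "w" in triplet, "x": triplet[2] in "xs"}


def can_open_rw(ls_line, id_line):
    """True if the user shown by `id` can open the listed file read-write."""
    mode, owner, group, _ = parse_ls(ls_line)
    user, groups = parse_id(id_line)
    perms = effective_perms(mode, owner, group, user, groups)
    return perms["r"] and perms["w"]


def is_setuid_root(ls_line):
    """True if the file is owned by root and has the setuid bit set."""
    mode, owner, _, _ = parse_ls(ls_line)
    return owner == "root" and mode[3] == "s"


if __name__ == "__main__":
    for ls in (LS_OK, LS_CHANGED):
        for who in (ID_IN_TTY, ID_NOT_TTY):
            print(parse_ls(ls)[0], parse_id(who)[0], "rw" if can_open_rw(ls, who) else "denied")
    print("pppd setuid root:", is_setuid_root(LS_PPPD))
```

Run against the constructed lines, the `crw-rw----` listing is openable by the user in group tty and denied to the one who is not, while the `crw-r-----` listing left behind after the root session is denied to both, which is exactly the "Permission denied" situation Tim described once the mode had been changed under him.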