[plug] Running root commands

Bernard Blackham bernard at blackham.com.au
Thu Mar 15 22:10:24 WST 2001


On Thu, 15 Mar 2001, connell wrote:
> and stop the connection to our ISP as every thing has to go thru a SSH2
> client window.  I had thought of creating a logon and a logoff account
> that would run the necessary scripts and then exit.  However, it
> requires root to run /usr/sbin/pppd which these accounts aren't.  I
> think setuid might be what I need but the setuid man page just leaves me
> scratching my head.  Any suggestions?


This topic has been discussed before; surely it's in the archives ... try
a search for "pppd" - around last November IIRC. But briefly, there are a
few ways of going about it.

1. Make the modem device and pppd all owned by a group "modem" or
something (on some distros I think it's already done), and run chmod 664
/dev/ttySx, where ttySx is your modem device. Then add any users you want
to the modem group.

2. Read up on RSA Authentication (man ssh) to allow any user to ssh to
root without needing a password. Then put it all behind a script like
"log-on":

     #!/bin/sh
     # bring up ppp0 as root over a key-authenticated ssh session
     ssh root@localhost ifup ppp0

and another similar one for log off, so all the user does is log in with
their account and type log-on or log-off. This is insecure, if the users
have bad intentions, or even if they don't, but it's generally bad
practice to give anybody root who doesn't need it. No matter how much
they're trusted.

3. Use sudo, a program that allows certain users to run certain commands as
root, but nothing else. It should be included as a package in most
distros, else I'm sure it's on freshmeat. The only downside is it requires
users to enter their password at least twice, which can bug some people.



Solution 1 would probably be the most elegant. I'm sure people have their
opinions, especially about #2, but it's the easiest to extend later,
surely not the most secure. It's worth reading up on RSA Authentication,
and using a Windows SSH client that does it. It makes things a 'lil easier
for those not used to passwords.

>         After I get this firewall bedded down, I can look at turning one
> of the 98 machines into a linux workstation.

Woohoo! =)

HTH,

Bernard

-- 
 Bernard Blackham
 bernard at blackham.com.au
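As an added illustration of option 3 from the reply above (this is not code from Bernard's post, nor from any project), here is a wrapper script in the spirit of his "log-on"/"log-off" scripts, but built on sudo instead of key-authenticated ssh to root. The group name "modem", the script path /usr/local/bin/ppp-ctl and the ifup/ifdown paths are assumptions; the matching sudoers rule grants exactly two commands and no shell, which is the least-privilege point the reply makes against option 2.

```shell
#!/bin/sh
# Added example: least-privilege alternative to "ssh root@localhost ifup ppp0".
# Assumed: a group "modem", /usr/sbin/ifup and /usr/sbin/ifdown as on the
# original poster's box, and this script installed as /usr/local/bin/ppp-ctl.
#
# Matching sudoers entry (edit with visudo); members of "modem" may run only
# these two exact command lines as root, nothing else:
#
#   Cmnd_Alias PPP = /usr/sbin/ifup ppp0, /usr/sbin/ifdown ppp0
#   %modem ALL = (root) NOPASSWD: PPP
#
# NOPASSWD removes the "password at least twice" annoyance mentioned in the
# reply; drop it if you would rather sudo prompt.

# Map a user-facing action to the exact command sudo is allowed to run.
# Prints the command on success and returns 1 on anything else, so the
# wrapper never forwards arbitrary arguments to sudo.
ppp_command() {
    case "$1" in
        on)  echo "/usr/sbin/ifup ppp0" ;;
        off) echo "/usr/sbin/ifdown ppp0" ;;
        *)   return 1 ;;
    esac
}

# Run the mapped command via sudo.  With DRY_RUN=1 the command is only
# echoed, so the script can be exercised on a box without pppd or sudo.
ppp_ctl() {
    cmd=$(ppp_command "$1") || { echo "usage: ppp-ctl on|off" >&2; return 2; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sudo $cmd"
    else
        # word splitting of $cmd is intended: program plus its one argument
        sudo $cmd
    fi
}

# Only act when executed as ppp-ctl, not when sourced for testing.
case "${0##*/}" in
    ppp-ctl) ppp_ctl "$1" ;;
esac
```

Users then log in with their own account and type "ppp-ctl on" or "ppp-ctl off"; because the sudoers rule names the full command lines, a user who edits or replaces the wrapper still cannot run anything beyond ifup/ifdown on ppp0.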
