Re: rootly stuff
On Thu, Mar 30, 2000 at 12:27:04AM -0500, Wesley Leonard was only
escaped alone to tell thee:
> Jon Sanders wrote:
Congratulations on getting Linux online!
> > Anywho, I was wondering if setting the shutdown and reboot scripts to a
> > localuser group, making my primary login user part of that group (right
> > now, this is a one-user system), and chowning and chmoding those scripts
> > to the localuser group, executable by group, would present a security
> > risk?
>
> I would look into a program called sudo. Sudo allows you to let normal
> users run rootly stuff (like shutdown, reboot, pppd, etc).
>
> > Also, I've always known that it's a serious no-no to establish a PPP
> > connection while logged in as root... Why is that, and what kind of
> > powers does someone on the other side of a PPP connection have? If I'm
> > logged in as a user, can they execute any command I have set to be
> > executable by that user?
>
> I don't know about all that. As far as I know, only root can make new
> network interfaces.
/usr/sbin/pppd needs to run as root, but as a member of group "dip" (which I
hope stands for "dial-in ppp" :) I can run pppd (rwsr-xr-- root dip)
without being root: grp-dip can run pppd which tells itself it is
setuid root, but in fact it only runs under my user account.
However, if I do call up pppd as root, my dip-grp account cannot kill the
process, as pppd is being run by root. setuid is not the same as running
apps from root -- the latter seems to carry more privilege. As for what
trickery may be done by someone who tries to hack your pppd from
internet-side, I have no specific info, sorry.
FWIW, I always just su and run shutdown, et al.
--
bedlam@concentric.net | the one true pwd(5)
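
An added example, not part of the original message: a small Python model of the standard Unix rules behind the setup discussed above (mode rwsr-xr--, owner root, group dip), covering who may execute the binary, which uids the new process gets, and who may signal it. The numeric uids and gid and all function names are constructed for illustration, and the model assumes the program does not change its own uids after it starts.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Creds:
    ruid: int          # real uid (who started the process)
    euid: int          # effective uid (used for permission checks)
    suid: int          # saved set-user-ID
    groups: frozenset  # all group ids of the process

def may_execute(mode, owner, group, c):
    """Classic Unix check: exactly one class applies (owner, else group, else other)."""
    if c.euid == 0:  # root still needs at least one execute bit
        return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if c.euid == owner:
        return bool(mode & stat.S_IXUSR)
    if group in c.groups:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def exec_creds(mode, owner, group, c):
    """Credentials after exec, or None if exec is refused.
    With the setuid bit set, effective and saved uid become the file owner;
    the real uid stays that of the caller."""
    if not may_execute(mode, owner, group, c):
        return None
    euid = owner if mode & stat.S_ISUID else c.euid
    return Creds(c.ruid, euid, euid, c.groups)

def may_signal(sender, target):
    """kill(2) rule: root may signal anything; otherwise the sender's real or
    effective uid must equal the target's real or saved uid."""
    return sender.euid == 0 or bool({sender.ruid, sender.euid} & {target.ruid, target.suid})

# Constructed sample values: uid 1000 is in group dip (gid 30), uid 1001 is not.
PPPD_MODE, ROOT_UID, DIP_GID = 0o4754, 0, 30   # 0o4754 == rwsr-xr--
dialer = Creds(1000, 1000, 1000, frozenset({1000, DIP_GID}))
outsider = Creds(1001, 1001, 1001, frozenset({1001}))
root = Creds(0, 0, 0, frozenset({0}))

started_by_dialer = exec_creds(PPPD_MODE, ROOT_UID, DIP_GID, dialer)
started_by_root = exec_creds(PPPD_MODE, ROOT_UID, DIP_GID, root)

if __name__ == "__main__":
    print(stat.filemode(stat.S_IFREG | PPPD_MODE))          # mode string of the sample file
    print("started by dip member:", started_by_dialer)      # real uid 1000, effective uid 0
    print("outsider may exec:", exec_creds(PPPD_MODE, ROOT_UID, DIP_GID, outsider) is not None)
    print("dialer may kill own:", may_signal(dialer, started_by_dialer))
    print("dialer may kill root's:", may_signal(dialer, started_by_root))
```

The real uid is what lets the starting user signal the setuid process, while a copy started by root carries no uid the user shares.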