Changing User Privilege question
 

Howdy, I've been perusing the forum and finding all kinds of answers to questions I've had the past couple of weeks while gettin situated with my new computer and Linux Mandrake 9.1, thanks for all the knowledgable info here it has been very helpful. I have a simple question that probably has a simple answer but I can't seem to find the answer so here goes.

I downloaded Firestarter and installed it (works very nicely) when I went to configure it I had to do so in root. Ok so i got it running put on my desktop for easy access and changed the permission to user execute , but when I click on it I still get asked for root password "no user privilege". Is there some way for me to change the user privilege specifications for this application so I can run it from User and not just root? I don't mind turning it on manually I just want to be able to do it with out having to go to root each time. Any suggestions?

Having your firewall accessable to ordinary users strikes me as a bad security move. Linux firewalls are usually just front ends for the iptables, i.e. they automate the process of editing the iptables by hand. Only root can edit the iptables which is why your getting prompted for a root password. You can have ordinary users run the program with root privileges by changing the permissions to SetUID. It's easy to do. In a console, su to root and run:

# chmod 4755 <path to firestarter>

From a security standpoint it's a terrible idea however. That's the reason why by design the program requires root privileges to run.

The good idea for you would be to have your firewall script(the one firestarter created) load at boot up. I know how I did it in slackware, but I think it is different in mandrake. It is probably as simple as copying the script and making it exacutable and moving it to the right location, so it gets run at bootup. With a little reasearch you should be able to figure it out.

Thanks to both of you. Kilgore I'm the only user on the system so I don't see a problem although I do see what you mean and your explanation as to why it's a bad idea is well understood. Since no one else is using the system I'm not too concerned but I will give it some thought. I was just looking for convenience but I'm already getting use to going to root to start FS up. Shanein thanks, after I made the post I went back to FS's site and looked closer at the manual, there is a script that can go in to the start up file, the info can be found here

http://firestarter.sourceforge.net/m...ersistence.php

the script is given and it says to place it in the rc.local file, it also says something about kppp having an option to launch scripts when it connects but I can't seem to locate it. any one know about that particular bit of info?

both of you have given me great answers. Thanks.

I'm not sure about the kpp thing. It's been a while since I used it since I got broadband cable(Oh Happy Day!!!). Just to expand on the security concerns a bit, having other users being able to access the firewall is obviously one. Another concern deals with the situation where you are hacked despite the efforts of your firewall. The hacker would then be able to rewrite your firewall rules and totally open your system which could allow for further root exploits on the opened ports. Using setUID is always a security concern for this reason; it allows someone who gets access to your system as an ordinary user to run setUID programs as root. It should be used sparingly because the security ramifications are not always clear.

Thanks Kilgore, just one more question. Is there a way to specify a user using the chmod string?

Thanks again :)

No, a file has (exactly) one owner. That owner is changed with the command chown.

chown NEW_OWNER FILE(S)

Martin