help with sudo

raven · 01-25-2002, 04:41 AM

hello

does anybody know how i have to configure sudo so that unprivileged user can execute one speciefied program that uses other programs which also need root permission to run?

an example is wvdial: it reads/writes from/to privileged files (/etc/ppp/stuff...) accesses a device owned by root (/dev/ttyS1) and then starts a program owned by root (pppd)...

how can i tell sudo, that anyone can access these few files/devices?

thank you

acid_kewpie · 01-25-2002, 05:54 AM

although not always suitable, I'd say that a program like wvidial would best be handled just by using the suid bit on the executable, as it's a generally safe program in terms of system security

alfie · 01-25-2002, 06:42 AM

Quote:

Originally posted by raven
does anybody know how i have to configure sudo so that unprivileged user can execute one speciefied program that uses other programs which also need root permission to run?

The manual page for sudoers(5) is quite exaustive to that topic, it should be able to answer all your questions. It would be something like the following line:

Code:

ALL ALL=(root) /usr/bin/wvdial

That would allow all users to run /usr/bin/wvdial as root.

Quote:

an example is wvdial: it reads/writes from/to privileged files (/etc/ppp/stuff...) accesses a device owned by root (/dev/ttyS1) and then starts a program owned by root (pppd)...

On the other hand - for wvdial it wouldn't be really needed to be run as root at all! wvdial only needs access to that device and the files. You can make those files (at least) readable to a special group, chmod g+rw /dev/ttyS1 and make wvdial sgid to that special group which you put all those files in and the user. That has quite some advantages: An exploit in wvdial wouldn't make the system a big security risk and you can

raven · 01-25-2002, 10:11 AM

well thank you, but if I set the mandantory files readable to my users, and i let them execute pppd, the connection always breaks after 1 second...

why is this?

besides: how do you set an executable suid root? thats a question I should have asked long beforte... :-)

thanks to everyone

cya

DMR · 01-25-2002, 03:57 PM

Quote:

Originally posted by raven
well thank you, but if I set the mandantory files readable to my users, and i let them execute pppd, the connection always breaks after 1 second...

why is this?

besides: how do you set an executable suid root? thats a question I should have asked long beforte... :-)

thanks to everyone

cya

Not sure about the connection break, but here's a snip from somewhere on the SUID/SGID usage (it's also discussed in the chmod man pages):

Quote:

To give a program SUID permissions, do a chmod 4755 The 4 gives the SUID permission. The remaining three numbers follow the normal user-group-world permissions.

After, as root, you set the SUID bit on a program, anyone will then effectively become root while they are executing that program.

raven · 01-26-2002, 05:25 AM

thanks

setting suid works now, but if I dial with another user than root, the pppd dies with exit code 2. i looked at the man pages what this means, it tells me

"error processing options given... two mutually exclusive options given."

and what is that????

dialing as root always works.

thanks for the help

cya

raven

DMR · 01-26-2002, 10:17 PM

Hm,

I don't use pppd, but:

Does it die for everyone except root? Can each user can have a custom config file in their home directory, or does pppd read from a central config file (in /etc maybe)? If the error is correct, pppd is recieving conflicting instructions from somewhere, and you might have to pick through the file(s) to find the conflict.
Not being familiar with it, that's about all I can offer.

raven · 01-27-2002, 06:24 PM

the users dont have own config files, they dont even have home directories...

any other suggestion?

thanks

raven