Re: [Cooker] kppp and suid
> It seems that pppd can't be run as non-root user. > I've tried and pppd writes the following to syslog: > "/usr/sbin/pppd: must be root to run /usr/sbin/pppd, since it is not > setuid-root" Errm, perhaps I was wrong, I tried to set device on pppd command line ... But a strace on pppd gave this : geteuid32() = 501 write(2, "/usr/sbin/pppd: must be root to "..., 80/usr/sbin/pppd: must be root to run /usr/sbin/pppd, since it is not setuid-root Shouldn't geteuid32() return 0 since geteuid() returns the effective user ID of the current process. The effective ID corresponds to the set ID bit on the file being executed, so root with pppd. -- Olivier Blin
Re: [Cooker] kppp and suid
> pppd running as root != pppd running by root yes > The only way to dial up for user is to use peer scripts and having > pppd setuid root. This way pppd can be started by user, since pppd > call is not a priviliged option. :) It seems that pppd can't be run as non-root user. I've tried and pppd writes the following to syslog: "/usr/sbin/pppd: must be root to run /usr/sbin/pppd, since it is not setuid-root" But pppd is setuid root ... $ ls -l /usr/sbin/pppd -rwsr-xr-t1 root root 221656 aoû 13 12:03 /usr/sbin/pppd -- Olivier Blin
Re: [Cooker] kppp and suid
Am Samstag, 16. August 2003 22:37 schrieb Olivier Blin: > > > kppp has root suid, is it really necessary ? > > > pppd has already root suid, shouldn't it be be enough ? > > > > no, since kppp needs to write into /etc/ppp/* > > Does it really need to write there ? > No way to use ~/.ppprc only ? > > I've noticed that all dialers use /var/lock/LCK..ttyS? files. > So they must be run as root. > This prevent for example wvdial to be run as non-root user. Well nothing to discuss here. pppd running as root != pppd running by root The only way to dial up for user is to use peer scripts and having pppd setuid root. This way pppd can be started by user, since pppd call is not a priviliged option. :) Steffen
Re: [Cooker] kppp and suid
> > kppp has root suid, is it really necessary ? > > pppd has already root suid, shouldn't it be be enough ? > no, since kppp needs to write into /etc/ppp/* Does it really need to write there ? No way to use ~/.ppprc only ? I've noticed that all dialers use /var/lock/LCK..ttyS? files. So they must be run as root. This prevent for example wvdial to be run as non-root user. -- Olivier Blin
Re: [Cooker] kppp and suid
Am Samstag, 16. August 2003 21:20 schrieb Diego Iastrubni: > בשבת, 16 באוגוסט 2003, 21:25, Steffen Barszus כתב: > > Am Samstag, 16. August 2003 19:13 schrieb Olivier Blin: > > > Hi > > > > > > kppp has root suid, is it really necessary ? > > > pppd has already root suid, shouldn't it be be enough ? > > > > pppd setuid root => pppd has access to all files it needs as well as > > devices and is able to set the route > > kppp setuid root => using pppd as you were root, needed since using pppd > > as user you have only limited access to pppd. you can only dial with > > peerscripts and not set priviliged options. So kppp not running setuid > > root would result in not beeing able to use it at all. > > > > Steffen > > but if kppp is run as normal user, and then it invokes pppd which is suid > root, then pppd will become root no? What I mean is the following (man pppd): As indicated above, some security-sensitive options are privileged, which means that they may not be used by an ordinary non-privileged user running a setuid-root pppd, either on the command line, in the user's ~/.ppprc file, or in an options file read using the file option. Privileged options may be used in /etc/ppp/options file or in an options file read using the call option. If pppd is being run by the root user, privileged options can be used without restriction. If pppd is setuid root it has access as if it is root, but it is not run as if root has started it. Steffen
Re: [Cooker] kppp and suid
בשבת, 16 באוגוסט 2003, 21:25, Steffen Barszus כתב: > Am Samstag, 16. August 2003 19:13 schrieb Olivier Blin: > > Hi > > > > kppp has root suid, is it really necessary ? > > pppd has already root suid, shouldn't it be be enough ? > > pppd setuid root => pppd has access to all files it needs as well as > devices and is able to set the route > kppp setuid root => using pppd as you were root, needed since using pppd as > user you have only limited access to pppd. you can only dial with > peerscripts and not set priviliged options. So kppp not running setuid root > would result in not beeing able to use it at all. > > Steffen but if kppp is run as normal user, and then it invokes pppd which is suid root, then pppd will become root no? -- - diego _ / Come, landlord, fill the flowing bowl \ | until it does run over, Tonight we will | | all merry be -- tomorrow we'll get | | sober. -- John Fletcher, "The Bloody| \ Brother", II, 2 / - \ ^__^ \ (xx)\___ (__)\ )\/\ U ||w | || || Please avoid sending me Word or PowerPoint attachments. See http://www.fsf.org/philosophy/no-word-attachments.html
Re: [Cooker] kppp and suid
Am Samstag, 16. August 2003 19:13 schrieb Olivier Blin: > Hi > > kppp has root suid, is it really necessary ? > pppd has already root suid, shouldn't it be be enough ? pppd setuid root => pppd has access to all files it needs as well as devices and is able to set the route kppp setuid root => using pppd as you were root, needed since using pppd as user you have only limited access to pppd. you can only dial with peerscripts and not set priviliged options. So kppp not running setuid root would result in not beeing able to use it at all. Steffen
Re: [Cooker] kppp and suid
On Saturday 16 August 2003 19:51, Diego Iastrubni wrote: > > Hi > > > > kppp has root suid, is it really necessary ? > > pppd has already root suid, shouldn't it be be enough ? > > no, since kppp needs to write into /etc/ppp/* what about using a group for this ? /etc/ppp/ could be group writeable, and kppp sgid to this group. -- Michaël Scherer
Re: [Cooker] kppp and suid
בשבת, 16 באוגוסט 2003, 20:13, Olivier Blin כתב: > Hi > > kppp has root suid, is it really necessary ? > pppd has already root suid, shouldn't it be be enough ? no, since kppp needs to write into /etc/ppp/* -- - diego _ / Never lie down with a woman who's got \ | more troubles than you -- Murphy's Laws | \ on Sex n°39 / - \ ^__^ \ (xx)\___ (__)\ )\/\ U ||w | || || Please avoid sending me Word or PowerPoint attachments. See http://www.fsf.org/philosophy/no-word-attachments.html
Re: [Cooker] kppp messing up CHAP logins?
On Mon, 2002-08-12 at 19:32, Crispin Boylan wrote: > Hi > i've tried to use kppp with BTOpenworld here in the uk (it uses CHAP > authentication) but no matter what I do, it won't connect. However, my > other ISP Easynet which uses PAP for authentication connects perfectly > everytime. > > using just the normal pppd scripts works fine for both its only in kppp > that problems occur..incidently with Easynet CHAP and PAP is supported > and CHAP doesnt work for easynet in kppp either, whilst using pppd > scripts with it and chap work fine as well. > It works fine for me. I use kppp to connect to BTInternet, so don't think it's a general issue. ian.
Re: [Cooker] kppp and wrong permission on /etc/resolv.conf
I posted this to the KDE bug system, but so far no feed back. Owen On Saturday 25 Aug 2001 4:03 pm, you wrote: > Hi all, > is someone fixing that boring bugs on kppp? Each time kppp starts, files > /etc/resolve.conf has permission > > -rw---rootWHO_USED_KPPP resolv.conf > > C.
RE: [Cooker] kppp problem
> > Yes, I reported this a few days ago to the kde bug system. When kppp drops > the connection it changes the permisions on /etc/resolv.conf to "-r--- > - > root root" so mere mortals cannot even read it. I now keep a root console > open just to reset the permissions on the file !!! It all works then. > Actually it is "root ". Which does change the fact that it is root-only readable. -andrej
Re: [Cooker] kppp problem
Yes, I reported this a few days ago to the kde bug system. When kppp drops the connection it changes the permisions on /etc/resolv.conf to "-r root root" so mere mortals cannot even read it. I now keep a root console open just to reset the permissions on the file !!! It all works then. Owen On Wednesday 22 Aug 2001 8:25 pm, you wrote: > As I just joined the list, I don't know if this problem has been brought up > before. I am having a problem with kppp going in and changing perms on > /etc/resolv.conf to 600. Then neither kppp nor the browsers are able to > access /etc/resolv.conf. Anybody aware of whats going on here? > > Thanks, > > George Mitchell > [EMAIL PROTECTED]
Re: [Cooker] KPPP
On Sun, 08 Oct 2000, Christopher Molnar wrote: > On Thu, 05 Oct 2000, Prana wrote: > > Hiya, > > KPPP doesn't dock anymore. I missed KDE1 when KPPP can dock into the > > panel when it dials up. Note that I didn't try this yet on 1.99 > > though... > > kppp ---> setup ---> misc tab and select dock on connect. > You also need to add the System Tray applet to your panel. -- -- Peter Ruskin <[EMAIL PROTECTED]> Wrexham, UK KDE - the professionals' choice --
Re: [Cooker] KPPP
What's the button that seems to be below quit on disconnect in kppp misc options? on mine I can barely see the top of a button. On Sun, 08 Oct 2000, you wrote: > > > KPPP doesn't dock anymore. I missed KDE1 when KPPP can dock into the > > > panel when it dials up. Note that I didn't try this yet on 1.99 > > > though... > > > > kppp ---> setup ---> misc tab and select dock on connect. > > I think you're wrong. KDE2 doens't support docking of KDE1-Apps. > (But perhaps kppp is ready for KDE2, I didn't test this...) > > I also would like to repeat what I already wrote twice but never got an > answer: In 7.2beta3, a kppp link appears on the KDE2-Desktop captionned > "Internet". I think this is no good since people without a modem cannot > dial with kppp. Any answers?
Re: [Cooker] KPPP
> > KPPP doesn't dock anymore. I missed KDE1 when KPPP can dock into the > > panel when it dials up. Note that I didn't try this yet on 1.99 > > though... > > kppp ---> setup ---> misc tab and select dock on connect. > I think you're wrong. KDE2 doens't support docking of KDE1-Apps. (But perhaps kppp is ready for KDE2, I didn't test this...) I also would like to repeat what I already wrote twice but never got an answer: In 7.2beta3, a kppp link appears on the KDE2-Desktop captionned "Internet". I think this is no good since people without a modem cannot dial with kppp. Any answers?
Re: [Cooker] KPPP
On Thu, 05 Oct 2000, Prana wrote: > Hiya, > KPPP doesn't dock anymore. I missed KDE1 when KPPP can dock into the > panel when it dials up. Note that I didn't try this yet on 1.99 > though... kppp ---> setup ---> misc tab and select dock on connect. -Chris
Re: [Cooker] kppp doesnt work with normal user (kde2 beta 4)
It is known problem. There was discussion on KDE-User list concerning this appx. 2 weeks ago. Unfortunately, I was the only Mandrake user, and proposed solution was not working for me (edit pam file for kppp) Take a look on kde-user archieve. Vadim On Thu, 31 Aug 2000, Andrew Kirrage wrote: | | When logged on as a normal user( not root), kppp doesnt work in the | current kde2 beta . Firstly it says 'unable to open lock file'. Then when I | untick the use lock file box it says 'unable to open modem' | | Thanks | | Andrew Content-Type: text/html; name="unnamed" Content-Transfer-Encoding: quoted-printable Content-Description: -- Vadim Plessky
Re: [Cooker] Kppp and some permissions problems
Civileme <[EMAIL PROTECTED]> writes: > Custom > > Low Security > > Passwoeds were activated. > > User gets message that suid bit not set in pppd and kppp cannot run > please contact system administrator > > OK > > pppd suid bit set with chmod. > > User now hangs on "cannot create lock file" and "cannot open modem" > > This may need some attention before release. > > Civileme you have tried an older version. i just tried it, it works nice. -- Guillaume Cottenceau
Re: [Cooker] Kppp and some permissions problems
Civileme <[EMAIL PROTECTED]> writes: > Custom > > Low Security > > Passwoeds were activated. > > User gets message that suid bit not set in pppd and kppp cannot run > please contact system administrator > > OK > > pppd suid bit set with chmod. > > User now hangs on "cannot create lock file" and "cannot open modem" chmod +s /usr/bin/kppp > This may need some attention before release. sure. > > Civileme > > > > -- > BETA-testing Netscape 6 > and its mailer > > -- Guillaume Cottenceau
