18.3. Configuring Dial-Up Permissions for Nonroot Users

Problem

You want your users to have dial-up privileges, but so far in this chapter, only the root user can use dial-up. How do you make dial-up available to nonprivileged users?

Solution

This takes a bit of tweaking permissions on a number of files:

/etc/ppp/chap-secrets
/etc/ppp/pap-secrets
/dev/ttyS*
/usr/sbin/pppd
/var/lock

Some Linux distributions come with the dialout group for dial-up users. Others use dip or uucp. Make /etc/ppp/chap-secrets, /etc/ppp/pap-secrets, and /dev/ttyS* owned by the dialout group (or dip,or uucp, it doesn't matter as long as they are all in the same group):

	# chown root:dialout /dev/ttyS3 /etc/ppp/chap-secrets \
	 /etc/ppp/pap-secrets

Next, put your authorized users in the same group these files belong to:

	dialout:x:20:alrac,foobear,fredfoo

Make sure that /etc/ppp/chap-secrets and /etc/ppp/pap-secrets are readable and writable only by the owner and group owner:

	# chmod 0660 /etc/ppp/chap-secrets /etc/ppp/pap-secrets

Next, check the /var/lock directory. It should be wide open to the world, and the sticky bit set:

	$ ls -ld /var/lock
	drwxrwxrwt 3 root root 4096 14. Okt 07:37 /var/lock

If it isn't, make it so:

	# chmod 1777 /var/lock

pppd needs to be suid, as this shows:

	$ ls -l /usr/sbin/pppd
	-rwsr-xr--1 root dip 232536 Dec 30 2004 /usr/sbin/pppd

If it isn't, make it so:

	# chmod 4754 /usr/sbin/pppd

Discussion

If the group owner of any file is root, do not add users to the root group! Change the group owner to dialout (or whatever group you choose).

You'll see messages in your logfiles complaining that "Warning—secret file /etc/ppp/ pap-secrets has world and/or group access." Don't worry about them—just make sure they are not world-readable, and be careful who goes in the dialout group.

The little s in -rwsr-xr-- tells you /usr/sbin/pppd is suid root. This means ordinary users get to run pppd with the necessary root privileges it needs to work. If you get "Cannot open device /dev/ttyS0-Device or resource busy" errors as an unprivileged user, chances are either /usr/sbin/pppd is not suid root,or /var/lock has incorrect permissions. suid opens a potential security hole, and should not be used casually; this is one of the few times where it is OK to use it.

See Also