Gentoo Forums
Secure way to allow a non-root user to start a service
Magister Cistiorum
n00b


Joined: 22 Dec 2010
Posts: 14

Posted: Tue Nov 26, 2013 7:48 pm    Post subject: Secure way to allow a non-root user to start a service

There is a PPP network interface configured as a service by creating a symlink `/etc/init.d/net.ppp0` linked to `/etc/init.d/net.lo` and adding a `/etc/conf.d/net.ppp0` config file:

Code:
# cd /etc/init.d
# ln -s net.lo net.ppp0
# cat > /etc/conf.d/net.ppp0 <<DELIM
> link_ppp0='pty "pptp vpn.server.org --nolaunchpppd"'
> username_ppp0='myusername'
> pppd_ppp0='defaultroute lcp-echo-interval 15 lcp-echo-failure 4 updetach'
> metric_ppp0="2"
> mtu_ppp0="1400"
> rc_net_ppp0_need="net.enp2s0"
> DELIM


Trying to start the service as a non-root user without root privileges, I get the following message:

Code:
$ /etc/init.d/net.ppp0 start
net.ppp0      | * net.ppp0: superuser access required


The connection is still not established after that.

I'm wondering what the most secure way is to allow a non-root user to start/stop this server with root privileges. Since `setuid` on scripts (`/etc/init.d/net.lo` is a script) is ignored, the only idea I have is to use `sudo`. Are there other ways, perhaps more secure than using `sudo`, to solve this problem?
mv
Watchman


Joined: 20 Apr 2005
Posts: 6309

Posted: Tue Nov 26, 2013 8:46 pm

Why do you think that sudo is not secure?
The Doctor
Moderator


Joined: 27 Jul 2010
Posts: 2609

Posted: Tue Nov 26, 2013 10:56 pm

If you set up sudo correctly you can easily set it so the only thing it allows is to start that particular script.

I'm also kind of curious what kind of vulnerabilities you think sudo has.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
Anon-E-moose
Advocate


Joined: 23 May 2008
Posts: 4409
Location: Dallas area

Posted: Tue Nov 26, 2013 11:59 pm

As the others have said, sudo can be locked down to only a single app or it can be a few apps or wide open.

Sudo is not insecure unless the person granting permissions allows it to be wide open.
_________________
PRIME x570-pro, 3700x, RX 550 & 560, 5.5.15 zen kernel, gcc 9.3.0
Acer E5-575 (laptop), i3-7100u - i965, 5.0.13 zen kernel, gcc 8.2.0
---both---
profile 17.1 (no-pie & modified) amd64-no-multilib eudev, openrc, openbox, palemoon
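
A sudoers rule locked down the way the replies above describe, as an added example that is not part of the original thread. The local account name `vpnuser` and the drop-in file name are assumptions, and the main `/etc/sudoers` is assumed to include `/etc/sudoers.d`.

```sudoers
# /etc/sudoers.d/net-ppp0   (assumed file name; edit with: visudo -f /etc/sudoers.d/net-ppp0)
# "vpnuser" is a hypothetical local account, not a name from the thread.

# Wide open, shown commented out for contrast only: any command as any user.
# vpnuser ALL = (ALL) ALL

# Locked down: exactly these two command lines, and only as root.
# Because arguments are listed, sudo accepts the command only when the
# arguments match exactly, so "restart", "zap" or extra options are refused.
Cmnd_Alias PPP0_CTL = /etc/init.d/net.ppp0 start, \
                      /etc/init.d/net.ppp0 stop

vpnuser ALL = (root) PPP0_CTL
```

Check the syntax with `visudo -cf /etc/sudoers.d/net-ppp0` before relying on it. The rule is only as tight as the files it runs: `/etc/init.d/net.lo` and `/etc/conf.d/net.ppp0` are read and executed as root, so they must be writable by root only.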