chmod +s maybe?


LordMorlock
02-26-2001, 11:35 AM
Hey there.

I have a series of scripts and programs that I use to connect, disconnect and display status of my Internet access account. This was all good except that only root can do it.

I think that the only way to allow a certain group access to execute these files is with "chmod +s". I don't know much about it however, and would like to know what it is for exactly (both user and group)?

If chmod will help me make these files executable by a certain group but still NOT allow them to view the files involved, then help would be much appreciated.


LordMorlock

furrycat
02-28-2001, 05:23 AM
If you set the setuid bit on a file with "chmod u+s file" then the user running the file can "assume" the user id of the file's owner for the duration of the file's execution lifetime.

pppd is owned by root. If you set the suid bit on pppd then other users can run it and will "become root" for as long as the pppd process is executing, thus allowing them to do all the hardware stuff that users normally can't do but which is needed to talk to modems.

There's also the setgroupid bit which, as you might guess, is set with "chmod g+s file". It has a similar effect except that instead of becoming the owner of the file the user running it becomes a member of the file's group.

Numerically, u+s corresponds to a 4 and g+s is 2, so "chmod u=rwxs,g=r,o= file" is the same as saying "chmod 4740 file".

Yes, there's another one with octal representation 1. It's the sticky bit, which I always forget about. Sorry you'll have to research it yourself. It's something to do with memory and, I dunno :-(
Anyway to set it you do "chmod +t file"

You can also apply these extra bits to directories.

"chmod u+s dir" does ??? I don't know what that does. It may even do nothing...
"chmod g+s dir" has the effect of forcing newly created files in that directory to take the same group as the directory. So if you're in the users group and also the admin group and you create a directory called important and then do "chgrp admin important; chmod g+s important" then all files you create in there will be owned by you.
This would be useful, for example, if you wanted to be able to let other members of the group edit your files but you kept forgetting to chgrp them each time you create them...

Finally there's the sticky bit for directories "chmod +t dir". This gives the directory the property that only a file's owner may delete a file from a directory. You'll see that /tmp has permissions 1777 which means anyone can write into it but (because of the 1) you can only REMOVE your own stuff. Normally having write access to a directory is sufficient to remove files regardless of whether you own them.

So to answer your question about how to let users run pppd, you'd make a group (maybe called ppp) and put your users in that group. Then "chown root.ppp /usr/sbin/pppd; chmod 4710 /usr/sbin/pppd"

You need to chown before you chmod because the extended permissions are lost when you chown a file.

Now anyone in the ppp group can run pppd and they will become root for the time that they run it but they won't be able to read the config files unless they found a way to get pppd to dump them to a shell, and that's called h4x0ring :-). Furthermore because you set the other permissions to 0 no-one else will be able to run pppd at all.
Note that I set the group permissions to 1 so they can execute but not read the file. This prevents them from copying it, which may be desirable.

Once you've done this the usual next step is to put your webserver in the ppp group and knock up a php or perl web page that lets you "click here to connect"...
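
The mode bits discussed in the post above can be checked on scratch files before touching a real binary. This is an added example, not part of the original post; the helper names has_perm, suid_locked_down and demo and the scratch paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names and scratch paths are hypothetical.

# has_perm FILE MODE: true when find's -perm test matches FILE.
# MODE "4740" means exactly those bits; "-0010" means at least those bits.
has_perm() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# suid_locked_down FILE: true only for the layout suggested above for pppd
# (mode 4710): setuid set, group execute-only, nothing for others.
suid_locked_down() {
    [ -u "$1" ] || { echo "$1: setuid bit is not set"; return 1; }
    has_perm "$1" -0010 || { echo "$1: group cannot execute"; return 1; }
    for bit in 0040 0020 0004 0002 0001; do
        if has_perm "$1" "-$bit"; then
            echo "$1: unexpected permission bit $bit"
            return 1
        fi
    done
    return 0
}

# demo: repeat the thread's chmod commands on scratch files (constructed
# sample data) and report what each one leaves behind.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/tool"
    chmod u=rwxs,g=r,o= "$d/tool"
    has_perm "$d/tool" 4740 && echo "u=rwxs,g=r,o= gives 4740"
    suid_locked_down "$d/tool" || echo "  -> 4740 rejected by the check"
    chmod 4710 "$d/tool"
    suid_locked_down "$d/tool" && echo "4710 passes the check"
    mkdir "$d/shared" "$d/drop"
    chmod 2775 "$d/shared"; [ -g "$d/shared" ] && echo "setgid directory"
    chmod 1777 "$d/drop";   [ -k "$d/drop" ]   && echo "sticky directory"
    rm -rf "$d"
}

demo
```

Pointing suid_locked_down at the real setuid binary after the chown and chmod confirms the bits survived in that order.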

LordMorlock
03-01-2001, 07:47 PM
WOW!

Thank you furrycat. Your assistance was most appreciated. That is about the 6th time you have helped me out.

LordMorlock