LJ Archive

PPP Security and Those Pesky Run-Only Scripts

Question: who should be allowed to initiate PPP connections?

The answer, if you examine the permissions of the PPP utilities, is confusing at best. Four components are involved in starting up the connection: two scripts (ppp-on and ppp-on-dialer) and two programs (pppd and chat). As they are set up by the PPP utilities installation process (note: the assumptions about permissions change for PPP utilities obtained through other distributions), these four files have the following permissions:

There are two barriers to initiating PPP connections by non-privileged users:

  1. The permissions of the ppp-on-dialer script are restrictive.
  2. Run-only programs work but run-only scripts (such as ppp-on) do not.

The latter limitation is a UNIX security feature: you have permission to execute the script, but do not have permission to read it into an interpreter. If you try to use the utilities “as is”, you must indeed be root to start PPP. Alternately, you could follow Phil Hughes' advice in his May 1997 LJ column and write a special setuid program to start and stop PPP.

I have decided on my system (I am, admittedly, the only user) that non-privileged users can initiate PPP connections. This policy was effected with one change to the utilities—making ppp-on-dialer read/runnable by all—and one hack: rscript.

The rscript utility is a setuid-root program to solve the run-only script problem; it opens the script as a privileged user, then interprets it as the actual user. The invocation:

rscript
of rscript has two restrictive assumptions about the script being executed:

Despite the restrictions, rscript is useful in conjunction with the PPP scripts.

Is rscript a security hole? Barring the user's ability to replace the interpreter executing the script, rscript does not appear to allow the user access to the contents of the script or to perform any privileged operations. (If I'm wrong, I'm sure I'll hear about it.)

LJ Archive