[TAG] lpr works for user not root in Basiclinux 2.1
Ben Okopnik
ben at linuxgazette.net
Sun Feb 25 04:49:42 MSK 2007
On Tue, Feb 20, 2007 at 10:06:26PM -0500, Sindi Keesan wrote:
> On Mon, 29 Jan 2007, Rick Moen wrote:
> >> Besides running Opera (and maybe dialing and/or loading Xvesa and
> >> rxvt) as user should I take any other precautions on their computers?
> >
> > I don't know how many times I'm willing to say "Your design is
> > fundamentally bad, if only because it uses root logins by default."
> > This is probably the last time, as obviously I'm wasting my time.
> > I stated, for that reason, that I was uninterested in helping users
> > unwilling to do that basic step correctly -- and I meant what I said.
>
>
> We had a long discussion about why it is bad to go online as root, which
> is how Basiclinux is set up to operate.
>
> My current compromise is to:
>
> 1. Dial as root (because dialing as user would give the user access to
> the login name and password, which would then let anyone with access to
> the user account know these, and besides if I try to dial as user pppd
> complains about not having /etc/ppp/options, which root does not need).
Just to correct a misconception on your part: the information in
/etc/ppp/*-secrets does not have to be readable by the user; this is why
'/usr/sbin/pppd' is set SUID 0. In fact, that's the default
configuration on every Linux system I've seen, including the one I've
just set up on my new laptop:
ben at Tyr:~$ ls -l /usr/sbin/pppd /etc/ppp/*secrets
-rw------- 1 root root 80 2006-05-30 20:58 /etc/ppp/chap-secrets
-rw------- 1 root root 1628 2006-05-30 20:58 /etc/ppp/pap-secrets
-rwsr-xr-- 1 root dip 306720 2006-07-05 06:22 /usr/sbin/pppd
The above means that any user who is part of group 'dip' can execute
'pppd' - and since 'pppd' runs as root, it can read the files that
contain the name and the password.
In other words, it appears as though you're taking a mechanism that
works just fine and changing it so that it will do the same thing as
it's doing now. I suggest that understanding the current mechanism would
serve you better than trying to construct something new from the ground
up - especially since it's not new.
> 3. Put into /home/user/profile the line startx (rather than editing
> inittab to make vt1 run X, which does not work any more anyway once you
> add a user account).
This means, of course, that you'll be trying to start X every time you
log in. Perhaps making it conditional would work better.
> Permission denied (publickey, password, keyboard-interactive).
>
> If I login user:
>
> ssh_askpass: exec (/opt/diet/libexec/ssh_askpass): No such file or
> directory.
> Write failed: broken pipe
>
> (I don't even have an /opt).
In that case, either recompiling 'ssh' to look for 'ssh_askpass' in a
different place, or creating the above path and a link to the
actual location of 'ssh_askpass' should help.
--
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
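The layout Ben's listing shows (pppd setuid root, executable only by members of group dip, the secrets files mode 0600 and owned by root) is easy to drift away from, so here is an added example that audits it. This script is not part of the original message or of any project; the function names are the example's own, and the owner, group, helper path and secrets paths are passed in as arguments rather than assumed. It reads permissions from `ls -ld` output so it works on both GNU and BSD userlands.

```shell
#!/bin/sh
# Added example (not from the original post): check that a setuid helper such
# as pppd is runnable only by one group and that its secrets are readable by
# the owner alone. Nothing about the live system is assumed; every path and
# name comes from the caller.

# file_perm FILE: print "MODE OWNER GROUP" taken from `ls -ld`, which is
# portable (stat(1) flags differ between GNU and BSD).
file_perm() {
    out=$(ls -ld "$1" 2>/dev/null) || return 1
    set -- $out
    printf '%s %s %s\n' "$1" "$3" "$4"
}

# audit_ppp_perms OWNER GROUP HELPER SECRET...: return 0 when the layout is
# right, 1 otherwise; each problem found is printed on its own line.
audit_ppp_perms() {
    want_owner=$1 want_group=$2 helper=$3
    shift 3
    rc=0
    perm=$(file_perm "$helper") || { echo "$helper: missing"; return 1; }
    mode=${perm%% *}; rest=${perm#* }; owner=${rest%% *}; grp=${rest#* }
    # Character 4 of the mode string is the owner-execute slot; 's' there
    # means setuid plus execute, so the helper runs with the owner's uid.
    case $mode in ???s*) ;; *) echo "$helper: not setuid ($mode)"; rc=1 ;; esac
    [ "$owner" = "$want_owner" ] || { echo "$helper: owner $owner, want $want_owner"; rc=1; }
    [ "$grp" = "$want_group" ] || { echo "$helper: group $grp, want $want_group"; rc=1; }
    # The group must be able to execute it, and "other" must have no access,
    # otherwise the group membership stops meaning anything.
    case $mode in ??????[xs]*) ;; *) echo "$helper: group cannot execute ($mode)"; rc=1 ;; esac
    case $mode in ???????---*) ;; *) echo "$helper: world-accessible ($mode)"; rc=1 ;; esac
    # Secrets stay readable by the owner only; the setuid helper reads them
    # on the user's behalf, so nobody else needs access.
    for s in "$@"; do
        perm=$(file_perm "$s") || { echo "$s: missing"; rc=1; continue; }
        mode=${perm%% *}; rest=${perm#* }; owner=${rest%% *}
        case $mode in -rw-------*) ;; *) echo "$s: mode $mode, want -rw-------"; rc=1 ;; esac
        [ "$owner" = "$want_owner" ] || { echo "$s: owner $owner, want $want_owner"; rc=1; }
    done
    return $rc
}

# Stand-alone use against a live box, with the values from Ben's listing:
#   sh audit.sh root dip /usr/sbin/pppd /etc/ppp/pap-secrets /etc/ppp/chap-secrets
if [ $# -ge 3 ]; then
    audit_ppp_perms "$@"
fi
```

A zero exit means a user in the named group can run the helper while the secrets remain unreadable to that user directly; any other result prints what differs, which is what to fix before deciding that dialing has to happen as root.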