The K Desktop Environment


8. kppp and Security Issues

This section is mainly for superusers (root), people with high security demands, or simply technically interested people. It is not necessary to read this if you only use Linux at home for yourself (though you might learn something new when you read it).

8.1 Restricting access to kppp

A system administrator might want to restrict who is allowed to use kppp. There are two ways to accomplish this:

With group permissions

Create a new group (you might want to name it "dialout" or similar), put every user that should be allowed to use kppp into that group and type:

chown root:dialout /usr/local/kde/bin/kppp
chmod 4750 /usr/local/kde/bin/kppp

This assumes that KDE was installed in /usr/local/kde and your new group is named "dialout". Mode 4750 keeps the SUID bit set and lets only root and members of that group execute kppp.

kppp's way

Before doing anything, kppp checks if there is a file named /etc/kppp.allow. If such a file exists, ONLY users named in this file are allowed to dial out. This file must be readable by every user (of course NOT writable). Only login names are recognised, thus you cannot use UIDs in this file. Here's a short example:

# /etc/kppp.allow
# comment lines like this are ignored, 
# as well as empty lines
fred
karl

# I put myself in here :-)
mweilguni

In the example above only the users fred, karl and mweilguni can use kppp to dial out, as well as every user with a UID of 0. So you don't need to put root in this file.
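
The allow-file rules described above, written out as a C function. This is an added example, not kppp's source code: `may_dial_out` is a hypothetical name, and denying access when the file is group- or world-writable or cannot be read is this example's assumption, based on the handbook's requirement that the file be readable but NOT writable.

```c
#define _POSIX_C_SOURCE 200809L   /* fileno(), fstat() */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not kppp source. Returns 1 if `login` (numeric id `uid`)
 * may dial out under the allow file at `path`, else 0. */
int may_dial_out(const char *path, const char *login, uid_t uid)
{
    char line[256];
    struct stat st;
    int allowed = 0, at_line_start = 1;
    FILE *f;

    if (uid == 0) return 1;             /* UID 0 needs no entry */
    f = fopen(path, "r");
    if (f == NULL) return errno == ENOENT;  /* no file: unrestricted; else deny */
    /* fstat() the open handle so the file cannot be swapped after the check.
     * Denying on a group/world-writable file is this example's assumption. */
    if (fstat(fileno(f), &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        fclose(f);
        return 0;
    }
    while (!allowed && fgets(line, sizeof line, f) != NULL) {
        size_t n = strlen(line);
        int complete = n > 0 && line[n - 1] == '\n';
        int usable = at_line_start && (complete || feof(f));
        char *p = line + strspn(line, " \t");

        at_line_start = complete;
        if (!usable) continue;          /* fragment of an overlong line */
        p[strcspn(p, " \t\r\n")] = '\0';
        if (*p == '\0' || *p == '#') continue;  /* empty line or comment */
        allowed = strcmp(p, login) == 0;        /* login names only, exact match */
    }
    fclose(f);
    return allowed;
}

int main(int argc, char **argv)
{
    const char *login = argc > 1 ? argv[1] : "fred";
    int ok = may_dial_out("/etc/kppp.allow", login, getuid());
    printf("%s: %s\n", login, ok ? "allowed" : "denied");
    return !ok;
}
```

Fragments of lines longer than the buffer are skipped, so the tail of an overlong comment is never matched as a login name.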

8.2 kppp has the SUID bit on. What about security?

It's virtually impossible to write a dialer without the SUID bit that is both safe and easy to use for inexperienced users. kppp addresses the security issues with the following strategy:

Many thanks to Harri Porten for writing this excellent piece of code. I thought it was impossible - he made it within a week.
