Linux Step By Steps
 
Restricting PPP Users
Step by Step for restricting certain users from any file on the system.

The problem:

I have 6 users (accounts) on my linux system and I wanted 5 of the 6 users to be able to dial out using kppp, and the other one to be restricted from doing so.

This step by step can be extrapolated to any file on the linux system, but I will use kppp as the file to restrict usage for.

Essentially, two things must be done to accomplish this feat:

1) create a new Group with the users that I want to be able to use kppp

2) change the kppp file to use that group of users and reject all others


The following is for complete neophytes:

First some explanation is in order:

All linux files have permissions: the order is by USER / GROUP / OTHER.
USER permissions tell what the owner of the file can do
GROUP permissions tell what the group can do with this file
OTHER permissions tell what everyone else can do with this file

So when you do a ls -l on kppp then you get the following:

-rwSr-xr-x   1 root     root    371796 Aug 10 23:24 /opt/kde/bin/kppp

-rwSr-xr-x are the permissions part of the file listing

The first position is a - if it is a regular file, or d if it is a directory; there are other values as well, but they are not relevant to our discussion here.

the next 3 positions are rwx for readable, writeable, executable for USER
the next 3 positions are rwx for readable, writeable, executable for GROUP
the next 3 positions are rwx for readable, writeable, executable for OTHER

The S in the x position of the USER permission field means this file has the setuid bit set (an uppercase S shows the setuid bit without the owner's own execute bit; a lowercase s shows both). This means that anyone who can execute this file executes it as if they were root (the account that can do anything in the system). This is needed because kppp uses another file that only root can access, and the setuid bit gets around that.

Note also that root is the owner and root is the group.

The way the permissions are set above, this means that root and all others can Read (r) and Execute (x) this file since user, group, and other all have the r and x attributes set.

We want to change that.


Down to Nuts and Bolts:

First we create a Group of trusted users by editing the /etc/group file like the following:

trusted::300:user1,user2,user4,user5,user6

This tells the system that I have a group whose name is trusted, that it has a group id number of 300, and that user1, user2, user4, user5 and user6 are in that group. Note that the group id number MUST BE UNIQUE in the /etc/group file. Also note that user3 is absent from the list -- that user will be restricted.

Now change the kppp file permissions so that no one in the Other category can access the file, and change the group to trusted.

Run the next two commands to do this (as root, of course):

chmod o-rx /opt/kde/bin/kppp
chgrp trusted /opt/kde/bin/kppp

chmod changes the permissions on the file (in this case take away rx from OTHER)
chgrp changes the group (in this case to trusted)

Now you have:

-rwSr-x---   1 root     trusted    371796 Aug 10 23:24 /opt/kde/bin/kppp

Looking at it again, we have rwS for the owner (root), r and x for the group (the new group we added, called trusted), and no permissions at all for other.

This now means that only root and the users delineated in the group trusted will be able to read and execute the file. All others have no permission whatsoever.

Now when user3 tries kppp he gets a permission error, which effectively stops him from using kppp to dial out. However all the other users can use kppp.
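As an added example (not part of the original guide), here is a small POSIX shell script that performs the two steps above and then audits the result; it assumes GNU coreutils (stat -c, chgrp, chmod) on Linux and takes the file and group as parameters. One caveat it handles: on Linux, changing the group of a regular file clears its setuid bit, so the script runs chgrp first and re-applies the saved mode before stripping OTHER's bits.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes GNU coreutils
# (stat -c, chgrp, chmod) on Linux; FILE and GROUP are parameters.

# audit_restricted FILE GROUP
# Returns 0 when FILE is group-owned by GROUP, OTHER has no bits, and the
# setuid bit is still present; otherwise prints what is wrong and returns 1.
audit_restricted() {
    file=$1 group=$2 rc=0
    mode=$(stat -c '%a' "$file") || return 2      # octal mode, e.g. 4750
    grp=$(stat -c '%G' "$file")                   # group name
    case $mode in
        *0) ;;                                    # last digit is the OTHER field
        *)  echo "$file: OTHER still has bits (mode $mode)"; rc=1 ;;
    esac
    [ "$grp" = "$group" ] ||
        { echo "$file: group is $grp, expected $group"; rc=1; }
    case $mode in
        [4-7]???) ;;                              # high digit 4/5/6/7 = setuid set
        *)  echo "$file: setuid bit is gone (mode $mode)"; rc=1 ;;
    esac
    return $rc
}

# restrict_to_group FILE GROUP
# The guide's two steps, but chgrp first: on Linux, changing the group of a
# regular file clears the setuid bit, so the saved mode is re-applied after
# chgrp and only then are OTHER's bits removed (symbolic chmod keeps setuid).
restrict_to_group() {
    file=$1 group=$2
    mode=$(stat -c '%a' "$file") || return 1
    chgrp "$group" "$file" || return 1
    chmod "$mode" "$file" && chmod o-rwx "$file"
}
```

Run it as root against the real file, e.g. restrict_to_group /opt/kde/bin/kppp trusted, then audit_restricted /opt/kde/bin/kppp trusted to confirm the listing matches the one shown above.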