# Secure way to allow a non-root user to start a service

## Magister Cistiorum

There is a PPP network interface configured as a service by creating a symlink `/etc/init.d/net.ppp0` linked to `/etc/init.d/net.lo` and adding a `/etc/conf.d/net.ppp0` config file:

```
# cd /etc/init.d
# ln -s net.lo net.ppp0
# cat > /etc/conf.d/net.ppp0 <<DELIM
> link_ppp0='pty "pptp vpn.server.org --nolaunchpppd"'
> username_ppp0='myusername'
> pppd_ppp0='defaultroute lcp-echo-interval 15 lcp-echo-failure 4 updetach'
> metric_ppp0="2"
> mtu_ppp0="1400"
> rc_net_ppp0_need="net.enp2s0"
> DELIM
```

When I try to start the service as a non-root user, without root privileges, I get the following message:

```
$ /etc/init.d/net.ppp0 start
net.ppp0      | * net.ppp0: superuser access required
```

The connection is still not established after that.

I'm wondering what the most secure way is to allow a non-root user to start/stop this server with root privileges. Since `setuid` on scripts (`/etc/init.d/net.lo` is a script) is ignored, the only idea I have is to use `sudo`. Are there other ways, perhaps more secure than using `sudo`, to solve this problem?

----------

## mv

Why do you think that sudo is not secure?

----------

## The Doctor

If you set up sudo correctly you can easily set it so the only thing it allows is to start that particular script.

I'm also kind of curious what kind of vulnerabilities you think sudo has.

----------

## Anon-E-moose

As the others have said, sudo can be locked down to only a single app, or it can be a few apps, or wide open.

Sudo is not insecure unless the person granting permissions allows it to be wide open.

----------
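The lock-down that The Doctor and Anon-E-moose describe, written out as a sudoers drop-in. This is an added example, not part of the thread; the file name `/etc/sudoers.d/net-ppp0` and the account name `vpnuser` are placeholders.

```sudoers
# /etc/sudoers.d/net-ppp0   (placeholder file name)
# Edit with: visudo -f /etc/sudoers.d/net-ppp0
# "vpnuser" is a placeholder for the non-root account.

# Wide open, the form to avoid: the wildcard would let the user run
# every init script as root, with any arguments.
#   vpnuser ALL = (root) /etc/init.d/*

# Locked down: full path plus the exact argument.
# sudo compares the arguments as written, so any other argument
# to the script is refused.
Cmnd_Alias PPP0_CTL = /etc/init.d/net.ppp0 start, \
                      /etc/init.d/net.ppp0 stop

# Make sure the caller's environment is not passed to the root-run
# script, even if env_reset was turned off elsewhere.
Defaults!PPP0_CTL env_reset

# Root only, these two command lines only.
vpnuser ALL = (root) PPP0_CTL
```

Check the syntax with `visudo -c` and the effective grant with `sudo -l -U vpnuser`. The rule is only as tight as the files behind it: `/etc/init.d/net.ppp0`, its target `/etc/init.d/net.lo` and `/etc/conf.d/net.ppp0` must be owned by root and not writable by the user, because the script and the `pty` command in its config run as root.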

