Need to create a restricted user(Centos)
I am a newbie to Linux and I want to create a user which can only execute network config commands like ifconfig and ping(to check the config). The following is what I did but failed.
1) Created a group called 'netconfig'.
2) added a user named 'user'.
3) added user to the 'netconfig' group.
4) Changed the permissions on /bin and /sbin directories so that only groups 'root' and 'netconfig' can Read & execute.
1) I can execute ping and ifconfig commands when I log on as 'root' and can configure the network(as Default ofcourse).
2) The problem arises when I execute this command and get the following response.
/bin/ping x.x.x.x [enter]
ping: icmp open socket: Operation not permitted
eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:x.x.x.x Bcast:x.x.x.255 Mask:255.255.255.0
inet6 addr: aaaa::aaaa:aaaa:aaaa:9999/00 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1320 errors:0 dropped:0 overruns:0 frame:0
TX packets:991 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:138423 (135.1 KiB) TX bytes:178569 (174.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2343 errors:0 dropped:0 overruns:0 frame:0
TX packets:2343 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:2709476 (2.5 MiB) TX bytes:2709476 (2.5 MiB)
[this seems to work fine till I dont execute the following line]
/sbin/ifconfig eth0 down [enter]
SIOCSIFFLAGS: Permission denied
I have 2 questions
a} Am I at a right path for my goal, i.e. Am I doing right steps for creating a user which has only access to 'ifconfig' and 'ping' command?
b} Is there a better way for creating a restricted user with access to only 2 commands?
Please help with this. Any examples and experiences are welcome.
Thanks in advance,
these programs need to be run as root. Change the sticky bit using
What the user intends to do with these programs will effect how to achieve this. If the user is only going to view the settings that this can be done easily. Ping I believe should already be in /bin/, ensure you don't overwrite anything already in /bin/ else that may cause a few problems. To enable users to just run ifconfig to just view network scripts, I did the following on my own CentOS server (as root or sudoing the ln line).
This will create a symbolic link to the ifconfig in /sbin/ meaning that should you preform a yum update, when ifconfig is updated in /sbin/ then as all that is held in /bin/ is a symlink you do not have two different versions of ifconfig sat on your machine. If the user intends to perform any changes then I would suggest assigning the user a sudo entry for ifconfig in the sudoers file and ensuring the sudo privilage only refers to ifconfig. I personally would not do this as this would allow them to change the ips of interfaces what could cause issues.
only 2 commands should execute
and i can add him to the "root" group.
part of the solution
I found a solution not exactly up to the point but will like to share.
This is what I did(logged in as a root)
1) Added a group : groupadd netadmins
2) Added a user : useradd admin1
3) Gave a password for admin1 : passwd admin1
4) Added admin1 as a member of group netadmins : usermod -g netadmins admin1
5) Edited /etc/sudoers : vi /etc/sudoers
added two lines
#added this just after the "Cmnd_Alias NETWORKING decleration"
Cmnd_Alias TIGHTNETWORKING = /sbin/ifconfig, /bin/ping
#added this just after the "root ALL=(ALL) ALL"
%netadmins ALL = (ALL) NOPASSWD:TIGHTNETWORKING
saved the file with "wq!" as sudoers is a readonly file!
logged off from root, logged in as admin1.
executed the ifconfig and ping using sudo
[admin1@177 ~] sudo /sbin/ifconfig eth0 up
It worked out fine.
[admin1@177 ~] sudo /bin/ping x.x.x.x
This worked on fine and I later realized that ping works without sudo too.
This solved a major part of my problem i.e. now a non admin user can execute 'ifconfig' if the user
is a part of 'netadmins'.
Now does anyone has an idea how to disable all the other commands including "ll ls pwd ....etc etc"
Thankz in advance.
As the sudo'ed user, he'll only be able to run the cmds you allowed.
If(!) you don't want him to have a std acct ie normal login as himself, then sudo, ie only the the sudo stuff, then you need to make the sudo cmd his 'login shell' in the /etc/passwd file.
sudo ifconfig eth0 192.168.0.42
would be lost on reboot, so if your intending to allow the user to change the IP on a perm basis then this method is less then ideal, just to forewarn you of this.
I am a new linux user, Study with all.
|All times are GMT -5. The time now is 10:37 PM.|