non-admin using tcpdump and nmap

dnoy · 12-05-2008, 05:31 PM

i am using ubuntu and want my non-admin (non root) users to be able to use tcpdump and nmap.

Can you please help me do this

fordeck · 12-06-2008, 11:21 AM

Here is one way to do it. Edit the /etc/sudoers file, but first be warned that it is recommended that you edit this file with a utility called visudo which performs extra validation on the sudoers file to make sure there are no syntax problems. The potential is there to lock a user out of the system otherwise. You could add a line similar to the following:

Code:

 <username> ALL=(root) <path_to_command_here>

Where <username> is the name of your user and <path_to_command_here> is either the path to a single command or a comma separated list of commands. Give that a try and let me know if this was helpful.

Regards,

Fordeck

unSpawn · 12-06-2008, 11:29 AM

You might want to think twice about granting usage in the case of tcpdump like say sniffing usernames and passwords and in the case of nmap users say scanning a whole /8 in "insane" mode. There's ways to mitigate this but it would be good to understand the implications I think.

dnoy · 12-06-2008, 03:51 PM

i dont want to make theme part of the sudoers file because that gives them root access. i just want to give non root users the ability to use tcpdump and nmap without having root access.

unSpawn · 12-06-2008, 04:23 PM

Quote:

Originally Posted by dnoy

i dont want to make theme part of the sudoers file because that gives them root access.

Please read up on sudo or elaborate.

dnoy · 12-06-2008, 06:14 PM

i dont want a user to use nmap by issuing 'sudo nmap ...' or being able to use sudo su -. i want an ordinary user to be able to run nmap.

please let me know if you need be to elaborate more?

Thank you

unSpawn · 12-06-2008, 06:55 PM

Could supply them with global aliases. However that's still minor compared to the security implications, which you'd rather read over I think.

dnoy · 12-06-2008, 09:43 PM

why cant i just give execute rights to those programs for that user/group? Is it because they use some networking services.

unSpawn · 12-10-2008, 05:38 AM

Quote:

Originally Posted by dnoy

why cant i just give execute rights to those programs for that user/group?

The point is that those tools require root access rights (capabilities to be more exact) for some reason. Giving unprivileged users more or less unrestricted and unaudited access to those tools may seem a convenient thing to do but it weakens security. And apparently in a way I'm not able to make you fully understand. Of course you may not care.

farslayer · 12-10-2008, 07:23 AM

Quote:

Originally Posted by dnoy

i dont want a user to use nmap by issuing 'sudo nmap ...' or being able to use sudo su -. i want an ordinary user to be able to run nmap.

please let me know if you need be to elaborate more?

Thank you

Configuring sudo to grant access to those two applications will NOT grant the user rights to 'sudo su -' unless you really bork the configuration in the sudoers file.

dnoy · 12-21-2008, 10:39 AM

Thank you everyone for all your help.