LinuxQuestions.org
Old 03-19-2009, 02:57 AM   #1
mad_penguin
Member
 
Registered: Mar 2008
Posts: 69

Rep: Reputation: 15
allow iftop without shell console


Hi,

I tried to allow a Linux user to use iftop for monitoring the network. The trouble is that iftop doesn't work for users, and using sudo allows the user to access a shell console. Is there an option to restrict the user from using the shell console from iftop?


Thanks !
 
Old 03-19-2009, 09:13 PM   #2
snowman81
Member
 
Registered: Aug 2006
Location: Michigan
Distribution: Ubuntu
Posts: 225

Rep: Reputation: 30
I believe there is a way to allow users to do this by editing the sudoers file. But that is for someone far smarter than I.
 
Old 03-20-2009, 04:55 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,744
Blog Entries: 54

Rep: Reputation: 2973
Iftop "not working for users" is correct behaviour because it can be used to sniff traffic in promiscuous mode. Allowing unprivileged users to make a network device enter promiscuous mode requires root account rights (CAP_MOD capability IIRC) and exposes information those users may or should not have access to. If you do not like to give users console access for monitoring (set up a separate account that can only execute 'sudo iftop' as login shell) then an alternative solution could be to run iftop through Xinetd or a webserver CGI so users can only access displayed results. Unfortunately iftop will not work that way since it expects to run continuously. There are other interface statistics tools that will display network stats, like Ntop. It has a built-in webserver, the trade-off being more dependencies (RRD, GDBM) and configuration compared to KISS-honouring tools like iftop.
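
A sudoers rule for the question asked in this thread, added here as an example and not posted by any participant: it uses the sudoers `NOEXEC` tag so that iftop, while running as root, cannot start a shell or any other program. The account name `netmon`, the path `/usr/sbin/iftop` and the interface `eth0` are assumptions.

```sudoers
# /etc/sudoers.d/iftop   (edit with: visudo -f /etc/sudoers.d/iftop)
# Assumed names: account "netmon", binary /usr/sbin/iftop, interface eth0.

# Weak: any arguments are accepted, and iftop's shell-command feature
# runs whatever the user types as root.
# netmon ALL=(root) /usr/sbin/iftop

# Hardened: only this exact command line matches, and NOEXEC stops
# iftop from executing further programs (including a shell).
Cmnd_Alias IFTOP = /usr/sbin/iftop -i eth0
netmon ALL=(root) NOEXEC: IFTOP
```

`NOEXEC` is implemented with a preloaded library, so it only constrains dynamically linked binaries on systems where sudo supports it; `sudo -l -U netmon` shows the resulting rule.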