08-12-2014, 08:01 PM
#1
Member
Registered: Jan 2013
Distribution: Debian
Posts: 166
give user advanced networking privileges
Is there a way to give a regular user the ability to use the following functionality, without having to use the sudo command?
ifconfig (add/del/etc.)
brctl
ip tuntap
I thought I read somewhere that there was some security setting that could be set for the user. I have a 3.2.0 kernel (Debian wheezy).

08-14-2014, 08:28 AM
#2
Member
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262
I don't know if this is the best way, but you could set up an alias to do this. I.E. create an alias for ifconfig that will actually do sudo ifconfig in the background. And then in your sudoers file set it so that the password is not required for those commands for that user.

08-14-2014, 10:51 AM
#3
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,188
Quote:
Originally Posted by stateless
Is there a way to give a regular user the ability to use the following functionality, without having to use the sudo command?
ifconfig (add/del/etc.)
brctl
ip tuntap
I thought I read somewhere that there was some security setting that could be set for the user. I have a 3.2.0 kernel (Debian wheezy).
|
I disagree with what YankeePride13 said, although it WOULD work. It's a good idea in principle, but what that does leave you with is a potential security hole. If that alias is compromised, someone COULD run other commands as root. Speaking as someone who was bitten by this before, I would advise against it.
That said, it's VERY easy to set sudo up to only let some user(s) run ONLY some commands..this sort of thing is exactly what sudo was meant for. For ease of use, just set up a user group in sudoers, then list the commands, as such:
Code:
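# User alias specification. Add more user IDs to this group if needed.
User_Alias NETWORKERS = user1, user2, ...
# Command alias specification. sudoers requires absolute paths; these are the
# usual Debian locations (assumed here), confirm with "command -v ifconfig brctl ip".
# The trailing * lets arguments follow "ip tuntap"; without it only the bare command matches.
Cmnd_Alias NETWORKCMD = /sbin/ifconfig, /sbin/brctl, /sbin/ip tuntap *
# User group privilege specification: NETWORKERS may run NETWORKCMD with no password.
# Anything not listed is denied by default.
NETWORKERS ALL = NOPASSWD: NETWORKCMD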
That will let any user who you put in the NETWORKERS group only run the commands specified in the NETWORKCMD list as SUDO/root, with no password, and deny them anything else, and not prompt them for a password. That way, they won't have to pop a password in to do something they're allowed to do (which is irritating), and YOU will have a log of who ran what command(s), when. It uses the standard sudo framework, which makes it easy to maintain and audit, too.

08-14-2014, 10:56 AM
#4
Member
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262
Quote:
Originally Posted by TB0ne
I disagree with what YankeePride13 said, although it WOULD work. It's a good idea in principle, but what that does leave you with is a potential security hole. If that alias is compromised, someone COULD run other commands as root. Speaking as someone who was bitten by this before, I would advise against it.
That said, it's VERY easy to set sudo up to only let some user(s) run ONLY some commands..this sort of thing is exactly what sudo was meant for. For ease of use, just set up a user group in sudoers, then list the commands, as such:
Code:
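# User alias specification. Add more user IDs to this group if needed.
User_Alias NETWORKERS = user1, user2, ...
# Command alias specification. sudoers requires absolute paths; these are the
# usual Debian locations (assumed here), confirm with "command -v ifconfig brctl ip".
# The trailing * lets arguments follow "ip tuntap"; without it only the bare command matches.
Cmnd_Alias NETWORKCMD = /sbin/ifconfig, /sbin/brctl, /sbin/ip tuntap *
# User group privilege specification: NETWORKERS may run NETWORKCMD with no password.
# Anything not listed is denied by default.
NETWORKERS ALL = NOPASSWD: NETWORKCMD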
That will let any user who you put in the NETWORKERS group only run the commands specified in the NETWORKCMD list as SUDO/root, with no password, and deny them anything else, and not prompt them for a password. That way, they won't have to pop a password in to do something they're allowed to do (which is irritating), and YOU will have a log of who ran what command(s), when. It uses the standard sudo framework, which makes it easy to maintain and audit, too.
|
TB0ne,
I don't see what the difference is between what you said and what I said. The only difference being the alias which could be set at the user level. If another user were to gain access to the alias, they'd still need the sudo access which they wouldn't have. Please explain (not being sarcastic, I want to learn).

08-14-2014, 11:28 AM
#5
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,188
Quote:
Originally Posted by YankeePride13
TB0ne,
I don't see what the difference is between what you said and what I said. The only difference being the alias which could be set at the user level. If another user were to gain access to the alias, they'd still need the sudo access which they wouldn't have. Please explain (not being sarcastic, I want to learn).
|
I'm not aliasing anything from the command-side of things, and using the standard SUDO model to do it, while limiting the user(s) to one certain set of commands.
When you say "alias", you're either talking about a command-alias in bash/shell, right? Which is set in the user's profile...which they can modify. So while they start out with the alias equaling "ifconfig", they can change it to be "passwd root", or something similar. Nothing is stopping them from modifying their own profile. And since they're already IN sudoers, those commands go right through. Also, if you want to add more users, you'd have to make these changes to THEIR profiles too, just adding to things you have to maintain/do/remember on your system. By using sudo for what it was intended for, you centralize all of it..and ONLY admins can change commands, and adding/deleting users from the alias group in sudoers is a bit easier.
I always think it's dangerous to do such things...not saying it's wrong, just not something I'd ever do. I'm not being critical of your solution, and it definitely WILL work.
Last edited by TB0ne; 08-14-2014 at 11:30 AM.

08-14-2014, 12:11 PM
#6
Member
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262
Quote:
Originally Posted by TB0ne
When you say "alias", you're either talking about a command-alias in bash/shell, right? Which is set in the user's profile...which they can modify.
|
yep
Quote:
So while they start out with the alias equaling "ifconfig", they can change it to be "passwd root", or something similar. Nothing is stopping them from modifying their own profile.
|
But if the entry in the sudoers file is command specific, they wouldn't have the rights to passwd. The only command they could use using sudo would be ifconfig (or whatever is specified by the OP)
The only reason I was saying to alias it was because the OP said they didn't want their users to have to type sudo when using ifconfig. Otherwise, I think we are talking about the same thing.
Quote:
I always think it's dangerous to do such things...not saying it's wrong, just not something I'd ever do. I'm not being critical of your solution, and it definitely WILL work.
|
Never said you were being critical. I am here to learn, so I appreciate conversations like this. Sorry if I come off as defensive, that isn't my intent.

08-14-2014, 12:49 PM
#7
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,188
Quote:
Originally Posted by YankeePride13
But if the entry in the sudoers file is command specific, they wouldn't have the rights to passwd. The only command they could use using sudo would be ifconfig (or whatever is specified by the OP)
The only reason I was saying to alias it was because the OP said they didn't want their users to have to type sudo when using ifconfig. Otherwise, I think we are talking about the same thing.
|
Gotcha, and I see where you're coming from..sort of a combination of both methods.
Quote:
Never said you were being critical. I am here to learn, so I appreciate conversations like this. Sorry if I come off as defensive, that isn't my intent.
|
No, not a bit...and I didn't want YOU to think I was being defensive either.

08-14-2014, 01:07 PM
#8
Member
Registered: Jan 2013
Distribution: Debian
Posts: 166
Original Poster
I think what I was looking for was CAP_NET_ADMIN kernel capability.
http://linux.die.net/man/7/capabilities
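
The CAP_NET_ADMIN approach named in the last post, as an added example that is not part of the original thread: a file capability applies to anyone who can execute the binary, so this puts it on a private copy of `ip` that only one group may run, and adds a check for which processes hold the capability. The group name `netadmin`, the path `/usr/local/sbin/ip-netadmin` and the function names are assumptions; `setcap` and `getcap` come from the libcap tools.

```shell
#!/bin/sh
# Added example. Assumed names: group "netadmin", /usr/local/sbin/ip-netadmin.
CAP_NET_ADMIN_BIT=12    # CAP_NET_ADMIN in <linux/capability.h>

# Run as root. A file capability is granted to whoever can execute the file,
# so it goes on a private copy of ip that only group netadmin may run.
setup_netadmin_ip() {
    src=$(command -v ip) || return 1
    dst=/usr/local/sbin/ip-netadmin
    groupadd -f netadmin &&
    install -o root -g netadmin -m 0750 "$src" "$dst" &&
    setcap cap_net_admin+ep "$dst" &&
    getcap "$dst"       # shows the capability now attached to the copy
}

# Return 0 if hex capability mask $1 (CapEff/CapPrm format in
# /proc/PID/status) has bit $2 set, 1 if not, 2 on malformed input.
cap_mask_has() {
    case $1 in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Audit: print /proc/PID for every process whose effective set holds
# CAP_NET_ADMIN (root-owned daemons will show up here as well).
list_net_admin_procs() {
    for st in /proc/[0-9]*/status; do
        eff=$(sed -n 's/^CapEff:[[:space:]]*//p' "$st" 2>/dev/null) || continue
        if cap_mask_has "$eff" "$CAP_NET_ADMIN_BIT"; then
            echo "${st%/status}"
        fi
    done
}
```

Members of `netadmin` can then run `ip-netadmin tuntap ...` without sudo. The copy does not track package updates of `ip`, so it has to be reinstalled and given the capability again after upgrades.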

All times are GMT -5.