Old 08-12-2014, 08:01 PM   #1
stateless
Member
 
Registered: Jan 2013
Distribution: Debian
Posts: 166
Blog Entries: 1

Rep: Reputation: 4
give user advanced networking privileges


Is there a way to give a regular user the ability to use the following functionality, without having to use the sudo command?

ifconfig (add/del/etc.)
brctl
ip tuntap

I thought I read somewhere that there was some security setting that could be set for the user. I have a 3.2.0 kernel (Debian wheezy).
 
Old 08-14-2014, 08:28 AM   #2
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

Rep: Reputation: 55
I don't know if this is the best way, but you could set up an alias to do this. I.E. create an alias for ifconfig that will actually do sudo ifconfig in the background. And then in your sudoers file set it so that the password is not required for those commands for that user.
 
Old 08-14-2014, 10:51 AM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,188

Rep: Reputation: 8066
Quote:
Originally Posted by stateless
Is there a way to give a regular user the ability to use the following functionality, without having to use the sudo command?

ifconfig (add/del/etc.)
brctl
ip tuntap

I thought I read somewhere that there was some security setting that could be set for the user. I have a 3.2.0 kernel (Debian wheezy).
I disagree with what YankeePride13 said, although it WOULD work. It's a good idea in principle, but what that does leave you with is a potential security hole. If that alias is compromised, someone COULD run other commands as root. Speaking as someone who was bitten by this before, I would advise against it.

That said, it's VERY easy to set sudo up to only let some user(s) run ONLY some commands..this sort of thing is exactly what sudo was meant for. For ease of use, just set up a user group in sudoers, then list the commands, as such:
Code:
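# User alias specification. Add more user IDs to this group if needed.
User_Alias NETWORKERS = user1, user2, ...

# Command alias specification. sudoers requires absolute paths; these are
# typical Debian locations (an assumption), so confirm with "command -v".
# The trailing * lets "ip tuntap" take arguments such as "add" or "del".
Cmnd_Alias NETWORKCMD = /sbin/ifconfig, /sbin/brctl, /sbin/ip tuntap *

# User group privilege specification: NETWORKERS may run only NETWORKCMD
NETWORKERS ALL = NOPASSWD: !ALL, NETWORKCMD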
That will let any user who you put in the NETWORKERS group only run the commands specified in the NETWORKCMD list as SUDO/root, with no password, and deny them anything else, and not prompt them for a password. That way, they won't have to pop a password in to do something they're allowed to do (which is irritating), and YOU will have a log of who ran what command(s), when. It uses the standard sudo framework, which makes it easy to maintain and audit, too.
 
Old 08-14-2014, 10:56 AM   #4
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

Rep: Reputation: 55
Quote:
Originally Posted by TB0ne
I disagree with what YankeePride13 said, although it WOULD work. It's a good idea in principle, but what that does leave you with is a potential security hole. If that alias is compromised, someone COULD run other commands as root. Speaking as someone who was bitten by this before, I would advise against it.

That said, it's VERY easy to set sudo up to only let some user(s) run ONLY some commands..this sort of thing is exactly what sudo was meant for. For ease of use, just set up a user group in sudoers, then list the commands, as such:
Code:
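# User alias specification. Add more user IDs to this group if needed.
User_Alias NETWORKERS = user1, user2, ...

# Command alias specification. sudoers requires absolute paths; these are
# typical Debian locations (an assumption), so confirm with "command -v".
# The trailing * lets "ip tuntap" take arguments such as "add" or "del".
Cmnd_Alias NETWORKCMD = /sbin/ifconfig, /sbin/brctl, /sbin/ip tuntap *

# User group privilege specification: NETWORKERS may run only NETWORKCMD
NETWORKERS ALL = NOPASSWD: !ALL, NETWORKCMD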
That will let any user who you put in the NETWORKERS group only run the commands specified in the NETWORKCMD list as SUDO/root, with no password, and deny them anything else, and not prompt them for a password. That way, they won't have to pop a password in to do something they're allowed to do (which is irritating), and YOU will have a log of who ran what command(s), when. It uses the standard sudo framework, which makes it easy to maintain and audit, too.
TB0ne,

I don't see what the difference is between what you said and what I said. The only difference being the alias which could be set at the user level. If another user were to gain access to the alias, they'd still need the sudo access which they wouldn't have. Please explain (not being sarcastic, I want to learn).
 
Old 08-14-2014, 11:28 AM   #5
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,188

Rep: Reputation: 8066
Quote:
Originally Posted by YankeePride13
TB0ne,
I don't see what the difference is between what you said and what I said. The only difference being the alias which could be set at the user level. If another user were to gain access to the alias, they'd still need the sudo access which they wouldn't have. Please explain (not being sarcastic, I want to learn).
I'm not aliasing anything from the command-side of things, and using the standard SUDO model to do it, while limiting the user(s) to one certain set of commands.

When you say "alias", you're either talking about a command-alias in bash/shell, right? Which is set in the user's profile...which they can modify. So while they start out with the alias equaling "ifconfig", they can change it to be "passwd root", or something similar. Nothing is stopping them from modifying their own profile. And since they're already IN sudoers, those commands go right through. Also, if you want to add more users, you'd have to make these changes to THEIR profiles too, just adding to things you have to maintain/do/remember on your system. By using sudo for what it was intended for, you centralize all of it..and ONLY admins can change commands, and adding/deleting users from the alias group in sudoers is a bit easier.

I always think it's dangerous to do such things...not saying it's wrong, just not something I'd ever do. I'm not being critical of your solution, and it definitely WILL work.

Last edited by TB0ne; 08-14-2014 at 11:30 AM.
 
Old 08-14-2014, 12:11 PM   #6
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

Rep: Reputation: 55
Quote:
Originally Posted by TB0ne
When you say "alias", you're either talking about a command-alias in bash/shell, right? Which is set in the user's profile...which they can modify.
yep

Quote:
So while they start out with the alias equaling "ifconfig", they can change it to be "passwd root", or something similar. Nothing is stopping them from modifying their own profile.
But if the entry in the sudoers file is command specific, they wouldn't have the rights to passwd. The only command they could use using sudo would be ifconfig (or whatever is specified by the OP)

The only reason I was saying to alias it was because the OP said they didn't want their users to have to type sudo when using ifconfig. Otherwise, I think we are talking about the same thing.

Quote:
I always think it's dangerous to do such things...not saying it's wrong, just not something I'd ever do. I'm not being critical of your solution, and it definitely WILL work.
Never said you were being critical. I am here to learn, so I appreciate conversations like this. Sorry if I come off as defensive, that isn't my intent.
 
Old 08-14-2014, 12:49 PM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,188

Rep: Reputation: 8066
Quote:
Originally Posted by YankeePride13
But if the entry in the sudoers file is command specific, they wouldn't have the rights to passwd. The only command they could use using sudo would be ifconfig (or whatever is specified by the OP)

The only reason I was saying to alias it was because the OP said they didn't want their users to have to type sudo when using ifconfig. Otherwise, I think we are talking about the same thing.
Gotcha, and I see where you're coming from..sort of a combination of both methods.
Quote:
Never said you were being critical. I am here to learn, so I appreciate conversations like this. Sorry if I come off as defensive, that isn't my intent.
No, not a bit...and I didn't want YOU to think I was being defensive either.
 
Old 08-14-2014, 01:07 PM   #8
stateless
Member
 
Registered: Jan 2013
Distribution: Debian
Posts: 166

Original Poster
Blog Entries: 1

Rep: Reputation: 4
I think what I was looking for was CAP_NET_ADMIN kernel capability.

http://linux.die.net/man/7/capabilities
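
Added example, not part of the original thread: a shell check that decodes the hex capability mask shown in /proc/<pid>/status and reports whether a process holds CAP_NET_ADMIN alone, alongside other capabilities, or not at all. The function names are hypothetical and the masks used to exercise it are constructed.

```shell
# Added example: decode the hex capability mask that /proc/<pid>/status
# reports (CapEff, CapPrm, ...) and compare it with CAP_NET_ADMIN.
CAP_NET_ADMIN=12   # bit number of CAP_NET_ADMIN in <linux/capability.h>

# valid_mask MASK -> succeeds only for a non-empty hex string
valid_mask() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# has_cap MASK BIT -> succeeds if capability bit BIT is set in MASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# classify MASK -> prints how MASK relates to CAP_NET_ADMIN
classify() {
    valid_mask "$1" || { echo invalid; return 0; }
    if [ $(( 0x$1 )) -eq 0 ]; then
        echo none
    elif ! has_cap "$1" "$CAP_NET_ADMIN"; then
        echo no_net_admin
    elif [ $(( 0x$1 )) -eq $(( 1 << $CAP_NET_ADMIN )) ]; then
        echo net_admin_only
    else
        echo net_admin_plus_others
    fi
}

# cap_eff PID -> prints the effective capability mask of a running process
cap_eff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Report on the current shell when /proc is available.
if [ -r "/proc/$$/status" ]; then
    echo "this shell: $(classify "$(cap_eff $$)")"
fi
```

A result of net_admin_plus_others for a process meant to do only network configuration means it holds more privilege than the task needs.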
 
  

