LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 06-16-2003, 06:23 PM   #1
KendersPlace
Member
 
Registered: Feb 2003
Location: Phoenix, AZ - USA
Distribution: RedHat 8, Micro$haft
Posts: 33

Rep: Reputation: 15
Angry iptables: non-root user access?


Hello all. I am trying to figure out how to grant access to iptables by non-root users. I have tried editing /etc/sudoers, "x" permission is granted to all users on /sbin/iptables.

All I can figure is there is some hook built into iptables/netfilter that simply will not allow users other than 'root' to execute the command. Am I missing something here?

I want to give access to iptables to a net admin temp, but I don't want to give the person root access to the box, just to the firewall.

Very frustrating. I have even looked all around at netfilter.org and found nothing on controlling access. What am I missing??

Thanks!!
 
Old 06-16-2003, 08:23 PM   #2
rohang
Member
 
Registered: Aug 2002
Location: Sydney, Australia
Distribution: Redhat, Open BSD, SuSe, Debian, CentOS
Posts: 177

Rep: Reputation: 31
What were the entries in your /etc/sudoers file for iptables? Did you include the entire path for iptables (i.e. /sbin/iptables) rather than just ipables?
 
Old 06-17-2003, 07:33 AM   #3
EvilTwinSkippy
Member
 
Registered: Mar 2003
Location: Philadelphia, PA
Distribution: RedHat, Gentoo
Posts: 51

Rep: Reputation: 15
Why grant direct access?

Wouldn't a message passing approach be better? I ran into this same situation with a wireless gateway I'm in the process of designing. I want a web server to be able to open access to paying customers, but I don't want the sucker running as root.

My answer was to write a monitor daemon that ran as root, and sat in the background waiting for messages. The webserver communicates to the daemon by writing messages into a MySQL table. The daemon checks for messages periodically, but it can be waken up by opening a connection to port 8000 and closing it again. I also use this same mechanism to tell the daemon to shut down. Simply write QUIT to the socket before closing it. (Though the daemon only listens for the QUIT command from local connections.)

Here's the script in TCL:

Code:
#! /usr/bin/tclsh

###
# Preen Daemon
#
# This script sits in the background, listening for
# commands to be recieved.
#
# The poll time can be abbreviated by simply
# opening a connection to port 8000
#
# Local process can send a kill signal to the
# daemon by writing the string QUIT to 8000
###

set ::tfi(application) preend
###
# Check for updates every minute
###
set ::poll_time   [expr 1 * 60 * 1000]
set ::block 0

proc tock {} {
    if [info exists ::next_tock] {
        # Cancel any pending polls
        after cancel $::next_tock
    }
    if $::block {
        # Grr, someone tried to wake me up
        # while I was operating
        return
    }
    set ::block 1
    if [catch {
        update_loop
    } err] {
        set fout [open /tmp/preen.err a]
        puts $fout "[clock seconds] - $err"
        close $fout

        set fout [open /tmp/preen.errinfo w]
        puts $fout $::errorInfo
        close $fout
    }
    set ::block 0
    set ::next_tock [after ${::poll_time} tock]
}


proc socket_wakeup {chan addr port} {
    tock
    fconfigure $chan -buffering line -translation crlf

    if [info exists ::next_tock] {
        after cancel $::next_tock
    }
    if { $addr == "127.0.0.1" } {
        gets $chan line
        if { $line == "QUIT" } {
            exit
        }
    }
    close $chan
}

###
# Your Code Here
###
proc update_loop {} {
    # This is where it looks for commands
    puts "UPDATE [clock format [clock seconds]]"
}

###
# Listen on port 8000 for the command to wake up
###
socket -server socket_wakeup 8000

# Start the monitor
tock

vwait forever
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
usbport access as a non-root user m.harshavardhan Linux - Hardware 3 07-05-2005 07:10 PM
Gain root access to user longnam Slackware 5 03-29-2005 11:43 AM
Access on a hdd as User not root tkienzle Linux - Newbie 1 02-08-2005 09:21 PM
Access to root applications as a user Hungry ghost Fedora 1 02-04-2005 02:29 PM
No access to FAT32 for non-root user kornerr Slackware 4 01-02-2005 02:55 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 03:48 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration