LinuxQuestions.org


davelikesbike 02-21-2012 12:08 PM

Allowing Change IP Access

I want to create a new user and give them very limited access, but the one (and only) thing I want them to be able to do is change system IP address.

How do I create a user and allow them to change the IP address of the box without giving them root or SU?

Cheers!
Dave

MensaWater 02-21-2012 12:28 PM

Are you saying that at login you want them to change the IP address then exit? Or are you saying in addition to their normal user functions you want them to be able to change the IP address?

For either you'd need to work out the command line syntax to do the modification (or launch the GUI that does the modification) which is different for different distros of Linux. Ideally you'd create a script to do what you want.

To have them do the login, change and exit you can modify their login script (e.g. $HOME/.bashrc) to run an "exec" on the script - this makes it replace the shell with the script and once the script completes and exits it exits completely from the system. (For this to work you also need to disable traps and shell escapes.)

For the normal user setup and addition of IP address change you should set up sudo to run the script/command that does the IP change. Sudo is designed to allow non-root users to run specific root commands as if they were root without actually becoming the root user or needing to know the root password. Typing "man sudo" and "man visudo" will give you more information. The key point if you write a script is to ensure that it is only writable by root user so that they can't change it to add other commands. (This also means the script should be in a protected directory so that the user can't change permissions on it.)

davelikesbike 02-21-2012 12:40 PM

Yeah sorry I am new to Linux and did not explain very well.

I created an account on my box for a contractor to be able to login. Then I want him to be able to change the IP on the box for me so that I can remote into it.
So far I have worked out this command:

chmod a+rw /etc/sysconfig/network-scripts/ifcfg-eth0

This allows the user to edit that file and save it. Then he can reboot it by pulling the power.
Is there a way he can apply the new address change without having access to the reboot command?

Cheers!
Dave

chrism01 02-21-2012 06:56 PM

Code:

service network restart

Do NOT just pull power; that will very likely cause corruption.

BTW, if it's only changing the IP, you could write a script that does that and takes the new IP as a param; then make that root only and sudo run just that (& service restart at the end).
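
Added example, not part of any post in this thread: one way to write the root-owned script suggested above, taking the new IP as its only parameter, validating it strictly, updating ifcfg-eth0 and restarting the network. The install path /usr/local/sbin/set-ip.sh, the sudoers line and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed install path (hypothetical):
#   /usr/local/sbin/set-ip.sh, owner root, mode 0755, directory writable by root only
# Assumed sudoers entry (add with visudo), using the thread's user name:
#   satworker ALL = (root) /usr/local/sbin/set-ip.sh
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH   # fixed PATH that includes /sbin

# Accept only a strict dotted quad: four decimal octets 0-255, no leading zeros.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; only digits and dots can reach this line
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            [0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# set_ipaddr FILE IP: replace the IPADDR= line in FILE, leaving other lines alone.
set_ipaddr() {
    file=$1 ip=$2
    valid_ipv4 "$ip" || { echo "invalid IPv4 address" >&2; return 2; }
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    tmp=$(mktemp "$file.XXXXXX") || return 1      # same directory, so mv is a rename
    sed '/^IPADDR=/d' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    echo "IPADDR=$ip" >> "$tmp"
    chmod 644 "$tmp" && mv "$tmp" "$file"
}

main() {
    [ $# -eq 1 ] || { echo "usage: $0 NEW_IPV4" >&2; return 64; }
    # The target file is hard-coded; the caller controls nothing but the address.
    set_ipaddr /etc/sysconfig/network-scripts/ifcfg-eth0 "$1" || return
    service network restart
}

# With no arguments the file only defines the functions (useful for testing).
if [ $# -gt 0 ]; then main "$@"; exit; fi
```

With this in place ifcfg-eth0 can stay writable by root only, and the user runs "sudo /usr/local/sbin/set-ip.sh 192.168.1.50" with the address they need.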

davelikesbike 02-22-2012 04:18 PM

Great thanks for that info.

The issue is the standard user is not allowed to run the command "service network restart".
Is there a way I can give him explicit access to that command?

Cheers!
Dave

MensaWater 02-23-2012 09:01 AM

Yes. As noted previously you can give them access to do sudo. See the sudo and visudo man pages.

After granting access they'd run "sudo service network restart" instead of just "service network restart". That prompts for their login rather than root's but then runs the command as root. (Be sure when specifying the command that you specify the full command and not just "service" to avoid having them do other stop/starts of key services.)

Also you can avoid sudo and hard boot altogether by simply having them hit "ctrl-alt-del" on the console. That will perform a soft boot (normal shutdown and restart).

davelikesbike 02-23-2012 11:47 AM

So I have been monkeying around with "nano /etc/sudoers" and adding lines like:

satworker localhost=/sbin/shutdown -r now
satworker ALL = NETWORKING, SERVICES, PROCESSES

But I always get back the same response:

[trixbox1.localdomain /]# sudo shutdown -r now
sudo: shutdown: command not found
[trixbox1.localdomain /]#

Any help would be great.
Cheers!
Dave

catkin 02-23-2012 11:49 AM

shutdown is /sbin/shutdown so you either need /sbin in your PATH or to enter /sbin/shutdown

davelikesbike 02-23-2012 12:09 PM

Ahhhhhhh!!!

Thanks Catkin, that did it!
And thanks to all others for your help.

Cheers!
Dave

