LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Need to create a restricted user(Centos) (https://www.linuxquestions.org/questions/linux-newbie-8/need-to-create-a-restricted-user-centos-753650/)

ankushpandit 09-08-2009 03:18 PM
Need to create a restricted user(Centos)
 
Hi,

I am a newbie to Linux and I want to create a user which can only execute network config commands like ifconfig and ping(to check the config). The following is what I did but failed.
1) Created a group called 'netconfig'.
2) added a user named 'user'.
3) added user to the 'netconfig' group.
4) Changed the permissions on /bin and /sbin directories so that only groups 'root' and 'netconfig' can Read & execute.

The Result

1) I can execute ping and ifconfig commands when I log on as 'root' and can configure the network(as Default ofcourse).
2) The problem arises when I execute this command and get the following response.

[A]
/bin/ping x.x.x.x [enter]
ping: icmp open socket: Operation not permitted

[B]
/sbin/ifconfig [enter]
eth0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
inet addr:x.x.x.x Bcast:x.x.x.255 Mask:255.255.255.0
inet6 addr: aaaa::aaaa:aaaa:aaaa:9999/00 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1320 errors:0 dropped:0 overruns:0 frame:0
TX packets:991 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:138423 (135.1 KiB) TX bytes:178569 (174.3 KiB)
Memory:d0200000-d0220000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2343 errors:0 dropped:0 overruns:0 frame:0
TX packets:2343 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2709476 (2.5 MiB) TX bytes:2709476 (2.5 MiB)

[this seems to work fine till I dont execute the following line]

[C]
/sbin/ifconfig eth0 down [enter]
SIOCSIFFLAGS: Permission denied

I have 2 questions
a} Am I at a right path for my goal, i.e. Am I doing right steps for creating a user which has only access to 'ifconfig' and 'ping' command?

b} Is there a better way for creating a restricted user with access to only 2 commands?

Please help with this. Any examples and experiences are welcome.

Thanks in advance,

Ankush Pandit.

adam999 09-08-2009 03:49 PM
these programs need to be run as root. Change the sticky bit using
Code:
chmod +s

r3sistance 09-08-2009 07:17 PM
What the user intends to do with these programs will effect how to achieve this. If the user is only going to view the settings that this can be done easily. Ping I believe should already be in /bin/, ensure you don't overwrite anything already in /bin/ else that may cause a few problems. To enable users to just run ifconfig to just view network scripts, I did the following on my own CentOS server (as root or sudoing the ln line).

cd /bin
ln /sbin/ifconfig

This will create a symbolic link to the ifconfig in /sbin/ meaning that should you preform a yum update, when ifconfig is updated in /sbin/ then as all that is held in /bin/ is a symlink you do not have two different versions of ifconfig sat on your machine. If the user intends to perform any changes then I would suggest assigning the user a sudo entry for ifconfig in the sudoers file and ensuring the sudo privilage only refers to ifconfig. I personally would not do this as this would allow them to change the ips of interfaces what could cause issues.

ankushpandit 09-09-2009 08:02 AM
Quote:
Originally Posted by r3sistance (Post 3675059)
What the user intends to do with these programs will effect how to achieve this. If the user is only going to view the settings that this can be done easily. Ping I believe should already be in /bin/, ensure you don't overwrite anything already in /bin/ else that may cause a few problems. To enable users to just run ifconfig to just view network scripts, I did the following on my own CentOS server (as root or sudoing the ln line).

cd /bin
ln /sbin/ifconfig

This will create a symbolic link to the ifconfig in /sbin/ meaning that should you preform a yum update, when ifconfig is updated in /sbin/ then as all that is held in /bin/ is a symlink you do not have two different versions of ifconfig sat on your machine. If the user intends to perform any changes then I would suggest assigning the user a sudo entry for ifconfig in the sudoers file and ensuring the sudo privilage only refers to ifconfig. I personally would not do this as this would allow them to change the ips of interfaces what could cause issues.
first of all thankz for the replies guyz. I think i gave too much information about the problem. The point here is to have a user who can not execute any command! except for ifconfig and ping.

only 2 commands should execute
1) ifconfig
2) ping

and i can add him to the "root" group.

Quote:
Originally Posted by r3sistance (Post 3675059)
"I personally would not do this as this would allow them to change the ips of interfaces what could cause issues."
I understand this. But here is the real deal. we are deploying a server(written in java) on centos. what we need is when the customer get this server he should be able to change the network configs. But only the network config nothing else.

ankushpandit 09-09-2009 02:40 PM
part of the solution
 
Hi

I found a solution not exactly up to the point but will like to share.

This is what I did(logged in as a root)

1) Added a group : groupadd netadmins
2) Added a user : useradd admin1
3) Gave a password for admin1 : passwd admin1
4) Added admin1 as a member of group netadmins : usermod -g netadmins admin1
5) Edited /etc/sudoers : vi /etc/sudoers

added two lines

1st
#added this just after the "Cmnd_Alias NETWORKING decleration"
Cmnd_Alias TIGHTNETWORKING = /sbin/ifconfig, /bin/ping

2nd
#added this just after the "root ALL=(ALL) ALL"
%netadmins ALL = (ALL) NOPASSWD:TIGHTNETWORKING

saved the file with "wq!" as sudoers is a readonly file!
---------------------------------------------------------------------
The result

logged off from root, logged in as admin1.
executed the ifconfig and ping using sudo

[admin1@177 ~] sudo /sbin/ifconfig eth0 up

It worked out fine.

[admin1@177 ~] sudo /bin/ping x.x.x.x

This worked on fine and I later realized that ping works without sudo too.

This solved a major part of my problem i.e. now a non admin user can execute 'ifconfig' if the user

is a part of 'netadmins'.

Now does anyone has an idea how to disable all the other commands including "ll ls pwd ....etc etc"

Thankz in advance.

chrism01 09-09-2009 06:35 PM
As the sudo'ed user, he'll only be able to run the cmds you allowed.
If(!) you don't want him to have a std acct ie normal login as himself, then sudo, ie only the the sudo stuff, then you need to make the sudo cmd his 'login shell' in the /etc/passwd file.

r3sistance 09-10-2009 02:11 AM
Quote:
Originally Posted by ankushpandit (Post 3675782)
I understand this. But here is the real deal. we are deploying a server(written in java) on centos. what we need is when the customer get this server he should be able to change the network configs. But only the network config nothing else.
You know changes done via ifconfig such as...

sudo ifconfig eth0 192.168.0.42

would be lost on reboot, so if your intending to allow the user to change the IP on a perm basis then this method is less then ideal, just to forewarn you of this.

wswxf 09-10-2009 09:24 AM
I am a new linux user, Study with all.


All times are GMT -5. The time now is 07:44 PM.