Run ipchains as normal user?
I've got a bash script which sets up rules for ipchains. Also runs tcp_syncookies, icmp_ignore_bogus_error_responses, and a couple other root-only programs.
Because the script needs the IP address, it must run after the connection is made. I want to have the script be able to be run by normal users, because normal users will be doing the connecting. Problem is, normal users can't run ipchains (or /proc/sys/net/ipv4/tcp_syncookies, and a couple of other things which are also in my bash script) Can suid bash scritps, of course. Don't want to set up all normal users for sudo, unless I can restrict them to just my post-connect ipchains script. Anyone have a work-around or other advice? -------------------------------------------------------------------------- PROBLEM SOLVED EDIT FOLLOWS: I didn't understand that sudo could be configured for specific scripts. I added this to sudoers: %users ALL=NOPASSWD:/usr/bin/firewall ... then I added this to be executed after connection /usr/bin/sudo /usr/bin/firewall I guess I should have googled a bit more before posting here ;) |
A normal user is not supposed to install/modify filter rules. Only root can / should do it.
yes, sudo is the work-around. |
All times are GMT -5. The time now is 12:53 PM. |