Hi,

I tried to allow a Linux user to use iftop for monitoring network. The trouble is that iftop doesn't work for users and using sudo allows user to access shell console. Is there a option to restrict user for using shell console from iftop ???


Thanks !

I believe there is a way to allow users to do this by editing the sudoers file. But that is for someone far smarter than I.

Iftop "not working for users" is correct behaviour because it can be used to sniff traffic in promiscuous mode. Allowing unprivileged users to make a network device enter promiscuous mode requires root account rights (CAP_MOD capability IIRC) and exposes information those users may or should not have access to. If you do not like to give users console access for monitoring (set up a separate account that can only execute 'sudo iftop' as login shell) then an alternative solution could be to run iftop through Xinetd or a webserver CGI so users can only access displayed results. Unfortunately iftop will not work that way since it expects to run continuously. There's other interface statistics tools that will display network stats like Ntop. It has a built-in webserver, the trade-off being more dependencies (RRD, GDBM) and configuration compared to KISS-honouring tools like iftop.