User allowed commands -

Rick Stevens ricks at nerd.com
Wed Mar 18 17:20:19 UTC 2009


Bob Goodwin wrote:
> Sharpe, Sam J wrote:
>> Bob Goodwin wrote:
>>>
>>> Can someone tell me how I can arrange to be able to run
>>> system-control-network as user bobg.  It looks like I  should
>>> be able to accomplish this via visudo but that is overwhelmingly 
>>> complex.
>>>
>>> My objective is to be able to close or open my eth0 internet connection
>>> without
>>> jumping though hoops. As it stands I have to use system-config-network,
>>> enter password, and when the GUI comes up I can then click on
>>> "de/activate."
>> Two ways to not quite accomplish accomplish roughly what you want:
>>
>> 1) Allow the user to control the network device - add "USERCTL=yes" in 
>> /etc/sysconfig/network-scripts/ifcfg-eth0 as documented here:
>> http://www.centos.org/docs/4/html/rhel-rg-en-4/s1-networkscripts-interfaces.html 
>>
>>
>> - but I don't think that will allow you to launch s-c-network as a 
>> non-root user - i think you'd still have to run "ifup eth0" and 
>> "ifdown eth0"
>>
>> 2) add the following to /etc/security/console.apps/system-config-network
>> UGROUPS=users (assuming bobg is in the users group)
>>
>> That will then prompt for bobg's password rather than root - but as 
>> you object to typing in a password I'm not sure it's great for you.
>>
>> -- 
>> Sam
>>
> None of the above afford me any advantage, all ask me to enter a 
> password again before permitting me to disconnect which seems like a 
> negative security feature!

You think asking you to enter a password to alter your network settings
is a NEGATIVE security feature?  Boy, do you have a warped sense of
security.

 >  It ought to be simpler ...
> 
> ifup/down-eth0 are not valid commands.  ifdown-eth is but does not 
> work.  "basename: missing operand"  whatever that means?

The commands are "ifup eth0" or "ifdown eth0" as was shown in Sam's 
posting.  Look closer.

> The command I would really like to be able to use is 
> "system-control-network+" which offers two buttons, Activate and 
> Deactivate plus a Configure button.  I haven't been able to find the 
> file that produces that GUI.

The closest is system-config-network and you need to be root to run
it--precisely what you don't like.

I don't want to scold you, Bob, but when you're futzing with your
network settings, not only can you hose your machine but you can cause
problems on the local network as well (e.g. force-feeding a duplicate IP
onto one of your NICs thereby corrupting your router's ARP cache).  At
least requiring a root password to prevent normal users from potentially
screwing the works up is a reasonable (and I would argue minimal) 
security restraint.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- If at first you don't succeed, quit. No sense being a damned fool! -
----------------------------------------------------------------------




More information about the fedora-list mailing list