From: Chris Brenton <cbrenton@chrisbrenton.org>
To: "Michael Jürgens" <netfilter@juergens.name>
Cc: netfilter <netfilter@lists.netfilter.org>
Subject: Re: providing partial access to iptables for non root user
Date: Mon, 21 Feb 2005 08:38:44 -0500
Message-ID: <1108993123.2238.90.camel@grendel>
In-Reply-To: <4219C6F1.2070500@juergens.name>

On Mon, 2005-02-21 at 06:33, Michael Jürgens wrote:
> 
> I'm looking for a solution to provide a non root user write access to a 
> chain.

I've written up some stuff using sudo in order to create an auditing
trail. You can read about it here:

http://www.loganalysis.org/sections/parsing/application-specific/firewall-logging.html#iptables

> his special case I have to provide a mechanism to block some ip 
> addresses to connect to http.
> But this should be done by a non root user. The non root user should not 
> change any other rule.

The problem is you cannot set permissions to different iptables
switches. So granting a person access to the binary implies they will be
able to do pretty much anything they want.

You might be able to create a front end that accepts just an IP address,
and then the back end fills out the rest of the command, but you would
need really good data scrubbing to ensure that only IP addresses are
accepted, not command line switches. You would also need to ensure that
the user does not have direct access to the binary.

HTH,
Chris
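The front end Chris sketches above, as an added example that is not part of the original thread and not code from the netfilter project. It is a POSIX sh wrapper that accepts exactly one IPv4 address, rejects anything that could be read as an iptables switch, logs who asked for the block (sudo sets SUDO_USER), and appends a fixed rule to a dedicated chain. The chain name USERBLOCK, the install path /usr/local/sbin/block-ip, the user name webadmin and the sudoers line in the comment are all assumptions for this example; the chain itself is expected to have been created by root beforehand (for instance with `iptables -N USERBLOCK` and `iptables -I INPUT -p tcp --dport 80 -j USERBLOCK`) so that the wrapper never has to touch INPUT.

```shell
#!/bin/sh
# Added example (not from the original thread): a sudo-invoked wrapper that
# lets a non-root user add one kind of rule only. Assumed sudoers entry:
#   webadmin ALL=(root) NOPASSWD: /usr/local/sbin/block-ip
# The user is granted this wrapper, never /sbin/iptables itself.

CHAIN="USERBLOCK"              # assumed chain, created by root in advance
IPTABLES="/sbin/iptables"
DRY_RUN="${DRY_RUN:-}"         # when set, print the command instead of running it

# validate_ipv4 ADDR: returns 0 for a plain dotted-quad IPv4 address, 1 otherwise.
# Only digits and dots are allowed, so "-F", "1.2.3.4 -j ACCEPT" or an empty
# string can never reach iptables. Leading zeros are rejected because
# inet_aton(3) would read "010" as octal, which is not what an operator expects.
validate_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr                    # split into octets (only digits here, no globbing risk)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0[0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_block_cmd ADDR: the exact command the wrapper runs. Everything except the
# address is fixed: the user cannot pick the chain, the target or any switch.
build_block_cmd() {
    printf '%s -A %s -s %s -p tcp --dport 80 -j DROP\n' "$IPTABLES" "$CHAIN" "$1"
}

# block_ip ADDR: validate, write the audit record, then apply the rule.
# Returns 2 on rejected input, otherwise the exit status of iptables.
block_ip() {
    if ! validate_ipv4 "$1"; then
        echo "block-ip: refusing input that is not a plain IPv4 address" >&2
        return 2
    fi
    # Audit trail: sudo exports the calling user's name in SUDO_USER.
    logger -t block-ip "user ${SUDO_USER:-unknown} blocked $1 on tcp/80" 2>/dev/null || :
    if [ -n "$DRY_RUN" ]; then
        build_block_cmd "$1"
        return 0
    fi
    "$IPTABLES" -A "$CHAIN" -s "$1" -p tcp --dport 80 -j DROP
}

# Entry point: exactly one argument, nothing else is accepted.
main() {
    if [ $# -ne 1 ]; then
        echo "usage: block-ip ADDRESS" >&2
        return 2
    fi
    block_ip "$1"
}

# Run main only when installed and executed under the assumed name, so the
# functions can also be sourced for testing without touching the firewall.
case "${0##*/}" in block-ip) main "$@" ;; esac
```

The validation is deliberately a whitelist: rather than trying to strip dangerous characters, it accepts only the one shape the rule needs. Run as `sudo /usr/local/sbin/block-ip 192.0.2.10` by the permitted user; anything else, including extra arguments, is refused before iptables is ever invoked, and every accepted request leaves a syslog line naming the requester.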




Thread overview:
2005-02-21 11:33 providing partial access to iptables for non root user  Michael Jürgens
2005-02-21 13:38 ` Chris Brenton [this message]
2005-02-21 14:29 ` Jason Opperisano
2005-02-23 22:38   ` Eric Leblond