What script could allow regular users to use network namespaces?

Solution 1

Firejail can do the job

firejail --noprofile --netns=nameOfNetSpace command

Alternatively, Netns-Exec, Nsutils and Netns do not require root.

Solution 2

Solution 1

Just add a group called "netns" and add all the wanted users to it. Then give ownership to root:netns and give read/exec capabilities to the group.

In other terms:

# New group netns
sudo groupadd --system netns

# Add root to "netns", not sure if needed
sudo usermod -aG netns root

# Do this for every needed user
sudo usermod -aG netns $UserName

# Change ownership to root, grant rw access to group netns
sudo chown root:netns /path/to/netns-exec.sh
sudo chmod 633 /path/to/netns-exec.sh

Solution 2

This solution is simpler: you have to edit your sudoers file as shown in this example.

user ALL=(ALL) /bin/ip netns

Author by

Raspbeguy

Updated on September 18, 2022

Comments

  • Raspbeguy
    Raspbeguy over 1 year

    I have an architecture using network namespaces (netns). I would like to allow regular users to do some operations in these netns.

    I could write a script netns-exec.sh, inspired by this post, executed with sudo, containing:

    ip netns exec $1 su $USER -c "$2"
    

    and add to my sudoers file:

    user ALL=(ALL) /path/to/netns-exec.sh
    

    But I find it so ugly I could totally have nightmares about it. Is there a better solution to allow regular users to use namespaces? Is it possible to put users to some useful groups? I searched about it but found nothing.

    • Admin
      Admin over 8 years
      Why don't you define Cmd_Alias CMD_NETNS = ip netns exec [regexp matching your namespace] su [regexp matching allowed user] -c [regexp matching allowed namespace command] in your sudoers file and then create a group in which you put your allowed users, and associate this group to this command alias?
    • Admin
      Admin over 8 years
      It's the sudo containing a su that annoys me, not the script itself. Anyway, I'll write a script to wrap the thing. It makes 2 user switches, that's really ugly, don't you think?
    • Admin
      Admin over 8 years
      That should scare you. The user could modify $USER to be root.
    • Admin
      Admin over 7 years
      You could do setuid on the script.
    • Admin
      Admin over 7 years
      @Elronnd - kernel ignores setuid on scripts
  • Admin
    Admin about 7 years
    Thanks for your response (and sorry for noticing several months after). But the problem remains the same, that is to say using sudo.
  • Raspbeguy
    Raspbeguy almost 7 years
    Well, solution 1 is impossible, the command ip netns will return an error saying that only root can execute it. Solution 2 is what I had initially in mind, but wasn't satisfying in my opinion.
  • ckujau
    ckujau over 6 years
    This chmod 0633 would give write+execute permissions to all users and to the netns group. I suspect you wanted to set the SGID bit on the script, but as @Angelo mentioned: setuid and setgid are ignored for shell scripts, and for good reason.
  • Admin
    Admin about 2 years
    You must have root privileges to use "ip netns".
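
An added example, not part of the original posts: one way to write the netns-exec.sh wrapper from the question so that it neither trusts $USER nor hands the command string to a second shell through su -c. The allowlist ALLOWED_NETNS, the names lab0 and lab1 and the function names are assumptions; it relies on sudo setting SUDO_UID and SUDO_GID itself and on setpriv from util-linux.

```shell
#!/bin/sh
# Added example: hardened netns-exec.sh, intended as the only command
# granted in sudoers. The namespace names below are constructed placeholders.
ALLOWED_NETNS="lab0 lab1"

# Accept only exact names from the allowlist. The character check also
# rejects empty names, '/', '..', spaces and shell metacharacters.
netns_allowed() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    for allowed in $ALLOWED_NETNS; do
        [ "$allowed" = "$1" ] && return 0
    done
    return 1
}

# Identify the caller from SUDO_UID/SUDO_GID (set by sudo), never from $USER.
# Missing, non-numeric, zero or zero-prefixed ids are refused.
caller_ids_ok() {
    case "${SUDO_UID:-}" in ''|*[!0-9]*|0*) return 1 ;; esac
    case "${SUDO_GID:-}" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

main() {
    ns=$1; shift
    netns_allowed "$ns" || { echo "netns-exec: namespace not allowed: $ns" >&2; return 2; }
    caller_ids_ok || { echo "netns-exec: run through sudo as a non-root user" >&2; return 2; }
    [ "$#" -gt 0 ] || { echo "usage: netns-exec.sh NETNS COMMAND [ARG...]" >&2; return 2; }
    # Enter the namespace as root, then drop to the caller's uid/gid and
    # supplementary groups. "$@" keeps each argument a separate word.
    exec ip netns exec "$ns" \
        setpriv --reuid="$SUDO_UID" --regid="$SUDO_GID" --init-groups -- "$@"
}

# Run only when arguments are given, so the functions can be sourced and checked.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

setpriv leaves the environment as sudo passed it, so keep sudo's default env_reset in place.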