What script could allow regular users to use network namespaces?
Solution 1
Firejail can do the job
firejail --noprofile --netns=nameOfNetSpace command
Alternatively, Netns-Exec, Nsutils and Netns do not require root.
Solution 2
Solution 1
Just add a group called "netns" and add all the wanted users to it. Then give ownership to root:netns and give read/exec capabilities to the group.
In other terms:
# New group netns
sudo groupadd --system netns
# Add root to "netns", not sure if needed
sudo usermod -aG netns root
# Do this for every needed user
sudo usermod -aG netns $UserName
# Change ownership to root, grant rw access to group netns
sudo chown root:netns /path/to/netns-exec.sh
sudo chmod 633 /path/to/netns-exec.sh
Solution 2
This solution is simpler: you have to edit your sudoers file as shown in this example.
user ALL=(ALL) /bin/ip netns
Raspbeguy
Updated on September 18, 2022
Comments
-
Raspbeguy over 1 year
I have an architecture using network namespaces (netns). I would like to allow regular users to do some operations in these netns.
I could write a script netns-exec.sh, inspired by this post, executed with sudo, containing:
ip netns exec $1 su $USER -c "$2"
and add to my sudoers file:
user ALL=(ALL) /path/to/netns-exec.sh
But I find it so ugly I could totally have nightmares about it. Is there a better solution to allow regular users to use namespaces? Is it possible to put users to some useful groups? I searched about it but found nothing.
-
Admin over 8 years
Why don't you define
Cmd_Alias CMD_NETNS = ip netns exec [regexp matching your namespace] su [regexp matching allowed user] -c [regexp matching allowed namespace command]
in your sudoers file and then create a group in which you put your allowed users, and associate this group to this command alias.
-
Admin over 8 years
It's the sudo containing a su that annoys me, not the script itself. Anyway I'll write a script to wrap the thing. It makes 2 user switches, that's really ugly, don't you think?
-
Admin over 8 years
That should scare you. The user could modify $USER to be root.
-
Admin over 7 years
You could do setuid on the script.
-
Admin over 7 years
@Elronnd - kernel ignores setuid on scripts
-
Admin about 7 years
Thanks for your response (and sorry for noticing several months after). But the problem remains the same, that is to say using sudo.
-
Raspbeguy almost 7 years
Well, solution 1 is impossible, the command ip netns will return an error saying that only root can execute it. Solution 2 is what I had initially in mind, but wasn't satisfying in my opinion.
-
ckujau over 6 years
This chmod 0633 would give write+execute permissions to all users and to the netns group. I suspect you wanted to set the SGID bit on the script, but as @Angelo mentioned: setuid and setgid are ignored for shell scripts, and for good reason.
-
Admin about 2 years
You must have root privileges to use "ip netns"
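
Added example (not part of the original thread and not any poster's code): a hardened form of the netns-exec.sh wrapper from the question. It takes the invoking user from SUDO_UID, which sudo sets itself, instead of the caller-controlled $USER raised in the comments, and only enters namespaces on an allowlist. The install path, the %netns sudoers group and the namespace names blue and green are assumptions.

```sh
#!/bin/sh
# Added example: hardened netns-exec.sh (hypothetical wrapper, not from the thread).
# Assumed sudoers entry:  %netns ALL=(root) /usr/local/sbin/netns-exec.sh
# Usage (via sudo):       sudo netns-exec.sh <namespace> <command> [args...]

ALLOWED_NS="blue green"   # constructed sample allowlist of namespace names

# Succeeds only if $1 is a plain name that is on the allowlist.
ns_allowed() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty, or contains '/', '.', space...
    esac
    for candidate in $ALLOWED_NS; do
        [ "$candidate" = "$1" ] && return 0
    done
    return 1
}

# Prints the invoking user's numeric UID from SUDO_UID, which sudo sets itself.
# $USER is under the caller's control and is never consulted.
caller_uid() {
    case "${SUDO_UID:-}" in
        ''|*[!0-9]*|0*) return 1 ;;   # missing, non-numeric, or root (0, 00, ...)
    esac
    printf '%s\n' "$SUDO_UID"
}

main() {
    target=$1; shift
    ns_allowed "$target" || { echo "namespace not allowed: $target" >&2; exit 1; }
    uid=$(caller_uid) || { echo "not started through sudo by a non-root user" >&2; exit 1; }
    # Enter the namespace as root, then drop to the caller before running the
    # command. The command is passed as argv, so no shell re-parses it.
    # Assumes root may run commands as any user (the default sudoers rule).
    exec ip netns exec "$target" sudo -u "#$uid" -- "$@"
}

# Run only when given a namespace and a command.
if [ "$#" -ge 2 ]; then main "$@"; fi
```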