TransWikia.com

Proper way to give a binary permissions to use iptables without sudo

Unix & Linux Asked by Thomas Braun on December 24, 2020

There is a single binary for my program that needs access to iptables/ip6tables to add/remove entries as required. It seems reasonable to have an install script that sets up the environment to allow the user to run the binary without the need of using sudo each time. The only time the user would use sudo is for the install, and thereafter, would be able to use their own account to run the binary. The thing is, I’m not sure what commands I should run to enable this in the install script.

One Answer

You would create a group for the user(s) who need that permission. Perhaps such a group already exists, e.g. users.

Then do (as root, perhaps by sudo)

# chgrp users /usr/sbin/iptables
# chmod u+rxs,o= /usr/sbin/iptables

Then someone in that group ought to be able to run that command as root. (Please adjust the path of iptables as appropriate.)

Another way would be to use sudo to allow a user/group to run that command. Security-wise it is equivalent, as long as o= is not omitted from the chmod command. The sudo approach is a little more modern, though - and perhaps a matter of taste.

Correct answer by Ned64 on December 24, 2020
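
A check an install script could run after the chgrp/chmod step in the answer above, added here as an example and not part of the original answer. It resolves symlinks first, because chmod and chgrp act on the file a symlink points to, then confirms the owner, the group, and that the mode has the setuid bit with no access for "other". The function names are hypothetical, and GNU coreutils `stat -c` and `readlink -f` are assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names); assumes GNU stat and readlink.

# mode_ok OCTAL_MODE
# Succeeds only if the setuid bit is set, "other" has no access at all
# (the effect of o= in the chmod command), and the group cannot write.
mode_ok() {
    m=$((0$1))                              # leading 0: parse as octal
    [ $((m & 04000)) -ne 0 ] || return 1    # setuid bit missing
    [ $((m & 00007)) -eq 0 ] || return 1    # "other" still has access
    [ $((m & 00020)) -eq 0 ] || return 1    # group-writable setuid file
    return 0
}

# audit_binary PATH GROUP [OWNER]
# OWNER defaults to root; the parameter lets the check be tried unprivileged.
# Returns 0 = as intended, 1 = wrong owner/group/mode, 2 = not a regular file.
audit_binary() {
    real=$(readlink -f -- "$1") || return 2
    [ -f "$real" ] || return 2
    mode=$(stat -c '%a' -- "$real")
    owner=$(stat -c '%U' -- "$real")
    group=$(stat -c '%G' -- "$real")
    # Print the resolved path: the setuid bit lands on this file, so every
    # other name that links to it is affected as well.
    echo "$1 -> $real mode=$mode owner=$owner group=$group"
    [ "$owner" = "${3:-root}" ] || { echo "FAIL: owner is not ${3:-root}"; return 1; }
    [ "$group" = "$2" ] || { echo "FAIL: group is not $2"; return 1; }
    mode_ok "$mode" || { echo "FAIL: mode $mode"; return 1; }
    echo "OK"
}

# Usage: sh audit.sh /usr/sbin/iptables users
if [ $# -ge 2 ]; then
    audit_binary "$@"
fi
```
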
