
Xubuntu: need to allow secondary account to change Network settings

I work for a Kansas ISP doing wireless internet installations. Almost always I'm doing the tech side of the work, like testing for a signal, while another guy climbs roofs and ladders while he holds the radio we use.

However, after this ISP acquired another company near Wichita, they want to send a number of us down there to learn how to do the installs, and the boss explicitly mentioned *everyone* is to be able to do everything necessary on the software side, which means I need to get things ready on another account for these guys to use.

But I don't know how to allow them to change the network settings, which is going to be necessary, on this second account.

It seems like it should be possible (is it just the process of adding them to a certain group or something relatively simple?)

Any ideas?
 
I believe adding them to the admin group will allow all of the sudo stuff to work just fine, but be aware that you'll be giving them 100% root access that way.
 
Well unfortunately I don't have my Debian box in front of me right now, but this is generally how you would do it..

There are a couple ways you can approach it.

The Sudo command has its configuration you edit with visudo. Normally it would be used in Ubuntu to give a desktop user a sort of 'admin' account where they can execute commands as root as long as they supply their passwords.

However you can use it to only allow specific commands to be executed by group or username.

So I don't know what all you need to configure. Whether or not it's doing any routing or firewalling or whatever. But if it's just the network interface then you can do something like...

Set up a networking group and give write access to it for /etc/network/interfaces and then set up sudo to use ifup and ifdown commands. That way an admin can edit the configuration file and bring up and down the interface.

However I don't remember if ifup and ifdown are scripts or are they programs. An important security consideration for scripts is that it's easy to inject extra commands into them. So a person with root writes to a script can usually get a bash shell going with root permissions. This is why it's not possible to 'setuid to 0' for shell scripting. I don't know how much of an issue this is for you.


If you use a GUI program for configuration then it will probably be easy to set up sudo's configuration to allow a user belonging to 'networking' group to execute that as root and then configure the network interface that way.

Then all you'd have to do is add a script to the desktop that runs the gksudo (or whatever) to run the command to launch the GUI. Stick that script so it gets launched by double clicking on an icon and you should be good to go.
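
Added example (not part of the post above and not any project's own code): a shell helper for the restricted-sudo approach described in that reply. It builds a one-line sudoers rule for a group, refuses any command file that a non-root user could modify, and flags scripts. The `networking` group comes from the thread; the function names, `TRUSTED_UID`, and the `/sbin/ifup` and `/sbin/ifdown` paths are assumptions.

```shell
#!/bin/sh
# Added example: build a narrow sudoers rule for a group, refusing any command
# that a non-root user could modify. Group name and paths are assumptions.
TRUSTED_UID=${TRUSTED_UID:-0}   # uid that must own every delegated command (root)

# audit_cmd PATH -> prints "binary" or "script"; returns 1 if unsafe to delegate
audit_cmd() {
    case $1 in /*) ;; *) echo "not an absolute path: $1" >&2; return 1 ;; esac
    real=$(readlink -f -- "$1") || return 1   # follow symlinks to the real file
    # Safe = regular file, owned by the trusted uid, no group/other write bit.
    ok=$(find "$real" -prune -type f -user "$TRUSTED_UID" \
              ! -perm -020 ! -perm -002 2>/dev/null) || ok=
    [ -n "$ok" ] || { echo "unsafe owner or mode: $real" >&2; return 1; }
    # Scripts run as root carry interpreter and environment risks; report them.
    if [ "$(head -c 2 -- "$real")" = '#!' ]; then echo script; else echo binary; fi
}

# make_rule GROUP CMD... -> prints one sudoers line; fails if any CMD is unsafe
make_rule() {
    group=$1; shift; list=
    for cmd in "$@"; do
        kind=$(audit_cmd "$cmd") || return 1
        if [ "$kind" = script ]; then
            echo "note: $cmd is a script, review it before delegating" >&2
        fi
        list=${list:+$list, }$cmd
    done
    printf '%%%s ALL=(root) %s\n' "$group" "$list"
}

# Typical use as root (paths assumed, as on Debian/Ubuntu with ifupdown):
#   make_rule networking /sbin/ifup /sbin/ifdown > /tmp/networking.sudoers
#   visudo -cf /tmp/networking.sudoers && \
#     install -m 0440 -o root -g root /tmp/networking.sudoers \
#       /etc/sudoers.d/networking
```

Group write access to /etc/network/interfaces is a separate grant that this rule does not narrow: ifup runs the hook commands (`pre-up`, `up`, `post-up`) in that file as root, so treat write access to it as root-equivalent.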

 
Originally posted by: Nothinman
I believe adding them to the admin group will allow all of the sudo stuff to work just fine, but be aware that you'll be giving them 100% root access that way.

I suspected that, but would prefer not to allow it to any of them.

Honestly, none of them have ever touched Linux, and wouldn't know where to start if they wanted to ruin something. I'd just prefer not granting it for the sake of... not granting it. Ever.

Originally posted by: drag
Well unfortunately I don't have my Debian box in front of me right now, but this is generally how you would do it..

There are a couple ways you can approach it.

The Sudo command has its configuration you edit with visudo. Normally it would be used in Ubuntu to give a desktop user a sort of 'admin' account where they can execute commands as root as long as they supply their passwords.

However you can use it to only allow specific commands to be executed by group or username.

So I don't know what all you need to configure. Whether or not it's doing any routing or firewalling or whatever. But if it's just the network interface then you can do something like...

Set up a networking group and give write access to it for /etc/network/interfaces and then set up sudo to use ifup and ifdown commands. That way an admin can edit the configuration file and bring up and down the interface.

However I don't remember if ifup and ifdown are scripts or are they programs. An important security consideration for scripts is that it's easy to inject extra commands into them. So a person with root writes to a script can usually get a bash shell going with root permissions. This is why it's not possible to 'setuid to 0' for shell scripting. I don't know how much of an issue this is for you.


If you use a GUI program for configuration then it will probably be easy to set up sudo's configuration to allow a user belonging to 'networking' group to execute that as root and then configure the network interface that way.

Then all you'd have to do is add a script to the desktop that runs the gksudo (or whatever) to run the command to launch the GUI. Stick that script so it gets launched by double clicking on an icon and you should be good to go.

That's more like what I want. I'll play around and see if I can get that to work properly tonight. A GUI is what I need; it's what I usually use because I have pre-set IPs we switch between pretty often, and I'd sooner point and click than type in the same thing over and over.

Thanks 🙂
 