What script could allow regular users to use network namespaces?
I have an architecture using network namespaces (netns). I would like to allow regular users to do some operations in these netns.
I could write a script netns-exec.sh, inspired by this post, executed with sudo, containing:
    ip netns exec $1 su $USER -c "$2"
and add to my sudoers file:
    user ALL=(ALL) /path/to/netns-exec.sh
But I find it so ugly I could totally have nightmares about it.
Is there a better solution to allow regular users to use namespaces? Is it possible to put users in some useful groups? I searched about it but found nothing.
sudo root privileges network-namespaces
edited Sep 19 '17 at 4:46
Stephen Rauch
asked Sep 14 '15 at 9:24
Raspbeguy
1
Why don't you define
    Cmd_Alias CMD_NETNS = ip netns exec [regexp matching your namespace] su [regexp matching allowed user] -c [regexp matching allowed namespace command]
in your sudoers file and then create a group in which you put your allowed users, and associate this group to this command alias.
– netmonk
Sep 14 '15 at 11:50
2
It's the sudo containing a su that annoys me, not the script itself. Anyway I'll write a script to wrap the thing. It makes 2 user switches, that's really ugly, don't you think?
– Raspbeguy
Sep 14 '15 at 12:09
6
That should scare you. The user could modify $USER to be root.
– Stephen
Dec 14 '15 at 14:21
1
Yes, and it does scare me. But I figured out later that sudo provided a specific variable $SUDO_USER, which is safer. But that's still ugly.
– Raspbeguy
Dec 14 '15 at 16:17
1
@Elronnd - kernel ignores setuid on scripts
– Angelo
Nov 27 '16 at 8:42
3 Answers
Solution 1
Just add a group called "netns" and add all the wanted users to it.
Then give ownership to root:netns and give read/exec capabilities to the group.
In other terms:
    # New group netns
    sudo groupadd --system netns
    # Add root to "netns", not sure if needed
    sudo usermod -aG netns root
    # Do this for every needed user
    sudo usermod -aG netns $UserName
    # Change ownership to root, grant rw access to group netns
    sudo chown root:netns /path/to/netns-exec.sh
    sudo chmod 633 /path/to/netns-exec.sh
Solution 2
This solution is simpler: you have to edit your sudoers file as shown in this example.
    user ALL=(ALL) /bin/ip netns
edited May 18 '17 at 19:46
answered May 18 '17 at 19:39
Taz8du29
Well, solution 1 is impossible, the command ip netns will return an error saying that only root can execute it. Solution 2 is what I had initially in mind, but wasn't satisfying in my opinion.
– Raspbeguy
May 28 '17 at 13:06
This chmod 0633 would give write+execute permissions to all users and to the netns group. I suspect you wanted to set the SGID bit on the script, but as @Angelo mentioned: setuid and setgid are ignored for shell scripts, and for good reason.
– ckujau
Aug 31 '17 at 6:48
Personally, I do not know if there is a possibility to permit regular users to run commands in different network namespaces, but this annotated shell script may better suit your needs:
    #!/bin/bash
    # ip netns wrapper script, nns.
    # Usage: nns nsname cmdline
    case "${1}" in
        do)
            shift              # remove "do"
            NSNAME="${1}"      # remember nsname
            shift              # remove nsname to get argument list for su -c
            # if either nsname or arglist is empty - error out
            [ -z "${NSNAME}" -o -z "${1}" ] && exit 1
            # execute; ${*} merges separate arguments into a single word
            # for su/sh -c parsing. See with strace.
            ip netns exec "${NSNAME}" su "${SUDO_USER}" -c "${*}"
            ;;
        *)
            SCRIPTNAME="${0}"  # remember script full path
            # run it through sudo with elevated privileges
            exec sudo "${SCRIPTNAME}" do "${@}"
            ;;
    esac
Install it somewhere in /usr/bin and allow your users to execute it.
answered Nov 28 '16 at 4:25
user140866
Thanks for your response (and sorry for noticing several months after). But the problem remains the same, that is to say using sudo.
– Raspbeguy
May 13 '17 at 21:03
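A hardened form of the sudo wrapper from this answer, also covering the $USER versus $SUDO_USER point raised in the comments on the question. This is an added example, not code from the thread: it takes the target identity from the numeric SUDO_UID and SUDO_GID that sudo sets, checks the namespace name before use, and passes the command as an argument vector instead of a string for su -c. The script name, install path, the netns group and the use of setpriv(1) from util-linux are assumptions.

```shell
#!/bin/sh
# netns-exec NAMESPACE COMMAND [ARG...]
# Run COMMAND inside an existing network namespace as the invoking user.
# Added example; install path and group name below are assumptions.
#
# sudoers rule (edit with visudo), for members of group "netns" only:
#   %netns ALL=(root) /usr/local/sbin/netns-exec
# Keep the file root:root, mode 0755: whoever can write to it can act as root.

LC_ALL=C; export LC_ALL   # make the character ranges below ASCII-only

# valid_ns NAME [DIR]: NAME must be a plain name (no "/", no "." or "..",
# no leading "-") and must already exist under DIR, which defaults to
# /run/netns, where "ip netns add" creates its handles.
valid_ns() {
    case $1 in
        ''|-*|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ -e "${2:-/run/netns}/$1" ]
}

# valid_id ID: numeric and non-zero. An empty value, a name, or id 0 is
# refused, so the command can never be started as root.
valid_id() {
    case $1 in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# check_request NAMESPACE UID GID [DIR]: 0 if the request may proceed,
# 65 for a bad or unknown namespace, 77 for an unusable identity.
check_request() {
    valid_ns "$1" "${4:-/run/netns}" || return 65
    valid_id "$2" || return 77
    valid_id "$3" || return 77
}

main() {
    if [ "$#" -lt 2 ]; then
        echo "usage: netns-exec NAMESPACE COMMAND [ARG...]" >&2
        return 64
    fi
    ns=$1
    shift
    # Identity comes from what sudo recorded, never from $USER or $LOGNAME.
    check_request "$ns" "${SUDO_UID:-}" "${SUDO_GID:-}" || {
        rc=$?
        echo "netns-exec: request refused (code $rc)" >&2
        return "$rc"
    }
    PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
    # "$@" keeps every argument as its own word; setpriv drops to the
    # caller's uid, gid and supplementary groups before running COMMAND.
    exec ip netns exec "$ns" \
        setpriv --reuid "$SUDO_UID" --regid "$SUDO_GID" --init-groups -- "$@"
}

# Run only when arguments were given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```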
Firejail can do the job
firejail --noprofile --netns=nameOfNetSpace command
answered 16 mins ago
intika