Re: [RFC] Allowing non-root to get iptables info?

Stephen Hemminger wrote:
Is there any strong reason why checking the status of iptables is restricted?

Vyatta makes a distribution for routers. In our case, we use a non-root account
for operator commands, and some of the commands are about querying iptables status.
It seems to be less risky to just fix the kernel to allow non-root user to query rules
than the current script that uses sudo. Another alternative would be building a special
restricted command that could be setuid root, but just changing the kernel seems easiest.



Subject: [PATCH] allow non-root to query iptables

This change allows non-root users to do 'iptables -L'.

---
 net/ipv4/netfilter/ip_tables.c  |    6 ------
 net/ipv6/netfilter/ip6_tables.c |    3 ---
 2 files changed, 0 insertions(+), 9 deletions(-)


We should also change arp_tables and ebtables. If you send me an
updated patch I'll queue it for 2.6.26.
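
The sudo-based alternative mentioned above is only as safe as the argument filtering placed in front of iptables: a wrapper that forwards operator-supplied arguments unchecked exposes the write options (-A, -I, -F, ...) and --modprobe=, which names a program iptables runs as root when it needs to load a module. The function below is an added example, not Vyatta's script and not code from this thread. It assumes the operator account is permitted, through sudoers, to run only a wrapper script that ends by calling restricted_iptables_query "$@", and that the real binary is /sbin/iptables; both are assumptions for illustration.

```shell
#!/bin/sh
# Added example: allow-list the arguments a sudo-exposed "iptables -L" wrapper
# will forward. Everything not listed here (write operations, --modprobe=,
# option values with shell metacharacters) is refused before iptables runs.

# Return 0 when every argument is a read-only listing option, 1 otherwise.
iptables_query_args_ok() {
    expect=""   # set to "table" or "chain" when the previous option takes an operand
    for arg in "$@"; do
        case "$expect" in
            table)
                expect=""
                # -t only accepts one of the built-in table names.
                case "$arg" in
                    filter|nat|mangle|raw) continue ;;
                    *) return 1 ;;
                esac ;;
            chain)
                expect=""
                # -L/-S may be followed by a chain name; it must be a plain
                # identifier so nothing odd is ever handed to the root process.
                case "$arg" in
                    -*) ;;                         # no chain given, treat as an option
                    *[!A-Za-z0-9_-]*|"") return 1 ;;
                    *) continue ;;
                esac ;;
        esac
        case "$arg" in
            -L|-S) expect=chain ;;
            -t) expect=table ;;
            -n|-v|-x|--line-numbers|-nv|-vn) ;;
            *) return 1 ;;                         # -A, -D, -F, --modprobe=..., anything else
        esac
    done
    # A trailing -t with no table name is malformed; a trailing -L is fine.
    if [ "$expect" = table ]; then
        return 1
    fi
    return 0
}

# Wrapper entry point: validate first, then replace the shell with the real
# binary (assumed path) using the same, now vetted, argument vector.
restricted_iptables_query() {
    if ! iptables_query_args_ok "$@"; then
        echo "refused: iptables $*" >&2
        return 1
    fi
    exec /sbin/iptables "$@"
}
```

The allow-list deliberately matches whole tokens, so a combined or unexpected spelling such as -Lnv is refused rather than parsed; extend the case arms if the operator tooling needs more listing flags. Note that with this approach the restriction lives in the wrapper, whereas the kernel change discussed in the thread removes the privilege check for every local user, so the information disclosed by a rule listing is then available to anyone on the box.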
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
