Stephen Hemminger wrote:
Is there any strong reason why checking the status of iptables is restricted?

Vyatta makes a distribution for routers. In our case, we use a non-root account for operator commands, and some of the commands are about querying iptables status. It seems to be less risky to just fix the kernel to allow a non-root user to query rules than the current script that uses sudo. Another alternative would be building a special restricted command that could be setuid root, but just changing the kernel seems easiest.

Subject: [PATCH] allow non-root to query iptables

This change allows non-root users to do 'iptables -L'.

---
 net/ipv4/netfilter/ip_tables.c  | 6 ------
 net/ipv6/netfilter/ip6_tables.c | 3 ---
 2 files changed, 0 insertions(+), 9 deletions(-)
We should also change arp_tables and ebtables. If you send me an updated patch I'll queue it for 2.6.26.