I recently came across a High Availability scenario in which the maintenance program needs to bind a virtual IP to the server it sits on and then broadcast it over the network. To do so it runs the ip and arp commands respectively. However, I noticed that any such maintenance program needs sudoer privilege to run ip or arp. I do not give such root-like privilege to it but want it to still be able to run these two commands. So is there a solution? Thanks in advance.
The HA scenario requires failing over a (virtual) IP-address and sending gratuitous arp requests to ensure that the LAN learns that an IP failover has occurred.
Making changes to a system's IP stack and sending gratuitous arp requests requires privileged / root level access.
When the tooling making those changes already runs as root, there is of course already sufficient privileged access.
When the tooling does not run as root then a method of granting that privileged access is necessary. A sudoers policy is one method that can grant fine-grained privileges.
An alternative is, for example, to set set-uid root permissions on those commands, but that allows any and all users to send gratuitous arp requests and modify the ARP caches of neighbouring systems and/or modify the system's IP stack. That is probably less desirable.
This is mostly a comment (but not enough space in the comment box).
Is there a solution to running a command which requires elevated privileges without elevating privileges? - No
"I do not give such root like privilege" - If you had explained your reservations then we might have been able to suggest an alternative or allay your concerns, e.g.
allows the 'maintenance' user to ONLY run the named script as root.
But I'm struggling to imagine a scenario where a service for implementing high availability would require a manual startup. Running this as a service also provides benefits in ensuring that service keeps running - so why not just provision it that way as the root user? Unfortunately DROPPING root privileges requires additional tools. So it might make more sense to run the service as a non-privileged user with sudo rules for privileged operations.
Linux also has a privilege management system described as capabilities - but granting capabilities to solve this problem might undermine your undefined objective implied by not using the root account.
You can allow a user to execute specific commands and nothing else through sudo as any user (like the "run-as" thing in Windows). There is no obligation to give full root access, sudo can be very granular.
Do read the manual for sudoers.
For the HA scenario, that's more or less the description of VRRP.
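
The answers above suggest a sudo rule that lets the 'maintenance' user run only one named script as root, and note that sudo can be very granular. The sketch below is an added example, not code from any of the posters: the script path, the sudoers rule in the comment, the allowlisted addresses and interfaces, the prefix length and the use of arping from iputils are all assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. /usr/local/sbin/vip-failover (root-owned, not
# writable by the maintenance user). Assumed sudoers rule, edited with
# "visudo -f /etc/sudoers.d/vip-failover":
#   maintenance ALL=(root) NOPASSWD: /usr/local/sbin/vip-failover
# That rule permits any arguments, so the script must validate them itself.

ALLOWED_VIPS="192.0.2.10 192.0.2.11"   # constructed sample values (TEST-NET-1)
ALLOWED_IFACES="eth0 bond0"            # constructed sample values
PREFIX_LEN=24                          # assumed subnet prefix length

# in_list VALUE "space separated list": exact string match, no patterns.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# check_request ACTION VIP IFACE: succeeds only for allowlisted requests.
check_request() {
    [ "$#" -eq 3 ] || return 1
    case $1 in
        add|del) ;;
        *) return 1 ;;
    esac
    in_list "$2" "$ALLOWED_VIPS" && in_list "$3" "$ALLOWED_IFACES"
}

main() {
    if ! check_request "$@"; then
        echo "usage: $0 add|del VIP IFACE (allowlisted values only)" >&2
        return 2
    fi
    PATH=/usr/sbin:/usr/bin:/sbin:/bin   # fixed PATH, not the caller's
    export PATH
    ip addr "$1" "$2/$PREFIX_LEN" dev "$3" || return 1
    # After taking over the VIP, send gratuitous ARP so the LAN relearns it
    # (arping from iputils is an assumption; the question only names "arp").
    if [ "$1" = add ]; then
        arping -U -c 3 -I "$3" "$2"
    fi
}

# Run only when called with arguments, so the functions can be sourced/tested.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With this layout the maintenance program would call `sudo /usr/local/sbin/vip-failover add 192.0.2.10 eth0`, and any address or interface outside the allowlist is rejected before `ip` or `arping` runs.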