User allowed commands -

Bob Goodwin bobgoodwin at wildblue.net
Wed Mar 18 17:34:56 UTC 2009


Rick Stevens wrote:
> Bob Goodwin wrote:
>> Sharpe, Sam J wrote:
>>> Bob Goodwin wrote:
>>>>
>>>> Can someone tell me how I can arrange to be able to run
>>>> system-control-network as user bobg.  It looks like I should
>>>> be able to accomplish this via visudo but that is overwhelmingly
>>>> complex.
>>>>
>>>> My objective is to be able to close or open my eth0 internet
>>>> connection without jumping through hoops. As it stands I have to use
>>>> system-config-network, enter password, and when the GUI comes up I
>>>> can then click on "de/activate."
>>> Two ways to not quite accomplish roughly what you want:
>>>
>>> 1) Allow the user to control the network device - add "USERCTL=yes" 
>>> in /etc/sysconfig/network-scripts/ifcfg-eth0 as documented here:
>>> http://www.centos.org/docs/4/html/rhel-rg-en-4/s1-networkscripts-interfaces.html 
>>>
>>>
>>> - but I don't think that will allow you to launch s-c-network as a
>>> non-root user - I think you'd still have to run "ifup eth0" and
>>> "ifdown eth0"
>>>
>>> 2) add the following to 
>>> /etc/security/console.apps/system-config-network
>>> UGROUPS=users (assuming bobg is in the users group)
>>>
>>> That will then prompt for bobg's password rather than root - but as 
>>> you object to typing in a password I'm not sure it's great for you.
>>>
>>> -- 
>>> Sam
>>>
>> None of the above afford me any advantage, all ask me to enter a 
>> password again before permitting me to disconnect which seems like a 
>> negative security feature!
>
> You think asking you to enter a password to alter your network settings
> is a NEGATIVE security feature?  Boy, do you have a warped sense of
> security.
>
>> It ought to be simpler ...
>>
>> ifup/down-eth0 are not valid commands.  ifdown-eth is but does not 
>> work.  "basename: missing operand"  whatever that means?
>
> The commands are "ifup eth0" or "ifdown eth0" as was shown in Sam's 
> posting.  Look closer.
>
>> The command I would really like to be able to use is 
>> "system-control-network+" which offers two buttons, Activate and 
>> Deactivate plus a Configure button.  I haven't been able to find the 
>> file that produces that GUI.
>
> The closest is system-config-network and you need to be root to run
> it--precisely what you don't like.
>
> I don't want to scold you, Bob, but when you're futzing with your
> network settings, not only can you hose your machine but you can cause
> problems on the local network as well (e.g. force-feeding a duplicate IP
> onto one of your NICs thereby corrupting your router's ARP cache).  At
> least requiring a root password to prevent normal users from potentially
> screwing the works up is a reasonable (and I would argue minimal) 
> security restraint.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                      ricks at nerd.com -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> - If at first you don't succeed, quit. No sense being a damned fool! -
> ----------------------------------------------------------------------
>

Yes but it is my machine and if I "hose" it is my problem and I will 
un-hose it!

My concern is that if I see unexplained activity on my gkrellm monitor I
should be able to shut down the internet connection immediately without
going through a maze of Windows-like commands!  I just want a direct
means of control, with or without a password; best of all would be to
have the password displayed on screen as I type so that I can see my
typing errors.  I live in a virtual vacuum and only the dog and cat see
what I am doing!

I have no problem with entering passwords as necessary and have probably 
been doing it fifty times a day setting up this "new" computer the way I 
want it.

At this time it would probably serve to replace this F-9 box which I am 
reluctant to leave for F-10.

Bob
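
The sudoers route raised at the start of the thread, as an added example that is not part of any poster's message: a rule limited to the two exact command lines quoted above, shown beside the broader forms to avoid. The paths /sbin/ifup and /sbin/ifdown and the alias name ETH0_CTL are assumptions; confirm the paths with `which ifup` before use.

```sudoers
# Added example, not from the thread. Add these lines with visudo so that
# syntax errors are caught before the file is saved.
# Assumed paths: /sbin/ifup and /sbin/ifdown.

# Too broad: every command as any user, with no password prompt.
# bobg ALL = (ALL) NOPASSWD: ALL

# Still too broad: no arguments are listed, so sudo accepts any arguments.
# bobg ALL = (root) /sbin/ifup, /sbin/ifdown

# Narrow: only these two command lines, run as root.
# sudo prompts for bobg's own password, not root's.
Cmnd_Alias ETH0_CTL = /sbin/ifup eth0, /sbin/ifdown eth0
bobg ALL = (root) ETH0_CTL

# Variant that drops the password prompt for these two commands only:
# bobg ALL = (root) NOPASSWD: ETH0_CTL
```

With the narrow rule in place, `sudo /sbin/ifdown eth0` takes the interface down from a terminal, and `sudo -l` run as bobg lists exactly what the rule permits.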



