Is 'sudoer' a must for the 'ip' command? Any way to get around it?


I recently came across a High Availability scenario in which the maintenance program needs to bind a virtual IP to the server it sits on and then broadcast it over the network. To do so it runs the ip and arp commands respectively. However, I noticed that any such maintenance program needs sudoer privilege to run ip or arp. I do not give such root-like privilege to it but want it to still be able to run these two commands. So is there a solution? Thanks in advance.


The HA scenario requires failing over a (virtual) IP-address and sending gratuitous arp requests to ensure that the LAN learns that an IP failover has occurred.

Making changes to a system's IP stack and sending gratuitous arp requests requires privileged / root level access.

When the tooling making those changes already runs as root, there is of course already sufficient privileged access.

When the tooling does not run as root then a method of granting that privileged access is necessary. A sudoers policy is one method that can grant fine-grained privileges.

Edit: The answer from @symcbean made me realise: because many examples only grant unrestricted and unlimited privileges, you may not be aware that sudo is explicitly designed to grant restricted privileges. The following example grants the user george only the rights to run those three commands (with arguments) via sudo with root rights:

# in /etc/sudoers or as a drop-in file /etc/sudoers.d/file-name
# List of privileged commands
Cmnd_Alias IPFAILOVER = /usr/sbin/ip, /usr/sbin/arp, /usr/sbin/arping
# allow george to run the above commands as root without having to authenticate with a password 
george        ALL=(root)       NOPASSWD: IPFAILOVER

An alternative is, for example, to set set-uid root permissions on those commands, but that allows any and all users to send gratuitous arp requests and modify the ARP caches of neighbouring systems and/or modify the system's IP stack. That is probably less desirable.

George Y
Thanks for the idea. You are right about the danger, so the method that symcbean provided is more prudent - after all I can make the special script record or control the use of those network commands.

This is mostly a comment (but there is not enough space in the comment box).

Is there a solution to running a command which requires elevated privileges without elevating privileges? - No

"I do not give such root like privilege" - If you had explained your reservations then we might have been able to suggest an alternative or allay your concerns, e.g.

maintenance ALL=(root) NOPASSWD: /usr/local/bin/your_provisioning_script

allows the 'maintenance' user to ONLY run the named script as root.

But I'm struggling to imagine a scenario where a service for implementing high availability would require a manual startup. Running this as a service also provides benefits in ensuring that service keeps running - so why not just provision it that way as the root user? Unfortunately DROPPING root privileges requires additional tools. So it might make more sense to run the service as a non-privileged user with sudo rules for privileged operations.

Linux also has a privilege management system described as capabilities - but granting capabilities to solve this problem might undermine your undefined objective implied by not using the root account.
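An added example, not part of the answer above or of any project's code: one shape a script in the role of /usr/local/bin/your_provisioning_script could take. A sudoers entry that names a command without arguments permits any arguments, so the script itself has to refuse everything except the one failover it exists for. The script's purpose, ALLOWED_VIP, ALLOWED_IF and the DRY_RUN switch are assumptions, and the arping flags assume the iputils version.

```shell
#!/bin/sh
# Hypothetical root-owned wrapper (mode 0755, not writable by the HA user).
# ALLOWED_VIP and ALLOWED_IF are constructed sample values.
ALLOWED_VIP="192.0.2.10/24"
ALLOWED_IF="eth0"
IP=/usr/sbin/ip            # absolute paths, as in the sudoers alias on this page
ARPING=/usr/sbin/arping    # assumes iputils arping (-U = unsolicited ARP)

# Accept only the exact address/interface pair this host may take over.
check_request() {
    [ "$1" = "$ALLOWED_VIP" ] && [ "$2" = "$ALLOWED_IF" ]
}

# Execute a privileged command, or only print it when DRY_RUN=1.
priv() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        # Record who asked for what; sudo sets SUDO_UID for the caller.
        logger -t vip-failover "uid=${SUDO_UID:-unknown} run: $*"
        "$@"
    fi
}

# failover up|down VIP/PREFIX IFACE
failover() {
    action=$1 vip=$2 dev=$3
    check_request "$vip" "$dev" || { echo "refused: $vip on $dev" >&2; return 2; }
    case $action in
        up)   priv "$IP" addr add "$vip" dev "$dev" &&
              priv "$ARPING" -U -c 3 -I "$dev" "${vip%/*}" ;;
        down) priv "$IP" addr del "$vip" dev "$dev" ;;
        *)    echo "usage: $0 up|down VIP/PREFIX IFACE" >&2; return 2 ;;
    esac
}

# Act only when called with arguments, so sourcing the file has no side effects.
[ $# -eq 0 ] || failover "$@"
```

With this in place the unprivileged user can only add or remove that one address on that one interface, and every invocation is logged by both sudo and the script.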


You can allow a user to execute specific commands and nothing else through sudo as any user (like the "run-as" thing in Windows). There is no obligation to give full root access, sudo can be very granular.

Do read the manual for sudoers.

For the HA scenario, that's more or less the description of VRRP.
