
I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.

How can I allow any user X to do the ufw status without being root or asking for sudo password?


UPDATE:

I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:

sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status

Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:

sudo visudo -f /etc/sudoers.d/ufwstatus

Now just follow the accepted answer below.

not2qubit
  • Would it be an option to run sudo ufw ... without a password? I doubt that running firewall things without root privilege will work. – Thomas Feb 10 '19 at 14:17
  • No, that would open a huge security hole. – not2qubit Feb 10 '19 at 14:37
  • What would be the difference between allowing a group to use ufw with and without sudo? – Thomas Feb 10 '19 at 14:40
  • Well, it depends on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list. – not2qubit Feb 10 '19 at 14:53
  • One doesn't need sudo - simply service ufw status – waltinator Feb 10 '19 at 15:28
  • @waltinator that only tells you the service status; ufw status lists the ruleset – steeldriver Feb 10 '19 at 15:31
  • I've linked to a similar question - but I have to point out the obvious: If the user whom you don't trust with sudo privileges has the ability to run ufw, they also have the ability to turn off the firewall. – Charles Green Feb 10 '19 at 15:40
  • Also, please make a direct note of the use of the command visudo for editing the sudoers files.... – Charles Green Feb 10 '19 at 15:43
  • @not2qubit: I did not mean to change access rights in the filesystem with chmod but rather run sudo ufw ... without providing a password. You could lock down that to a group or user as linked by Charles Green. – Thomas Feb 10 '19 at 16:29
  • I have now edited /etc/sudoers with Cmnd_Alias FWSTAT = /usr/sbin/ufw and xxxx ALL=NOPASSWD: FWSTAT. But I'm still asked to provide password... – not2qubit Feb 10 '19 at 18:52
  • Do I also need to reload something after having edited sudoers? – not2qubit Feb 10 '19 at 19:03
  • This sounds like an X-Y problem. Why do you want to do this? – vidarlo Feb 10 '19 at 19:26
  • @vidarlo Definitely not an XY problem, but thanks for the link so that I can use that myself when I come across questions like it. – not2qubit Feb 10 '19 at 21:47
  • @CharlesGreen Yep, that dup link was really helpful but did not completely resolve my problem. However, I marked it as solved too. – not2qubit Feb 10 '19 at 21:49

1 Answer


Here's an /etc/sudoers.d/ file that works for me:

$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias      UFWSTATUS = /usr/sbin/ufw status

%ufwstatus      ALL=NOPASSWD: UFWSTATUS

Then add the new "ufwstatus" group (here added as a system group):

sudo groupadd -r ufwstatus

Your otherwise non-privileged user must be added to the ufwstatus group e.g.

sudo gpasswd --add testuser ufwstatus

In order for the change to take effect, the user needs to log in again:

su - testuser

Then

testuser@xenial-vm:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.1.0/24
3389/tcp                   ALLOW       192.168.1.0/24
111                        ALLOW       192.168.1.0/24
2049                       ALLOW       192.168.1.0/24

but other ufw commands are disallowed (even slight variants, such as status --verbose):

testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.
steeldriver
  • Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take effect. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also work without a password. – not2qubit Feb 10 '19 at 21:45
  • Nice answer - and avoids the "too much permission" problem! – Charles Green Feb 10 '19 at 22:27
  • @CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should – steeldriver Feb 10 '19 at 22:31
  • I hadn't noticed that - I would have to try this in my VM – Charles Green Feb 10 '19 at 22:33
  • BTW. I am running this on Mint 19.1 (Xfce), if that matters. – not2qubit Feb 10 '19 at 22:37
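The accepted answer works because sudoers matches a command spec that carries arguments against the full command line, while a spec that is only a path permits any arguments. The following added example (not from the answer or from sudo itself) is a simplified model of that matching rule; it contrasts the answer's fragment with a constructed fragment shaped like the asker's first attempt, where the alias is the bare /usr/sbin/ufw path. The user and group names are constructed, and real sudo also understands wildcards, "" for no arguments and Runas specs, which this model omits.

```python
import re
import shlex

# Constructed fragment in the shape of the accepted answer's /etc/sudoers.d/ufwstatus.
NARROW = """\
Cmnd_Alias      UFWSTATUS = /usr/sbin/ufw status
%ufwstatus      ALL=NOPASSWD: UFWSTATUS
"""
# Constructed fragment in the shape of the asker's first attempt: no arguments in the alias.
BROAD = """\
Cmnd_Alias      FWSTAT = /usr/sbin/ufw
testuser        ALL=NOPASSWD: FWSTAT
"""

def parse_fragment(text):
    """Return a list of (principal, [command specs]) for NOPASSWD rules.
    Simplified: only Cmnd_Alias lines and 'who ALL=NOPASSWD: list' lines are understood."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+ALL\s*=\s*NOPASSWD:\s*(.+)$", line)
        if m:
            specs = []
            for item in m.group(2).split(","):
                specs.extend(aliases.get(item.strip(), [item.strip()]))
            rules.append((m.group(1), specs))
    return rules

def spec_matches(spec, argv):
    """A spec that is only a path permits any arguments; a spec with arguments
    must match the full argv exactly (this is why 'status --verbose' is refused)."""
    want = shlex.split(spec)
    return argv[0] == want[0] if len(want) == 1 else argv == want

def allowed_without_password(rules, user, groups, argv):
    """True if some rule for this user (or one of their %groups) matches argv."""
    for who, specs in rules:
        applies = who[1:] in groups if who.startswith("%") else who == user
        if applies and any(spec_matches(s, argv) for s in specs):
            return True
    return False
```

On a real system the authoritative checks are `visudo -cf /etc/sudoers.d/ufwstatus` before installing the file and `sudo -l -U testuser` afterwards; if a broader rule for the same binary exists anywhere else in sudoers, it will still grant the commands the narrow alias refuses.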