27

I have an architecture using network namespaces (netns). I would like to allow regular users to do some operations in these netns.

I could write a script netns-exec.sh, inspired by this post, executed with sudo, containing:

ip netns exec $1 su $USER -c "$2"

and add to my sudoer file:

user ALL=(ALL) /path/to/netns-exec.sh

But I find it so ugly I could totally have nightmares about it. Is there a better solution to allow regular users to use namespaces? Is it possible to put users to some useful groups? I searched about it but found nothing.

Raspbeguy
  • 555
  • 1
    Why don't you define Cmd_Alias CMD_NETNS = ip netns exec [regexp matching your namespace] su [regexp matching allowed user] -c [regexp matching allowed namespace command] in your sudoers file, then create a group in which you put your allowed users, and associate this group with this command alias? – netmonk Sep 14 '15 at 11:50
  • 2
    It's the sudo containing a su that annoys me, not the script itself. Anyway, I'll write a script to wrap the thing. It makes 2 user switches; that's really ugly, don't you think? – Raspbeguy Sep 14 '15 at 12:09
  • 6
    That should scare you. The user could modify $USER to be root. – Stephen Dec 14 '15 at 14:21
  • 1
    Yes, and it does scare me. But I figured out later that sudo provides a specific variable $SUDO_USER, which is safer. But that's still ugly. – Raspbeguy Dec 14 '15 at 16:17
  • You could do setuid on the script. – Moonchild Oct 30 '16 at 22:08
  • 1
    @Elronnd - kernel ignores setuid on scripts – Angelo Nov 27 '16 at 08:42

4 Answers

3

Firejail can do the job

firejail --noprofile --netns=nameOfNetSpace command

Alternatively, Netns-Exec, Nsutils and Netns do not require root.

intika
  • 14,406
2

Solution 1

Just add a group called "netns" and add all the wanted users to it. Then give ownership to root:netns and give read/exec capabilities to the group.

In other terms:

# New group netns
sudo groupadd --system netns

# Add root to "netns", not sure if needed
sudo usermod -aG netns root

# Do this for every needed user
sudo usermod -aG netns $UserName

# Change ownership to root, grant rw access to group netns
sudo chown root:netns /path/to/netns-exec.sh
sudo chmod 633 /path/to/netns-exec.sh

Solution 2

This solution is simpler: you have to edit your sudoers file as shown in this example.

user ALL=(ALL) /bin/ip netns
Taz8du29
  • 401
  • Well, solution 1 is impossible, the command ip netns will return an error saying that only root can execute it. Solution 2 is what I had initially in mind, but wasn't satisfying in my opinion. – Raspbeguy May 28 '17 at 13:06
  • 1
    This chmod 0633 would give write+execute permissions to all users and to the netns group. I suspect you wanted to set the SGID bit on the script, but as @Angelo mentioned: setuid and setgid is ignored for shell scripts, and for good reason. – ckujau Aug 31 '17 at 06:48
1

Not a script, but I wrote an ultra-minimalist and hopefully-paranoid-enough C program that allows a non-root user to execute a process inside a Linux network namespace.

The source code is here: netns-exec.c

mpb
  • 1,611
-2

Personally, I do not know if there is a possibility to permit regular users to run commands in different network namespaces, but this annotated shell script may better suit your needs:

#!/bin/bash
# ip netns wrapper script, nns.
# Usage: nns nsname cmdline

case "${1}" in
    do)
        shift # remove "do"
        NSNAME="${1}" # remember nsname
        shift # remove nsname to get argument list for su -c
        if [ -z "${NSNAME}" ] || [ -z "${1}" ]; then exit 1; fi # if either nsname or arglist is empty - error out
        [ -n "${SUDO_USER}" ] || exit 1 # only proceed when sudo tells us who the caller was; never fall through to su with an empty user
        exec ip netns exec "${NSNAME}" su "${SUDO_USER}" -c "${*}" # execute, ${*} merges separate arguments into single word for su/sh -c parsing. See with strace.
    ;;
    *)
        SCRIPTNAME="$(readlink -f "${0}")" # remember script full path, so it matches the sudoers entry
        exec sudo "${SCRIPTNAME}" do "${@}" # run it through sudo with elevated privileges
    ;;
esac

Install it somewhere in /usr/bin and allow your users to execute it.

  • Thanks for your response (and sorry for noticing several months after). But the problem remains the same, that is to say using sudo. – Raspbeguy May 13 '17 at 21:03
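The two worries raised in the thread are a caller-controlled `$USER` reaching `su`, and a sudoers entry that effectively grants any `ip netns exec ... <shell>` as root. The wrapper below is an added example, not code from any of the answers: it validates the namespace name, takes the target user only from sudo's own `SUDO_USER`, and passes the command argument by argument through util-linux `runuser` instead of joining it into a `su -c` string. The install path `/usr/local/bin/netns-run`, the `%netns` group and the 32-character name limit are assumptions.

```shell
#!/bin/sh
# netns-run: hardened wrapper around "ip netns exec" (added example; the
# path /usr/local/bin/netns-run, the %netns group and the 32-char limit are
# assumptions). Install root-owned, mode 0755, and grant it in sudoers as:
#   %netns ALL=(root) NOPASSWD: /usr/local/bin/netns-run
# Usage: sudo netns-run <nsname> <command> [args...]

NETNS_DIR=/var/run/netns   # where "ip netns add" keeps namespace handles

# Accept only short plain names: no slashes, dots, spaces or shell metacharacters.
valid_ns_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# The user to drop back to comes from sudo's own SUDO_USER, never from a
# caller-controlled variable such as $USER, and is never root.
target_user() {
    u="${SUDO_USER:-}"
    [ -n "$u" ] && [ "$u" != root ] && printf '%s\n' "$u"
}

# Validate, then hand the command to runuser (util-linux) argument by argument:
# "$@" is never joined into one string, so nothing is re-parsed by a shell.
run_in_ns() {
    [ "$#" -ge 2 ] || { echo "usage: netns-run <nsname> <command> [args...]" >&2; return 64; }
    ns="$1"; shift
    valid_ns_name "$ns" || { echo "netns-run: bad namespace name" >&2; return 64; }
    [ -e "$NETNS_DIR/$ns" ] || { echo "netns-run: no such namespace: $ns" >&2; return 66; }
    u=$(target_user) || { echo "netns-run: run via sudo as a non-root user" >&2; return 77; }
    exec ip netns exec "$ns" runuser -u "$u" -- "$@"
}

# Only act when invoked as the installed script, so the functions can be sourced.
case "$0" in
    */netns-run | netns-run) run_in_ns "$@" ;;
esac
```

Because the command runs under the caller's own uid again, the only privilege the wrapper confers is the namespace switch itself, which is what the question asks for.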