
I noticed that even checking the status of firewalld seems to require sudo. I want to keep the privileges of this script as low as possible and, for that reason, I would like the user to be able to check the port status as a regular user. If necessary, they can then request escalation to sudo.

Is it possible to achieve this on a RHEL-based system, or do you need to be sudo for all of it?


1 Answer


visudo

Checking open ports with firewalld requires administrative privileges (sudo).

It's not a very clean way, but you can edit the sudoers file with:

sudo visudo

Add this and replace USER with the username you want to grant permissions to:

<USER> ALL=(root) NOPASSWD: /usr/bin/firewall-cmd --list-ports

This grants the USER permission to execute the firewall-cmd --list-ports command.

It is important to use caution when modifying system configurations and granting permissions!

How to List Open Ports in Firewalld

Show list of open ports using firewalld in CentOS7

Exit/save edit to sudoers file?

How to Edit Sudoers File in Linux

How to Use Sudo and the Sudoers File

setuid

You can create a script that runs with elevated privileges with setuid.

Using the setuid or setgid bit on a shell script will create more problems—especially security problems—than it solves. Some systems (such as Linux) don’t even honor the setuid bit on shell scripts, so creating setuid shell scripts creates an unnecessary portability problem in addition to the security risks.

setuid(2) — Linux manual page

Allow setuid on shell scripts

Why do my setuid root bash shell scripts not work?

How to use the "setuid" bit?

Writing setuid or setgid Scripts

Both solutions should only be used with caution and with the greatest care!

For security reasons, it is recommended to perform the check for open ports with firewalld at the end using either the root user or a user with administrative rights.

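As an added example (not part of the original answer or of firewalld), here is a POSIX shell script that uses the sudoers rule above the way the question asks for: it tries the passwordless `sudo -n` path first, falls back to an interactive sudo only if that fails, and then checks a port against the returned list. The path `/usr/bin/firewall-cmd` and the sample `--list-ports` output are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes the sudoers rule
#   <USER> ALL=(root) NOPASSWD: /usr/bin/firewall-cmd --list-ports
# from the answer is in place for the user running this script. A sudoers
# command spec with arguments matches the exact argument list, so only this
# invocation is passwordless; e.g. --list-services would still prompt.

FIREWALL_CMD="${FIREWALL_CMD:-/usr/bin/firewall-cmd}"   # assumed path

# Print the open ports of the default zone. The passwordless path is tried
# first with `sudo -n`, which makes sudo fail instead of prompting when the
# NOPASSWD rule is missing; only then is an interactive sudo requested.
list_open_ports() {
    if ports=$(sudo -n "$FIREWALL_CMD" --list-ports 2>/dev/null); then
        printf '%s\n' "$ports"
        return 0
    fi
    echo "no passwordless rule for '$FIREWALL_CMD --list-ports'; requesting sudo" >&2
    sudo "$FIREWALL_CMD" --list-ports
}

# port_is_open PORT/PROTO LIST: 0 if PORT/PROTO is one of the whitespace-
# separated entries in LIST (the format firewall-cmd --list-ports prints),
# 1 otherwise. Comparing whole entries keeps 80/tcp from matching 8080/tcp.
port_is_open() {
    want="$1"
    list="$2"
    for entry in $list; do
        [ "$entry" = "$want" ] && return 0
    done
    return 1
}

# check_port PORT/PROTO LIST: human-readable result, same exit status.
check_port() {
    if port_is_open "$1" "$2"; then
        echo "$1 is open"
    else
        echo "$1 is closed"
        return 1
    fi
}

# Constructed sample of `firewall-cmd --list-ports` output so the script
# runs offline; set LIVE=1 to query the real firewall through sudo instead.
SAMPLE_PORTS="80/tcp 443/tcp 8080/tcp 53/udp"
if [ "${LIVE:-0}" = 1 ]; then
    PORTS=$(list_open_ports) || exit 1
else
    PORTS="$SAMPLE_PORTS"
fi

check_port 22/tcp "$PORTS"     # prints "22/tcp is closed"
check_port 443/tcp "$PORTS"    # prints "443/tcp is open"
```

To verify the rule without running the command, `sudo -n -l /usr/bin/firewall-cmd --list-ports` exits 0 only if the policy allows that exact command line non-interactively. Note that `--list-ports` shows only ports added with `--add-port`; ports opened through a service (`--add-service`) would need a separate `--list-services` rule in sudoers.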