I have a program that, at some point, creates/destroys tun/tap virtual adapters.

Obviously, for these specific operations this program requires root privileges.

According to the program specifications, root privileges are dropped as soon as they are no longer needed (I assume after the tap adapter was created).

However, I'd like to secure this even more and to run it as non-root in the first place.

Is there a way of allowing a specific user to just create and destroy tun/tap adapters and leave out all other specific permissions to their default?

ereOn

1 Answer

Look into the sudo mechanism. `man sudo` and `man sudoers`.

Sven
  • Doesn't `sudo` change the effective user of the command being run? Ideally, I'd like some of "my" developers to be allowed to create tun/tap adapters without having root access. Using sudo in their case wouldn't work because they can't install the software properly on the system (and I don't want them to) nor can they set `LD_LIBRARY_PATH` within `sudo`. – ereOn Feb 25 '13 at 10:50
  • You can allow sudo access to very specific commands, not only a general purpose shell. If you write a script that handles everything you need to create/destroy your `tun/tap` devices and grant `sudo` access to only this script, users can only do as root what this script does. – Sven Feb 25 '13 at 10:58
  • Now I feel dumb for not having thought of using a script for that... Obviously, if I set the LD_LIBRARY_PATH and the PATH inside the script, users can call it, even as `sudo`. Thanks. – ereOn Feb 25 '13 at 11:04
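
The wrapper-script approach from the comments above, sketched as an added example that is not part of the original thread. The script name `tapctl`, its path, the `tapusers` group and the `tapN`/`tunN` naming policy are assumptions chosen for illustration.

```shell
#!/bin/sh
# tapctl (hypothetical name): the only command the sudoers rule below allows.
# Assumed install: /usr/local/sbin/tapctl, owner root:root, mode 0755, so the
# users who may run it cannot modify it.
# Assumed sudoers entry (edit with visudo; group "tapusers" is an assumption):
#   %tapusers ALL=(root) NOPASSWD: /usr/local/sbin/tapctl
# The rule lists no arguments, so the script validates every argument itself.

# Fixed search path: nothing is inherited from the calling user.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Print the ip(8) command for a request, or return 1 if the request is invalid.
# $1 = add|del, $2 = interface name, $3 = user who will own the device
tapctl_plan() {
    case "$1" in
        add|del) ;;
        *) return 1 ;;
    esac
    # Allow only tap0..tap99 and tun0..tun99; the prefix fixes the mode.
    case "$2" in
        tap[0-9]|tap[0-9][0-9]) mode=tap ;;
        tun[0-9]|tun[0-9][0-9]) mode=tun ;;
        *) return 1 ;;
    esac
    if [ "$1" = del ]; then
        echo "ip tuntap del dev $2 mode $mode"
        return 0
    fi
    # The owner must be a plain account name, never an option or a path.
    case "$3" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    echo "ip tuntap add dev $2 mode $mode user $3"
}

tapctl_main() {
    # sudo sets SUDO_USER to the invoking user; the new device is owned by
    # that user, so the program using it can run without root.
    cmd=$(tapctl_plan "$1" "$2" "${SUDO_USER:-}") || {
        echo "usage: tapctl add|del tapN|tunN" >&2
        return 2
    }
    $cmd    # word splitting is intended: every word was validated above
}

# Run only when called with arguments, e.g. "sudo tapctl add tap0".
if [ "$#" -gt 0 ]; then tapctl_main "$@"; fi
```

As written, any member of the group can delete any `tapN`/`tunN` device, including one created for another user.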