0

I am trying to understand the kind of elevated permission that would be required for executing the /sbin/ip command on a linux server. I have basic understanding and I am able to make it work partially. But looking for suggestion on what could be missing in the setup below:

Setup - linux distro SLES 11.3 vm-manager, vm1, vm2. (passwordless auth setup between the 3 for user - test_user)

sudoers file on all servers have this entry:

# Command alias specification
Cmnd_Alias CAL=/sbin/ip
# User configuration to allow user to access commands only from the alias group CAL
test_user ALL=(ALL) NOPASSWD: CAL

From the vm-manager, I am trying to execute ip command as below - 

vm-manager> ssh test_user@vm1 "/sbin/ip addr show”

Successful output.

However, 

vm-manager> ssh test_user@vm1 "/sbin/ip addr del <my VIP>/22 dev eth0”
RTNETLINK answers: Operation not permitted

Why is the 'ip addr del' command not permitted when 'ip addr show' is being permitted..?

vinnar
  • 15
  • 2
  • 8
  • You need to be root to execute `ip addr del`. `ip addr show` is a read-only activity available to non-root users. So, use `sudo`. – codeforester Jan 26 '17 at 19:19
  • I'm no expert in these matters, but wouldn't you want to `sudo` the remote command? If I'm understanding correctly, you've configured `sudo` so that it can be used by `test_user` on `/sbin/ip`, but you aren't actually trying to use `sudo` in your `ssh` remote command -- you're going directly to `/sbin/ip`. Like I say, I'm not familiar with this, so I could be completely wrong, but don't you need to actually invoke `sudo` for it to run a command as root? – Jonathan Gilbert Jan 26 '17 at 19:21
  • Thanks guys. I assumed since I didnt need sudo for `ip addr show`, I wouldnt need for `ip addr del`. But you are right, added sudo in front and it worked. – vinnar Jan 26 '17 at 19:25
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Jan 27 '17 at 03:08

0 Answers0