File: README.sudo

Running fwanalog as a normal user, using sudo

The problem: usually only root can read the logfiles that contain the
firewall logs, so fwanalog.sh must be run as root. However, it is a
fairly complex shell script, and bugs in it could be fatal if exploited.
So it would be nice if normal users could run fwanalog.sh.

Fortunately, there are some solutions for this.

Solution 1: add the user to the admin/wheel/whatever group that can read
the logfiles. However, this grants the user more privileges than are
really necessary.

Solution 2: use Sudo to grant the user the permission to search for
firewall patterns in the system log.

As root, run "visudo"; it edits /etc/sudoers (or wherever it lives on
your system). Be sure to read "man sudo" and "man sudoers" first so that
you know what you are doing.

Add the following lines:

# rules for people who can use fwanalog on this machine
User_Alias      FWANALOG_USERS = {username}
Cmnd_Alias      FWANALOG_ZEGREP = {zegrep command} {zegrep params} {logfiles}
FWANALOG_USERS  ALL = NOPASSWD: FWANALOG_ZEGREP

{username} should be the name of the user who runs fwanalog
{zegrep command} is your zegrep.
    If you want to be really safe, use the full path name, e.g. /bin/zegrep
{zegrep params} is what fwanalog uses for grepping your logfiles. Look
    into fwanalog.sh, locate the function that searches the patterns in
    your logfiles, and copy its command line parameters: -h and the
    pattern, without the quotes, and without "$inputfiles".
{logfiles} should be your logfiles, either as a shell pattern
    (e.g. /var/log/messages*) or specified directly (e.g.
    /var/log/messages /var/log/messages.0)

For example, my sudoers entry on a Linux 2.4 machine looks like this:

User_Alias      FWANALOG_USERS = bb
Cmnd_Alias      FWANALOG_ZEGREP = /bin/zegrep -h IN.+OUT.+SRC.+DST.+LEN.+TTL.+PROTO.+ /var/log/messages*
FWANALOG_USERS  ALL = NOPASSWD: FWANALOG_ZEGREP

Test it by executing "sudo /path/to/zegrep {params} {logfiles}" as the
user. If it works, you can modify the "zegrep=..." line in fwanalog.opts
to 'zegrep="sudo /path/to/zegrep"'.
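Before editing /etc/sudoers it helps to see which command lines the rule above will actually accept. The following script is an added illustration (not part of fwanalog or sudo): it re-implements the argument matching described in sudoers(5), where the command path must match exactly and the arguments are joined with spaces and matched as one string with fnmatch(3) globbing, and runs the README's Cmnd_Alias against the call fwanalog.sh really makes once the shell has expanded /var/log/messages*. The file names are constructed sample values; the real check is still "sudo -l" and the test command from the paragraph above.

```python
"""Dry-run of how sudo matches the README's FWANALOG_ZEGREP alias.

Added example; it models the sudoers(5) rule "command line arguments are
matched as a single, concatenated string", it is not sudo's own code.
"""
import fnmatch
import shlex

# The Cmnd_Alias from the README, split the way sudo parses it
# (command path followed by its argument pattern).
FWANALOG_ZEGREP = shlex.split(
    "/bin/zegrep -h IN.+OUT.+SRC.+DST.+LEN.+TTL.+PROTO.+ /var/log/messages*"
)


def sudo_would_allow(alias: list, argv: list) -> bool:
    """True if argv (command path, then arguments) matches the alias."""
    if not argv or argv[0] != alias[0]:      # the path must match exactly
        return False
    # Arguments are compared as ONE space-joined string, so the '*' in
    # /var/log/messages* legitimately spans several file names.  The same
    # property makes a '*' broader than a per-file glob, which is why the
    # README's explicit file list is the tighter form of the rule.
    want = " ".join(alias[1:])
    got = " ".join(argv[1:])
    return fnmatch.fnmatchcase(got, want)


# What fwanalog.sh hands to sudo after the shell expanded the glob and
# removed the quotes around the pattern (constructed sample paths).
EXPANDED_CALL = [
    "/bin/zegrep", "-h", "IN.+OUT.+SRC.+DST.+LEN.+TTL.+PROTO.+",
    "/var/log/messages", "/var/log/messages.0",
]
# Deviations from the intended invocation that the rule must refuse.
OTHER_FLAG = ["/bin/zegrep", "-i", "IN.+OUT.+SRC.+DST.+LEN.+TTL.+PROTO.+",
              "/var/log/messages"]
OTHER_FILE = ["/bin/zegrep", "-h", "IN.+OUT.+SRC.+DST.+LEN.+TTL.+PROTO.+",
              "/var/log/syslog"]

if __name__ == "__main__":
    for name, call in [("expanded call", EXPANDED_CALL),
                       ("other flag", OTHER_FLAG),
                       ("other file", OTHER_FILE)]:
        print(f"{name:14s} -> {sudo_would_allow(FWANALOG_ZEGREP, call)}")
```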

$Id: README.sudo,v 1.1 2002/03/08 09:06:51 bb Exp $