REQUEST

Listing iptables rules as a non-root user, without providing a sudo password, without setting SUID on the iptables executable, and without typing the sudo keyword.

SOLUTION

In this example, the user maxpatrol is being used.

First, back up your sudoers file:

[root@rhel511 ~]# cp /etc/sudoers /etc/sudoers.$(date +%d%b%y)
[root@rhel511 ~]# ls -l /etc/sudoers*
-r--r----- 1 root root 3515 Apr 20  2017 /etc/sudoers
-r--r----- 1 root root 3515 Nov 19 10:41 /etc/sudoers.19Nov18

Then add the following line to the sudoers file:

maxpatrol ALL=(ALL) NOPASSWD:/sbin/iptables

This allows the user maxpatrol to run the /sbin/iptables executable without entering a password. Since the entry lists no arguments, any arguments to that executable are accepted.

[root@rhel511 ~]# echo "maxpatrol ALL=(ALL) NOPASSWD:/sbin/iptables" >> /etc/sudoers
[root@rhel511 ~]# egrep maxpatrol /etc/sudoers
maxpatrol ALL=(ALL) NOPASSWD:/sbin/iptables

Switch to the maxpatrol user and test whether you can list the iptables rules:

############################
## Without sudo keyword
############################
[root@rhel511 ~]# su - maxpatrol
[maxpatrol@rhel511 ~]$ /sbin/iptables -nvL
iptables v1.3.5: can't initialize iptables table `filter': Permission denied (you must be root)

############################
## With sudo keyword
############################
[maxpatrol@rhel511 ~]$ sudo /sbin/iptables -nvL
Chain INPUT (policy ACCEPT 1 packets, 484 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2 packets, 842 bytes)
 pkts bytes target     prot opt in     out     source               destination

Everything works with the sudo keyword. But I want to avoid typing the sudo keyword, so a trick is needed.

Issue the following commands to create a script:

{
echo "sudo /sbin/iptables \${1}" > /home/maxpatrol/iptables
chmod 500 iptables
ls -l iptables
}
[maxpatrol@rhel511 ~]$ {
> echo "sudo /sbin/iptables \${1}" > /home/maxpatrol/iptables
> chmod 500 iptables
> ls -l iptables
> }

-r-x------ 1 maxpatrol auditor 21 Nov 19 10:52 iptables

Here the script has the same name as the iptables executable. Run the script to verify that it works:

[maxpatrol@rhel511 ~]$ ./iptables -nvL
Chain INPUT (policy ACCEPT 2858K packets, 3924M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2895K packets, 4656M bytes)
 pkts bytes target     prot opt in     out     source               destination

So the script works. The next step of the trick is to have my script called by default instead of the original iptables executable. For this, the script's directory must be added to the PATH variable:

[maxpatrol@rhel511 ~]$ export PATH=/home/maxpatrol:$PATH

Now you should be able to run the script by its name alone:

[maxpatrol@rhel511 ~]$ iptables -nvL
Chain INPUT (policy ACCEPT 3745K packets, 5030M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3764K packets, 5551M bytes)
 pkts bytes target     prot opt in     out     source               destination

As the final step, add the script's directory to the PATH variable in the .bash_profile file so that the change persists across logins:

[maxpatrol@rhel511 ~]$ echo "export PATH=/home/maxpatrol:\${PATH}" >> ~/.bash_profile
[maxpatrol@rhel511 ~]$ egrep PATH ~/.bash_profile
PATH=$PATH:$HOME/bin
export PATH
export PATH=/home/maxpatrol:${PATH}

Log in again and verify once more:

#########################
## Relogin
#########################
[maxpatrol@rhel511 ~]$ exit
logout
[root@rhel511 ~]# su - maxpatrol

#########################
## Ensure the iptables command points to your script
#########################
[maxpatrol@rhel511 ~]$ which iptables
~/iptables

#########################
## Execute command
#########################
[maxpatrol@rhel511 ~]$ iptables -nvL
Chain INPUT (policy ACCEPT 5058K packets, 6191M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5106K packets, 6848M bytes)
 pkts bytes target     prot opt in     out     source               destination

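Two points a practitioner would check in the setup above. The sudoers entry names no arguments, so it lets maxpatrol run any iptables command, including ones that change rules, not only list them; sudoers matches arguments exactly when they are given, so an entry such as "maxpatrol ALL=(root) NOPASSWD: /sbin/iptables -nvL" permits only that exact command line, and editing with visudo instead of echo >> catches a syntax error that would otherwise disable sudo for every user. The wrapper also forwards only its first argument through ${1}. The script below is an added example, not part of the original post: a hardened replacement for the ~/iptables wrapper that forwards every argument with "$@" and refuses anything other than listing options before sudo is called. It assumes the sudoers entry from the page and the path /sbin/iptables; the function names listing_only and run_wrapper are mine.

```shell
#!/bin/sh
# Added example (not from the original post): a hardened replacement for the
# page's ~/iptables wrapper. Assumes the sudoers entry from the page and that
# iptables lives at /sbin/iptables; listing_only and run_wrapper are my names.
# Save as ~/iptables with mode 500, as on the page.

IPTABLES=/sbin/iptables

# Return 0 when every argument is a read-only listing option, 1 otherwise.
# Bundled short options (-nvL) are accepted only if each letter is one of
# n v x L S, so the rule-changing options -A -D -I -R -F -Z -X -P -N -E are
# refused, as is any unknown long option. Bare words are chain names and are
# limited to a conservative character set.
listing_only() {
    expect_table=0
    for arg in "$@"; do
        if [ "$expect_table" -eq 1 ]; then
            # the word after -t / --table must be a known table name
            case "$arg" in
                filter|nat|mangle|raw|security) expect_table=0 ;;
                *) return 1 ;;
            esac
            continue
        fi
        case "$arg" in
            -t|--table) expect_table=1 ;;
            --table=filter|--table=nat|--table=mangle|--table=raw|--table=security) ;;
            --list|--list-rules|--numeric|--verbose|--exact|--line-numbers) ;;
            -[nvxLS]*)
                rest=${arg#-}
                case "$rest" in
                    *[!nvxLS]*) return 1 ;;   # a non-listing letter is bundled in
                esac
                ;;
            -*) return 1 ;;                   # any other option is refused
            *[!A-Za-z0-9_.-]*) return 1 ;;    # chain name with odd characters
            *) ;;                             # plain chain name, e.g. INPUT
        esac
    done
    # a trailing -t with no table name is rejected as well
    [ "$expect_table" -eq 0 ]
}

# Refuse anything that is not a listing; otherwise hand the full argument
# list to iptables through sudo. Exit status 2 marks a refused invocation.
run_wrapper() {
    if ! listing_only "$@"; then
        echo "iptables wrapper: only listing options are allowed" >&2
        return 2
    fi
    exec sudo "$IPTABLES" "$@"
}

# Dispatch only when run as a command with arguments, so the file can also be
# sourced to exercise the functions above without touching sudo.
if [ "$#" -gt 0 ]; then
    run_wrapper "$@"
fi
```

Because the home directory now sits first in PATH, anything placed there under a command's name runs instead of the system binary, so that directory should stay writable by maxpatrol alone; the wrapper's mode 500 from the page keeps the script itself from being edited by other users.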
Version  : 10:32 AM 20.11.2018
Platform : Red Hat Enterprise Linux Server release 5.7 (Tikanga)