From: Eric Crist
Date: Tue, 4 Sep 2007 10:10:31 -0500
To: Bill Moran
Cc: Juri Mianovich, freebsd-questions@freebsd.org
Subject: Re: allowing non-root to "ipfw show" ?

On Sep 4, 2007, at 9:55 AM, Bill Moran wrote:

> In response to Juri Mianovich:
>
>> Is there any way to allow a non-root user the ability
>> to view firewall rules with:
>>
>> ipfw show
>>
>> I would really like to allow some non-root users to
>> see certain "count" rules I have in place, but they
>> don't seem to be allowed to run 'ipfw' in any
>> capacity.
>>
>> Suggestions ?
>
> sudo will give you this fine-grained control. It's in ports.

To expand on that, a couple lines similar to the following should work for you:

User_Alias IPFWSHOW = user1, user2, user3
IPFWSHOW ALL = NOPASSWD: /sbin/ipfw show

The command they would need to use would be:

$ sudo ipfw show

The entry dictates that there would be no additional password required. It also limits them to ipfw show, and they're not able to use ipfw add, delete, etc.

HTH

-----
Eric F Crist
Secure Computing Networks
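
Added example, not part of the original message and not sudo's own code: a simplified Python model of the argument-matching rules documented in sudoers(5), showing which ipfw invocations the entry in the message permits compared with two looser entries. The function names, the sample invocations and the two looser entries are constructed for illustration, and the command path is assumed to be already resolved to /sbin/ipfw.

```python
"""Simplified model of sudoers(5) Cmnd argument matching (illustrative only)."""
from fnmatch import fnmatchcase


def cmnd_allows(spec, argv):
    """Return True if the sudoers Cmnd `spec` permits the command line `argv`.

    Models three documented rules:
      path alone            -> any arguments are accepted
      path followed by ""   -> only the bare command is accepted
      path followed by args -> arguments must match exactly, or by wildcard,
                               compared as one space-joined string
    Assumption: argv[0] has already been resolved to a full path.
    """
    spec_path, _, spec_args = spec.strip().partition(" ")
    spec_args = spec_args.strip()
    if argv[0] != spec_path:
        return False
    user_args = " ".join(argv[1:])
    if not spec_args:
        return True
    if spec_args == '""':
        return user_args == ""
    return fnmatchcase(user_args, spec_args)


# Constructed sample invocations, as seen after path lookup.
INVOCATIONS = [
    ["/sbin/ipfw", "show"],
    ["/sbin/ipfw", "show", "100"],
    ["/sbin/ipfw", "-a", "list"],
    ["/sbin/ipfw", "add", "100", "allow", "ip", "from", "any", "to", "any"],
    ["/sbin/ipfw", "delete", "100"],
]

# The first spec is the one from the message; the other two are constructed.
SPECS = {
    "entry from the message": "/sbin/ipfw show",
    "no arguments listed": "/sbin/ipfw",
    "trailing wildcard": "/sbin/ipfw show *",
}


def audit(specs=SPECS, invocations=INVOCATIONS):
    """Map each spec label to the argument strings it would permit."""
    return {label: [" ".join(a[1:]) for a in invocations if cmnd_allows(spec, a)]
            for label, spec in specs.items()}


if __name__ == "__main__":
    for label, allowed in audit().items():
        print(f"{label:24} permits: {allowed}")
```

On a real system, `visudo -c` checks the syntax of the installed sudoers file and `sudo -l -U user1` lists what a given user is actually permitted to run.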