What script could allow regular users to use network namespaces?

Question

I have an architecture using network namespaces (netns). I would like to allow regular users to do some operations in these netns.

I could write a script netns-exec.sh, inspired by this post, executed with sudo, containing:

ip netns exec $1 su $USER -c "$2"

and add to my sudoer file:

user ALL=(ALL) /path/to/netns-exec.sh

But I find it so ugly I could totally have nightmares about it. Is there a better solution to allow regular users to use namespaces? Is it possible to put users to some useful groups? I searched about it but found nothing.

why dont you define `Cmd_Alias CMD_NETNS = ip netns exec [regexp matching your namespace] su [regexp matching allowed used] -c [regexp matching allowed namespace command]` in your sudoers file and then create a group in which you put your allowed users, and associate this group to this command alias. — netmonk, Sep 14 '15 at 11:50
It's the `sudo` containing a `su` that annoys me, not the script itself. Anyway I'll write a script to wrap the thing. It makes 2 user switches, that's really ugly, don't you think ? — Raspbeguy, Sep 14 '15 at 12:09
That should scare you. The user could modify $USER to be root. — Stephen, Dec 14 '15 at 14:21
Yes, and it does scares me. But I figured out later that `sudo` provided a specific variable `$SUDO_USER`, which is safer. But that's still ugly. — Raspbeguy, Dec 14 '15 at 16:17

intika · Answer 1 · 2019-06-02T01:54:41.413

3

Firejail can do the job

firejail --noprofile --netns=nameOfNetSpace command

Alternatively Netns-Exec, Nsutils and Netns does not require root

edited Jun 02 '19 at 01:54

answered Apr 28 '19 at 06:20

intika

13,920
7
41
79

2

you must have root privileges to use "ip netns" – Shōgun8 May 11 '22 at 21:27

Taz8du29 · Answer 2 · 2017-05-18T19:46:21.920

2

Solution 1

Just add a group called "netns" add all the wanted users to it. Then give ownership to root:netns and give read/exec capabilities to the group.

In other terms :

# New group netns
sudo groupadd --system netns

# Add root to "netns", not sure if needed
sudo usermod -aG netns root

# Do this for every needed user
sudo usermod -aG netns $UserName

# Change ownership to root, grant rw acces to group netns
sudo chown root:netns /path/to/netns-exec.sh
sudo chmod 633 /path/to/netns-exec.sh

Solution 2

This solution is simpler, you have to edit you sudoers file as shown in this example.

user ALL=(ALL) /bin/ip netns

edited May 18 '17 at 19:46

answered May 18 '17 at 19:39

Taz8du29

301
3
10

Well, solution 1 is impossible, the command `ip netns` will return an error saying that only root can execute it. Solution 2 is what I had initially in mind, but wasn't satisfying in my opinion. – Raspbeguy May 28 '17 at 13:06
1

This `chmod 0633` would give `write+execute` permissions to all users and to the `netns` group. I suspect you wanted to set the SGID bit on the script, but as @Angelo mentioned: `setuid` and `setgid` is ignored for shell scripts, and [for good reason](http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html "Section - How can I get setuid shell scripts to work?"). – ckujau Aug 31 '17 at 06:48

score 1 · Answer 3 · answered Oct 09 '22 at 19:56

1

Not a script, but I wrote an ultra-minimalist and hopefully-paranoid-enough C program that allows a non-root user to execute a process inside a Linux network namespace.

The source code is here: netns-exec.c

answered Oct 09 '22 at 19:56

mpb

1,501
1
15
23

score -2 · Answer 4 · answered Nov 28 '16 at 04:25

Personally I do not know if there is possibility to permit regular users to run commands in different network namespaces, but this annotated shell script may better suit your needs:

#!/bin/bash
# ip netns wrapper script, nns.
# Usage: nns nsname cmdline

case "${1}" in
    do)
        shift # remove "do"
        NSNAME="${1}" # remember nsname
        shift # remove nsname to get argument list for su -c
        [ -z "${NSNAME}" -o -z "${1}" ] && exit 1 # if either nsname or arglist is empty - error out
        echo ip netns exec "${NSNAME}" su "${SUDO_USER}" -c "${*}" # execute, ${*} merges separate arguments into single word for su/sh -c parsing. See with strace.
    ;;
    *)
        SCRIPTNAME="${0}" # remember script full path
        exec sudo "${SCRIPTNAME}" do "${@}" # run it through sudo with elevated privileges
    ;;
esac

Install it somewhere in /usr/bin and allow your users to execute it.

Thanks for your response (and sorry for noticing several months after). But the problem remains the same, that is to say using sudo. — Raspbeguy, May 13 '17 at 21:03

What script could allow regular users to use network namespaces?

4 Answers4

Linked