How to check UFW status without sudo (or being root)?
I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.
How can I allow any user X to do the ufw status without being root or asking for sudo password?
UPDATE:
I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:
sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status
Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:
sudo visudo -f /etc/sudoers.d/ufwstatus
Now just follow the accepted answer below.
sudo firewall ufw
|
show 10 more comments
I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.
How can I allow any user X to do the ufw status without being root or asking for sudo password?
UPDATE:
I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:
sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status
Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:
sudo visudo -f /etc/sudoers.d/ufwstatus
Now just follow the accepted answer below.
sudo firewall ufw
Would it be an option to runsudo ufw ...without password? I doubt that running firewall things without root privilege will work.
– Thomas
11 hours ago
No, that would open a huge security hole.
– not2qubit
11 hours ago
What would be the difference between to allow a group using ufw without and with sudo?
– Thomas
11 hours ago
Well it depend on what you mean. If you mean to justchmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.
– not2qubit
11 hours ago
1
Possible duplicate of How do I run specific sudo commands without a password?
– Charles Green
10 hours ago
|
show 10 more comments
I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.
How can I allow any user X to do the ufw status without being root or asking for sudo password?
UPDATE:
I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:
sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status
Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:
sudo visudo -f /etc/sudoers.d/ufwstatus
Now just follow the accepted answer below.
sudo firewall ufw
I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.
How can I allow any user X to do the ufw status without being root or asking for sudo password?
UPDATE:
I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:
sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status
Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:
sudo visudo -f /etc/sudoers.d/ufwstatus
Now just follow the accepted answer below.
sudo firewall ufw
sudo firewall ufw
edited 4 hours ago
not2qubit
asked 12 hours ago
not2qubitnot2qubit
295210
295210
Would it be an option to runsudo ufw ...without password? I doubt that running firewall things without root privilege will work.
– Thomas
11 hours ago
No, that would open a huge security hole.
– not2qubit
11 hours ago
What would be the difference between to allow a group using ufw without and with sudo?
– Thomas
11 hours ago
Well it depend on what you mean. If you mean to justchmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.
– not2qubit
11 hours ago
1
Possible duplicate of How do I run specific sudo commands without a password?
– Charles Green
10 hours ago
|
show 10 more comments
Would it be an option to runsudo ufw ...without password? I doubt that running firewall things without root privilege will work.
– Thomas
11 hours ago
No, that would open a huge security hole.
– not2qubit
11 hours ago
What would be the difference between to allow a group using ufw without and with sudo?
– Thomas
11 hours ago
Well it depend on what you mean. If you mean to justchmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.
– not2qubit
11 hours ago
1
Possible duplicate of How do I run specific sudo commands without a password?
– Charles Green
10 hours ago
Would it be an option to run
sudo ufw ... without password? I doubt that running firewall things without root privilege will work.– Thomas
11 hours ago
Would it be an option to run
sudo ufw ... without password? I doubt that running firewall things without root privilege will work.– Thomas
11 hours ago
No, that would open a huge security hole.
– not2qubit
11 hours ago
No, that would open a huge security hole.
– not2qubit
11 hours ago
What would be the difference between to allow a group using ufw without and with sudo?
– Thomas
11 hours ago
What would be the difference between to allow a group using ufw without and with sudo?
– Thomas
11 hours ago
Well it depend on what you mean. If you mean to just
chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.– not2qubit
11 hours ago
Well it depend on what you mean. If you mean to just
chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.– not2qubit
11 hours ago
1
1
Possible duplicate of How do I run specific sudo commands without a password?
– Charles Green
10 hours ago
Possible duplicate of How do I run specific sudo commands without a password?
– Charles Green
10 hours ago
|
show 10 more comments
1 Answer
1
active
oldest
votes
Here's an /etc/sudoers.d/ file that works for me:
$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status
%ufwstatus ALL=NOPASSWD: UFWSTATUS
Then add the new "ufwstatus" group (here added as a system group):
sudo groupadd -r ufwstatus
Your otherwise non-privileged user must be added to the ufwstatus group e.g.
sudo gpasswd --add testuser ufwstatus
In order for the change to take effect, the user needs to log in again:
su - testuser
Then
testuser@xenial-vm:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24
but other ufw commands are disallowed (even slight variants, such as status --verbose):
testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.
testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.
Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1)su - testuserdidn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic,sudo ufw enable/disableandsudo ufw status verbosenow also works without password.
– not2qubit
4 hours ago
Nice answer - and avoids the "too much permission" problem!
– Charles Green
3 hours ago
@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should
– steeldriver
3 hours ago
I hadn't noticed that - I would have to try this in my VM
– Charles Green
3 hours ago
BTW. I am running this onMint 19.1 (Xfce), if that matters.
– not2qubit
3 hours ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1117134%2fhow-to-check-ufw-status-without-sudo-or-being-root%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Here's an /etc/sudoers.d/ file that works for me:
$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status
%ufwstatus ALL=NOPASSWD: UFWSTATUS
Then add the new "ufwstatus" group (here added as a system group):
sudo groupadd -r ufwstatus
Your otherwise non-privileged user must be added to the ufwstatus group e.g.
sudo gpasswd --add testuser ufwstatus
In order for the change to take effect, the user needs to log in again:
su - testuser
Then
testuser@xenial-vm:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24
but other ufw commands are disallowed (even slight variants, such as status --verbose):
testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.
testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.
Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1)su - testuserdidn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic,sudo ufw enable/disableandsudo ufw status verbosenow also works without password.
– not2qubit
4 hours ago
Nice answer - and avoids the "too much permission" problem!
– Charles Green
3 hours ago
@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should
– steeldriver
3 hours ago
I hadn't noticed that - I would have to try this in my VM
– Charles Green
3 hours ago
BTW. I am running this onMint 19.1 (Xfce), if that matters.
– not2qubit
3 hours ago
add a comment |
Here's an /etc/sudoers.d/ file that works for me:
$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status
%ufwstatus ALL=NOPASSWD: UFWSTATUS
Then add the new "ufwstatus" group (here added as a system group):
sudo groupadd -r ufwstatus
Your otherwise non-privileged user must be added to the ufwstatus group e.g.
sudo gpasswd --add testuser ufwstatus
In order for the change to take effect, the user needs to log in again:
su - testuser
Then
testuser@xenial-vm:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24
but other ufw commands are disallowed (even slight variants, such as status --verbose):
testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.
testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.
Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1)su - testuserdidn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic,sudo ufw enable/disableandsudo ufw status verbosenow also works without password.
– not2qubit
4 hours ago
Nice answer - and avoids the "too much permission" problem!
– Charles Green
3 hours ago
@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should
– steeldriver
3 hours ago
I hadn't noticed that - I would have to try this in my VM
– Charles Green
3 hours ago
BTW. I am running this onMint 19.1 (Xfce), if that matters.
– not2qubit
3 hours ago
add a comment |
Here's an /etc/sudoers.d/ file that works for me:
$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status
%ufwstatus ALL=NOPASSWD: UFWSTATUS
Then add the new "ufwstatus" group (here added as a system group):
sudo groupadd -r ufwstatus
Your otherwise non-privileged user must be added to the ufwstatus group e.g.
sudo gpasswd --add testuser ufwstatus
In order for the change to take effect, the user needs to log in again:
su - testuser
Then
testuser@xenial-vm:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24
but other ufw commands are disallowed (even slight variants, such as status --verbose):
testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.
testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.
Here's an /etc/sudoers.d/ file that works for me:
$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status
%ufwstatus ALL=NOPASSWD: UFWSTATUS
Then add the new "ufwstatus" group (here added as a system group):
sudo groupadd -r ufwstatus
Your otherwise non-privileged user must be added to the ufwstatus group e.g.
sudo gpasswd --add testuser ufwstatus
In order for the change to take effect, the user needs to log in again:
su - testuser
Then
testuser@xenial-vm:~$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24
but other ufw commands are disallowed (even slight variants, such as status --verbose):
testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.
testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.
edited 4 hours ago
not2qubit
295210
295210
answered 6 hours ago
steeldriversteeldriver
67.6k11110181
67.6k11110181
Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1)su - testuserdidn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic,sudo ufw enable/disableandsudo ufw status verbosenow also works without password.
– not2qubit
4 hours ago
Nice answer - and avoids the "too much permission" problem!
– Charles Green
3 hours ago
@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should
– steeldriver
3 hours ago
I hadn't noticed that - I would have to try this in my VM
– Charles Green
3 hours ago
BTW. I am running this onMint 19.1 (Xfce), if that matters.
– not2qubit
3 hours ago
add a comment |
Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1)su - testuserdidn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic,sudo ufw enable/disableandsudo ufw status verbosenow also works without password.
– not2qubit
4 hours ago
Nice answer - and avoids the "too much permission" problem!
– Charles Green
3 hours ago
@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should
– steeldriver
3 hours ago
I hadn't noticed that - I would have to try this in my VM
– Charles Green
3 hours ago
BTW. I am running this onMint 19.1 (Xfce), if that matters.
– not2qubit
3 hours ago
Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1)
su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.– not2qubit
4 hours ago
Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1)
su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.– not2qubit
4 hours ago
Nice answer - and avoids the "too much permission" problem!
– Charles Green
3 hours ago
Nice answer - and avoids the "too much permission" problem!
– Charles Green
3 hours ago
@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should
– steeldriver
3 hours ago
@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should
– steeldriver
3 hours ago
I hadn't noticed that - I would have to try this in my VM
– Charles Green
3 hours ago
I hadn't noticed that - I would have to try this in my VM
– Charles Green
3 hours ago
BTW. I am running this on
Mint 19.1 (Xfce), if that matters.– not2qubit
3 hours ago
BTW. I am running this on
Mint 19.1 (Xfce), if that matters.– not2qubit
3 hours ago
add a comment |
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1117134%2fhow-to-check-ufw-status-without-sudo-or-being-root%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Would it be an option to run
sudo ufw ...without password? I doubt that running firewall things without root privilege will work.– Thomas
11 hours ago
No, that would open a huge security hole.
– not2qubit
11 hours ago
What would be the difference between to allow a group using ufw without and with sudo?
– Thomas
11 hours ago
Well it depend on what you mean. If you mean to just
chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.– not2qubit
11 hours ago
1
Possible duplicate of How do I run specific sudo commands without a password?
– Charles Green
10 hours ago