How to check UFW status without sudo (or being root)?












3















I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.



How can I allow any user X to do the ufw status without being root or asking for sudo password?





UPDATE:



I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:



sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status


Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:



sudo visudo -f /etc/sudoers.d/ufwstatus


Now just follow the accepted answer below.










share|improve this question

























  • Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

    – Thomas
    11 hours ago











  • No, that would open a huge security hole.

    – not2qubit
    11 hours ago











  • What would be the difference between to allow a group using ufw without and with sudo?

    – Thomas
    11 hours ago











  • Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

    – not2qubit
    11 hours ago






  • 1





    Possible duplicate of How do I run specific sudo commands without a password?

    – Charles Green
    10 hours ago
















3















I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.



How can I allow any user X to do the ufw status without being root or asking for sudo password?





UPDATE:



I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:



sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status


Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:



sudo visudo -f /etc/sudoers.d/ufwstatus


Now just follow the accepted answer below.










share|improve this question

























  • Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

    – Thomas
    11 hours ago











  • No, that would open a huge security hole.

    – not2qubit
    11 hours ago











  • What would be the difference between to allow a group using ufw without and with sudo?

    – Thomas
    11 hours ago











  • Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

    – not2qubit
    11 hours ago






  • 1





    Possible duplicate of How do I run specific sudo commands without a password?

    – Charles Green
    10 hours ago














3












3








3








I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.



How can I allow any user X to do the ufw status without being root or asking for sudo password?





UPDATE:



I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:



sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status


Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:



sudo visudo -f /etc/sudoers.d/ufwstatus


Now just follow the accepted answer below.










share|improve this question
















I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.



How can I allow any user X to do the ufw status without being root or asking for sudo password?





UPDATE:



I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:



sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status


Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:



sudo visudo -f /etc/sudoers.d/ufwstatus


Now just follow the accepted answer below.







sudo firewall ufw






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 4 hours ago







not2qubit

















asked 12 hours ago









not2qubitnot2qubit

295210




295210













  • Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

    – Thomas
    11 hours ago











  • No, that would open a huge security hole.

    – not2qubit
    11 hours ago











  • What would be the difference between to allow a group using ufw without and with sudo?

    – Thomas
    11 hours ago











  • Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

    – not2qubit
    11 hours ago






  • 1





    Possible duplicate of How do I run specific sudo commands without a password?

    – Charles Green
    10 hours ago



















  • Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

    – Thomas
    11 hours ago











  • No, that would open a huge security hole.

    – not2qubit
    11 hours ago











  • What would be the difference between to allow a group using ufw without and with sudo?

    – Thomas
    11 hours ago











  • Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

    – not2qubit
    11 hours ago






  • 1





    Possible duplicate of How do I run specific sudo commands without a password?

    – Charles Green
    10 hours ago

















Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

– Thomas
11 hours ago





Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

– Thomas
11 hours ago













No, that would open a huge security hole.

– not2qubit
11 hours ago





No, that would open a huge security hole.

– not2qubit
11 hours ago













What would be the difference between to allow a group using ufw without and with sudo?

– Thomas
11 hours ago





What would be the difference between to allow a group using ufw without and with sudo?

– Thomas
11 hours ago













Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

– not2qubit
11 hours ago





Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

– not2qubit
11 hours ago




1




1





Possible duplicate of How do I run specific sudo commands without a password?

– Charles Green
10 hours ago





Possible duplicate of How do I run specific sudo commands without a password?

– Charles Green
10 hours ago










1 Answer
1






active

oldest

votes


















2














Here's an /etc/sudoers.d/ file that works for me:



$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status

%ufwstatus ALL=NOPASSWD: UFWSTATUS


Then add the new "ufwstatus" group (here added as a system group):



sudo groupadd -r ufwstatus


Your otherwise non-privileged user must be added to the ufwstatus group e.g.



sudo gpasswd --add testuser ufwstatus


In order for the change to take effect, the user needs to log in again:



su - testuser


Then



testuser@xenial-vm:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24


but other ufw commands are disallowed (even slight variants, such as status --verbose):



testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.





share|improve this answer


























  • Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

    – not2qubit
    4 hours ago













  • Nice answer - and avoids the "too much permission" problem!

    – Charles Green
    3 hours ago











  • @CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

    – steeldriver
    3 hours ago











  • I hadn't noticed that - I would have to try this in my VM

    – Charles Green
    3 hours ago











  • BTW. I am running this on Mint 19.1 (Xfce), if that matters.

    – not2qubit
    3 hours ago











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1117134%2fhow-to-check-ufw-status-without-sudo-or-being-root%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









2














Here's an /etc/sudoers.d/ file that works for me:



$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status

%ufwstatus ALL=NOPASSWD: UFWSTATUS


Then add the new "ufwstatus" group (here added as a system group):



sudo groupadd -r ufwstatus


Your otherwise non-privileged user must be added to the ufwstatus group e.g.



sudo gpasswd --add testuser ufwstatus


In order for the change to take effect, the user needs to log in again:



su - testuser


Then



testuser@xenial-vm:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24


but other ufw commands are disallowed (even slight variants, such as status --verbose):



testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.





share|improve this answer


























  • Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

    – not2qubit
    4 hours ago













  • Nice answer - and avoids the "too much permission" problem!

    – Charles Green
    3 hours ago











  • @CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

    – steeldriver
    3 hours ago











  • I hadn't noticed that - I would have to try this in my VM

    – Charles Green
    3 hours ago











  • BTW. I am running this on Mint 19.1 (Xfce), if that matters.

    – not2qubit
    3 hours ago
















2














Here's an /etc/sudoers.d/ file that works for me:



$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status

%ufwstatus ALL=NOPASSWD: UFWSTATUS


Then add the new "ufwstatus" group (here added as a system group):



sudo groupadd -r ufwstatus


Your otherwise non-privileged user must be added to the ufwstatus group e.g.



sudo gpasswd --add testuser ufwstatus


In order for the change to take effect, the user needs to log in again:



su - testuser


Then



testuser@xenial-vm:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24


but other ufw commands are disallowed (even slight variants, such as status --verbose):



testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.





share|improve this answer


























  • Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

    – not2qubit
    4 hours ago













  • Nice answer - and avoids the "too much permission" problem!

    – Charles Green
    3 hours ago











  • @CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

    – steeldriver
    3 hours ago











  • I hadn't noticed that - I would have to try this in my VM

    – Charles Green
    3 hours ago











  • BTW. I am running this on Mint 19.1 (Xfce), if that matters.

    – not2qubit
    3 hours ago














2












2








2







Here's an /etc/sudoers.d/ file that works for me:



$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status

%ufwstatus ALL=NOPASSWD: UFWSTATUS


Then add the new "ufwstatus" group (here added as a system group):



sudo groupadd -r ufwstatus


Your otherwise non-privileged user must be added to the ufwstatus group e.g.



sudo gpasswd --add testuser ufwstatus


In order for the change to take effect, the user needs to log in again:



su - testuser


Then



testuser@xenial-vm:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24


but other ufw commands are disallowed (even slight variants, such as status --verbose):



testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.





share|improve this answer















Here's an /etc/sudoers.d/ file that works for me:



$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status

%ufwstatus ALL=NOPASSWD: UFWSTATUS


Then add the new "ufwstatus" group (here added as a system group):



sudo groupadd -r ufwstatus


Your otherwise non-privileged user must be added to the ufwstatus group e.g.



sudo gpasswd --add testuser ufwstatus


In order for the change to take effect, the user needs to log in again:



su - testuser


Then



testuser@xenial-vm:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24


but other ufw commands are disallowed (even slight variants, such as status --verbose):



testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.






share|improve this answer














share|improve this answer



share|improve this answer








edited 4 hours ago









not2qubit

295210




295210










answered 6 hours ago









steeldriversteeldriver

67.6k11110181




67.6k11110181













  • Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

    – not2qubit
    4 hours ago













  • Nice answer - and avoids the "too much permission" problem!

    – Charles Green
    3 hours ago











  • @CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

    – steeldriver
    3 hours ago











  • I hadn't noticed that - I would have to try this in my VM

    – Charles Green
    3 hours ago











  • BTW. I am running this on Mint 19.1 (Xfce), if that matters.

    – not2qubit
    3 hours ago



















  • Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

    – not2qubit
    4 hours ago













  • Nice answer - and avoids the "too much permission" problem!

    – Charles Green
    3 hours ago











  • @CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

    – steeldriver
    3 hours ago











  • I hadn't noticed that - I would have to try this in my VM

    – Charles Green
    3 hours ago











  • BTW. I am running this on Mint 19.1 (Xfce), if that matters.

    – not2qubit
    3 hours ago

















Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

– not2qubit
4 hours ago







Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

– not2qubit
4 hours ago















Nice answer - and avoids the "too much permission" problem!

– Charles Green
3 hours ago





Nice answer - and avoids the "too much permission" problem!

– Charles Green
3 hours ago













@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

– steeldriver
3 hours ago





@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

– steeldriver
3 hours ago













I hadn't noticed that - I would have to try this in my VM

– Charles Green
3 hours ago





I hadn't noticed that - I would have to try this in my VM

– Charles Green
3 hours ago













BTW. I am running this on Mint 19.1 (Xfce), if that matters.

– not2qubit
3 hours ago





BTW. I am running this on Mint 19.1 (Xfce), if that matters.

– not2qubit
3 hours ago


















draft saved

draft discarded




















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1117134%2fhow-to-check-ufw-status-without-sudo-or-being-root%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Category:香港粉麵

List *all* the tuples!

Channel [V]