How to check UFW status without sudo (or being root)? [duplicate]





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







3
















This question already has an answer here:




  • How do I run specific sudo commands without a password?

    2 answers




I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.



How can I allow any user X to do the ufw status without being root or asking for sudo password?





UPDATE:



I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:



sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status


Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:



sudo visudo -f /etc/sudoers.d/ufwstatus


Now just follow the accepted answer below.










share|improve this question















marked as duplicate by vidarlo, Charles Green, karel, Fabby, Warren Hill Feb 11 at 15:35


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.



















  • Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

    – Thomas
    Feb 10 at 14:17











  • No, that would open a huge security hole.

    – not2qubit
    Feb 10 at 14:37











  • What would be the difference between to allow a group using ufw without and with sudo?

    – Thomas
    Feb 10 at 14:40











  • Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

    – not2qubit
    Feb 10 at 14:53











  • One doesn't need sudo - simply service ufw status

    – waltinator
    Feb 10 at 15:28


















3
















This question already has an answer here:




  • How do I run specific sudo commands without a password?

    2 answers




I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.



How can I allow any user X to do the ufw status without being root or asking for sudo password?





UPDATE:



I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:



sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status


Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:



sudo visudo -f /etc/sudoers.d/ufwstatus


Now just follow the accepted answer below.










share|improve this question















marked as duplicate by vidarlo, Charles Green, karel, Fabby, Warren Hill Feb 11 at 15:35


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.



















  • Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

    – Thomas
    Feb 10 at 14:17











  • No, that would open a huge security hole.

    – not2qubit
    Feb 10 at 14:37











  • What would be the difference between to allow a group using ufw without and with sudo?

    – Thomas
    Feb 10 at 14:40











  • Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

    – not2qubit
    Feb 10 at 14:53











  • One doesn't need sudo - simply service ufw status

    – waltinator
    Feb 10 at 15:28














3












3








3









This question already has an answer here:




  • How do I run specific sudo commands without a password?

    2 answers




I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.



How can I allow any user X to do the ufw status without being root or asking for sudo password?





UPDATE:



I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:



sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status


Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:



sudo visudo -f /etc/sudoers.d/ufwstatus


Now just follow the accepted answer below.










share|improve this question

















This question already has an answer here:




  • How do I run specific sudo commands without a password?

    2 answers




I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.



How can I allow any user X to do the ufw status without being root or asking for sudo password?





UPDATE:



I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:



sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status


Don't do That! You will not be able to do sudo or login again. I had to do a boot recovery. Instead use:



sudo visudo -f /etc/sudoers.d/ufwstatus


Now just follow the accepted answer below.





This question already has an answer here:




  • How do I run specific sudo commands without a password?

    2 answers








sudo firewall ufw






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 10 at 21:53







not2qubit

















asked Feb 10 at 13:30









not2qubitnot2qubit

292210




292210




marked as duplicate by vidarlo, Charles Green, karel, Fabby, Warren Hill Feb 11 at 15:35


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.









marked as duplicate by vidarlo, Charles Green, karel, Fabby, Warren Hill Feb 11 at 15:35


This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.















  • Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

    – Thomas
    Feb 10 at 14:17











  • No, that would open a huge security hole.

    – not2qubit
    Feb 10 at 14:37











  • What would be the difference between to allow a group using ufw without and with sudo?

    – Thomas
    Feb 10 at 14:40











  • Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

    – not2qubit
    Feb 10 at 14:53











  • One doesn't need sudo - simply service ufw status

    – waltinator
    Feb 10 at 15:28



















  • Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

    – Thomas
    Feb 10 at 14:17











  • No, that would open a huge security hole.

    – not2qubit
    Feb 10 at 14:37











  • What would be the difference between to allow a group using ufw without and with sudo?

    – Thomas
    Feb 10 at 14:40











  • Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

    – not2qubit
    Feb 10 at 14:53











  • One doesn't need sudo - simply service ufw status

    – waltinator
    Feb 10 at 15:28

















Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

– Thomas
Feb 10 at 14:17





Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.

– Thomas
Feb 10 at 14:17













No, that would open a huge security hole.

– not2qubit
Feb 10 at 14:37





No, that would open a huge security hole.

– not2qubit
Feb 10 at 14:37













What would be the difference between to allow a group using ufw without and with sudo?

– Thomas
Feb 10 at 14:40





What would be the difference between to allow a group using ufw without and with sudo?

– Thomas
Feb 10 at 14:40













Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

– not2qubit
Feb 10 at 14:53





Well it depend on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.

– not2qubit
Feb 10 at 14:53













One doesn't need sudo - simply service ufw status

– waltinator
Feb 10 at 15:28





One doesn't need sudo - simply service ufw status

– waltinator
Feb 10 at 15:28










1 Answer
1






active

oldest

votes


















2














Here's an /etc/sudoers.d/ file that works for me:



$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status

%ufwstatus ALL=NOPASSWD: UFWSTATUS


Then add the new "ufwstatus" group (here added as a system group):



sudo groupadd -r ufwstatus


Your otherwise non-privileged user must be added to the ufwstatus group e.g.



sudo gpasswd --add testuser ufwstatus


In order for the change to take effect, the user needs to log in again:



su - testuser


Then



testuser@xenial-vm:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24


but other ufw commands are disallowed (even slight variants, such as status --verbose):



testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.





share|improve this answer


























  • Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

    – not2qubit
    Feb 10 at 21:45













  • Nice answer - and avoids the "too much permission" problem!

    – Charles Green
    Feb 10 at 22:27











  • @CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

    – steeldriver
    Feb 10 at 22:31











  • I hadn't noticed that - I would have to try this in my VM

    – Charles Green
    Feb 10 at 22:33











  • BTW. I am running this on Mint 19.1 (Xfce), if that matters.

    – not2qubit
    Feb 10 at 22:37


















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









2














Here's an /etc/sudoers.d/ file that works for me:



$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status

%ufwstatus ALL=NOPASSWD: UFWSTATUS


Then add the new "ufwstatus" group (here added as a system group):



sudo groupadd -r ufwstatus


Your otherwise non-privileged user must be added to the ufwstatus group e.g.



sudo gpasswd --add testuser ufwstatus


In order for the change to take effect, the user needs to log in again:



su - testuser


Then



testuser@xenial-vm:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24


but other ufw commands are disallowed (even slight variants, such as status --verbose):



testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.





share|improve this answer


























  • Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

    – not2qubit
    Feb 10 at 21:45













  • Nice answer - and avoids the "too much permission" problem!

    – Charles Green
    Feb 10 at 22:27











  • @CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

    – steeldriver
    Feb 10 at 22:31











  • I hadn't noticed that - I would have to try this in my VM

    – Charles Green
    Feb 10 at 22:33











  • BTW. I am running this on Mint 19.1 (Xfce), if that matters.

    – not2qubit
    Feb 10 at 22:37
















2














Here's an /etc/sudoers.d/ file that works for me:



$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status

%ufwstatus ALL=NOPASSWD: UFWSTATUS


Then add the new "ufwstatus" group (here added as a system group):



sudo groupadd -r ufwstatus


Your otherwise non-privileged user must be added to the ufwstatus group e.g.



sudo gpasswd --add testuser ufwstatus


In order for the change to take effect, the user needs to log in again:



su - testuser


Then



testuser@xenial-vm:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24


but other ufw commands are disallowed (even slight variants, such as status --verbose):



testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.





share|improve this answer


























  • Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

    – not2qubit
    Feb 10 at 21:45













  • Nice answer - and avoids the "too much permission" problem!

    – Charles Green
    Feb 10 at 22:27











  • @CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

    – steeldriver
    Feb 10 at 22:31











  • I hadn't noticed that - I would have to try this in my VM

    – Charles Green
    Feb 10 at 22:33











  • BTW. I am running this on Mint 19.1 (Xfce), if that matters.

    – not2qubit
    Feb 10 at 22:37














2












2








2







Here's an /etc/sudoers.d/ file that works for me:



$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status

%ufwstatus ALL=NOPASSWD: UFWSTATUS


Then add the new "ufwstatus" group (here added as a system group):



sudo groupadd -r ufwstatus


Your otherwise non-privileged user must be added to the ufwstatus group e.g.



sudo gpasswd --add testuser ufwstatus


In order for the change to take effect, the user needs to log in again:



su - testuser


Then



testuser@xenial-vm:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24


but other ufw commands are disallowed (even slight variants, such as status --verbose):



testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.





share|improve this answer















Here's an /etc/sudoers.d/ file that works for me:



$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status

%ufwstatus ALL=NOPASSWD: UFWSTATUS


Then add the new "ufwstatus" group (here added as a system group):



sudo groupadd -r ufwstatus


Your otherwise non-privileged user must be added to the ufwstatus group e.g.



sudo gpasswd --add testuser ufwstatus


In order for the change to take effect, the user needs to log in again:



su - testuser


Then



testuser@xenial-vm:~$ sudo ufw status
Status: active

To Action From
-- ------ ----
22/tcp ALLOW 192.168.1.0/24
3389/tcp ALLOW 192.168.1.0/24
111 ALLOW 192.168.1.0/24
2049 ALLOW 192.168.1.0/24


but other ufw commands are disallowed (even slight variants, such as status --verbose):



testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.






share|improve this answer














share|improve this answer



share|improve this answer








edited Feb 10 at 21:54









not2qubit

292210




292210










answered Feb 10 at 19:19









steeldriversteeldriver

70.7k11115187




70.7k11115187













  • Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

    – not2qubit
    Feb 10 at 21:45













  • Nice answer - and avoids the "too much permission" problem!

    – Charles Green
    Feb 10 at 22:27











  • @CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

    – steeldriver
    Feb 10 at 22:31











  • I hadn't noticed that - I would have to try this in my VM

    – Charles Green
    Feb 10 at 22:33











  • BTW. I am running this on Mint 19.1 (Xfce), if that matters.

    – not2qubit
    Feb 10 at 22:37



















  • Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

    – not2qubit
    Feb 10 at 21:45













  • Nice answer - and avoids the "too much permission" problem!

    – Charles Green
    Feb 10 at 22:27











  • @CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

    – steeldriver
    Feb 10 at 22:31











  • I hadn't noticed that - I would have to try this in my VM

    – Charles Green
    Feb 10 at 22:33











  • BTW. I am running this on Mint 19.1 (Xfce), if that matters.

    – not2qubit
    Feb 10 at 22:37

















Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

– not2qubit
Feb 10 at 21:45







Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also works without password.

– not2qubit
Feb 10 at 21:45















Nice answer - and avoids the "too much permission" problem!

– Charles Green
Feb 10 at 22:27





Nice answer - and avoids the "too much permission" problem!

– Charles Green
Feb 10 at 22:27













@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

– steeldriver
Feb 10 at 22:31





@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should

– steeldriver
Feb 10 at 22:31













I hadn't noticed that - I would have to try this in my VM

– Charles Green
Feb 10 at 22:33





I hadn't noticed that - I would have to try this in my VM

– Charles Green
Feb 10 at 22:33













BTW. I am running this on Mint 19.1 (Xfce), if that matters.

– not2qubit
Feb 10 at 22:37





BTW. I am running this on Mint 19.1 (Xfce), if that matters.

– not2qubit
Feb 10 at 22:37



Popular posts from this blog

Human spaceflight

Can not write log (Is /dev/pts mounted?) - openpty in Ubuntu-on-Windows?

張江高科駅