How to check UFW status without sudo (or being root)? [duplicate]
This question already has an answer here:
How do I run specific sudo commands without a password?
2 answers
I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.
How can I allow any user X to do the ufw status without being root or asking for sudo password?
UPDATE:
I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:
sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status
Don't do that! You will not be able to do sudo or log in again. I had to do a boot recovery. Instead use:
sudo visudo -f /etc/sudoers.d/ufwstatus
Now just follow the accepted answer below.
Tags: sudo firewall ufw
marked as duplicate by vidarlo, Charles Green, karel, Fabby, Warren Hill Feb 11 at 15:35
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
asked Feb 10 at 13:30 by not2qubit (edited Feb 10 at 21:53)
Would it be an option to run sudo ufw ... without password? I doubt that running firewall things without root privilege will work.
– Thomas, Feb 10 at 14:17
No, that would open a huge security hole.
– not2qubit, Feb 10 at 14:37
What would be the difference between allowing a group to use ufw without and with sudo?
– Thomas, Feb 10 at 14:40
Well, it depends on what you mean. If you mean to just chmod 777, then I'd rather say no, as any user could disable the FW. I'm looking for a proper solution to add people to groups or add specific users/execs to some sudoers list.
– not2qubit, Feb 10 at 14:53
One doesn't need sudo - simply service ufw status
– waltinator, Feb 10 at 15:28
1 Answer
Here's an /etc/sudoers.d/ file that works for me:
$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias UFWSTATUS = /usr/sbin/ufw status
%ufwstatus ALL=NOPASSWD: UFWSTATUS
Then add the new "ufwstatus" group (here added as a system group):
sudo groupadd -r ufwstatus
Your otherwise non-privileged user must be added to the ufwstatus group, e.g.
sudo gpasswd --add testuser ufwstatus
In order for the change to take effect, the user needs to log in again:
su - testuser
Then
testuser@xenial-vm:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.1.0/24
3389/tcp                   ALLOW       192.168.1.0/24
111                        ALLOW       192.168.1.0/24
2049                       ALLOW       192.168.1.0/24
but other ufw commands are disallowed (even slight variants, such as status --verbose):
testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.
testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.
answered Feb 10 at 19:19 by steeldriver (edited Feb 10 at 21:54 by not2qubit)
Thank you! Exactly what I was looking for. This solved my problem with the small differences that: (1) su - testuser didn't work, so I needed to reboot in order for the new group and sudoers policy to take place. (2) Funny and contrary to logic, sudo ufw enable/disable and sudo ufw status verbose now also work without password.
– not2qubit, Feb 10 at 21:45
Nice answer - and avoids the "too much permission" problem!
– Charles Green, Feb 10 at 22:27
@CharlesGreen thanks - although I'm concerned by the OP's comment above asserting that it does allow passwordless ufw enable/disable: I don't believe it should
– steeldriver, Feb 10 at 22:31
I hadn't noticed that - I would have to try this in my VM
– Charles Green, Feb 10 at 22:33
BTW. I am running this on Mint 19.1 (Xfce), if that matters.
– not2qubit, Feb 10 at 22:37
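Why the rule in the answer accepts sudo ufw status but rejects status --verbose and disable, as an added example that is not part of the answer or the thread: a simplified shell model of how sudoers compares a Cmnd with the command that was typed. The function names and the two broader sample specs are constructed for illustration, and install_dropin shows the visudo syntax check before a file reaches /etc/sudoers.d.

```sh
#!/bin/sh
# Added example (not from the thread): simplified model of sudoers Cmnd matching.
# The path is compared literally; the arguments are compared as ONE space-joined
# string, and shell-style wildcards in the spec are honoured. Real sudo also
# handles path wildcards and escaped characters, which are not modelled here.

# cmnd_matches SPEC PATH [ARG...] -> exit 0 if SPEC permits that invocation
cmnd_matches() {
    spec=$1; path=$2; shift 2
    args="$*"
    case $spec in
        *" "*) spec_path=${spec%% *}; spec_args=${spec#* } ;;
        *)     spec_path=$spec;      spec_args='*' ;;  # no args listed: any args pass
    esac
    [ "$spec_path" = "$path" ] || return 1
    if [ "$spec_args" = '""' ]; then                   # "" = must have no arguments
        [ -z "$args" ] && return 0
        return 1
    fi
    case $args in
        $spec_args) return 0 ;;                        # unquoted: pattern match
    esac
    return 1
}

# broader_than_status SPEC -> exit 0 if SPEC permits any probe besides "ufw status".
# The probes are the invocations discussed in the thread.
broader_than_status() {
    for probe in 'disable' 'enable' 'status --verbose' 'status verbose'; do
        # $probe is left unquoted so it splits into separate arguments
        cmnd_matches "$1" /usr/sbin/ufw $probe && return 0
    done
    return 1
}

# install_dropin FILE NAME: syntax-check FILE with visudo, and only then copy it
# into /etc/sudoers.d as root:root, mode 0440. Needs root; not called below.
install_dropin() {
    sudo visudo -cf "$1" || { echo "not installed: $1 failed visudo -c" >&2; return 1; }
    sudo install -o root -g root -m 0440 "$1" "/etc/sudoers.d/$2"
}

# Constructed specs: the answer's alias body, then two broader variants.
for s in '/usr/sbin/ufw status' '/usr/sbin/ufw status*' '/usr/sbin/ufw'; do
    if broader_than_status "$s"; then
        printf '%-24s also permits other ufw invocations\n' "$s"
    else
        printf '%-24s permits only: ufw status\n' "$s"
    fi
done
```

If an invocation the rule should reject still runs, sudo -l executed as that user lists every rule that applies to them, including rules from other sudoers files.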