
I'm running some scripts to check the UFW status and would like to run sudo ufw status without having to do sudo. I was hoping to find a firewall or ufw group to add myself to, but I didn't find any.

How can I allow any user X to run ufw status without being root or being asked for the sudo password?


UPDATE:

I wanted to try to add my own file to /etc/sudoers.d/, but was lazy so decided to copy one already existing, like this:

sudo cp /etc/sudoers.d/mintupdate /etc/sudoers.d/firewall_status

Don't do that! You will not be able to do sudo or log in again. I had to do a boot recovery. Instead use:

sudo visudo -f /etc/sudoers.d/ufwstatus

Now just follow the accepted answer below.

not2qubit

1 Answer


Here's an /etc/sudoers.d/ file that works for me:

$ sudo cat /etc/sudoers.d/ufwstatus
Cmnd_Alias      UFWSTATUS = /usr/sbin/ufw status

%ufwstatus      ALL=NOPASSWD: UFWSTATUS

Then add the new "ufwstatus" group (here added as a system group):

sudo groupadd -r ufwstatus

Your otherwise non-privileged user must be added to the ufwstatus group, e.g.:

sudo gpasswd --add testuser ufwstatus

In order for the change to take effect, the user needs to log in again:

su - testuser

Then

testuser@xenial-vm:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       192.168.1.0/24
3389/tcp                   ALLOW       192.168.1.0/24
111                        ALLOW       192.168.1.0/24
2049                       ALLOW       192.168.1.0/24

but other ufw commands are disallowed (even slight variants, such as status --verbose):

testuser@xenial-vm:~$ sudo ufw status --verbose
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw status --verbose' as root on xenial-vm.

testuser@xenial-vm:~$ sudo ufw disable
Sorry, user testuser is not allowed to execute '/usr/sbin/ufw disable' as root on xenial-vm.
steeldriver
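As an added example (not code from the answer), a small POSIX shell script that writes the fragment shown above, checks the file-name and mode constraints sudo applies to /etc/sudoers.d entries, and models the exact-argument matching behind the refused commands in the output. The group name ufwstatus and the path /usr/sbin/ufw are taken from the answer; the target directory argument to install_fragment is an assumption so the script can be tried against a temporary directory without root.

```shell
#!/bin/sh
# Added example; group "ufwstatus" and /usr/sbin/ufw come from the answer.
UFW_BIN=/usr/sbin/ufw

# Emit the fragment exactly as in the answer: one Cmnd_Alias, granted to
# the %ufwstatus group without a password.
ufwstatus_fragment() {
    printf 'Cmnd_Alias      UFWSTATUS = %s status\n\n' "$UFW_BIN"
    printf '%%ufwstatus      ALL=NOPASSWD: UFWSTATUS\n'
}

# sudo silently skips /etc/sudoers.d entries whose name contains '.' or '~'
# (editor backups, package leftovers). Returns 0 when the name will be read.
sudoers_name_ok() {
    case "$1" in
        ''|*.*|*~*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Simplified stand-in for sudo's matching of a Cmnd_Alias without wildcards:
# the argument list must match literally, so "ufw status" is allowed while
# "ufw status --verbose" and "ufw disable" are not. $1 = the words after "sudo".
ufwstatus_allows() {
    set -- $1
    [ "$#" -eq 2 ] && [ "$(basename "$1")" = ufw ] && [ "$2" = status ]
}

# Write the fragment into $1 (assumed argument; defaults to /etc/sudoers.d)
# with the 0440 mode sudo expects, and print the resulting path.
install_fragment() {
    dir=${1:-/etc/sudoers.d}
    name=ufwstatus
    sudoers_name_ok "$name" || return 1
    ufwstatus_fragment > "$dir/$name" || return 1
    chmod 0440 "$dir/$name" || return 1
    echo "$dir/$name"
}

# Syntax-check an installed fragment before relying on it; run as root on the
# real file, since visudo -c also verifies root ownership.
check_fragment() {
    visudo -cf "$1"
}
```

After installing for real, sudo -l -U testuser lists exactly what the group grants, which is a quicker check than logging in as the user.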