LinuxSA Mailing list archives

  From: Ben Williams <benw@webmedia.com.au>
  To  : LinuxSA <linuxsa@linuxsa.org.au>
  Date: Thu, 17 Apr 2003 14:42:48 +0930

gateway modem connect/sudo

howdy all,

i've set up a redhat 8.0 box at home, and patched it all up (150mb of 
rpms via up2date!). as well as some other stuff, i want to use this box 
as a gateway to my internal machine(s)[1].

i've set up the modem, i can connect with 'ifup ppp0', and following the 
Masquerading-Simple-HOWTO[2], i used the simple firewalling stuff from 
there to turn on NAT & forwarding and secure the connection - this works 
perfectly. i then put all this stuff into a bash script 
(/usr/bin/connect) so i can manually log in to the box, type 'connect' 
and it connects to my ISP and turns on forwarding etc. lovely!

the next step was to make it so that normal users can do this. i added 
entries to /etc/sudoers to allow them to run the needed commands 
(iptables, ifup, echo, modprobe), without needing a password. lovely! i 
can log in as myself (benw) and type 'connect' and it almost all comes 
up as it should - the only problem lies in this line in the script:

sudo echo 1 > /proc/sys/net/ipv4/ip_forward

to turn on packet forwarding. when i run the script as myself (benw), i 
get the following error:

/usr/bin/connect: line 9: /proc/sys/net/ipv4/ip_forward: Permission denied

the file looks like this from the outside:

-rw-r--r--    1 root     root            0 Apr 17 14:14 /proc/sys/net/ipv4/ip_forward

my line in the sudoers file looks like:

benw    ALL = NOPASSWD: /sbin/iptables,/sbin/ifup,/bin/echo,/sbin/modprobe

any ideas?

(the next step in the project is to make it very easy for people to 
connect from the other machine(s) - like double-click-on-the-desktop 
easy. i figure i can do this by using something like putty to ssh in 
with a preset key pair (no password required) and set the user's shell 
to /usr/bin/connect; thus it should (i hope) log them in, execute that 
script, and disconnect them when the script exits, leaving the 
connection up and running. maybe i should make a user called "dial" or 
"connect" or something for this.)

  - Ben

--
"Never attribute to malice that which can be adequately explained by 
stupidity."
(<http://www.tuxedo.org/~esr/jargon/html/entry/Hanlon's-Razor.html>)

[1] one at the moment, but hopefully more later!
[2] http://www.tldp.org/HOWTO/Masquerading-Simple-HOWTO/

-- 
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.freenode.net
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
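The failing line in the post is a shell-redirection problem: "> /proc/sys/net/ipv4/ip_forward" is opened by the calling (unprivileged) shell before sudo runs, so only echo is elevated. As an added example (not from Ben's post or the HOWTO), the script below audits a connect script for that "sudo ... > target" pattern and rewrites the ip_forward line as a single sudo'd sysctl call that a sudoers entry can match argument for argument. It assumes /sbin/sysctl exists as on Red Hat 8.0; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. The line
#     sudo echo 1 > /proc/sys/net/ipv4/ip_forward
# fails because the redirect is set up by the caller's shell (benw,
# unprivileged) before sudo ever runs; sudo only elevates "echo".
# audit_script flags that pattern; sysctl_line rewrites such a line so
# the whole write happens inside one privileged command.

# Print every "sudo ... > target" line with its line number.
# Returns 0 if the script is clean, 1 if any line was flagged.
audit_script() {
    script="$1"
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            # crude match: a sudo command whose output is redirected
            *sudo*">"*)
                bad=$((bad + 1))
                printf '%s:%d: redirect target is opened by the unprivileged caller: %s\n' \
                    "$script" "$n" "$line"
                ;;
        esac
    done < "$script"
    [ "$bad" -eq 0 ]
}

# Rewrite "sudo echo VALUE > /proc/sys/a/b/c" as
# "sudo /sbin/sysctl -w a.b.c=VALUE" (sysctl path assumed). No redirect
# is involved, so the root process does the write, and sudoers can be
# narrowed to this exact argument list instead of granting /bin/echo:
#     benw ALL = NOPASSWD: /sbin/sysctl -w net.ipv4.ip_forward=1
# Returns 1 if the line is not of that shape.
sysctl_line() {
    line="$1"
    value=$(printf '%s\n' "$line" | sed -n \
        's/^[[:space:]]*sudo[[:space:]]\{1,\}echo[[:space:]]\{1,\}\([^[:space:]>]*\)[[:space:]]*>[[:space:]]*\/proc\/sys\/.*$/\1/p')
    path=$(printf '%s\n' "$line" | sed -n \
        's#^.*>[[:space:]]*/proc/sys/\([^[:space:]]*\).*$#\1#p')
    [ -n "$value" ] && [ -n "$path" ] || return 1
    key=$(printf '%s\n' "$path" | sed 's#/#.#g')
    printf 'sudo /sbin/sysctl -w %s=%s\n' "$key" "$value"
}

# Usage: sh audit_connect.sh /usr/bin/connect
if [ -n "$1" ]; then
    audit_script "$1"
fi
```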

