<![CDATA[Dev1 Galaxy Forum / [SOLVED] sudoers.d file for ifup / ifdown]]> https://dev1galaxy.org/viewtopic.php?id=7078 Thu, 20 Feb 2025 16:56:25 +0000 FluxBB <![CDATA[Re: [SOLVED] sudoers.d file for ifup / ifdown]]> https://dev1galaxy.org/viewtopic.php?pid=54558#p54558 Hello:

fsmithred wrote:

... log out and log in ...

Of course ...  8^)

fsmithred wrote:

I use commas ...

You and everyone else knowing how to do this properly.

Solved.
It was the lack of a comma between the commands.

# cat /etc/sudoers.d/user_eth0
groucho ALL=(ALL) NOPASSWD: /sbin/ifup eth0, /sbin/ifdown eth0
# 
~$ sudo ifdown eth0
Killed old client process
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/00:14:4f:4a:a2:81
Sending on   LPF/eth0/00:14:4f:4a:a2:81
Sending on   Socket/fallback
DHCPRELEASE of 192.168.1.10 on eth0 to 192.168.1.1 port 67
~$ sudo ifup eth0
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/00:14:4f:4a:a2:81
Sending on   LPF/eth0/00:14:4f:4a:a2:81
Sending on   Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5
DHCPOFFER of 192.168.1.10 from 192.168.1.1
DHCPREQUEST for 192.168.1.10 on eth0 to 255.255.255.255 port 67
DHCPACK of 192.168.1.10 from 192.168.1.1
/sbin/dhclient-script: 88: cannot create /etc/resolv.conf: Operation not permitted
bound to 192.168.1.10 -- renewal in 13983 seconds.
~$

So much then for visudo -c ...  8^°
After all, it is a syntax error.

Thank you very much for your input.

Best,

A.

]]> Thu, 20 Feb 2025 16:56:25 +0000 https://dev1galaxy.org/viewtopic.php?pid=54558#p54558 <![CDATA[Re: [SOLVED] sudoers.d file for ifup / ifdown]]> https://dev1galaxy.org/viewtopic.php?pid=54557#p54557 Hello:

rolfie wrote:

Give that ...

Nope, no dice.

# cat /etc/sudoers.d/user_eth0
groucho ALL=(root) NOPASSWD: /sbin/ifup eth0  /sbin/ifdown eth0
# 
~$ sudo ifdown eth0
--- snip ---
Sorry, user groucho is not allowed to execute '/sbin/ifdown eth0' as root on localhost.
~$ 
~$ sudo ifup eth0
--- snip ---
Sorry, user groucho is not allowed to execute '/sbin/ifup eth0' as root on localhost.
~$

BTW: found this -> https://hackliza.gal/en/posts/cambiar_dns_linux/ to chew on
Never saw it before, probably because I was looking for /etc/resolv.conf in relation to connman or network-manager.

Thanks for your input.

Best,

A.

]]> Thu, 20 Feb 2025 16:41:28 +0000 https://dev1galaxy.org/viewtopic.php?pid=54557#p54557 <![CDATA[Re: [SOLVED] sudoers.d file for ifup / ifdown]]> https://dev1galaxy.org/viewtopic.php?pid=54556#p54556 couple guesses -

You need to log out and log in for the changes to take effect. (or restart sudo)

I use commas between things in the list, but I also use command aliases.

Cmnd_Alias      HALT = /sbin/shutdown, /sbin/halt, /sbin/poweroff, /usr/sbin/pm-suspend, /usr/sbin/pm-hibernate
Cmnd_Alias      REBOOT = /sbin/reboot, /usr/local/bin/update-machineid
Cmnd_Alias      NET = /sbin/ifconfig, /sbin/ifup, /sbin/ifdown

fsmithred  ALL=NOPASSWD: HALT, REBOOT, NET
]]> Thu, 20 Feb 2025 16:40:02 +0000 https://dev1galaxy.org/viewtopic.php?pid=54556#p54556 <![CDATA[Re: [SOLVED] sudoers.d file for ifup / ifdown]]> https://dev1galaxy.org/viewtopic.php?pid=54555#p54555 Give that a try: 

groucho ALL=(root) NOPASSWD: /sbin/ifup eth0  /sbin/ifdown eth0
]]> Thu, 20 Feb 2025 16:04:25 +0000 https://dev1galaxy.org/viewtopic.php?pid=54555#p54555 <![CDATA[[SOLVED] sudoers.d file for ifup / ifdown]]> https://dev1galaxy.org/viewtopic.php?pid=54552#p54552 Hello:

Finally got fed up and decided to ditch connman and as there is no WiCD for the foreseable future (if there is such a thing), went for the time proven ifup / ifdown solution.

One less layer of abstraction or so it is said, can't be a bad thing.

To test things out, I disabled connman, checked all settings and verified that ifup eth0 and ifdown eth0 (as root) worked properly.
My cable connection comes up at boot time as expected.

But at one point I realised that, in spite of what my /etc/resolv.conf file read, I was back at my ISPs cable provider's DNS, so I ran chattr +i /etc/resolv.conf and that was it. Evidently ditching connman was not the solution.

And (by chance) I was actually able to verify it:

1. take down the connection:

# /sbin/ifdown eth0
Killed old client process
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/00:14:4f:4a:a2:81
Sending on   LPF/eth0/00:14:4f:4a:a2:81
Sending on   Socket/fallback
DHCPRELEASE of 192.168.1.10 on eth0 to 192.168.1.1 port 67
# 
[code]

2. bring up the connection:

[/code]
# /sbin/ifup eth0
Internet Systems Consortium DHCP Client 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/00:14:4f:4a:a2:81
Sending on   LPF/eth0/00:14:4f:4a:a2:81
Sending on   Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 6
DHCPOFFER of 192.168.1.10 from 192.168.1.1
DHCPREQUEST for 192.168.1.10 on eth0 to 255.255.255.255 port 67
DHCPACK of 192.168.1.10 from 192.168.1.1

/sbin/dhclient-script: 88: cannot create /etc/resolv.conf: Operation not permitted  ### WTHF is *this*?

bound to 192.168.1.10 -- renewal in 12402 seconds.
#

Obviously, chattr +i /etc/resolv.conf was working properly.

I then opened up /sbin/dhclient-script to have a look.
Not in any way script savvy but this part of it immediately called my attention:

--- snip ---
# update /etc/resolv.conf based on received values     <---- #######?
  make_resolv_conf() {
      local new_resolv_conf
--- snip ---

According to jed, the whole snippet would be from line 39 to line 125 and it would seem (?) to be the routine that constantly overwrites /etc/resolv.conf.

Anyone have an idea on this?
I thought that disabling the connman service would be a solution but ...

But I digress ...
In order to avoid having to bring down the connection without being root, I made a file in /etc/sudoers.d:

# cat /etc/sudoers.d/user_eth0
groucho ALL=(ALL) NOPASSWD: /sbin/ifup eth0  /sbin/ifdown eth0
#

But it does not work and I don't understand why.

~$ sudo ifup
--- snip ---
Sorry, user groucho is not allowed to execute '/sbin/ifup' as root on localhost.
~$
~$ sudo ifdown
--- snip ---
Sorry, user groucho is not allowed to execute '/sbin/ifdown' as root on localhost.
~$

The file syntax is correct:

# visudo -c
--- snip ---
/etc/sudoers.d/user_eth0: parsed OK
--- snip ---
#

I then checked and saw that /sbin/ifup is a (dynamically linked) executable and that /sbin/ifdown is a symbolic link to /sbin/ifup but I have no idea how to get around that.

That said, I'd appreciate pointers on how to get the /etc/sudoers.d file working.

Best,

A.

]]> Thu, 20 Feb 2025 13:31:15 +0000 https://dev1galaxy.org/viewtopic.php?pid=54552#p54552