如何在没有sudo的情况下执行'iftop'
[英]How to execute 'iftop' without sudo
问题描述
I have a script that runs iftop in text mode, cuts down the output to what I'm concerned in, and saves it to a text file along with the output of the date command (I am monitoring network usage on various interfaces over time). 
我有一个在文本模式下运行iftop的脚本,将输出减少到我关注的内容,并将其与date命令的输出一起保存到文本文件中(我随着时间的推移监视各种接口上的网络使用情况) 。 Only problem I'm having is I'm trying to run my script every 15 minutes via the crontab, and in order to run the iftop command I need sudo permissions. 我遇到的唯一问题是我试图通过crontab每15分钟运行一次脚本,为了运行iftop命令,我需要sudo权限。 Does anyone know some way to change the permissions of iftop to make it so I don't need sudo permissions? 有没有人知道改变iftop权限的方法,以便我不需要sudo权限?
Alternatively if I can give the script the ability to run the command with sudo that would be fine by me as well. 或者,如果我可以让脚本能够使用sudo运行命令,我也可以。 I tried adding the script to the sudoers file via sudo visudo and adding the line: 我尝试通过sudo visudo将脚本添加到sudoers文件并添加以下行:
user ALL=(ALL) NOPASSWD: /home/user/network_usage.sh
but that didn't work...perhaps a result of executing from the crontab? 但那不起作用......也许是从crontab执行的结果?
Thanks, 谢谢,
-Eric -Eric
3 个解决方案
解决方案1
2 2016-03-17 00:28:29
If you have root access on the machine the quick and dirty way: 如果您在计算机上具有root访问权限,则快速而肮脏的方式:
chmod +s $(which iftop)
This will make it run w/ root privileges no matter who invokes it. 这将使它无论谁调用它都运行w / root权限。 But I still think your sudo like should work. 但我仍然认为你的sudo 应该有用。
解决方案2
2 2019-03-12 16:51:17
A more granular approach would be to use: 更细粒度的方法是使用:
# setcap cap_net_raw=eip $(which iftop)
This lets iftop capture packets but does not give the process full root privileges. 这允许iftop捕获数据包,但不会为进程提供完全root权限。 In case of a security problem or bug with "iftop" its side effects would be much more limited. 如果出现安全问题或“iftop”错误,其副作用将更加有限。
Related: https://unix.stackexchange.com/questions/189750/how-can-i-run-script-without-root-to-sniff-network-libpcap 相关: https : //unix.stackexchange.com/questions/189750/how-can-i-run-script-without-root-to-sniff-network-libpcap
解决方案3
1 已采纳 2016-03-17 00:38:57
You may use root's crontab to run the script. 您可以使用root的crontab来运行脚本。 If instead of crontab -e you use sudo crontab -e you will edit root's crontab. 如果不是crontab -e使用sudo crontab -e将编辑根的crontab。 Tasks specified in that file will run under root's account and privileges. 该文件中指定的任务将在root的帐户和权限下运行。
Alternatively, you can set the setuid access flag for your script file. 或者,您可以为脚本文件设置setuid访问标志。 To do so first change the owner of the file to root, then enable setuid like this: 为此,首先将文件的所有者更改为root,然后启用setuid,如下所示:
sudo chown root /home/user/network_usage.sh
sudo chmod +s-w /home/user/network_usage.sh
The setuid bit makes an executable file run with the effective UID of its owner. setuid位使用其所有者的有效UID运行可执行文件。
Regardless of what approach you take, be very careful . 无论你采取什么方法,都要非常小心 。
- Make your script owned by root and don't let any other user write to it, otherwise it could ease a privilege escalation. 使您的脚本由root拥有,不要让任何其他用户写入它,否则可以减轻权限提升。
- Be aware of the side effects of your setuid programs. 请注意您的setuid程序的副作用。 If the script has setuid and may create or modify files, it might be used by someone else to modify or create files they aren't supposed to. 如果脚本具有setuid并且可能创建或修改文件,则其他人可能会使用它来修改或创建它们不应该的文件。 Always check the manual before giving setuid to any program you haven't written. 在将setuid提供给您尚未编写的任何程序之前,请务必查看手册。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.