0

Background: I am trying to implement dynamic routing for a system.

Is it possible to create a super user that is restricted to changing the routing table? Something like a restricted sudo that can only run route or ip route?

I don't know exactly what would be the best way to do this; everything I think about is rather awkward. One idea I had was to run a service and simply write a file with the new table information and check whether that file changed.

The solutions I found were really strange, using virtual machines, which I would rather avoid.

Is there a good/safe or canonical way of doing this?

Thank you!

user27221
  • Why not restricted sudo? – RalfFriedl Mar 29 '21 at 14:17
  • I don't know, is this what I should use? I haven't done many things like this, how do I authenticate the new restricted superuser without having something like a password stored as plain text? – user27221 Mar 29 '21 at 14:25
  • Maybe restricted sudo with passwordless authentication (https://unix.stackexchange.com/questions/113754/allow-user1-to-su-user2-without-password/) – user27221 Mar 29 '21 at 14:39
  • After reading the sudoers man page, the service file parser idea sounds like a much safer option. – user27221 Mar 29 '21 at 15:00
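
The file-based idea from the question and its last comment, as an added example (not code from the original posts): an unprivileged writer drops route requests into a file, and a root-owned service validates every line against an allowlist before building `ip route replace` argument vectors. The line format, interface names, prefix allowlist and function names are assumptions made for illustration.

```python
import ipaddress
import subprocess

# Assumed request format (hypothetical), one route per line:
#   <destination CIDR> via <gateway IP> dev <interface>
ALLOWED_DEVS = {"eth0", "eth1"}                      # assumed interface allowlist
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed routable prefixes
MAX_ROUTES = 64                                      # assumed upper bound per file


def parse_request(text):
    """Validate the whole file; return argv lists or raise ValueError."""
    commands = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()        # drop comments, tokenize
        if not fields:
            continue
        if len(fields) != 5 or fields[1] != "via" or fields[3] != "dev":
            raise ValueError(f"line {lineno}: expected '<cidr> via <gw> dev <if>'")
        dest = ipaddress.ip_network(fields[0], strict=True)  # rejects host bits
        gateway = ipaddress.ip_address(fields[2])
        dev = fields[4]
        if gateway.version != dest.version:
            raise ValueError(f"line {lineno}: address family mismatch")
        if not any(n.version == dest.version and dest.subnet_of(n)
                   for n in ALLOWED_NETS):
            raise ValueError(f"line {lineno}: {dest} is outside the allowlist")
        if dev not in ALLOWED_DEVS:
            raise ValueError(f"line {lineno}: interface {dev!r} not allowed")
        if len(commands) >= MAX_ROUTES:
            raise ValueError("too many routes in one request")
        # Emit normalized addresses and an allowlisted interface name only.
        commands.append(["ip", "route", "replace", str(dest),
                         "via", str(gateway), "dev", dev])
    return commands


def apply_routes(commands, dry_run=True):
    """Run each argv without a shell; call only after the whole file validated."""
    for argv in commands:
        if dry_run:
            print("would run:", " ".join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    sample = "10.20.0.0/16 via 10.0.0.1 dev eth0  # constructed sample\n"
    apply_routes(parse_request(sample))
```

Because the destination must fall inside the allowlisted prefixes, a request for `0.0.0.0/0` is rejected, so the file writer cannot replace the default route.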

1 Answer

0

Sure, you can use bird, which already implements all the kinds of dynamic routing protocols. It's the top-notch routing daemon at this time (mid-spring 2021). It runs from root; however, I really doubt you need to restrict it.

The approach you are describing sounds more like reinventing the wheel. The triangle wheel.

drookie