Allow Guest Users to Edit Network, While Denying Access to Other Folders
I've deployed an in-house web service application onto an airgapped hypervisor hosting a RHEL server guest. The guest RHEL has undergone basic OS hardening. All interactions are web-based, so under normal scenarios, employees do not need to interact with the guest RHEL. The employees have full physical control of the host machine and are proficient in Linux.
However, I'd like to allow the employees to configure the RHEL's network settings, while stopping them from accessing any other location or curl-ing anything outside of port 80 as defined in firewalld.
Naively, I think that involves
- creating a new user nwGuest
- creating a new group nwGuestUser
- adding the user to the group:
    usermod -a -G nwGuest nwGuestUser
- chown :nwGuest /etc/sysconfig/network-scripts/eth0
- chmod 664 /etc/sysconfig/network-scripts/eth0 (-rw-rw-r--)
- in visudo: nwGuest ALL = NOPASSWD: /etc/init.d/network, to allow a network restart
Are these permissions enough to allow network configuration while denying access to the Guest VM?
networking rhel virtual-machine
edited Dec 6 at 7:54
asked Dec 6 at 7:47
Cardin 1014
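As an added check (example code written for this page, not part of the question or its author's setup): a small Python model of the owner/group/other rule applied to the proposed permission set. The nwGuest account and group come from the question; the file path follows the question's proposal using the usual ifcfg-eth0 file name, and the other paths and modes are constructed sample entries. Running the audit shows what mode bits alone deny and what they leave open.

```python
# Added example (not from the question): model the access the proposed
# permission set actually grants. nwGuest and the ifcfg path follow the
# question; the other entries are constructed samples with typical modes.
from dataclasses import dataclass
from stat import S_IRUSR, S_IWUSR, S_IRGRP, S_IWGRP, S_IROTH, S_IWOTH

@dataclass(frozen=True)
class FileEntry:
    path: str
    owner: str
    group: str
    mode: int          # permission bits only, e.g. 0o664

@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset  # primary plus supplementary group names

def access(acct: Account, entry: FileEntry) -> str:
    """Owner/group/other check as the kernel applies it for a non-root user:
    the first matching class decides, later classes are never consulted."""
    if acct.name == entry.owner:
        rbit, wbit = S_IRUSR, S_IWUSR
    elif entry.group in acct.groups:
        rbit, wbit = S_IRGRP, S_IWGRP
    else:
        rbit, wbit = S_IROTH, S_IWOTH
    return ("r" if entry.mode & rbit else "-") + ("w" if entry.mode & wbit else "-")

# The proposal: user nwGuest in group nwGuest, ifcfg-eth0 root:nwGuest 0664.
NW_GUEST = Account("nwGuest", frozenset({"nwGuest"}))
SAMPLE_TREE = [  # constructed sample entries
    FileEntry("/etc/sysconfig/network-scripts", "root", "root", 0o755),
    FileEntry("/etc/sysconfig/network-scripts/ifcfg-eth0", "root", "nwGuest", 0o664),
    FileEntry("/etc/sysconfig/network-scripts/ifcfg-lo", "root", "root", 0o644),
    FileEntry("/etc/shadow", "root", "root", 0o000),
    FileEntry("/etc/sudoers", "root", "root", 0o440),
    FileEntry("/var/www/html/index.html", "apache", "apache", 0o644),
]

def audit(acct: Account, tree=SAMPLE_TREE) -> dict:
    """Path -> 'rw', 'r-' or '--'. Mode bits alone hide only the root-only
    files; everything world-readable stays readable to the guest account."""
    return {e.path: access(acct, e) for e in tree}

def writable_paths(acct: Account, tree=SAMPLE_TREE) -> list:
    """Files the account can modify. The network service reads ifcfg-* as
    root, so write access there is a privileged grant, like the sudo rule."""
    return [p for p, a in audit(acct, tree).items() if "w" in a]
```

The model deliberately ignores root's DAC override and SELinux; it only answers the question's "are these mode bits enough" for the unprivileged account.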