iwlist scanning without root privileges
I'm writing an application where I need to scan one of the wireless interfaces. In the past, my program was run with sudo and I used (in code):

    iwlist wlanX scan

But now I want to allow the program to run without root privileges. Will it be relatively safe if I change the capabilities of /sbin/iwlist to cap_net_admin+eip? Iwlist is only for showing detailed wireless information, so broader access to this command is probably not very dangerous, right?

linux wifi network-interface
asked Nov 21 '14 at 10:25
trivelt

Why not simply modify your script to run sudo iwlist wlanX scan and configure sudo to run the command without asking for a password?
– garethTheRed Nov 21 '14 at 11:25

Is this a better solution? Why? You mean modifying the sudoers file, right? If my application is installed from a deb on another computer, how should I make this change (I don't know the name of the user)?
– trivelt Nov 21 '14 at 11:38

4 Answers

You can configure sudo so that members of a group can run a command without a password. Use visudo to edit the sudoers file:

    # visudo

Add something similar to:

    %mygroup ALL = (root) NOPASSWD: iwlist wlanX scan

to the bottom of the file (where mygroup is the name of your group preceded with a percent symbol).

You could also allow a single user to run this by changing %mygroup to myuser, where myuser is the username (note the lack of a percent symbol).

Or, you could allow everyone to scan by replacing %mygroup with ALL.

Using capabilities allows cap_net_admin for all iwlist commands, whereas using sudo configured as above limits it to just one command with specific options. That has to be more secure.

Another (general) reason is that configuring sudo would be more portable than using capabilities, although that isn't relevant in this instance if you're just using Linux.

answered Nov 21 '14 at 12:04
garethTheRed

>>> /etc/sudoers: syntax error near line 32 <<< Line 32 is

    mat ALL = (root) NOPASSWD: iwlist wlan0 scan

– mjaggard Sep 5 '16 at 6:50

Check lines before 32? It does say near :-)
– garethTheRed Sep 5 '16 at 7:01

The error is on line 32 - if I remove that line then it works. All of the rest of my sudoers file is the default.
– mjaggard Sep 6 '16 at 12:02

I got rid of that error by using this

    mat ALL=(root) NOPASSWD: /sbin/iw

but now I just get "command failed: Operation not permitted (-1)" when I run /sbin/iw wlan0 scan
– mjaggard Sep 6 '16 at 12:04

I've tried again. Used

    mat ALL=(root) NOPASSWD: /sbin/iw wlan0 scan

this time and it worked. One thing I didn't realise before is that you still have to specify sudo; it just doesn't ask for a password anymore.
– mjaggard Sep 6 '16 at 12:09

You can configure sudo to not ask for a password.

Type in visudo and add lines such as this:

    myuser ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
    myuser ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan

or

    %mygroup ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
    %mygroup ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan

Note that you need to specify the full path to iw and that you still need to run using sudo, but now you won't be prompted for your password.

    sudo iw wlan0 scan

Thanks @garethTheRed for part of this answer.

edited Apr 13 '17 at 12:36
Community♦
answered Sep 6 '16 at 12:19
mjaggard

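The rules tried in the comments under the first answer differ only in the command part, and that part decides both whether visudo accepts the file and how much root access the rule grants. The script below is an added example, not code from the thread: it classifies such rules and builds a group-based rule for a package drop-in, which also covers the case where the user name is not known at install time. The group name wifiscan, the drop-in file name and the function names are hypothetical, and /etc/sudoers.d is assumed to be included by the main sudoers file.

```shell
#!/bin/sh
# Added example, not from the original thread. Handles one command per rule;
# Cmnd_Alias names and comma-separated command lists are out of scope.

# classify_rule LINE prints one verdict for a sudoers NOPASSWD rule:
#   not-nopasswd   no NOPASSWD: tag on the line
#   empty          nothing after the tag
#   any-command    NOPASSWD: ALL
#   relative-path  command is not fully qualified (visudo reports a syntax error)
#   any-args       full path but no arguments, so every argument list is allowed
#   wildcard       arguments contain sudoers wildcards (* ? [)
#   pinned         full path with a fixed argument list
classify_rule() {
    case $1 in
        *NOPASSWD:*) ;;
        *) echo not-nopasswd; return 0 ;;
    esac
    spec=${1#*NOPASSWD:}
    set -f              # split on blanks without expanding wlan* as a glob
    set -- $spec
    set +f
    [ $# -gt 0 ] || { echo empty; return 0; }
    path=$1
    shift
    case $path in
        /*) ;;
        ALL) echo any-command; return 0 ;;
        *) echo relative-path; return 0 ;;
    esac
    [ $# -gt 0 ] || { echo any-args; return 0; }
    case $* in
        *\**|*\?*|*\[*) echo wildcard ;;
        *) echo pinned ;;
    esac
}

# make_rule GROUP /full/path ARGS... prints a group rule, but only if it is
# pinned. A package can ship the result as a drop-in and add users to GROUP
# later, so no user name has to be known at build time. Typical install step
# (hypothetical file name):
#   make_rule wifiscan /sbin/iwlist wlan0 scan > /tmp/wifiscan.rule
#   visudo -cf /tmp/wifiscan.rule && \
#       install -m 0440 /tmp/wifiscan.rule /etc/sudoers.d/wifiscan
make_rule() {
    group=$1
    shift
    rule="%$group ALL=(root) NOPASSWD: $*"
    [ "$(classify_rule "$rule")" = pinned ] || return 1
    printf '%s\n' "$rule"
}

# The three rules from the comment thread plus one constructed wildcard rule.
for r in \
    'mat ALL = (root) NOPASSWD: iwlist wlan0 scan' \
    'mat ALL=(root) NOPASSWD: /sbin/iw' \
    'mat ALL=(root) NOPASSWD: /sbin/iw wlan0 scan' \
    '%mygroup ALL=(root) NOPASSWD: /sbin/iwlist wlan* scan'
do
    printf '%-14s %s\n' "$(classify_rule "$r")" "$r"
done
```

Only the pinned form limits the grant to the single scan command; the any-args form lets the listed user run every iw subcommand as root.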
The solution I found for this, a one-liner, was to set the setuid bit on the binary I wanted to execute (in my case, iwconfig):

    sudo chmod u+s /sbin/iwconfig

answered Jun 7 '17 at 15:11
Paul Bissex

If Network Manager is used on the system, then sudo privilege is not needed. Simply run:

    nmcli dev wifi rescan

Immediately following this command (for maybe 30 seconds), the full list of available WiFi networks is visible, even to other tools.

For example, in my test:

    iwlist scan # lists 1 AP
    nmcli dev wifi rescan
    iwlist scan # lists 8 APs

answered Jan 23 at 7:51
bitinerant