iwlist scanning without root privileges












2















I'm writing application where I need to scan one of wireless interfaces. In the past, my program was run with sudo and I used (in code):



iwlist wlanX scan


But now I want to allow to run program without root privileges. Will it be relatively safe if I change capabilities of /sbin/iwlist to cap_net_admin+eip? Iwlist is only for showing detailed wireless informations so broader access to this command probably is not very dangereous, right?










share|improve this question























  • Why not simply modify your script to run sudo iwlist wlanX scan and configure sudo to run the command without asking for a password?

    – garethTheRed
    Nov 21 '14 at 11:25











  • Is this better solution? Why? Do you mean modify sudoers file, right? If my application will be installed from deb on other computer how should I do this change (I don't know the name of user)?

    – trivelt
    Nov 21 '14 at 11:38
















2















I'm writing application where I need to scan one of wireless interfaces. In the past, my program was run with sudo and I used (in code):



iwlist wlanX scan


But now I want to allow to run program without root privileges. Will it be relatively safe if I change capabilities of /sbin/iwlist to cap_net_admin+eip? Iwlist is only for showing detailed wireless informations so broader access to this command probably is not very dangereous, right?










share|improve this question























  • Why not simply modify your script to run sudo iwlist wlanX scan and configure sudo to run the command without asking for a password?

    – garethTheRed
    Nov 21 '14 at 11:25











  • Is this better solution? Why? Do you mean modify sudoers file, right? If my application will be installed from deb on other computer how should I do this change (I don't know the name of user)?

    – trivelt
    Nov 21 '14 at 11:38














2












2








2


1






I'm writing application where I need to scan one of wireless interfaces. In the past, my program was run with sudo and I used (in code):



iwlist wlanX scan


But now I want to allow to run program without root privileges. Will it be relatively safe if I change capabilities of /sbin/iwlist to cap_net_admin+eip? Iwlist is only for showing detailed wireless informations so broader access to this command probably is not very dangereous, right?










share|improve this question














I'm writing application where I need to scan one of wireless interfaces. In the past, my program was run with sudo and I used (in code):



iwlist wlanX scan


But now I want to allow to run program without root privileges. Will it be relatively safe if I change capabilities of /sbin/iwlist to cap_net_admin+eip? Iwlist is only for showing detailed wireless informations so broader access to this command probably is not very dangereous, right?







linux wifi network-interface






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 21 '14 at 10:25









trivelttrivelt

147129




147129













  • Why not simply modify your script to run sudo iwlist wlanX scan and configure sudo to run the command without asking for a password?

    – garethTheRed
    Nov 21 '14 at 11:25











  • Is this better solution? Why? Do you mean modify sudoers file, right? If my application will be installed from deb on other computer how should I do this change (I don't know the name of user)?

    – trivelt
    Nov 21 '14 at 11:38



















  • Why not simply modify your script to run sudo iwlist wlanX scan and configure sudo to run the command without asking for a password?

    – garethTheRed
    Nov 21 '14 at 11:25











  • Is this better solution? Why? Do you mean modify sudoers file, right? If my application will be installed from deb on other computer how should I do this change (I don't know the name of user)?

    – trivelt
    Nov 21 '14 at 11:38

















Why not simply modify your script to run sudo iwlist wlanX scan and configure sudo to run the command without asking for a password?

– garethTheRed
Nov 21 '14 at 11:25





Why not simply modify your script to run sudo iwlist wlanX scan and configure sudo to run the command without asking for a password?

– garethTheRed
Nov 21 '14 at 11:25













Is this better solution? Why? Do you mean modify sudoers file, right? If my application will be installed from deb on other computer how should I do this change (I don't know the name of user)?

– trivelt
Nov 21 '14 at 11:38





Is this better solution? Why? Do you mean modify sudoers file, right? If my application will be installed from deb on other computer how should I do this change (I don't know the name of user)?

– trivelt
Nov 21 '14 at 11:38










4 Answers
4






active

oldest

votes


















2














You can configure sudo so that members of a group can run a command without a password. Use visudo to edit the sudoers file:



# visudo


Add something similar to:



%mygroup ALL = (root) NOPASSWD: iwlist wlanX scan


to the bottom of the file (where mygroup is the name of your group preceded with a percent symbol).



You could also allow a single user to run this by changing %mygroup to myuser, where myuser is the username (note the lack of a percent symbol).



Or, you could allow everyone to scan by replacing %mygroup with ALL.



Using capabilities allows cap_net_admin for all iwlist commands wheras using sudo configured as above limits it to just one command with specific options. That has to be more secure.



Another (general) reason is that configuring sudo would be more portable than using capabilites, although that isn't relevant in this instance if you're just using to Linux.






share|improve this answer
























  • >>> /etc/sudoers: syntax error near line 32 <<< Line 32 is mat ALL = (root) NOPASSWD: iwlist wlan0 scan

    – mjaggard
    Sep 5 '16 at 6:50






  • 1





    Check lines before 32? It does say near :-)

    – garethTheRed
    Sep 5 '16 at 7:01











  • The error is on line 32 - if I remove that line then it works. All of the rest of my sudoers file is the default.

    – mjaggard
    Sep 6 '16 at 12:02











  • I got rid of that error by using this mat ALL=(root) NOPASSWD: /sbin/iw but now I just get command failed: Operation not permitted (-1) when I run /sbin/iw wlan0 scan

    – mjaggard
    Sep 6 '16 at 12:04






  • 1





    I've tried again. Used mat ALL=(root) NOPASSWD: /sbin/iw wlan0 scan this time and it worked. One thing I didn't realise before is that you still have to specify sudo it just doesn't ask for a password anymore.

    – mjaggard
    Sep 6 '16 at 12:09



















1














You can configure sudo to not ask for a password.



Type in visudo and add lines such as this:



myuser ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
myuser ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan


or



%mygroup ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
%mygroup ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan


Note that you need to specify the full path to iw and that you still need to run using sudo but now you won't be prompted for your password.



sudo iw wlan0 scan


Thanks @garethTheRed for part of this answer.






share|improve this answer

































    0














    The solution I found for this, a one-liner, was to set the setuid bit on the binary I wanted to execute (in my case, iwconfig):



    sudo chmod u+s /sbin/iwconfig





    share|improve this answer































      0














      If Network Manager is used on the system, then sudo privilege is not needed. Simply run:



      nmcli dev wifi rescan


      Immediately following this command (for maybe 30 seconds), the full list of available WiFi networks is visible, even to other tools.



      For example, in my test:



      iwlist scan             # lists 1 AP
      nmcli dev wifi rescan
      iwlist scan # lists 8 APs





      share|improve this answer























        Your Answer








        StackExchange.ready(function() {
        var channelOptions = {
        tags: "".split(" "),
        id: "106"
        };
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function() {
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled) {
        StackExchange.using("snippets", function() {
        createEditor();
        });
        }
        else {
        createEditor();
        }
        });

        function createEditor() {
        StackExchange.prepareEditor({
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader: {
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        },
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        });


        }
        });














        draft saved

        draft discarded


















        StackExchange.ready(
        function () {
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f169212%2fiwlist-scanning-without-root-privileges%23new-answer', 'question_page');
        }
        );

        Post as a guest















        Required, but never shown

























        4 Answers
        4






        active

        oldest

        votes








        4 Answers
        4






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        2














        You can configure sudo so that members of a group can run a command without a password. Use visudo to edit the sudoers file:



        # visudo


        Add something similar to:



        %mygroup ALL = (root) NOPASSWD: iwlist wlanX scan


        to the bottom of the file (where mygroup is the name of your group preceded with a percent symbol).



        You could also allow a single user to run this by changing %mygroup to myuser, where myuser is the username (note the lack of a percent symbol).



        Or, you could allow everyone to scan by replacing %mygroup with ALL.



        Using capabilities allows cap_net_admin for all iwlist commands wheras using sudo configured as above limits it to just one command with specific options. That has to be more secure.



        Another (general) reason is that configuring sudo would be more portable than using capabilites, although that isn't relevant in this instance if you're just using to Linux.






        share|improve this answer
























        • >>> /etc/sudoers: syntax error near line 32 <<< Line 32 is mat ALL = (root) NOPASSWD: iwlist wlan0 scan

          – mjaggard
          Sep 5 '16 at 6:50






        • 1





          Check lines before 32? It does say near :-)

          – garethTheRed
          Sep 5 '16 at 7:01











        • The error is on line 32 - if I remove that line then it works. All of the rest of my sudoers file is the default.

          – mjaggard
          Sep 6 '16 at 12:02











        • I got rid of that error by using this mat ALL=(root) NOPASSWD: /sbin/iw but now I just get command failed: Operation not permitted (-1) when I run /sbin/iw wlan0 scan

          – mjaggard
          Sep 6 '16 at 12:04






        • 1





          I've tried again. Used mat ALL=(root) NOPASSWD: /sbin/iw wlan0 scan this time and it worked. One thing I didn't realise before is that you still have to specify sudo it just doesn't ask for a password anymore.

          – mjaggard
          Sep 6 '16 at 12:09
















        2














        You can configure sudo so that members of a group can run a command without a password. Use visudo to edit the sudoers file:



        # visudo


        Add something similar to:



        %mygroup ALL = (root) NOPASSWD: iwlist wlanX scan


        to the bottom of the file (where mygroup is the name of your group preceded with a percent symbol).



        You could also allow a single user to run this by changing %mygroup to myuser, where myuser is the username (note the lack of a percent symbol).



        Or, you could allow everyone to scan by replacing %mygroup with ALL.



        Using capabilities allows cap_net_admin for all iwlist commands wheras using sudo configured as above limits it to just one command with specific options. That has to be more secure.



        Another (general) reason is that configuring sudo would be more portable than using capabilites, although that isn't relevant in this instance if you're just using to Linux.






        share|improve this answer
























        • >>> /etc/sudoers: syntax error near line 32 <<< Line 32 is mat ALL = (root) NOPASSWD: iwlist wlan0 scan

          – mjaggard
          Sep 5 '16 at 6:50






        • 1





          Check lines before 32? It does say near :-)

          – garethTheRed
          Sep 5 '16 at 7:01











        • The error is on line 32 - if I remove that line then it works. All of the rest of my sudoers file is the default.

          – mjaggard
          Sep 6 '16 at 12:02











        • I got rid of that error by using this mat ALL=(root) NOPASSWD: /sbin/iw but now I just get command failed: Operation not permitted (-1) when I run /sbin/iw wlan0 scan

          – mjaggard
          Sep 6 '16 at 12:04






        • 1





          I've tried again. Used mat ALL=(root) NOPASSWD: /sbin/iw wlan0 scan this time and it worked. One thing I didn't realise before is that you still have to specify sudo it just doesn't ask for a password anymore.

          – mjaggard
          Sep 6 '16 at 12:09














        2












        2








        2







        You can configure sudo so that members of a group can run a command without a password. Use visudo to edit the sudoers file:



        # visudo


        Add something similar to:



        %mygroup ALL = (root) NOPASSWD: iwlist wlanX scan


        to the bottom of the file (where mygroup is the name of your group preceded with a percent symbol).



        You could also allow a single user to run this by changing %mygroup to myuser, where myuser is the username (note the lack of a percent symbol).



        Or, you could allow everyone to scan by replacing %mygroup with ALL.



        Using capabilities allows cap_net_admin for all iwlist commands wheras using sudo configured as above limits it to just one command with specific options. That has to be more secure.



        Another (general) reason is that configuring sudo would be more portable than using capabilites, although that isn't relevant in this instance if you're just using to Linux.






        share|improve this answer













        You can configure sudo so that members of a group can run a command without a password. Use visudo to edit the sudoers file:



        # visudo


        Add something similar to:



        %mygroup ALL = (root) NOPASSWD: iwlist wlanX scan


        to the bottom of the file (where mygroup is the name of your group preceded with a percent symbol).



        You could also allow a single user to run this by changing %mygroup to myuser, where myuser is the username (note the lack of a percent symbol).



        Or, you could allow everyone to scan by replacing %mygroup with ALL.



        Using capabilities allows cap_net_admin for all iwlist commands wheras using sudo configured as above limits it to just one command with specific options. That has to be more secure.



        Another (general) reason is that configuring sudo would be more portable than using capabilites, although that isn't relevant in this instance if you're just using to Linux.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 21 '14 at 12:04









        garethTheRedgarethTheRed

        24.3k36280




        24.3k36280













        • >>> /etc/sudoers: syntax error near line 32 <<< Line 32 is mat ALL = (root) NOPASSWD: iwlist wlan0 scan

          – mjaggard
          Sep 5 '16 at 6:50






        • 1





          Check lines before 32? It does say near :-)

          – garethTheRed
          Sep 5 '16 at 7:01











        • The error is on line 32 - if I remove that line then it works. All of the rest of my sudoers file is the default.

          – mjaggard
          Sep 6 '16 at 12:02











        • I got rid of that error by using this mat ALL=(root) NOPASSWD: /sbin/iw but now I just get command failed: Operation not permitted (-1) when I run /sbin/iw wlan0 scan

          – mjaggard
          Sep 6 '16 at 12:04






        • 1





          I've tried again. Used mat ALL=(root) NOPASSWD: /sbin/iw wlan0 scan this time and it worked. One thing I didn't realise before is that you still have to specify sudo it just doesn't ask for a password anymore.

          – mjaggard
          Sep 6 '16 at 12:09



















        • >>> /etc/sudoers: syntax error near line 32 <<< Line 32 is mat ALL = (root) NOPASSWD: iwlist wlan0 scan

          – mjaggard
          Sep 5 '16 at 6:50






        • 1





          Check lines before 32? It does say near :-)

          – garethTheRed
          Sep 5 '16 at 7:01











        • The error is on line 32 - if I remove that line then it works. All of the rest of my sudoers file is the default.

          – mjaggard
          Sep 6 '16 at 12:02











        • I got rid of that error by using this mat ALL=(root) NOPASSWD: /sbin/iw but now I just get command failed: Operation not permitted (-1) when I run /sbin/iw wlan0 scan

          – mjaggard
          Sep 6 '16 at 12:04






        • 1





          I've tried again. Used mat ALL=(root) NOPASSWD: /sbin/iw wlan0 scan this time and it worked. One thing I didn't realise before is that you still have to specify sudo it just doesn't ask for a password anymore.

          – mjaggard
          Sep 6 '16 at 12:09

















        >>> /etc/sudoers: syntax error near line 32 <<< Line 32 is mat ALL = (root) NOPASSWD: iwlist wlan0 scan

        – mjaggard
        Sep 5 '16 at 6:50





        >>> /etc/sudoers: syntax error near line 32 <<< Line 32 is mat ALL = (root) NOPASSWD: iwlist wlan0 scan

        – mjaggard
        Sep 5 '16 at 6:50




        1




        1





        Check lines before 32? It does say near :-)

        – garethTheRed
        Sep 5 '16 at 7:01





        Check lines before 32? It does say near :-)

        – garethTheRed
        Sep 5 '16 at 7:01













        The error is on line 32 - if I remove that line then it works. All of the rest of my sudoers file is the default.

        – mjaggard
        Sep 6 '16 at 12:02





        The error is on line 32 - if I remove that line then it works. All of the rest of my sudoers file is the default.

        – mjaggard
        Sep 6 '16 at 12:02













        I got rid of that error by using this mat ALL=(root) NOPASSWD: /sbin/iw but now I just get command failed: Operation not permitted (-1) when I run /sbin/iw wlan0 scan

        – mjaggard
        Sep 6 '16 at 12:04





        I got rid of that error by using this mat ALL=(root) NOPASSWD: /sbin/iw but now I just get command failed: Operation not permitted (-1) when I run /sbin/iw wlan0 scan

        – mjaggard
        Sep 6 '16 at 12:04




        1




        1





        I've tried again. Used mat ALL=(root) NOPASSWD: /sbin/iw wlan0 scan this time and it worked. One thing I didn't realise before is that you still have to specify sudo it just doesn't ask for a password anymore.

        – mjaggard
        Sep 6 '16 at 12:09





        I've tried again. Used mat ALL=(root) NOPASSWD: /sbin/iw wlan0 scan this time and it worked. One thing I didn't realise before is that you still have to specify sudo it just doesn't ask for a password anymore.

        – mjaggard
        Sep 6 '16 at 12:09













        1














        You can configure sudo to not ask for a password.



        Type in visudo and add lines such as this:



        myuser ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
        myuser ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan


        or



        %mygroup ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
        %mygroup ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan


        Note that you need to specify the full path to iw and that you still need to run using sudo but now you won't be prompted for your password.



        sudo iw wlan0 scan


        Thanks @garethTheRed for part of this answer.






        share|improve this answer






























          1














          You can configure sudo to not ask for a password.



          Type in visudo and add lines such as this:



          myuser ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
          myuser ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan


          or



          %mygroup ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
          %mygroup ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan


          Note that you need to specify the full path to iw and that you still need to run using sudo but now you won't be prompted for your password.



          sudo iw wlan0 scan


          Thanks @garethTheRed for part of this answer.






          share|improve this answer




























            1












            1








            1







            You can configure sudo to not ask for a password.



            Type in visudo and add lines such as this:



            myuser ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
            myuser ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan


            or



            %mygroup ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
            %mygroup ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan


            Note that you need to specify the full path to iw and that you still need to run using sudo but now you won't be prompted for your password.



            sudo iw wlan0 scan


            Thanks @garethTheRed for part of this answer.






            share|improve this answer















            You can configure sudo to not ask for a password.



            Type in visudo and add lines such as this:



            myuser ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
            myuser ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan


            or



            %mygroup ALL=(root) NOPASSWD: /sbin/iw wlan0 scan
            %mygroup ALL=(root) NOPASSWD: /sbin/iwlist wlan0 scan


            Note that you need to specify the full path to iw and that you still need to run using sudo but now you won't be prompted for your password.



            sudo iw wlan0 scan


            Thanks @garethTheRed for part of this answer.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Apr 13 '17 at 12:36









            Community

            1




            1










            answered Sep 6 '16 at 12:19









            mjaggardmjaggard

            1134




            1134























                0














                The solution I found for this, a one-liner, was to set the setuid bit on the binary I wanted to execute (in my case, iwconfig):



                sudo chmod u+s /sbin/iwconfig





                share|improve this answer




























                  0














                  The solution I found for this, a one-liner, was to set the setuid bit on the binary I wanted to execute (in my case, iwconfig):



                  sudo chmod u+s /sbin/iwconfig





                  share|improve this answer


























                    0












                    0








                    0







                    The solution I found for this, a one-liner, was to set the setuid bit on the binary I wanted to execute (in my case, iwconfig):



                    sudo chmod u+s /sbin/iwconfig





                    share|improve this answer













                    The solution I found for this, a one-liner, was to set the setuid bit on the binary I wanted to execute (in my case, iwconfig):



                    sudo chmod u+s /sbin/iwconfig






                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Jun 7 '17 at 15:11









                    Paul BissexPaul Bissex

                    1012




                    1012























                        0














                        If Network Manager is used on the system, then sudo privilege is not needed. Simply run:



                        nmcli dev wifi rescan


                        Immediately following this command (for maybe 30 seconds), the full list of available WiFi networks is visible, even to other tools.



                        For example, in my test:



                        iwlist scan             # lists 1 AP
                        nmcli dev wifi rescan
                        iwlist scan # lists 8 APs





                        share|improve this answer




























                          0














                          If Network Manager is used on the system, then sudo privilege is not needed. Simply run:



                          nmcli dev wifi rescan


                          Immediately following this command (for maybe 30 seconds), the full list of available WiFi networks is visible, even to other tools.



                          For example, in my test:



                          iwlist scan             # lists 1 AP
                          nmcli dev wifi rescan
                          iwlist scan # lists 8 APs





                          share|improve this answer


























                            0












                            0








                            0







                            If Network Manager is used on the system, then sudo privilege is not needed. Simply run:



                            nmcli dev wifi rescan


                            Immediately following this command (for maybe 30 seconds), the full list of available WiFi networks is visible, even to other tools.



                            For example, in my test:



                            iwlist scan             # lists 1 AP
                            nmcli dev wifi rescan
                            iwlist scan # lists 8 APs





                            share|improve this answer













                            If Network Manager is used on the system, then sudo privilege is not needed. Simply run:



                            nmcli dev wifi rescan


                            Immediately following this command (for maybe 30 seconds), the full list of available WiFi networks is visible, even to other tools.



                            For example, in my test:



                            iwlist scan             # lists 1 AP
                            nmcli dev wifi rescan
                            iwlist scan # lists 8 APs






                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Jan 23 at 7:51









                            bitinerantbitinerant

                            817




                            817






























                                draft saved

                                draft discarded




















































                                Thanks for contributing an answer to Unix & Linux Stack Exchange!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid



                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.


                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function () {
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f169212%2fiwlist-scanning-without-root-privileges%23new-answer', 'question_page');
                                }
                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                Popular posts from this blog

                                How to make a Squid Proxy server?

                                Is this a new Fibonacci Identity?

                                19世紀