Non-root user netfilter authorization (not sudo)

I want to allow a non-root user to add and delete elements from an nftables (nft) set, any clues how to do it?
Currently I get: Operation not permitted (as expected).

the nft commands in particular are:

$ nft add element inet abc myset { ... }
$ nft delete element inet abc myset { ... }

Thanks in advance

You can use sudo to allow a user to use only one command, in this case nft, as root. For more info, see man sudoers.

2 Likes

Thanks ersen, good idea!
I only want to allow nft access; I believe sudo seems too broad. Do you know any other way, like using polkit?

sudo can be used to allow a non-root user to use only a single command as root, in this case nft, and it will block all others.

1 Like

Mate, I really thank you for your support, and sure, sudo will work and can be constrained to only allow specific commands and so on, but it is still too broad and outside the spec:

I’m looking at authorizations, like a polkit directive or so.

Hope you have a great day, and take care.

user ALL = (root) COMMA_SEPARATED_LIST_OF_CMDS

This line in the /etc/sudoers file will allow user to run only the commands in COMMA_SEPARATED_LIST_OF_CMDS as root, and deny any other commands. How is that too broad? You can even specify arguments, i.e. allow this command with these args but not with those args. See the EXAMPLES section of man sudoers for more examples.

1 Like
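As an added example that is not from any poster in this thread, here is the shape a restricted sudo setup for the two commands in the original post would take. One caveat first: a direct sudoers rule such as `user ALL = (root) /usr/sbin/nft add element inet abc myset *` is weaker than it looks, because nft parses its command-line arguments as one script and a semicolon separates statements, so a trailing `\; flush ruleset` after the set element would still match the `*` wildcard and be executed as root. The usual fix is to let sudo run only a small root-owned wrapper that fixes the family/table/set from the post (`inet abc myset`), accepts a single verb and a single validated element, and never passes free-form text to nft. The wrapper path `/usr/local/sbin/nft-myset`, the user name `alice`, and the choice of plain IPv4 addresses as the only allowed element type are assumptions for this example.

```sh
#!/bin/sh
# Hypothetical wrapper /usr/local/sbin/nft-myset (path assumed), installed
# root-owned and not writable by the calling user, invoked only via sudo.
# Accepted forms:
#   nft-myset add <ipv4>
#   nft-myset delete <ipv4>
# Everything else is refused, so the caller never reaches nft's general
# command parser with attacker-controlled text.
#
# Matching sudoers entry (edit with visudo; 'alice' is a placeholder):
#   alice ALL = (root) NOPASSWD: /usr/local/sbin/nft-myset add *, \
#                                /usr/local/sbin/nft-myset delete *
# The '*' is harmless here: the wrapper rejects any extra arguments itself.
set -eu
PATH=/usr/sbin:/sbin:/usr/bin:/bin   # do not trust the caller's PATH

FAMILY=inet   # from the original post
TABLE=abc     # from the original post
SET=myset     # from the original post

# Return 0 if $1 is a plain dotted-quad IPv4 address, 1 otherwise.
# Deliberately strict: no CIDR, no ranges, no whitespace, and no nft
# tokens such as ';', '{', '}' or '#', so nothing can smuggle in a
# second nft statement.
is_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr     # safe to split: only digits and dots survived the check
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in 0[0-9]*) return 1 ;; esac      # no leading zeros
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Run the single nft command shape this wrapper permits.
# $1 = add|delete, $2 = an address that already passed is_ipv4.
run_nft() {
    nft "$1" element "$FAMILY" "$TABLE" "$SET" "{ $2 }"
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 add|delete <ipv4>" >&2; return 2; }
    case $1 in
        add|delete) ;;
        *) echo "refused: verb must be add or delete" >&2; return 2 ;;
    esac
    is_ipv4 "$2" || { echo "refused: not a plain IPv4 address: $2" >&2; return 2; }
    run_nft "$1" "$2"
}

# With no arguments the file only defines its functions (handy for testing);
# as a command it dispatches to main.
[ $# -eq 0 ] || main "$@"
```

Two properties make this tighter than a wildcard rule on nft itself: the table, family and set name are constants the caller cannot influence, and the validator whitelists characters rather than blacklisting nft syntax, so anything that is not exactly one IPv4 address is refused before nft ever runs.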

I’m sorry mate I think we’re not communicating well.

There’s some documentation here on using polkit. Give it a go:

https://wiki.archlinux.org/index.php/Polkit

2 Likes