running netclient as non-root

[tril0byte]

I want to run netclient as a normal user. If the netmaker server is compromised, the netclient should only be permitted to affect wireguard tunnels. This has several requirements:

• For a quick start the calls to the wg command should be run through sudo. Sudo can be configured to allow the netclient user to run wg with any parameters.
• Routes should not be allowed to be updated, since a compromised netmaker server could then redirect traffic from the clients to any network through a malicious intermediary. Assuming I'm not using Egress Gateways, netclient shouldn't need to update any routes, and "ip route" access should be disallowed. "ip addr" can be allowed (restricted to the specific subnet Netmaker controls).
• /etc/hosts can be made group-writable by the netclient user initially, but I'd prefer an option to have all hosts changes be reviewed manually myself. A compromise of netmaker server could hijack connections to any domain by say adding the IP of a malicious server to /etc/hosts. Presenting a list of hosts copy-pastable from the Netmaker Server Web UI would work. Netmaker should invoke a user-provided callback script (comand or HTTP URL) to notify of the need to change a hostname-IP mapping to allow methods other than "resolvectl" or /etc/hosts to be implemented by the user (for example integrating Netmaker management of WG networks into a configuration management system which may already manage /etc/hosts).

What else does netclient need root for?

[tril0byte]

updating the /etc/hosts should be filtered to only allow the specific domain netmaker is in control of

[mattkasun]

netclient will not be making exec calls to wg-quick but rather through direct library calls the library calls make changes to networks and routing (as a minimum netclient needs to add a route for the wireguard network) .. in the case of gateways, netclient also need to make change to netfilter in kernel the same way iptables(or nftables does)

All these require root.

That being said, running without root is being investigated but will not be available in the near future

[mattkasun]

unprivileged netclient GUI available in v0.19.0