Firewall-cmd question

This may be quite a large gap in my knowledge, but I have a fresh install of Fedora 39 Workstation. I noticed when setting up my firewall via firewall-cmd that I do not need sudo for the command to succeed. I did read in a Fedora document that “you can run firewall-cmd without issuing sudo with polkit in place.” There has been no authentication given to the terminal instance that I know of, so that shouldn’t be the case, right? I was under the assumption that firewall-cmd needs some type of authentication before running. I have checked other commands (dnf, systemctl, etc.) and they do require sudo to run. I also made sure that the terminal was fresh from a reboot so that no sudo commands had been run before firewall-cmd. Is this just how it works, or has something gone a bit off the rails?

I would expect firewall-cmd to require elevated privileges to perform any modifications, but I could be wrong. To check the polkit pieces that would allow elevated privileges without a password, check to see if it is easy to follow the polkit rules for firewalld:

rpm -qf /usr/bin/firewall-cmd
rpm -ql firewalld
sudo view /usr/share/polkit-1/rules.d/org.fedoraproject.FirewallD1.desktop.rules.choice

So what groups is your username in? Run

id -Gn "$USER"

Then check /etc/sudoers and files in /etc/sudoers.d for rules that apply to the USER or any groups the USER belongs to.

By default the wheel group would require a password:

%wheel	ALL=(ALL)	ALL

The line could be changed so no password is required:

%wheel	ALL=(ALL)	NOPASSWD: ALL

There are other polkit rules for firewalld which I have not sorted out yet.

Well, I found the issue, and I want to thank you for pointing me in the right direction. I found the solution in:

sudo view /usr/share/polkit-1/rules.d/org.fedoraproject.FirewallD1.desktop.rules.choice

There is a rule added that allows users in wheel to not need sudo. Not sure I agree with that being added, but it is what it is. Again, thank you for the help!
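
Added example (not from any post in this thread, and not Fedora's or firewalld's own code): a shell version of the two checks discussed above. It finds polkit rule files that mention a firewalld action and test subject.isInGroup() for one of your groups, and sudoers lines that grant NOPASSWD to your user or groups. The function names, the sample rule file and the sample sudoers lines are constructed for illustration; on a real system, point the functions (as root) at /usr/share/polkit-1/rules.d, /etc/polkit-1/rules.d and /etc/sudoers.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All sample data below is constructed.

# polkit_group_rules DIR ACTION_PREFIX GROUP...
# Prints "file:group" for each rule file in DIR that mentions ACTION_PREFIX
# and calls subject.isInGroup("<group>") for one of the given groups.
polkit_group_rules() {
    local dir="$1" prefix="$2" f g
    shift 2
    for f in "$dir"/*.rules "$dir"/*.rules.choice; do
        [ -f "$f" ] || continue
        grep -qF -- "$prefix" "$f" || continue
        for g in "$@"; do
            if grep -Eq "isInGroup\\([\"']$g[\"']\\)" "$f"; then
                printf '%s:%s\n' "${f##*/}" "$g"
            fi
        done
    done
}

# sudoers_nopasswd FILE USER GROUP...
# Prints the lines of FILE that grant NOPASSWD to USER or to %GROUP.
sudoers_nopasswd() {
    local file="$1" pat="$2" g
    shift 2
    for g in "$@"; do pat="$pat|%$g"; done
    grep -E "^[[:space:]]*($pat)[[:space:]].*NOPASSWD:" "$file" || true
}

demo() {
    local tmp
    tmp=$(mktemp -d) || return 1
    # Constructed polkit rule; this is NOT the file Fedora ships.
    cat > "$tmp/50-example-firewalld.rules" <<'EOF'
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.fedoraproject.FirewallD1.") == 0 &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
EOF
    # Constructed sudoers lines: the two %wheel forms quoted in the thread.
    printf '%s\n' '%wheel ALL=(ALL) ALL' '%wheel ALL=(ALL) NOPASSWD: ALL' > "$tmp/sudoers"
    polkit_group_rules "$tmp" org.fedoraproject.FirewallD1 wheel users
    sudoers_nopasswd "$tmp/sudoers" alice wheel
    rm -rf "$tmp"
}

demo
```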