In order to do `ifconfig` in Linux and change the IP and VIP, does it require root privileges?
Or is it also possible to do this via a non-root account?
4

user76678
- All system-wide configuration is restricted to root, for obvious reasons. You can set up `sudo(1)` to allow selected users to run some programs as other users with the corresponding privileges (including root). – vonbrand Feb 20 '13 at 19:18
- @vonbrand That's an old view of Unix systems. In modern Linux, UID 0's power is only traditional as far as function goes. Capabilities are the defining matter, so any user can be given all or portions of that power. Similarly, a system can have a root / UID 0 user with no special privileges. – Jeff Ferland Feb 20 '13 at 21:06
- @JeffFerland, that is true (I remember some SELinux experiment with a machine with root _without password_ exposed to the Internet), but _most_ systems are still managed the traditional way. – vonbrand Feb 20 '13 at 22:25
3 Answers
10
You do not need root access to use `ifconfig` to change IP addresses, only `CAP_NET_ADMIN`. Let's create a copy of `ifconfig` with `CAP_NET_ADMIN` enabled to see this:

```bash
cp /sbin/ifconfig .
sudo setcap cap_net_admin=eip ./ifconfig
./ifconfig eth0 1.2.3.4 # succeeds
# Wouldn't want to leave this copy of ifconfig around,
# It's a security hole!
rm ifconfig
```

Celada
- No, it's a capability. The idea is that you can grant just the `CAP_NET_ADMIN` capability to a process without having to grant the complete set of privileged capabilities that root (user ID 0) usually comes with. – Celada Feb 20 '13 at 19:48
- And why is it a security hole? I mean, if I need to do `ifconfig` via a process and do not run the process as root. If I use your "trick", would it somehow be a security hole? – user76678 Feb 20 '13 at 19:50
- If your kernel still allows changing dma/irq/base addresses, then a careful attacker may use your net_admin ifconfig to change these settings to overwrite memory and execute arbitrary code in kernel space. – BatchyX Feb 20 '13 at 20:02
- I used `setcap` to grant the `CAP_NET_ADMIN` capability to anyone who could execute my test copy of `ifconfig`. Since the permissions of that copy allowed unprivileged users to execute it, that means any user could make network changes. It was just a short-lived test on my desktop, but clearly a bad idea in general. That's why it was important to get rid of it after the test was done. – Celada Feb 20 '13 at 20:02
- But if you made the copy in a directory that is accessible, for example, only to users of a certain group, that would be acceptable. Right? It is just that in this case you made the copy in a directory accessible to all (I mean execute access rights). – user76678 Feb 20 '13 at 20:08
- @user76678 Correct. You can also just change the group of the `ifconfig` copy to a special group and allow only members of that group to execute it, for example with permissions rwxr-x--- (0750) – Celada Feb 20 '13 at 20:30
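
An audit sketch for the exposure discussed in the comments above (added example, not part of the original answers): it reads lines in `getcap -r` output format and flags files that grant `CAP_NET_ADMIN` while being executable by every local user. The function name and the paths in the comments are assumptions; it expects one capability clause per line and a `stat` that supports `-c %a`.

```shell
#!/bin/sh
# Flag files whose file capabilities include CAP_NET_ADMIN (permitted) and
# whose mode lets "other" execute them, so any user can change network config.
#
# Input on stdin: `getcap -r` lines. Constructed samples of both known layouts:
#   /home/alice/ifconfig cap_net_admin=eip        (newer libcap)
#   /home/alice/ifconfig = cap_net_admin+eip      (older libcap)
# Typical use:  getcap -r / 2>/dev/null | flag_world_exec_netadmin

flag_world_exec_netadmin() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        caps=${line##* }          # last field: capability clause
        path=${line% *}           # everything before it
        path=${path% =}           # drop the " =" separator of older libcap
        names=${caps%%[=+]*}      # comma-separated capability names
        flags=${caps##*[=+]}      # e / i / p flag letters

        # Only the permitted set can give the process the capability.
        case $flags in
            *p*) ;;
            *) continue ;;
        esac
        # An empty name list ("=ep") means every capability.
        case ",$names," in
            ,,|*,cap_net_admin,*) ;;
            *) continue ;;
        esac

        mode=$(stat -c %a -- "$path" 2>/dev/null) || continue
        other=${mode#"${mode%?}"} # last octal digit: permissions for "other"
        if [ $(( other & 1 )) -eq 1 ]; then
            printf 'EXPOSED %s mode=%s caps=%s\n' "$path" "$mode" "$caps"
        fi
    done
}
```

A copy restricted to a dedicated group with mode 0750, as suggested in the last comment, is not reported.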
3
Yes, you must be root to use `ifconfig`, since it is usually located in the `/usr/sbin` or `/sbin` directory. Being non-root, the `ifconfig` binary is not even in your PATH environment variable.
So, you should be root, or sudo must be set up.
But the modern way is to use the `ip` utility from the `iproute2` package. You could use it as a non-privileged user to see info about links, interfaces and routing. However, you must be root to change the settings.

gevial
- That a program is in your PATH or not is just a convenience issue. Even if, say, /sbin isn't in my PATH, I still can run /sbin/ifconfig like that. And PATH is completely under the user's control anyway. – vonbrand Feb 20 '13 at 22:28
- Yes, you are right, but `ip` is still much more convenient (unless you're on a BSD system). – gevial Feb 21 '13 at 04:33
- That wasn't my point at all. And if you have been accustomed to using `ifconfig` for 20 odd years, it is hard to learn to use `ip`... – vonbrand Feb 21 '13 at 12:10
1
This is trivial to test:

```
% ifconfig lo 1.2.3.4
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
```

So yes, it requires root.

mgorven
- ... but that doesn't answer if there's a way to run it without being root. The [Linux capabilities model](http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html) is the defining matter in that. While root is traditionally granted these rights, other processes or users can be blessed with capabilities such as through SELinux contexts or as demonstrated by Celada using setcap (being rather like making an executable setuid, but for capabilities) – Jeff Ferland Feb 20 '13 at 21:04