General
cancel
Showing results for 
Search instead for 
Did you mean: 

ifconfig or "other" nic config command(s)

SOLVED
Go to solution
john guardian
Super Advisor

ifconfig or "other" nic config command(s)

"ifconfig lan0 up/down" works, as always for root yet does not for a non-root user. One of the admins asked me why it didn't since the cmd mode is set to 555. While I know this is a cmd that requires a priv user, exactly what prevents the non-root user from executing the above command? I believe they said they rx'd an error like "must be root" message when they tried it as non-root.

Thx.
6 REPLIES
Patrick Wallek
Honored Contributor
Solution

Re: ifconfig or "other" nic config command(s)

I believe there is a check built into the command to determine if one is root or, possibly more accurately, a user with a UID of 0.
Patrick Wallek
Honored Contributor

Re: ifconfig or "other" nic config command(s)

To elaborate after some tests -- There are some functions of the ifconfig command that do NOT require root access.

For example, I can do 'ifconfig lan1' as a normal user to see how the NIC is set up.

However, if I do 'ifconfig lan1 up' as a normal user I get the "permission denied" error.

So, depending on what exactly you are trying to do, it may or may not check to see if you are root. If it is a function that could change a configuration or take the NIC up or down, the root would likely be required.
Duncan Edmonstone
Honored Contributor

Re: ifconfig or "other" nic config command(s)

There are 2 forms to the ifconfig command - an "informational" form and a "configuration" form. For the "informational" form, that needs to work for any user, so you will find:

ifconfig lan0

works as any user, but

ifconfig lan0 up

only works as root.

So the command needs to be executable by any user, but you don't want any user being able to change IP addresses, so the code for ifconfig no doubt has a check for the effective user ID of the user in it, only allowing UID 0 to make changes...

HTH

Duncan

HTH

Duncan
Dennis Handly
Acclaimed Contributor

Re: ifconfig or "other" nic config command(s)

>so the code for ifconfig no doubt has a check for the effective user ID of the user in it,

In this case there is no need for that check since it isn't a setuid program. The standard permissions on the devices is what gives that error.
But ifconfig does call getuid(2) if only to give a nicer error message.
Matti_Kurkela
Honored Contributor

Re: ifconfig or "other" nic config command(s)

> While I know this is a cmd that requires a priv user, exactly what prevents the non-root user from executing the above command?

Some system calls are restricted for privileged users only. When such a system call is made, the kernel checks the identity of the caller process. If the process does not have the necessary privileges, the kernel will immediately return a "permission denied" error code to the calling program instead of doing the requested action.

Originally, this restriction was solely based on whether the user is root or not. However, with RBAC, it's possible to assign some users the privilege to use some sub-set of the restricted system calls.

Before RBAC and similar fine-grained privilege systems, the original Unix way to allow some unprivileged user to use some privileged system call was to make a program that checks the user's identity, makes some independent checks as to whether this particular user is authorized to do the requested action or not, and acts accordingly. This program would then be given "setuid root" permission, to allow it to run the requested system call as root - if and only if the user passes the security checks built into the program itself.

A setuid root program has root privileges when it starts, but it still "knows" the identity of the user that started the program. For example, "passwd" is a setuid root program, but when it's used by a non-root user, it only allows the user to change his/her own password, not anybody else's. (For technical details, please read this: http://www.lst.de/~okir/blackhats/node23.html )

MK
MK
Ismail Azad
Esteemed Contributor

Re: ifconfig or "other" nic config command(s)

Hi,

Adding to Matti's graceful explanation.. I'd like to add a part to the system calls... Sometimes, it is not enough to audit a command because as a malicious user someone would create a symobolic link between dir and ls and a dir * would be seen as a relatively safe command but is doing something very destructive. That is where the whole point arises of auditting the system call as in this way you get to know what dir actually does.

Regards
Ismail Azad
Read, read and read... Then read again until you read "between the lines".....