Change network settings programmatically without root

1

I want to change network configurations like DHCP, IP address and so on programmatically.

But what I don't want, is to run my application as root. So my question is: What would be a common approach to solve that? Is this even possible?

Is there maybe any group that is allowed to do that without gaining any other rights? Or should I 'chown' the config files to a special group and add the user to that group?

Related to this (if that is off topic, tell me and I will open another question): The target is an embedded device and the application should be the only one that is accessible by the user. Is there any good (best) practice? Should I create a special user for that application? Any hints are appreciated.

exilit

Posted 2014-03-26T16:31:11.533

Reputation: 113

Answers

2

You might set capabilities on your program. This would allow it to do certain privileged tasks without the need to run completely as root. The capability in question here is CAP_NET_ADMIN:

CAP_NET_ADMIN
    Perform various network-related operations:
     * interface configuration;
     * administration of IP firewall, masquerading, and accounting;
     * modify routing tables;
     * bind to any address for transparent proxying;
     * set type-of-service (TOS)
     * clear driver statistics;
     * set promiscuous mode;
     * enabling multicasting;
     * use  setsockopt(2)  to set the following socket options: SO_DEBUG, SO_MARK,
       SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE,  and
       SO_SNDBUFFORCE.

You'll find more information on capabilities in the capabilities(7) and setcap(8) manpages.

To secure this even more, in case you only need a specific subset of users to be able to run this program, you could put those users into a group, chgrp your program into this group and chmod it to 0750.

Andreas Wiese

Posted 2014-03-26T16:31:11.533

Reputation: 1 911

That could be interesting to me. Do not have enough reputation to upvote, sorry. – exilit – 2014-03-26T18:35:38.353

I am curious about the handling of shared objects. The manual is only talking about threads. So am I right that setting a SO's capability doesn't have any effect on the executed code? As far as I understand the code of the shared object is executed with the capabilities inherited from the thread in which the object is executed in, right? – exilit – 2014-03-27T09:41:34.020

I think capabilities only have effect on executables. Difficult wording, hrm… those things with main() functions. ;) – Andreas Wiese – 2014-03-27T10:19:01.727

So a shared object would inherit capabilities from the "thing with the main() function" :) ? – exilit – 2014-03-27T10:37:58.023

As far as I can see… yes. – Andreas Wiese – 2014-03-27T10:43:05.647
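Added example, not part of the original answer or its comments: a small C tool that sets an IPv4 address and netmask on an interface with ioctl(SIOCSIFADDR)/ioctl(SIOCSIFNETMASK), both of which the kernel gates on CAP_NET_ADMIN. Instead of root or a setuid bit, the capability is attached to the binary with setcap as the answer describes; the program also reads its own CapEff mask from /proc/self/status so it can tell the user up front whether the capability actually arrived. The binary name (setaddr), the group name (netcfg) and the interface/address values in the comments are placeholders, and the CapEff parser is split out so it can be exercised on constructed status text.

```c
/*
 * Build, then grant the file capability instead of running as root:
 *
 *   cc -O2 -o setaddr setaddr.c
 *   sudo setcap cap_net_admin+ep ./setaddr        # permitted + effective on exec
 *   getcap ./setaddr                              # shows: ./setaddr cap_net_admin=ep
 *   sudo chgrp netcfg ./setaddr && sudo chmod 0750 ./setaddr   # limit who may run it
 *   ./setaddr eth0 192.0.2.10 255.255.255.0       # placeholder interface/address
 *
 * File capabilities are evaluated by the kernel at execve(), so they live on the
 * executable only. A shared object carries none; its code simply runs with the
 * capability sets of the process that mapped it.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

#define CAP_NET_ADMIN_BIT 12   /* CAP_NET_ADMIN == 12 in <linux/capability.h> */

/* Parse the "CapEff:" line of /proc/<pid>/status text and report whether
 * CAP_NET_ADMIN is in the effective set: 1 = present, 0 = absent,
 * -1 = no CapEff line found. Pure function, testable on constructed input. */
int capeff_has_net_admin(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p)
        return -1;
    unsigned long long mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((mask >> CAP_NET_ADMIN_BIT) & 1ULL);
}

/* Same check against our own process. */
int have_cap_net_admin(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return capeff_has_net_admin(buf);
}

/* Prepare an ifreq carrying the interface name and one dotted-quad address. */
static int fill_ifreq(struct ifreq *ifr, const char *ifname, const char *dotted)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)&ifr->ifr_addr;
    memset(ifr, 0, sizeof *ifr);
    strncpy(ifr->ifr_name, ifname, IFNAMSIZ - 1);
    sin->sin_family = AF_INET;
    return inet_pton(AF_INET, dotted, &sin->sin_addr) == 1 ? 0 : -1;
}

/* Set address and netmask on ifname. Returns 0 or a negative errno.
 * -EPERM from the ioctl means the process has no CAP_NET_ADMIN. Input is
 * validated before any socket is opened, so bad arguments never reach the kernel. */
int set_ipv4_address(const char *ifname, const char *addr, const char *mask)
{
    struct ifreq set_addr, set_mask;

    if (strlen(ifname) >= IFNAMSIZ)
        return -ENAMETOOLONG;
    if (fill_ifreq(&set_addr, ifname, addr) < 0 ||
        fill_ifreq(&set_mask, ifname, mask) < 0)
        return -EINVAL;

    /* Any AF_INET socket works as the ioctl handle; no traffic is sent. */
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;

    int rc = 0;
    if (ioctl(fd, SIOCSIFADDR, &set_addr) < 0 ||
        ioctl(fd, SIOCSIFNETMASK, &set_mask) < 0)
        rc = -errno;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s IFACE ADDR NETMASK\n", argv[0]);
        return 2;
    }
    if (have_cap_net_admin() != 1)
        fprintf(stderr, "warning: CAP_NET_ADMIN not in effective set; expect EPERM\n");

    int rc = set_ipv4_address(argv[1], argv[2], argv[3]);
    if (rc < 0) {
        fprintf(stderr, "%s: %s\n", argv[1], strerror(-rc));
        return 1;
    }
    return 0;
}
```

The difference from the setuid route is visible in the CapEff line: a setcap'd binary shows only bit 12 raised, while a setuid-root binary gets the full bounding set, and an ordinary invocation by a non-root user shows zero and fails the ioctl with EPERM. Note that setcap writes an extended attribute, so the filesystem on the embedded device must support xattrs (and they are lost when the binary is copied without them, e.g. by a plain cp without --preserve=xattr).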

1

If you're using NetworkManager on your computer, you could use NM-CLI.

nmcli is a command-line tool for controlling NetworkManager and getting its status. It is not meant as a replacement of nm-applet or other similar clients. Rather it's a complementary utility to these programs. nmcli's main usage is on servers, headless machines or just for power users who prefer the command line.

   The use cases comprise:

   --  Initscripts: ifup/ifdown can utilize NetworkManager via nmcli
       instead of having to manage connections itself and possible
       interfere with NetworkManager.

   --  Servers, headless machines: No GUI is available; then nmcli is used
       to talk directly to NetworkManager and control only system-wide
       connections.

   --  User sessions: For this case, nmcli can talk to nm-applet to find
       user connections.  It can still talk directly to NetworkManager for
       manipulating these connections.  As nmcli doesn't have direct
       access to user configuration data in GConf, nm-applet handles that
       itself.  That may, for example, cause the applet to pop up keyring
       dialogs when secrets are needed.

Piskvor left the building

Posted 2014-03-26T16:31:11.533

Reputation: 2 277

0

If your target device supports it, the setuid mechanism might be the way to go.

http://en.wikipedia.org/wiki/Setuid

Some programs need root privileges, and what you do with setuid is that the executable file belongs to root and has the setuid-bit set, so when another user executes it, the executable is run with root privileges.

But also note that

Due to potential security issues, many operating systems ignore the setuid attribute when applied to executable shell scripts.

Jasper

Posted 2014-03-26T16:31:11.533

Reputation: 798

Thank you. But I have already thought about setuid and that is not an option for me because I don't want to exec another program. In that case I could simply use ip or ifconfig with the setuid bit set – exilit – 2014-03-26T16:51:40.267