Linux – Privileges for ifconfig

ifconfiglinuxunix

In order to do ifconfig in Linux and change the IP and VIP does it require root privileges?
Or it is also possible to do this via a non-root account?

Best Answer

You do not need root access to use ifconfig to change IP addresses, only CAP_NET_ADMIN. Let's create a copy of ifconfig with CAP_NET_ADMIN enabled to see this:

cp /sbin/ifconfig .
sudo setcap cap_net_admin=eip ./ifconfig
./ifconfig eth0 1.2.3.4    # succeeds

# Wouldn't want to leave this copy of ifconfig around,
# It's a security hole!
rm ifconfig

Related Solutions

Linux – Risks of Always Being Root

If you're logged in as root, you can easily wipe directories or do something that in retrospect is really dumb on the system with the flip of a finger, while as a user you normally have to put a few extra mental cycles into what you're typing before doing something that is dangerous.

Also any program you run as root as root privileges, meaning if someone or something gets you to run/compile/browse a website that is dangerous and wants to damage your system, such as a trojan or other malware, it has full access to your system and can do what it wants, including access to TCP ports below 1024 (so it can turn your system into a remailer without your knowledge, for example).

Basically you're kind of asking for trouble that logging in as yourself may prevent. I've known many people that ended up being glad they had that safety net in a moment of carelessness.

EDIT: There is also the issue of root being the most well known, thus an easy target, for scripts and hacks. Systems that disable the account and instead force users to use sudo means that any attempt to crack root from ssh or a local exploit to the account are banging their heads against a wall. They'd have to guess/crack a password and username. It's security through obscurity to a degree but it's hard to argue that it doesn't foil most script kiddie attacks.

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Best Answer

Related Solutions

Linux – Risks of Always Being Root

Linux – How to run a server on port 80 as a normal user on Linux

Related Topic