How to convert ip command to root?

I want it to require root access to run the ip command

How to convert ip command to command root?

Could you be more specific what you want to do?

Normally sudo "command" is enough to get temporary root privilege to run a “command” as root.

When I run the ip command in normal mode, it runs without root
I want the ip command to be executed with root; it should not run without root.

Please have a look at the following two articles in ArchWiki:

https://wiki.archlinux.org/title/Sudo

https://wiki.archlinux.org/title/Su

1 Like

I am not sure I follow what you are trying to accomplish.

Do you want the ip command to not run unless you are root?

Do you want the ip command to always have root access no matter who runs it?

Something else?

2 Likes

Exactly
Like command nethogs

I think for security reasons, Newuser doesn’t want a user to be able to run the ip command, only an administrator could run ip and make changes. I think Newuser wants the users to be blind to ip.

Pudge

1 Like

Err…isn’t that the opposite of what he requested in the post directly above yours? Now I am confused again.

I want to run command ip with sudo or root, normal running ip command not working, same command nethogs

I have no idea what ip does not work without root, what ip can with root.

If I understand correctly, you want to run ip on root without entering a password.

Install doas, then add a new alias alias ip="doas ip" in your profile.

If you want to restrict the ip command, that is difficult to achieve globally I think. nethogs fails because it tries to access resources requiring escalation before launching.

You could likely restrict access to network devices without escalation but I am not sure what the impacts of that on the general use of your system would be.

Installing doas seems extraneous here. That being said, it seems like he is looking for the opposite. Making the command fail without root.

1 Like

A quick google:

sudo chgrp root /usr/bin/applicationcommand
sudo chmod 750 /usr/bin/applicationcommand

Not tested. tested.

sudo cp /usr/bin/ip /usr/bin/iptst
sudo chgrp root /usr/bin/iptst
sudo chmod 750 /usr/bin/iptst

Try to run:

iptst                                            
zsh: permission denied: iptst

# So try with sudo::
➡ 18:56 in ~ ➜  sudo iptst
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
       ip [ -force ] -batch filename
where  OBJECT := { address | addrlabel | amt | fou | help | ila | ioam | l2tp |
                   link | macsec | maddress | monitor | mptcp | mroute | mrule |
                   neighbor | neighbour | netconf | netns | nexthop | ntable |
                   ntbl | route | rule | sr | tap | tcpmetrics |
                   token | tunnel | tuntap | vrf | xfrm }
       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
                    -h[uman-readable] | -iec | -j[son] | -p[retty] |
                    -f[amily] { inet | inet6 | mpls | bridge | link } |
                    -4 | -6 | -M | -B | -0 |
                    -l[oops] { maximum-addr-flush-attempts } | -br[ief] |
                    -o[neline] | -t[imestamp] | -ts[hort] | -b[atch] [filename] |
                    -rc[vbuf] [size] | -n[etns] name | -N[umeric] | -a[ll] |
                    -c[olor]}
1 Like

I wonder if that will survive an update? Also, Arch doesn’t have a sudo group.

Also, what is the point? You could just use a different command or pull the information in a different way.

ip isn’t the only way to see/change network information.

1 Like

ll /usr/bin/ip
-rwxr-xr-x 1 root root 759K 27.04.2023 20:45 /usr/bin/ip

You can change the rights to make the command only executable by the user (root).

sudo chmod go-x /usr/bin/ip
1 Like

Yeh, changed it to root see above. You could also use chattr to stop updates affecting.

But as you said there are many ways to skin a cat :joy_cat:

1 Like

Simply
Thank you all

Alternatively, you can create your own custom ip shell script /usr/local/bin/ip to add:
An example is here:

#!/bin/bash

### It invokes real ip binary. 
# "$@" is quoted so arguments containing spaces are passed through intact.
sudo /usr/bin/ip "$@"

Then run $ sudo chmod +x /usr/local/bin/ip

It has no problem with Arch Update overwriting the IP binary.

If another user simply runs ip, an admin password is required, except when running /usr/bin/ip.

1 Like

And run chmod go-x /usr/bin/ip
Make systemctl service running after boot

While literally this answers OP question, I am absolutely sure this is not a solution to his real problem, which he hasn’t revealed. Once again, an xyproblem.

For example, another non-root user may copy the binary to another path ($HOME/bin/) and will automatically gain ownership and executable access to the binary, AFAIK… :no_mouth: .

OTOH, it is very possible that several programs that would run as non-root may use ip for their functionality, and they wouldn’t be able to do it. :person_shrugging:

5 Likes
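
An added example, not part of any post in this thread: a POSIX shell check for the two concerns raised above, a package update resetting the mode and an unprivileged user copying the binary. It assumes GNU stat; the function name lockdown_findings is hypothetical, and the demo runs on a constructed temporary file instead of /usr/bin/ip.

```shell
#!/bin/sh
# Added example: report which permission bits still let unprivileged
# users reach a binary. lockdown_findings is a hypothetical helper name.

# Print "locked", or the problems found for the "other" permission class.
lockdown_findings() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat: octal mode, e.g. 755
    bits=$((0$mode))                        # leading 0 makes it an octal literal
    out=""
    # other-exec: any user can run the file in place
    if [ $((bits & 01)) -ne 0 ]; then out="$out other-exec"; fi
    # other-read: any user can copy the file and mark the copy executable
    if [ $((bits & 04)) -ne 0 ]; then out="$out other-read"; fi
    out=${out# }
    echo "${out:-locked}"
}

# Demo on a constructed temporary file, cycling through the modes seen in
# the thread: packaged default, after "chmod go-x", after "chmod 750".
demo=$(mktemp)
for m in 755 744 750; do
    chmod "$m" "$demo"
    printf '%s -> %s\n' "$m" "$(lockdown_findings "$demo")"
done
rm -f "$demo"
```

Calling lockdown_findings /usr/bin/ip after a package upgrade shows whether the restriction is still in place. Note that chmod go-x on a 755 file leaves it at 744, which is still readable by everyone, while chmod 750 removes that read bit as well.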

Can you explain the problem you are trying to solve?

Restricting the ip command doesn’t really do much. The access to view and change ip settings doesn’t depend on the ip command.
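
To illustrate the point that network settings can be viewed without the ip command, this added example (not code from any poster) reads the default gateway from the kernel's /proc/net/route table, which is world-readable on a typical Linux system. The function names and the sample table are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: read the default gateway from procfs, no ip binary involved.
# Function names are hypothetical; the sample table below is constructed.

# Convert the little-endian hex used by /proc/net/route to dotted quad.
hex_le_to_ipv4() {
    set -- $(echo "$1" | sed 's/\(..\)\(..\)\(..\)\(..\)/0x\4 0x\3 0x\2 0x\1/')
    printf '%d.%d.%d.%d\n' "$1" "$2" "$3" "$4"
}

# Print "IFACE GATEWAY" for every default route in a route table file.
# With no argument it reads the live table at /proc/net/route.
default_gateways() {
    while read -r iface dest gw _rest; do
        [ "$dest" = "00000000" ] || continue   # skips the header line too
        printf '%s %s\n' "$iface" "$(hex_le_to_ipv4 "$gw")"
    done < "${1:-/proc/net/route}"
}

# Constructed sample in the /proc/net/route layout (tab-separated).
sample=$(mktemp)
printf 'Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n' > "$sample"
printf 'eth0\t00000000\t0100A8C0\t0003\t0\t0\t100\t00000000\t0\t0\t0\n' >> "$sample"
printf 'eth0\t0000A8C0\t00000000\t0001\t0\t0\t100\t00FFFFFF\t0\t0\t0\n' >> "$sample"
default_gateways "$sample"
rm -f "$sample"
```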