I want it to require root access to run the ip command
How to convert ip command to command root?
Could you be more specific what you want to do?
Normally sudo "command" is enough to get temporary root privilege to run a “command” as root.
When I run the ip command in normal mode, it runs without root
I want the ip command to be executed with root do not run without root
Please have a look at the following two articles in ArchWiki:
I am not sure I follow what you are trying to accomplish.
Do you want the ip command to not run unless you are root?
Do you want the ip command to always have root access no matter who runs it?
Something else?
Exactly
Like command nethogs
I think for security reasons, Newuser doesn’t want a user to be able to run the ip command, only an administrator could run ip and make changes. I think Newuser wants the users to be blind to ip.
Pudge
Err…isn’t that the opposite of what he requested in the post directly above yours? Now I am confused again.
I want to run command ip with sudo or root, normal running ip command not working, same command nethogs
I have no idea what ip does not work without root, what ip can with root.
If I understand correctly, you want to run ip on root without entering a password.
Install doas, then add a new alias alias ip="doas ip" in your profile.
If you want to restrict the ip command, that is difficult to achieve globally I think. nethogs fails because it tries to access resources requiring escalation before launching.
You could likely restrict access to network devices without escalation but I am not sure what the impacts of that on the general use of your system would be.
Installing doas seems extraneous here. That being said, it seems like he is looking for the opposite. Making the command fail without root.
A quick google:
sudo chgrp root /usr/bin/applicationcommand
sudo chmod 750 /usr/bin/applicationcommand
Not tested. tested.
sudo cp /usr/bin/ip /usr/bin/iptst
sudo chgrp root /usr/bin/iptst
sudo chmod 750 /usr/bin/iptst
Try to run:
iptst
zsh: permission denied: iptst
# So try with sudo:
➡ 18:56 in ~ ➜ sudo iptst
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
ip [ -force ] -batch filename
where OBJECT := { address | addrlabel | amt | fou | help | ila | ioam | l2tp |
link | macsec | maddress | monitor | mptcp | mroute | mrule |
neighbor | neighbour | netconf | netns | nexthop | ntable |
ntbl | route | rule | sr | tap | tcpmetrics |
token | tunnel | tuntap | vrf | xfrm }
OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
-h[uman-readable] | -iec | -j[son] | -p[retty] |
-f[amily] { inet | inet6 | mpls | bridge | link } |
-4 | -6 | -M | -B | -0 |
-l[oops] { maximum-addr-flush-attempts } | -br[ief] |
-o[neline] | -t[imestamp] | -ts[hort] | -b[atch] [filename] |
-rc[vbuf] [size] | -n[etns] name | -N[umeric] | -a[ll] |
-c[olor]}
I wonder if that will survive an update? Also, Arch doesn’t have a sudo group.
Also, what is the point? You could just use a different command or pull the information in a different way.
ip isn’t the only way to see/change network information.
ll /usr/bin/ip
-rwxr-xr-x 1 root root 759K 27.04.2023 20:45 /usr/bin/ip
You can change the rights to make the command only executable by the user (root).
sudo chmod go-x /usr/bin/ip
Yeh, changed it to root see above. You could also use chattr to stop updates affecting.
But as you said there are many ways to skin a cat
Simply
Thank you all
Alternatively, you can create your own custom ip shell script /usr/local/bin/ip to add:
An example is here:
#!/bin/bash
### It invokes real ip binary.
sudo /usr/bin/ip "$@"
Then run $ sudo chmod +x /usr/local/bin/ip
It has no problem with Arch Update overwriting the IP binary.
If another user simply runs ip, an admin password is required, except running /usr/bin/ip.
And run chmod go-x /usr/bin/ip
Make systemctl service running after boot
While literally this answers OP question, I am absolutely sure this is not a solution to his real problem, which he hasn’t revealed. Once again, an xyproblem.
For example, another non-root user may copy the binary to another path ($HOME/bin/) and will automatically gain ownership and executable access to the binary, AFAIK…
OTOH, several programs that would run as non-root is very possible they may use ip for their functionalities, and they wouldn’t be able to do it.
Can you explain the problem you are trying to solve?
Restricting the ip command doesn’t really do much. The access to view and change ip settings doesn’t depend on the ip command.
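The two restrictions tried in the thread (chmod go-x on a 755 binary, and chmod 750) differ in whether the read bit stays set, which decides whether the copy-the-binary concern raised above applies. The audit helper below is an added example, not code from any poster; the function names and the throwaway demo files are assumptions made for illustration, and it looks only at mode bits, not ACLs.

```shell
#!/bin/sh
# Added example: report what a binary's mode bits still allow for accounts
# other than the owner. Function names are hypothetical.

# classify TRIPLET -> open | copyable | restricted
#   open       : this class can execute the file directly
#   copyable   : execute is gone but read is not, so a user in this class
#                can copy the file and make the copy executable
#   restricted : this class can neither execute nor read the file
classify() {
    case $1 in
        ??[xst]) echo open ;;        # x, or setgid/sticky with execute set
        r??)     echo copyable ;;
        *)       echo restricted ;;
    esac
}

# audit_exec_restriction PATH -> "group=<state> other=<state>"
# "group" covers members of the file's group, "other" covers everyone else.
audit_exec_restriction() {
    [ -e "$1" ] || return 2
    perms=$(ls -ld -- "$1" | cut -c1-10)     # e.g. -rwxr--r--
    g=$(printf '%s' "$perms" | cut -c5-7)
    o=$(printf '%s' "$perms" | cut -c8-10)
    echo "group=$(classify "$g") other=$(classify "$o")"
}

# Constructed demo on empty throwaway files that mirror the thread's modes.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/ip_755";  chmod 755 "$d/ip_755"                       # stock mode
    : > "$d/ip_go-x"; chmod 755 "$d/ip_go-x"; chmod go-x "$d/ip_go-x"
    : > "$d/ip_750";  chmod 750 "$d/ip_750"
    for f in ip_755 ip_go-x ip_750; do
        printf '%-8s %s\n' "$f" "$(audit_exec_restriction "$d/$f")"
    done
    rm -rf "$d"
}

demo
```

A result of copyable means the mode change stops direct execution only; restricted still leaves the other interfaces to network settings mentioned in the last reply untouched.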