Run ifup and ifdown with sudo using Linux capability


I want to run ifup eth0 and ifdown eth0 without sudo by using Linux capabilities. For this issue I have written the following code in main.c:

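#include <stdio.h>

int main(void)
{
    FILE *fp;

    /* popen() starts /bin/sh -c "ifdown eth0" as a separate program */
    fp = popen("ifdown eth0", "r");
    if (fp == NULL)
    {
        printf("popen failed\n");
        return 1;
    }
    pclose(fp);
    return 0;
}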

I have set capabilities on the binary as follows:

sudo   setcap -v cap_chown,cap_dac_override,cap_fowner,cap_dac_read_search,cap_net_admin+epi main

All the capabilities are set; this is verified by using the getcap command:

getcap main
main = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_net_admin+eip

If I run the above code, I get the following reply:

./main
ifdown: failed to open lockfile /run/network/ifstate.eth0: Permission denied

Can somebody help me on this?

1

There are 1 answers

0
Shachar Shemesh On

Capabilities don't work the way you think they do. They are attached to an executable file, and are reset when you execute a new file.

Your executable might have the permissions it needs to change interface status, but not to run an external program that does so, which is what popen does.

I don't like it either, but that's the way it is.

If you've already written a program for doing what you want, you might as well go ahead and set uid on it. That will work as expected.
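
The behaviour described in the answer, worked through for the question's setup as an added example (not code from the question or the answer): it applies the execve() capability formulas from capabilities(7) to the chain shell -> ./main -> /bin/sh -> ifdown. The struct and function names are constructed for illustration, and the keep_net_admin case, which models a program placing CAP_NET_ADMIN in its inheritable and ambient sets before the exec, goes beyond the case the answer covers.

```c
#include <stdint.h>
#include <stdio.h>
/* Capability numbers from <linux/capability.h>; ASKER_CAPS is the set from the question. */
enum { CAP_CHOWN = 0, CAP_DAC_OVERRIDE = 1, CAP_DAC_READ_SEARCH = 2, CAP_FOWNER = 3, CAP_NET_ADMIN = 12 };
#define BIT(c) (UINT64_C(1) << (c))
#define ASKER_CAPS (BIT(CAP_CHOWN) | BIT(CAP_DAC_OVERRIDE) | BIT(CAP_DAC_READ_SEARCH) | \
                    BIT(CAP_FOWNER) | BIT(CAP_NET_ADMIN))

struct proc_caps { uint64_t permitted, inheritable, effective, bounding, ambient; };
struct file_caps { uint64_t permitted, inheritable; int effective_bit; };

/* execve() rules for a non-root process, from capabilities(7); set-ID files are not modelled. */
struct proc_caps caps_after_exec(struct proc_caps p, struct file_caps f)
{
    struct proc_caps n;
    int file_has_caps = f.permitted || f.inheritable || f.effective_bit;
    n.ambient     = file_has_caps ? 0 : p.ambient;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective   = f.effective_bit ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;   /* the file's +i does not add to this set */
    n.bounding    = p.bounding;
    return n;
}

/* An unprivileged shell executes ./main, whose file capabilities are "+eip". */
struct proc_caps caps_in_main(void)
{
    struct proc_caps shell = { .bounding = ~UINT64_C(0) };
    struct file_caps main_file = { ASKER_CAPS, ASKER_CAPS, 1 };
    return caps_after_exec(shell, main_file);
}

/* popen() runs /bin/sh, which runs ifdown; neither file carries capabilities.
 * keep_net_admin (assumption) models main raising CAP_NET_ADMIN as inheritable + ambient first. */
struct proc_caps caps_in_ifdown(int keep_net_admin)
{
    struct proc_caps p = caps_in_main();
    struct file_caps none = { 0, 0, 0 };
    uint64_t keep = keep_net_admin ? BIT(CAP_NET_ADMIN) : 0;
    p.inheritable |= keep;
    p.ambient     |= keep;
    return caps_after_exec(caps_after_exec(p, none), none);
}

int main(void)
{
    printf("main: %#llx  ifdown: %#llx\n", (unsigned long long)caps_in_main().effective,
           (unsigned long long)caps_in_ifdown(0).effective);
    return 0;
}
```

With the question's setup, ifdown ends up with an empty effective set, so it has neither cap_net_admin nor cap_dac_override, which matches the "Permission denied" on the lockfile.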