How to set access permissions on a network interface?

10110111 · 08-24-2010, 07:50 AM

Suppose a command:

Code:

$ ethtool eth5
Settings for eth5:
Cannot get device settings: Operation not permitted
Cannot get wake-on-lan settings: Operation not permitted
        Current message level: 0x000000ff (255)
Cannot get link status: Operation not permitted

which means eth5 is not accessible by normal user. How can i give an ordinary user access to this interface? If eth5 were a file in /dev, i would just change devnode file permissions. But it's not. So, what's the way?
P.S. sudo is not a good solution since it would make the program executed as root while i may not want this.

dr_agon · 08-24-2010, 03:22 PM

Once I used the udev rules for setting permissions for /dev/sda*. It is described in my blog here.
See also

Code:

man 7 udev

I don't know if it will work for eth, it's just a hint.
Good luck.

10110111 · 08-24-2010, 04:41 PM

You misunderstood me. eth? is not a file in /dev - it's not a file at all, so usual file permissions trick will not help here, which is the very problem i'm trying to solve.

kinetic · 08-24-2010, 06:44 PM

Udev governs all devices including network devices and anything that is/isn't in /dev. Take dr_agon's advice and start looking at udev rules. I'm sure you'll find what you're looking for. (and no I don't know how to do what you're asking specifically)

Thymox · 08-24-2010, 07:10 PM

Is the user in question a member of the "netdev" group or equivalent for your system?

--thymox

10110111 · 08-24-2010, 07:31 PM

Quote:

Take dr_agon's advice and start looking at udev rules.

As far as i have currently researched, udev only seems to rename network devices, not manage permissions for them.

Quote:

Is the user in question a member of the "netdev" group or equivalent for your system?

Well... there's no such group on my system (LFS 6.3).
Tried to add the user to this group on Ubuntu, but it didn't give me ethtool eth0 permission.

kinetic · 08-24-2010, 07:45 PM

This might be something a kernel developer could answer. I wonder if SELinux or anything related to "security profiles" might hold the answer.

corp769 · 08-28-2010, 04:59 PM

Say if you are using ethtool, try chmod'ing u+x for ethtool. Just a thought?

corp769 · 08-28-2010, 05:06 PM

Or possibly /etc/sysconfig/network-scripts/ifcfg-eth0? I am at work, so I don't have access to any of my unix or linux boxes.

10110111 · 08-29-2010, 06:50 AM

Quote:

Say if you are using ethtool, try chmod'ing u+x for ethtool. Just a thought?

ethtool is already executable a+x. It just doesn't have the permissions for some ioctls.

Quote:

Or possibly /etc/sysconfig/network-scripts/ifcfg-eth0?

/etc/sysconfig/network-scripts doesn't exist on both Ubuntu & LFS which i use.

tredegar · 08-29-2010, 08:35 AM

ethtool needs to be run as root.
Why do you want to give an ordinary user access to ethtool ? Perhaps there is an easier way of achieving what you want.

10110111 · 08-30-2010, 03:33 AM

Quote:

ethtool needs to be run as root.
Why do you want to give an ordinary user access to ethtool ?

Suppose, a use wants to r/w his disk drive (e.g. using dd). But disk drives are only accessible by root. Then you can chmod disk's /dev entry, and the user wouldn't have to use sudo. Additionally, the user would be able to do anything with the disk given away to him, including writing his own program to operate the disk.

That's the same i want to do with the NIC - just give it away to some user(s), so not only ethtool here, but any ioctl which controls the given network interface.

tredegar · 08-30-2010, 10:15 AM

Thanks for the explanation.

If you don't want to use sudo, or give the user full root access, maybe let them run in a virtual machine (where they can have root access, without harming the host machine) and give eth5 to the virtual machine.

Otherwise, maybe socat can help you:

Quote:

Socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (terminal or modem, etc.), socket (Unix, IP4, IP6 - raw, UDP, TCP), SSL, a client for SOCKS4, or proxy CONNECT. It supports broadcasts and multicasts, abstract Unix sockets, Linux tun/tap, GNU readline, and PTYs. It provides forking, logging, and dumping and different modes for interprocess communication. Many options are available for tuning socat and its channels. Socat can be used, for example, as a TCP relay (one-shot or daemon), as a daemon-based socksifier, as a shell interface to Unix sockets, as an IP6 relay, or for redirecting TCP-oriented programs to a serial line.