# Securing network control with ifconfig



## obamatronic (Oct 2, 2012)

My initial understanding is that only root can use ifconfig(8) to, say, bring an interface up or down.

Is there a way to explicitly set what users can use ifconfig(8) to modify network settings?


----------



## SirDice (Oct 2, 2012)

obamatronic said:
			
		

> My initial understanding is that only root can use ifconfig(8) to, say, bring an interface up or down.


Correct.


> Is there a way to explicitly set what users can use ifconfig(8) to modify network settings?


Nope. You'll have to resort to things like security/sudo.


----------



## obamatronic (Oct 2, 2012)

SirDice said:
			
		

> Correct.
> 
> Nope. You'll have to resort to things like security/sudo.



Curious: where is it configured to only allow root to make network changes with ifconfig?  I experimented with changing permissions on /sbin/ifconfig but that had no effect.


----------



## SirDice (Oct 2, 2012)

obamatronic said:
			
		

> Curious: where is it configured to only allow root to make network changes with ifconfig?


There isn't anything to configure in this regard. Not unless you like hacking kernels.


----------



## mamalos (Oct 3, 2012)

Just out of curiosity: aren't there any MAC or RBAC options for enabling such commands?


----------



## SirDice (Oct 3, 2012)

Good point!

No idea but you may be able to add ACLs to the correct objects.


----------

