I am trying to give permission to a user to perform the same operations as root on the network device can0, such as bringing it up or down. My first idea was to set the group and/or owner of the device to my user and a group I belong to.

Here's what udevadm info -ap $(udevadm info -q path -p /sys/class/net/can0) shows before setting a udev rule:

$ udevadm info -ap $(udevadm info -q path -p /sys/class/net/can0)
  looking at device '/devices/platform/soc/3f204000.spi/spi_master/spi0/spi0.0/net/can0':
    KERNEL=="can0"
    SUBSYSTEM=="net"
    DRIVER==""
    ATTR{netdev_group}=="0"
...
  looking at parent device '/devices/platform/soc/3f204000.spi/spi_master/spi0/spi0.0':
    KERNELS=="spi0.0"
    SUBSYSTEMS=="spi"
    DRIVERS=="mcp251x"

And here's the rule I tried (in /etc/udev/rules.d/50-can.rules):

KERNELS=="spi0.0", SUBSYSTEMS=="spi", DRIVERS=="mcp251x", GROUP="can", OWNER="<myuser>"

A udevadm test $(udevadm info -q path -p /sys/class/net/can0) reports the owner and group should be set correctly:

...
OWNER 1001 /etc/udev/rules.d/50-can.rules:7
GROUP 1003 /etc/udev/rules.d/50-can.rules:7
...

However after reloading the rules (udevadm control -R) and a reboot, I still cannot bring can0 up or down as a user:

$ ip link set can0 down
RTNETLINK answers: Operation not permitted

I know this rule is matched correctly because I can change the name of the interface by setting the NAME property.

I suspect the problem might have to do with the fact that I can't find a can0 interface under /dev, which might indicate that there is no character/block device for it and programs (such as ip) don't access the device through traditional unix ownership/permissions. If that's correct, how can I accomplish this with udev (namely, giving my user full permissions to can0)?

Note: I saw similar questions such as how can I give a normal user write access to a network interface?, but their solution is to use sudo. I'd rather do this with udev only, but I'll use this as a last resort.

  • Once the interface is created (maybe with the help of udev) it's behaving as any other interface, and udev doesn't have a word to say about it. You can't achieve your goal through udev. An interface configuration requires root access or CAP_NET_ADMIN or any tool (with those privileges) available to the user. sudo, NetworkManager, ... Commented Aug 24, 2020 at 17:07
  • I see, thanks for the info about CAP_NET_ADMIN, I'm looking into it now. I did a preliminary attempt by doing a sudo setcap cap_net_admin+ie /bin/ip (which seemed to work), but I still got Operation not permitted. More research needed I guess. Commented Aug 24, 2020 at 17:40
  • @A.B OK I got it by following stackoverflow.com/questions/1956732/… carefully. Your comment gave me exactly what I wanted to do (bring can0 up/down without going through sudo). Would you like to put it as an answer so I can accept it? Commented Aug 24, 2020 at 18:15
  • It's fine if you answer it yourself. I gave pointers but didn't know what would work for your case. Commented Aug 24, 2020 at 19:06

1 Answer

Following the clue from @A.B I ended up using libpam (pam_cap.so) to add the capability CAP_NET_ADMIN to my user's inheritable set during login (and ssh), then added the same capability to /bin/ip's inheritable and permitted sets. I can now bring network interfaces up or down as the user, and without relying on sudo.

The way to do this is explained here: https://stackoverflow.com/questions/1956732/is-it-possible-to-configure-linux-capabilities-per-user
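The exec-time capability rules that make the pam_cap + setcap approach work (and that made the earlier `setcap cap_net_admin+ie /bin/ip` attempt in the comments fail) are easy to get wrong, so here is an added example, not part of the answer or of the linked Stack Overflow thread, that models the transition from capabilities(7) and decodes the CapInh/CapPrm/CapEff masks shown in /proc/<pid>/status. All function names are my own; `run_ip_as` assumes the file effective bit ("e") is among the setcap flags when a caller wants the capability usable without the program raising it itself, and `FULL_BOUNDING` assumes an ordinary login shell with a full bounding set.

```python
"""Model the execve() capability transition from capabilities(7) and decode the
CapXxx masks in /proc/<pid>/status, to check a pam_cap + setcap setup.
Added example; not code from the question, the answer, or any linked page."""

# Subset of Linux capability bit numbers (from <linux/capability.h>).
CAP_BITS = {
    "cap_chown": 0, "cap_dac_override": 1, "cap_dac_read_search": 2,
    "cap_fowner": 3, "cap_fsetid": 4, "cap_kill": 5, "cap_setgid": 6,
    "cap_setuid": 7, "cap_setpcap": 8, "cap_linux_immutable": 9,
    "cap_net_bind_service": 10, "cap_net_broadcast": 11, "cap_net_admin": 12,
    "cap_net_raw": 13, "cap_ipc_lock": 14, "cap_ipc_owner": 15,
    "cap_sys_module": 16, "cap_sys_rawio": 17, "cap_sys_chroot": 18,
    "cap_sys_ptrace": 19, "cap_sys_pacct": 20, "cap_sys_admin": 21,
}
BIT_NAMES = {bit: name for name, bit in CAP_BITS.items()}

NET_ADMIN = frozenset({"cap_net_admin"})
# Assumption: an ordinary login shell holds every capability in its bounding set
# while its inheritable, permitted and effective sets are empty.
FULL_BOUNDING = frozenset(CAP_BITS)


def decode_mask(hex_mask: str) -> frozenset:
    """Turn a CapInh/CapPrm/CapEff/CapBnd value (hex, as printed by
    /proc/<pid>/status) into a set of capability names; unknown bits become cap_<n>."""
    value = int(hex_mask, 16)
    return frozenset(BIT_NAMES.get(bit, f"cap_{bit}")
                     for bit in range(64) if (value >> bit) & 1)


def read_proc_caps(pid="self") -> dict:
    """Read the capability sets of a live process (Linux only). After logging in
    with a pam_cap entry for your user, CapInh should list cap_net_admin."""
    caps = {}
    with open(f"/proc/{pid}/status") as fh:
        for line in fh:
            if line.startswith("Cap"):
                key, _, mask = line.partition(":")
                caps[key] = decode_mask(mask.strip())
    return caps


def exec_transition(proc_inh, proc_bnd, file_perm, file_inh, file_eff,
                    proc_amb=frozenset()) -> dict:
    """Capability sets of the new program image after execve(), per capabilities(7):
        P'(ambient)     = 0 if the file carries capabilities, else P(ambient)
        P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
        P'(effective)   = P'(permitted) if F(effective) else P'(ambient)
        P'(inheritable) = P(inheritable)
    (setuid/setgid binaries also clear the ambient set; not modelled here.)"""
    proc_inh, proc_bnd = frozenset(proc_inh), frozenset(proc_bnd)
    file_perm, file_inh = frozenset(file_perm), frozenset(file_inh)
    new_amb = frozenset() if (file_perm or file_inh) else frozenset(proc_amb)
    new_perm = (proc_inh & file_inh) | (file_perm & proc_bnd) | new_amb
    new_eff = new_perm if file_eff else new_amb
    return {"permitted": new_perm, "effective": new_eff, "inheritable": proc_inh}


def run_ip_as(user_inh, file_flags: str) -> frozenset:
    """Effective set of `ip` when run from a shell holding `user_inh` in its
    inheritable set (what pam_cap grants), given the setcap flag letters
    (any of e, i, p) attached to cap_net_admin on the /bin/ip binary."""
    flags = set(file_flags)
    return exec_transition(
        proc_inh=user_inh, proc_bnd=FULL_BOUNDING,
        file_perm=NET_ADMIN if "p" in flags else frozenset(),
        file_inh=NET_ADMIN if "i" in flags else frozenset(),
        file_eff="e" in flags,
    )["effective"]


if __name__ == "__main__":
    # The comment's attempt: file +ie, but the shell's inheritable set is still empty.
    print("no pam_cap, ip +ie :", sorted(run_ip_as(frozenset(), "ie")))
    # The answer's situation: pam_cap put cap_net_admin in the user's inheritable set.
    print("pam_cap,    ip +ie :", sorted(run_ip_as(NET_ADMIN, "ie")))
    # A file permitted bit hands the capability to every caller, pam_cap or not.
    print("no pam_cap, ip +eip:", sorted(run_ip_as(frozenset(), "eip")))
    try:
        print("this process:", {k: sorted(v) for k, v in read_proc_caps().items()})
    except OSError:
        print("/proc not available on this platform")
```

The first scenario reproduces the "Operation not permitted" seen in the comments: with an empty process inheritable set, `P(inheritable) & F(inheritable)` is empty and the file has no permitted bits, so nothing becomes effective. Once pam_cap adds cap_net_admin to the user's inheritable set, the same file inheritable bit is enough. The third scenario is the least-privilege caveat: a permitted bit on the file (`+p`) is granted through `F(permitted) & P(bounding)` to any user who runs the binary, so if the goal is to restrict the capability to one pam_cap user, the file's inheritable set is the part that does the per-user gating.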
