无需 root 权限即可通过编程更改网络设置

Question 1

您可以在程序上设置功能。这将允许它执行某些特权任务，而无需完全以的身份运行root。这里讨论的功能是CAP_NET_ADMIN：

CAP_NET_ADMIN
    Perform various network-related operations:
     * interface configuration;
     * administration of IP firewall, masquerading, and accounting;
     * modify routing tables;
     * bind to any address for transparent proxying;
     * set type-of-service (TOS)
     * clear driver statistics;
     * set promiscuous mode;
     * enabling multicasting;
     * use  setsockopt(2)  to set the following socket options: SO_DEBUG, SO_MARK,
       SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE,  and
       SO_SNDBUFFORCE.

capabilities(7)您可以在和手册页中找到有关功能的更多信息setcap(8)。

为了更加安全，如果您只需要特定子集的用户能够运行该程序，您可以将这些用户放入一个组中，将chgrp您的程序放入该组中，chmod然后0750。

Answer

您可以在程序上设置功能。这将允许它执行某些特权任务，而无需完全以的身份运行root。这里讨论的功能是CAP_NET_ADMIN：

CAP_NET_ADMIN
    Perform various network-related operations:
     * interface configuration;
     * administration of IP firewall, masquerading, and accounting;
     * modify routing tables;
     * bind to any address for transparent proxying;
     * set type-of-service (TOS)
     * clear driver statistics;
     * set promiscuous mode;
     * enabling multicasting;
     * use  setsockopt(2)  to set the following socket options: SO_DEBUG, SO_MARK,
       SO_PRIORITY (for a priority outside the range 0 to 6), SO_RCVBUFFORCE,  and
       SO_SNDBUFFORCE.

capabilities(7)您可以在和手册页中找到有关功能的更多信息setcap(8)。

为了更加安全，如果您只需要特定子集的用户能够运行该程序，您可以将这些用户放入一个组中，将chgrp您的程序放入该组中，chmod然后0750。

Question 2

如果你在计算机上使用 NetworkManager，则可以使用网管命令行。

nmcli 是一个用于控制 NetworkManager 并获取其状态的命令行工具。它并非 nm-applet 或其他类似客户端的替代品。相反，它是这些程序的补充实用程序。nmcli 的主要用途是在服务器、无头机器上，或者仅供喜欢命令行的高级用户使用。

   The use cases comprise:

   --  Initscripts: ifup/ifdown can utilize NetworkManager via nmcli
       instead of having to manage connections itself and possible
       interfere with NetworkManager.

   --  Servers, headless machines: No GUI is available; then nmcli is used
       to talk directly to NetworkManager and control only system-wide
       connections.

   --  User sessions: For this case, nmcli can talk to nm-applet to find
       user connections.  It can still talk directly to NetworkManager for
       manipulating these connections.  As nmcli doesn't have direct
       access to user configuration data in GConf, nm-applet handles that
       itself.  That may, for example, cause the applet to pop up keyring
       dialogs when secrets are needed.

Answer

如果你在计算机上使用 NetworkManager，则可以使用网管命令行。

nmcli 是一个用于控制 NetworkManager 并获取其状态的命令行工具。它并非 nm-applet 或其他类似客户端的替代品。相反，它是这些程序的补充实用程序。nmcli 的主要用途是在服务器、无头机器上，或者仅供喜欢命令行的高级用户使用。

   The use cases comprise:

   --  Initscripts: ifup/ifdown can utilize NetworkManager via nmcli
       instead of having to manage connections itself and possible
       interfere with NetworkManager.

   --  Servers, headless machines: No GUI is available; then nmcli is used
       to talk directly to NetworkManager and control only system-wide
       connections.

   --  User sessions: For this case, nmcli can talk to nm-applet to find
       user connections.  It can still talk directly to NetworkManager for
       manipulating these connections.  As nmcli doesn't have direct
       access to user configuration data in GConf, nm-applet handles that
       itself.  That may, for example, cause the applet to pop up keyring
       dialogs when secrets are needed.

Question 3

如果你的目标设备支持，setuid 机制可能是最佳选择

http://en.wikipedia.org/wiki/Setuid

某些程序需要 root 权限，而使用 setuid 的作用是使可执行文件属于 root 并且设置了 setuid 位，因此当另一个用户执行它时，可执行文件将以 root 权限运行。

但也请注意

由于潜在的安全问题，许多操作系统在应用于可执行 shell 脚本时会忽略 setuid 属性。

Answer