Running a privileged command by user

There are different ways to deal with permissions problems and elevated privileges, each with its advantages and weaknesses. …

Add user to group
Add the user to a group that has the needed privileges. You can do this from the terminal, or use a GUI tool like Webmin. Log out and back in afterwards so that /etc/passwd and /etc/group are read again. The user then has the privileges of the group.

For example, consider the imaginary command /usr/sbin/foo which normally needs to be run as root. You, the system administrator, want to allow user bar to run it, but you don't want to give the user the root password or let all users run foo (as would happen if you set foo suid root). Instead, see what group the file /usr/sbin/foo belongs to, and add user bar to that group.

This is a fine-grained, per-user way of dealing with permissions. You can also create a group with particular permissions for your needs. Just don't add anyone to the group root.

suid root
suid is an access rights flag that allows users to run an executable with the permissions of the executable's owner, usually root. It allows all users to perform one specific task that requires root privileges without having to know the root password.

As root, it is easy to set up. For example, to make hddtemp suid root:

# chmod u+s /usr/sbin/hddtemp

All users can run such a command with full root privileges, so this is not a fine-grained tool. Do not use it thoughtlessly.

Sudoers
By editing the /etc/sudoers file you can achieve something similar to a fine-grained suid root. You can allow a particular user or group to run a particular executable without having to provide a password. One example is here.
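
Added example, not from the original post: a small shell helper that inspects a binary's owner, group and mode before you pick one of the three mechanisms above. The function names advise and inspect are hypothetical, the metadata in the sample calls is constructed, and inspect assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the original post). advise() and inspect() are
# hypothetical names; foo and bar are the post's imaginary command and user.

# advise OWNER GROUP MODE USER FILE
# MODE is octal as printed by `stat -c %a`, e.g. 750 or 4755.
advise() {
    owner=$1 group=$2 mode=$3 user=$4 file=$5
    bits=$((0$mode))    # leading 0 makes the shell parse the mode as octal

    # Whoever can modify the binary controls what runs with its privileges,
    # so do not delegate it until it is root-owned and not g/o-writable.
    if [ "$owner" != root ] || [ $((bits & 0022)) -ne 0 ]; then
        echo "unsafe: make $file root-owned and not group/world-writable first"
    # Group may execute, others may not, and the group is not root: group
    # membership is the per-user switch. It grants only what the group bits
    # grant; the process runs as root only if the file is also suid root.
    elif [ "$group" != root ] && [ $((bits & 0010)) -ne 0 ] &&
         [ $((bits & 0001)) -eq 0 ]; then
        echo "group: usermod -aG $group $user"
    # suid root and executable by others: nothing left to grant per user.
    elif [ $((bits & 04000)) -ne 0 ] && [ $((bits & 0001)) -ne 0 ]; then
        echo "suid-root: every user already runs $file as root"
    # Otherwise use a one-command rule; edit it with visudo so a syntax
    # error cannot lock you out of sudo.
    else
        echo "sudoers: $user ALL=(root) NOPASSWD: $file"
    fi
}

# inspect FILE USER: read the real metadata (GNU stat) and call advise.
inspect() {
    meta=$(stat -c '%U %G %a' "$1") || return 1
    advise $meta "$2" "$1"    # unquoted on purpose: owner, group, mode
}

# Constructed metadata for the post's imaginary /usr/sbin/foo:
advise root foo  750  bar /usr/sbin/foo
advise root root 755  bar /usr/sbin/foo
advise root root 4755 bar /usr/sbin/foo
```

On a real system, call inspect with the path and the user name, for example inspect /usr/sbin/hddtemp bar.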

PAM
TODO: Find out more about this. PAM seems to be popular on Debian-based distributions. One reference is found here. On Linux Mint Debian Edition, PAM's configuration files are found at /etc/pam.d. Webmin has a PAM module (System – PAM Authentication); like other Webmin modules, it presupposes the user is familiar with the material.

PolicyKit
TODO: Find out more about this. PolicyKit seems to be popular on Red Hat-based distributions.

About Warren Post

So far: Customer support guy, jungle guide, IT consultant, beach bum, entrepreneur, teacher, diplomat, over-enthusiastic cyclist. Tomorrow: who knows?