Jump to content

SE-03: Using applications needing root privileges


Recommended Posts

Browse: [About the FAQ Forum] [Table of Contents] [FAQs] [Contribute] [SE: Security, firewalls...]

 

SE-03: How do I safely allow regular users to use utilities requiring root privileges?

 

If you happen to have the need to allow regular system users to use privileged utilities, you usually have the following routes laid for you:

  • [1] Make the user member of the group owning the utility.
     
    While this is the easiest way, this is also not recommended as it is the most unsafe practice. Say for example that you need to allow a the user 'juan' to have the rights to start/stop the web service in the box. This means that the user needs to be able to execute the scripts located in /etc/init.d/ and those scripts are owned by the group 'root'. If you made 'juan' a member of the group 'root' then you virtually gave the user access to all utilities owned by the group which is not wise.
     
    [2] Use the setuid/setgid bit of the utility.
     
    Setuid is a file permission bit that allows the binary to be run using the permission of its owner. Setgid is its counterpart for group ownership. This means that if the useradd utility has its setuid bit set and an ordinary user executes it then it will be executed under the privileges of root.
     
    How can this be dangerous? It is only dangerous if the utility with setuid has been found to have a bug that is exploitable to gain access to your machine.
     
    For more information about setuid/setgid, you can refer to this
webpage.
 
[3] Use the sudo package to grant specific users access to privileged utilities.
 
While this is not an end-all solution, the approach taken by sudo is by far the safest of the three options because it refers to a configuration file that dictates which user has access to which utilities. MandrakeSecure has an excellent tutorial on how to use sudo effectively.

Related Link(s):

Link to comment
Share on other sites

 Share

×
×
  • Create New...