5

I have some program called foo that needs root privileges when it executes. foo needs to be able to be run by any user and can be located at any path. The reason this program can be at any path is because our company is developing program foo and each user may have a personal version of the program in some personal directory while they work on it.

My question is this: what is the most secure way to handle this? I have been researching the sudoers file and have basically 2 ideas.

  1. List all paths the program can be at in the sudoers file. This is problematic because it requires frequent editing of the sudoers list and also still poses a security risk, since non-root users will own their individual copy of foo and could copy some system program over foo and then use it as root.

  2. Write a script called start_foo which performs some input validation on the passed program, such as size and name, and then starts the passed-in foo. start_foo could live in /usr/bin and be owned by root but runnable by anyone. This option still includes the security hole of being able to write over the user's foo program with another root-requiring program, but hopefully the size check would catch some malicious cases.

Is there a "canonical" way to solve this problem that I haven't found or thought of? If not, which of the above (or possibly some other solution) is the best way to handle the problem?

Anthon
  • 79,293
  • 2
    Give each user a virtual environment where they can run as root without causing any damage? – grebneke Mar 03 '14 at 21:44
  • 1
    Unfortunately, what you are trying to do is insecure by definition; allowing a program that is not owned by root to execute with root privileges is always going to leave things wide open. For approach 2 you would need to use a wrapper program (a script won't work) that uses setuid; simply having the program owned by root is not enough. Also, would the size not change when the developers compile different versions of the program? I don't see this working as a security measure. – Graeme Mar 03 '14 at 21:45
  • A setuid wrapper script could, in theory, maintain a list of md5sums of valid builds and compare against that. But as Graeme wrote, the approach is insecure by definition. Go for sandboxed virtual environments. – grebneke Mar 03 '14 at 22:39
  • 7
    Your company needs to develop programs that don't require root privileges everywhere for everyone. Seriously. – mikeserv Mar 04 '14 at 04:58
  • 2
    Users have no business running stuff they own as root, period. Fix the permissions of whatever foo is frobbing (via ACLs, SELinux, ...). – vonbrand Mar 05 '14 at 17:13

1 Answer

1

With a caveat, the "right way" to allow a program to have root privileges and be run by any user is to use setuid and setgid flags.  This tutorial discusses the process.  The program must be owned by root, and you must be root to apply the setuid or setgid flags.

The caveat is that it is extremely insecure to allow a user to run a program with root privileges. A security vulnerability in the program's code can allow an ordinary user to obtain root privileges. Many Linux exploits throughout the years have exploited a buggy setuid program to obtain privilege escalation.

For informational and educational purposes only, here's how you do it:

chown root /usr/bin/myprogram    # the binary must be owned by root (done as root)
chmod u+s /usr/bin/myprogram     # set the setuid bit so it runs with the owner's (root's) privileges

But, as others have said above, don't do this!

Will
  • 2,754
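As an added example (not from the answer above or from the original thread), here is a small POSIX sh audit that checks a binary against the conditions the answer and the comments spell out: owned by root, setuid bit set, and writable by nobody but root. A copy that a developer can overwrite, which is the scenario the question describes, fails that rule. The function names `classify_setuid` and `audit_setuid_file` and the use of GNU coreutils `stat -c` are my assumptions.

```shell
#!/bin/sh
# Added example, not the answer's own code: audit a path against the rule
# "owned by root, setuid bit set, writable only by root". The mode-checking
# logic is separated from the filesystem lookup so it can be exercised with
# constructed owner/mode values.

# classify_setuid OWNER OCTAL_MODE
#   Prints a verdict. Returns 0 when the file is an acceptable setuid-root
#   binary, 2 when the setuid bit is simply absent, 1 when it is unsafe.
classify_setuid() {
    owner=$1
    mode=$2
    # stat prints "755" for a file with no special bits; pad to four octal digits
    while [ "${#mode}" -lt 4 ]; do
        mode="0$mode"
    done
    special=${mode%???}                 # setuid(4)/setgid(2)/sticky(1) digit
    rest=${mode#?}
    group=${rest#?}; group=${group%?}   # group permission digit
    other=${mode#???}                   # other permission digit

    if [ "$owner" != root ]; then
        echo "unsafe: owned by $owner, not root (setuid would run as $owner, not root)"
        return 1
    fi
    case $special in
        4|5|6|7) ;;                     # setuid bit present
        *) echo "no setuid bit set"; return 2 ;;
    esac
    case $group in
        2|3|6|7) echo "unsafe: group-writable setuid-root file"; return 1 ;;
    esac
    case $other in
        2|3|6|7) echo "unsafe: world-writable setuid-root file"; return 1 ;;
    esac
    echo "ok: setuid root, writable only by root"
    return 0
}

# audit_setuid_file PATH
#   Reads owner and mode from the filesystem and classifies them.
#   Assumes GNU coreutils stat; on BSD/macOS use stat -f '%Su' and '%Lp'.
audit_setuid_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    owner=$(stat -c '%U' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    printf '%s: ' "$f"
    classify_setuid "$owner" "$mode"
}

# Usage: sh audit_setuid.sh /usr/bin/myprogram [more paths...]
for p in "$@"; do
    audit_setuid_file "$p"
done
```

Run it over the paths a sudoers entry or a wrapper would hand root privileges to; any result other than "ok" is a file that a non-root user could replace, which is exactly the hole the question and the comments point at.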