
I'm required to empty the Linux buffer cache in a Python script that runs on a Debian wheezy VM.

As root I run sync; echo 3 | sudo tee /proc/sys/vm/drop_caches, but the script is run by a user, without root privileges.

I've thought of the following possibilities:

  • give the user write permissions on the file /proc/sys/vm/drop_caches (which doesn't seem to work, as I get Operation not permitted when I chmod 646 /proc/sys/vm/drop_caches)
  • Set the setuid on tee, which should work but then the user could go apesh*t with tee
  • I could setuid on the script and remove write permissions for the user to write to the script, so he couldn't alter it (but then again, that's bad, as the user may interact with the code)
  • or I could write a tiny bash script featuring only the "empty the Linux buffer cache" step, then remove write/read permissions, setuid it and add execution permission for the user

What is the sanest way to solve this?

1 Answer


From your list, only the fourth possibility (writing a small setuid script in a safe directory, e.g. /usr/local/bin, not changeable by the user) might work and could be safe, but it is nowadays often disabled by the distribution.

The easier and better option is to add the following line to /etc/sudoers (use e.g. visudo for this)

YOURUSERNAME     ALL = NOPASSWD: /sbin/sysctl vm.drop_caches=3

and then include the line

sudo /sbin/sysctl vm.drop_caches=3

in your script.

jofel
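A Python wrapper around the sudoers rule above, added here as an example (it is not code from the answer or the question). It assumes Python 3.7+ and exactly the sudoers line given in the answer; sudo matches the command and its arguments literally, so the argv the script passes must be byte-for-byte the one in that rule, and -n makes sudo fail instead of hanging on a password prompt if the rule is missing.

```python
"""Drop the Linux page cache from an unprivileged script, relying on the
sudoers rule from the answer:

    YOURUSERNAME     ALL = NOPASSWD: /sbin/sysctl vm.drop_caches=3

Added example, not part of the original post.  Assumes Python 3.7+."""
import subprocess

# Exactly the command permitted by the sudoers line: absolute path, the
# one argument, no shell.  Any deviation (a relative path, an extra flag,
# a different value) is rejected by sudo because the rule no longer matches.
SYSCTL_CMD = ["/sbin/sysctl", "vm.drop_caches=3"]


def build_sudo_argv():
    # -n: never prompt for a password; with the NOPASSWD rule in place sudo
    # needs none, and without it the script fails fast instead of blocking.
    return ["sudo", "-n"] + SYSCTL_CMD


def drop_caches(run=subprocess.run):
    """Flush dirty pages, then drop the cache.  Returns True on success.

    `run` is injectable (defaults to subprocess.run) so the control flow can
    be exercised without root and without a configured sudo rule."""
    # sync first: drop_caches only discards *clean* pages, so dirty data has
    # to be written back or little is actually freed.
    sync = run(["sync"], capture_output=True, text=True)
    if sync.returncode != 0:
        return False
    result = run(build_sudo_argv(), capture_output=True, text=True)
    if result.returncode != 0:
        # With -n, a missing or mismatched rule shows up here as
        # "sudo: a password is required"; sysctl errors also land on stderr.
        print("drop_caches failed: " + result.stderr.strip())
        return False
    return True


if __name__ == "__main__":
    raise SystemExit(0 if drop_caches() else 1)
```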