1

If I write a program on Linux, I have two ways of configuring what privilege the program runs with:

  • It can run with the invoker's privilege (whoever runs the program)
  • I can use setuid so it can run with my privilege

Are there any other options to configure what privilege a program runs with on Linux?

Braiam
  • 35,991
Jake
  • 1,353

2 Answers

2

Individual Linux privileges are called "capabilities." A full description of capabilities is probably too much but as an alternative to the two options you mentioned, you can set file-based capabilities that give non-privileged users administrative rights:

[root@localhost]/home# setcap cap_chown+ep /bin/chown
[root@localhost]/home# sudo -iu testUser
[testUser@localhost ~]$ ll /etc/rc.local 
-rwxr--r--. 1 root root 0 Jan 27 22:29 /etc/rc.local
[testUser@localhost ~]$ chown testUser /etc/rc.local
[testUser@localhost ~]$ ll /etc/rc.local 
-rwxr--r--. 1 testUser root 0 Jan 27 22:29 /etc/rc.local
[testUser@localhost ~]$ 

As you can see above, anyone who executes chown on this system will have the privileges required ("CAP_CHOWN") to do so because of the setcap I ran. You can get a little bit more selective by changing it from +ep to +ei and giving the privileges only to particular users at login by using pam_cap.so.

It should be noted that the above chown doesn't run as root; it runs as my otherwise unprivileged user. If the user runs anything other than this program, they will not have this privilege, and if the executable file is modified, all file-based capabilities are cleared.

Bratchley
  • 16,824
  • 14
  • 67
  • 103
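As an added example (not from the answer above), here is a small Python decoder for the security.capability extended attribute that setcap writes, which makes the +ep versus +ei distinction auditable: it reports the permitted and inheritable sets and the effective flag, and labels whether the file grants the capability to any invoker or only to callers whose inheritable set (for example via pam_cap.so) already holds it. The capability name table is a partial assumption, and the sample blobs are constructed rather than captured from a system.

```python
import os
import struct
# Layout constants from linux/capability.h (struct vfs_cap_data / vfs_ns_cap_data)
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000      # 20 bytes: magic_etc + 2 x (permitted, inheritable)
VFS_CAP_REVISION_3 = 0x03000000      # 24 bytes: v2 layout plus rootid of the owning user ns
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # the "e" flag: permitted is raised to effective on exec
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",  # partial table
             3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",  # (assumption);
             7: "cap_setuid", 12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}

def _bits_to_names(low, high):
    mask = low | (high << 32)          # data[0] covers caps 0-31, data[1] covers 32-63
    return sorted(CAP_NAMES.get(i, "cap_%d" % i) for i in range(64) if mask >> i & 1)

def decode_vfs_cap(blob):
    """Decode a security.capability xattr value into permitted/inheritable sets, the
    effective flag and (v3 only) the root uid of the owning user namespace."""
    if len(blob) < 20:
        raise ValueError("too short for vfs_cap_data")
    magic_etc, p0, i0, p1, i1 = struct.unpack_from("<5I", blob, 0)
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev == VFS_CAP_REVISION_3 and len(blob) >= 24:
        rootid = struct.unpack_from("<I", blob, 20)[0]
    elif rev == VFS_CAP_REVISION_2:
        rootid = 0
    else:
        raise ValueError("unsupported vfs cap revision 0x%08x" % magic_etc)
    return {"revision": rev >> 24, "rootid": rootid,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": _bits_to_names(p0, p1), "inheritable": _bits_to_names(i0, i1)}

def classify(caps):
    """Who gains the privilege on exec: any invoker (+ep), only a capability-aware program
    that raises it itself (+p), or only callers whose inheritable set holds it (+ei)."""
    if caps["permitted"]:
        return "any-invoker" if caps["effective"] else "permitted-only"
    return "inheritable-only" if caps["inheritable"] else "none"

def audit_file(path):
    """Decode a real file's xattr; None when unsupported here or no capabilities are set."""
    try:
        return decode_vfs_cap(os.getxattr(path, "security.capability"))
    except (OSError, AttributeError):
        return None
# Constructed sample blobs (not captured from a system), matching the setcap forms above
CHOWN_EP = struct.pack("<5I", 0x02000001, 1 << 0, 0, 0, 0)         # cap_chown+ep, v2
CHOWN_EI = struct.pack("<5I", 0x02000001, 0, 1 << 0, 0, 0)         # cap_chown+ei, v2
PING_V3 = struct.pack("<6I", 0x03000001, 1 << 13, 0, 0, 0, 100000)  # cap_net_raw+ep in user ns
```

Running `audit_file` over the binaries on a host and flagging every "any-invoker" result is the quick way to find files where a setcap like the one above has granted a capability to every user who can execute them.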
0

Without any explicit rights assignment a program or script will run as the caller.

Setuid will run the program with the user rights of the file owner. Setgid will run the program with the group rights of the file group. Neither will work directly for a script.

You can use a utility such as sudo to run a program (or script) with rights that you determine in the sudo configuration file.

I believe that security subsystems such as SELinux restrict access rather than grant it.

I don't know whether ACLs can be used to grant runtime privileges. I've never needed to investigate.

Chris Davies
  • 116,213
  • 16
  • 160
  • 287