How to make it so that a file can only be executed by root, but not as root?

There are certain applications that I don't want people to be able to open unless they have root privileges, however I do not want to give the programs root privileges. So how can I make it so that only root can run certain applications, but so that the applications are not actually run as root (I don't want them to be for security reasons)? I am running Ubuntu GNOME 15.04, with GNOME Shell, and GNOME 3.16.


This answer is complementary to Heather's one (which will work).

First of all, take into account that in Unix (and Linux) if one is able to take root privileges, they can do anything. In the case of Heather's answer, nothing will stop your user from just running sudo /usr/bin/applicationcommand (with a bit of searching for the real path or whatever). But I suppose this is ok with you.

In that case, why not simply(1):

sudo chgrp sudo /usr/bin/applicationcommand
sudo chmod 750 /usr/bin/applicationcommand

? If the users are able to use sudo, it means(2) that they are in the sudo group; the above commands make applicationcommand readable/executable only to members of the sudo group. When they run it, however, they will run it as their real user, like any other command.

However, the "classic" Unix solution is:

  1. create a group, call it privileged.
  2. sudo chgrp privileged /usr/bin/myapp and then sudo chmod 750 /usr/bin/myapp.
  3. add the user(s) (unprivileged!) that you want to be able to run the app to the group privileged.

and now the user will run myapp as its user, without any need to have sudo privileges.

Notice that if you want the application to run as a different user, you can use the set-uid mechanism combined with the above techniques.


Footnotes:

(1): Notice that you can't do this if the application has a set-gid flag (it happens with some mailers, for example). Check it before changing the group of the binary.

(2): in most configurations. sudo can be fine-trimmed (see man sudoers) in zillions of ways, so the effectiveness of this simple hack will vary depending on how much you have customized it.
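To make the permission arithmetic behind "chmod 750 plus a dedicated group" concrete, here is an added Python example (not code from either answer): it implements the kernel's owner/group/other precedence for the execute check and the set-gid test from footnote (1). All uids and gids below are constructed for the demo; the "privileged" gid 1001 is an assumption.

```python
import os
import stat


def can_execute(mode, file_uid, file_gid, uid, groups):
    """Classic Unix execute check for a regular file.

    mode     : st_mode of the file (e.g. 0o100750 for rwxr-x---)
    file_uid : uid owning the file
    file_gid : gid of the file
    uid      : effective uid of the caller
    groups   : set of gids the caller is in (primary + supplementary)

    Exactly one class applies: owner first, then group, then other.
    Being in the file's group does not help if you are the owner and
    the owner bits deny. Root (uid 0) may execute if any x bit is set.
    """
    perm = stat.S_IMODE(mode)
    if uid == 0:
        return bool(perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if uid == file_uid:
        return bool(perm & stat.S_IXUSR)
    if file_gid in groups:
        return bool(perm & stat.S_IXGRP)
    return bool(perm & stat.S_IXOTH)


def safe_to_regroup(mode):
    """Footnote (1): a chgrp on a set-gid binary changes the group the
    program runs *as*, so refuse when S_ISGID is set."""
    return not (mode & stat.S_ISGID)


def check_path(path, uid=None, groups=None):
    """Evaluate both checks on a real file; defaults to the calling process."""
    st = os.stat(path)
    if uid is None:
        uid = os.geteuid()
    if groups is None:
        groups = set(os.getgroups()) | {os.getegid()}
    return (can_execute(st.st_mode, st.st_uid, st.st_gid, uid, groups),
            safe_to_regroup(st.st_mode))


def demo():
    """The scenario from the answer: root-owned myapp, group privileged, mode 750."""
    PRIVILEGED_GID = 1001          # constructed: gid of the 'privileged' group
    mode = 0o100750                # regular file after 'chmod 750'
    alice = (1000, {1000, PRIVILEGED_GID})   # constructed: member of privileged
    bob = (1002, {1002})                     # constructed: not a member
    return {
        "root": can_execute(mode, 0, PRIVILEGED_GID, 0, {0}),
        "alice": can_execute(mode, 0, PRIVILEGED_GID, *alice),
        "bob": can_execute(mode, 0, PRIVILEGED_GID, *bob),
    }
```

Note that alice runs the program with her own uid: the mode bits only decide whether exec() is allowed, they never change who the process runs as (that is what set-uid, mentioned above, would do).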


Try using setuid from the package super. Do sudo apt-get install super, then create a shell script that can only be run as root. Have that shell script run only one command:

#!/bin/sh
# Must run as root: super's setuid(1) drops to the named user before exec.
# ORIG_USER is set by super for the invoking user; when the script is
# started through sudo instead, the caller is in SUDO_USER, so fall back to it.
setuid "${ORIG_USER:-$SUDO_USER}" applicationcommand
exit 0

Then, set an alias for each of the users so that applicationcommand points to the shell script you created by adding into each of their .bashrc files:

alias applicationcommand="sh /path/to/shell/script"

Alternatively, or as well as creating an alias, you can edit the .desktop file of the application you want to run, assuming that your application has a .desktop file (if it's not an application that runs in the GUI, but rather in the CLI, it is likely not to have a .desktop file). Change it so that the Exec= line has sh /path/to/shell/script after it, or the name of the alias if you decided to create one. You will find .desktop files in /usr/share/applications and ~/.local/share/applications.