How to make it so that a file can only be executed by root, but not as root?

root password permissions execute-command

There are certain applications that I don't want people to be able to open unless they have root privileges, however I do not want to give the programs root privileges. So how can I make it so that only root can run certain applications, but so that the applications are not actually run as root (I don't want them to be for security reasons)? I am running Ubuntu GNOME 15.04, with GNOME Shell, and GNOME 3.16.


This answer is complementary to Heather's one (which will work).

First of all, take into account that in Unix (and Linux) if one is able to take root privileges, they can do anything. In the case of Heather answer, nothing will stop your user to just sudo /usr/bin/applicationcommand (with a bit of search for the real path or whatever). But I suppose this is ok with you.

In that case, why do not simply(1): 

sudo chgrp sudo /usr/bin/applicationcommand
sudo chmod 750 /usr/bin/applicationcommand

? If the users are able to use sudo, it means(2) they are in the sudo group; the above commands make the applicationcommand readable/executable only to members of the sudo group. When they run it, however, they will run it as their real user, as any other command.

However, the "classic" Unix solution is:

  1. create a group, call it privileged.
  2. sudo chgrp privileged /usr/bin/myapp and then sudo chmod 750 /usr/bin/myapp.
  3. add the user(s) (unprivileged!) that you want to be able to run the app to the group privileged

and now the user will run myapp as its user, without any need to have sudo privileges.

Notice that if you want the application to run as a different user, you can use the set-uid mechanism combined with the above techniques.

Footnotes:

(1): Notice that you can't do this if the application has a set-gid flag (it happens with some mailer, for example). Check it before changing the group of the binary.

(2): in most configurations. sudo can be fine-trimmed (see man sudoers) in zillions of way, so the effectiveness of this simple hack will vary depending on how much you have customized it.


Try using setuid from package super. Do sudo apt-get install super, then create a shell script that can only be run as root. Have that shell script run only one command:

#!/bin/sh
setuid $ORIG_USER applicationcommand
exit 0

Then, set an alias for each of the users so that applicationcommand points to the shell script you created by adding into each of their .bashrc files:

alias applicationcommand="sh /path/to/shell/script"

Alternatively, or as well as creating an alias you can edit the .desktop file of the application you want to run, assuming that your applications has a .desktop file (if it's not an application that runs in the GUI, but rather the CLI it is likely not to have a .desktop file), so that the Exec= line has sh /path/to/shell/script after it, or the name of the alias if you decided to create that. You will find .desktop files in /usr/share/applications and ~/.local/share/applications.

Related

How to change tomcat 8 port
How to create a custom splash screen for a program?
How to get "Epson Printer Utility" to start from Launcher in Ubuntu?
How to stop .NET Core from collecting data to protect privacy?
How to manage udisk with the udisk utilities?
How to make windows transparent by default
Restore default audio drivers in Ubuntu 16
How can I disable all display managers?
How change the phpize to match the php version?
Connection Timeout on Windows Share (Network)
terminal command to open new chromium tab
Resize Ubuntu /dev/sda1 partition in VirtualBox VMDK when /dev/sda is already larger