How to make it so that a file can only be executed by root, but not as root?
There are certain applications that I don't want people to be able to open unless they have root privileges, however I do not want to give the programs root privileges. So how can I make it so that only root can run certain applications, but so that the applications are not actually run as root (I don't want them to be for security reasons)? I am running Ubuntu GNOME 15.04, with GNOME Shell, and GNOME 3.16.
This answer is complementary to Heather's one (which will work).
First of all, take into account that in Unix (and Linux) if one is able to take root privileges, they can do anything. In the case of Heather answer, nothing will stop your user to just sudo /usr/bin/applicationcommand
(with a bit of search for the real path or whatever). But I suppose this is ok with you.
In that case, why do not simply(1):
sudo chgrp sudo /usr/bin/applicationcommand
sudo chmod 750 /usr/bin/applicationcommand
? If the users are able to use sudo
, it means(2) they are in the sudo
group; the above commands make the applicationcommand
readable/executable only to members of the sudo
group. When they run it, however, they will run it as their real user, as any other command.
However, the "classic" Unix solution is:
- create a group, call it
privileged
. -
sudo chgrp privileged /usr/bin/myapp
and thensudo chmod 750 /usr/bin/myapp
. -
add the user(s) (unprivileged!) that you want to be able to run the app to the group
privileged
and now the user will run myapp
as its user, without any need to have sudo
privileges.
Notice that if you want the application to run as a different user, you can use the set-uid mechanism combined with the above techniques.
Footnotes:
(1): Notice that you can't do this if the application has a set-gid flag (it happens with some mailer, for example). Check it before changing the group of the binary.
(2): in most configurations. sudo
can be fine-trimmed (see man sudoers
) in zillions of way, so the effectiveness of this simple hack will vary depending on how much you have customized it.
Try using setuid
from package super
. Do sudo apt-get install super
, then create a shell script that can only be run as root. Have that shell script run only one command:
#!/bin/sh
setuid $ORIG_USER applicationcommand
exit 0
Then, set an alias for each of the users so that applicationcommand
points to the shell script you created by adding into each of their .bashrc
files:
alias applicationcommand="sh /path/to/shell/script"
Alternatively, or as well as creating an alias
you can edit the .desktop
file of the application you want to run, assuming that your applications has a .desktop
file (if it's not an application that runs in the GUI, but rather the CLI it is likely not to have a .desktop
file), so that the Exec=
line has sh /path/to/shell/script
after it, or the name of the alias if you decided to create that. You will find .desktop
files in /usr/share/applications
and ~/.local/share/applications
.