Avoiding su

[ccwaterback]

I have an application written in C++ on Radhat Linux V9.0. I want to be able to format disk drives, that we plug into the USB port, from my program, without being su. Can I maybe run a Perl script that has su privileges from my program to handle the task? Any other ideas?

[groman]

Having a perl script be suid root is a pain, much easier to get your C++ application to escalate its own priviliges. Take a look at articles about SUID/SGID root.

[Marcus]

Maybe the sudo program is what you are looking for - move the escalation to the user rather than the program.

[ccwaterback]

groman:

Having a perl script be suid root is a pain, much easier to get your C++ application to escalate its own priviliges. Take a look at articles about SUID/SGID root.

Looks like what I need.

But in the case of my C++ program being SUID, then it is ALWAYS SUID, right? This application does many things, one of them is to format disks found on the USB. We can’t SUID when we want to format disks, then de-SUID when we are done, that’s not feasible. And we really can’t “afford” to have the application be SUID all the time, because the user is allowed to navigate through the file system to choose files that are read or written, it would be too easy for a user to overwrite an “important” file owned by the system.

I might have misunderstood your reply, but I think what I will do is write a Perl script, set it SUID, and “execute” the Perl script from my C++ program. I think.

Thanks.

[ccwaterback]

Marcus:

Maybe the sudo program is what you are looking for - move the escalation to the user rather than the program.

"The sudo program can also change your effective id while it is running … "

http://aplawrence.com/Basics/sudo.html

I’m reading up on sudo now. Thanks.

[Perderabo]

Split your program into 2 programs: a main program which is not suid to root, and a helper program to format the disk which is suid to root. As needed, the main program will fork and exec the helper program.

Set the helper program’s group to some special group. Only turn on the group execute bit. The main program should be sgid to that group. Now the main program is the only non-root program that can exec the helper program.

[ccwaterback]

Perderabo:

Split your program into 2 programs: a main program which is not suid to root, and a helper program to format the disk which is suid to root. As needed, the main program will fork and exec the helper program.

Set the helper program’s group to some special group. Only turn on the group execute bit. The main program should be sgid to that group. Now the main program is the only non-root program that can exec the helper program.

Great!!!

I’m going to give this a try.

[Terminus_Est]

Could this just be done via a magic encantation in fstab? My fstab has a line that reads:

/dev/fd0        /floppy         auto    user,noauto             0       0

This allows an ordinary user to mount, write, and format a floppy disk. No fiddling with su, sudo, or SUID.