  1. #1
    Join Date
    Nov 2017
    Location
    London
    Posts
    5

    Execute a program as another user

    Hello,

    I am working on a program and I want it to be executed as another user who will have neither a login nor a home folder on the system.

    Briefly, I go to a national data collection facility where every user (example user A) logs in with their account and when executing a program X, X runs with its username and writes to a folder where it is assigned to. The actual logged user A cannot write or modify any of the data written by X. When checking for the ownership and group, the logged user A is in the group, but not an owner. The owner is X. When the program closes nothing happens. All this is done without any password requirement.

    My question is: how do I add X as a sudo and give it permissions to create files and write to them, but with X executed by any user? X does not have a home or login.

    I have tried SELinux policies, sudoers file and no success.

    I would much appreciate if someone could point me in the right direction.

    I checked with the facility and they all run Red Hat Enterprise Linux.

    Thanks in advance
    Nethaji

  2. #2
    Join Date
    Feb 2005
    Location
    London, UK
    Posts
    565

    Re: Execute a program as another user

    Is this a binary or a shell script? If binary then setting the "setuid" bit with "chmod 4750 <filename>" sounds like it will do exactly what you want, i.e: run the program as the owner of the binary regardless of the actual user executing it:

    https://major.io/2007/02/13/chmod-an...s-first-octet/


    Note: this won't work with a shell script, you'd have to write a C wrapper to run the script, some security decision was made somewhere...

  3. #3
    Join Date
    Nov 2017
    Location
    London
    Posts
    5

    Re: Execute a program as another user

    Hi HaydnH,
    Thanks for your response. I tried that option, by modifying SELinux as SE by default prevented the 's' setting on the binaries.

    The problem I faced was that when the user creates a file using the software, it created the file with the user as the owner of the file instead of the owner of the program.

    I will check this option again and update on this by the weekend.

    Thanks
    Nethaji

  4. #4
    Join Date
    Feb 2005
    Location
    London, UK
    Posts
    565

    Re: Execute a program as another user

    Be aware that running chown/chmod after you've set the setuid bit might remove it; also, your program might not *change* ownership of the file if it already exists. I can confirm it works as per below:

    Code:
    [haydn@darkstar wtest]$ ls -l
    total 4
    -rw-rw-r-- 1 haydn haydn 171 Nov  3 13:04 wtest.c
    [haydn@darkstar wtest]$ cat wtest.c 
    #include <stdio.h>
    #include <unistd.h>
    #include <fcntl.h>
    
    
    int main(int argc, char *argv[]) {
      int fd = open("./someFile.txt", O_RDWR | O_CREAT, 0600);
      close(fd);
    
    }
    
    [haydn@darkstar wtest]$ gcc wtest.c -o wtest
    [haydn@darkstar wtest]$ su
    Password: 
    [root@darkstar wtest]# chown root:haydn wtest
    [root@darkstar wtest]# chmod 4750 wtest
    [root@darkstar wtest]# exit
    exit
    [haydn@darkstar wtest]$ ls -l
    total 16
    -rwsr-x--- 1 root  haydn 8264 Nov  3 13:09 wtest
    -rw-rw-r-- 1 haydn haydn  171 Nov  3 13:04 wtest.c
    [haydn@darkstar wtest]$ ./wtest 
    [haydn@darkstar wtest]$ ls -l
    total 16
    -rw------- 1 root  haydn    0 Nov  3 13:09 someFile.txt
    -rwsr-x--- 1 root  haydn 8264 Nov  3 13:09 wtest
    -rw-rw-r-- 1 haydn haydn  171 Nov  3 13:04 wtest.c
    [haydn@darkstar wtest]$
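
The ownership mismatch reported in post #3 (file owned by the caller rather than the binary's owner) can be checked from inside the program. The following is an added example, not code from any poster in this thread: it prints the real and effective uid, checks whether the binary sits on a `nosuid` mount (where the kernel ignores the setuid bit), and reports the owner of the file it creates. The function names are illustrative, and reading `/proc/self/exe` assumes Linux.

```c
/* Added example (not from the thread): report which uid a setuid binary
 * really runs as and who owns the file it creates. Linux-specific. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the filesystem holding `path` is mounted nosuid (the kernel then
 * ignores the setuid bit on binaries there), 0 if not, -1 on error. */
int mounted_nosuid(const char *path) {
    struct statvfs vfs;
    if (statvfs(path, &vfs) != 0)
        return -1;
    return (vfs.f_flag & ST_NOSUID) ? 1 : 0;
}

/* Create `path` as a new 0600 file and report the owner it was given.
 * O_EXCL refuses a name that already exists (symlinks included), so an
 * existing file is never reused. Returns 0 on success, -1 on error. */
int create_private_file(const char *path, uid_t *owner) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &st);
    close(fd);
    if (rc != 0)
        return -1;
    *owner = st.st_uid;
    return 0;
}

int main(int argc, char *argv[]) {
    const char *out = argc > 1 ? argv[1] : "./someFile.txt"; /* name from post #4 */
    uid_t owner;
    printf("real uid %ld, effective uid %ld\n", (long)getuid(), (long)geteuid());
    if (getuid() == geteuid()) /* no uid switch: run by the owner, or setuid not applied */
        printf("no uid switch; binary on nosuid mount: %d\n", mounted_nosuid("/proc/self/exe"));
    if (create_private_file(out, &owner) != 0) {
        perror(out);
        return 1;
    }
    printf("%s owned by uid %ld (%s)\n", out, (long)owner,
           owner == geteuid() ? "the effective uid" : "NOT the effective uid");
    return 0;
}
```

Build and install it with the same `chown` and `chmod 4750` steps shown in post #4, then run it as an ordinary user; if the two uids printed are equal, the setuid bit was not applied and the new file will belong to the caller.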

  5. #5
    Join Date
    Nov 2017
    Location
    London
    Posts
    5

    Re: Execute a program as another user

    Thanks for the example. I will check this weekend and update the thread.

    Best
    Nethaji

  6. #6
    Join Date
    Jun 2005
    Location
    Montreal, Que, Canada
    Posts
    4,600

    Re: Execute a program as another user

    How about using groups? For example, create a group called zzzzzzzz or some important name.

    sudo chgrp zzzzzzzz prgmxxx
    sudo chmod 776 prgmxxx
    Then for those programs, add your logon to the /etc/group file against group zzzzzzzz.

    Only members of group zzzzzzzz or root will be able to execute that program
    Leslie in Montreal

    Interesting web sites list
    http://forums.fedoraforum.org/showth...40#post1697840

  7. #7
    Join Date
    Feb 2005
    Location
    London, UK
    Posts
    565

    Re: Execute a program as another user

    Quote Originally Posted by lsatenstein:
    "Only members of group zzzzzzzz or root will be able to execute that program"

    Hi Leslie,

    I don't think it's an issue of who can execute the command, it's an issue of who owns the files created by that command, or more likely who can read those files. For example if I have 10 doctors in a "Docs" group all using programme X, depending how you configure the security they could all read the files created by the process (i.e: see each others confidential patient files).

  8. #8
    Join Date
    Jun 2005
    Location
    Montreal, Que, Canada
    Posts
    4,600

    Re: Execute a program as another user

    If the doctors are not cpu savvy, you could embed a code in the file name that corresponds to the doctor.

    I have not tried it, but I believe that if you execute a program via a group execution call, you, calling the program, own the file that is created or modified.

    You could use an environment variable that is included as part of the file name. The environment variable, for example $USER would be unique to each logon. If a doctor has a secretary and each uses a separate computer, then in lieu of $USER, it could be $PRACTICE, an environment variable that you establish.

    Often the simplest solutions are the best.
    Leslie in Montreal

    Interesting web sites list
    http://forums.fedoraforum.org/showth...40#post1697840

  9. #9
    Join Date
    Nov 2017
    Location
    London
    Posts
    5

    Re: Execute a program as another user

    Hi Haydnh & Isatenstein,

    Thank you both for sharing your knowledge on the topic. I tried the option over the weekend and have to say that SE is preventing the 's' permission during installation of the program. Of course this needs root permission to set, which can be done.

    The solution by Haydnh has worked fine for the example given. I am trying to develop further with folders and file creation through the software for data storage.

    Thank you both
    Nethaji

  10. #10
    Join Date
    Feb 2005
    Location
    London, UK
    Posts
    565

    Re: Execute a program as another user

    No worries, if you require more flexibility then you'll probably want to look at Access Control Lists (ACLs):

    https://access.redhat.com/documentat..._guide/ch-acls

  11. #11
    Join Date
    Nov 2017
    Location
    London
    Posts
    5

    Re: Execute a program as another user

    Hi HaydnH
    Thank you for the link and it is quite useful.
