0

I am writing a program, and want it to run with reduced privileges. I know as root I can do this, but what about as a normal user? Can I set the user to nobody, without first setting it to root?

Jim Garrison
ctrl-alt-delor

2 Answers

1

No, you cannot change the user of a process to nobody without root permission.

The relevant syscalls are setuid(2), seteuid(2), setresuid(2) ...

(There might be perhaps a Linux-specific way of restricting new file operations on a process, but I can't recall the details)

See also SE-Linux, Setuid, credentials(7), capabilities(7) and read Advanced Linux Programming ...

Basile Starynkevitch
  • This is certainly true for Linux, but Solaris & Mac OS X have even more fine-grained privileges such as file access, network access, exec, fork – Anya Shenanigans Sep 16 '13 at 17:07
  • @Petesh Linux has the concept of the file system user ID, normally equal to the effective user ID. The setuid() call also sets the file system user ID of the calling process. See setfsuid(2) http://man7.org/linux/man-pages/man2/setfsuid.2.html . – ctrl-alt-delor Sep 17 '13 at 08:27
  • @richard I'm well aware of it, but it's not particularly fine-grained. It's at the same level as `setuid` et al. As an ordinary user, you can remove permissions on your process using the mechanisms provided in Solaris/Mac OS X, which is IMHO significantly more powerful. The tags contained `unix` so I added this as a mention – Anya Shenanigans Sep 17 '13 at 08:56
  • @Petesh sounds interesting, can you include a bit more info? API calls etc. – ctrl-alt-delor Sep 18 '13 at 09:21
  • The [Solaris page](http://docs.oracle.com/cd/E23824_01/html/821-1456/privtask-1.html) gives a good overview of privileges, but you would need to dig through the man pages for API calls. The documentation of the [Mac OS X sandbox](http://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf) is best described by other people (Apple has gone the simple route for this). – Anya Shenanigans Sep 18 '13 at 11:25
0

You do not need to set root permission, but you must start the program as either a root user or another admin user.

Michael0x2a
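
The behaviour the first answer describes, as an added example in C (not code from the question or from either answer): a full drop to another user that succeeds only when started as root and otherwise reports the errno it hit. The helper names `drop_privileges` and `try_drop_in_child` are hypothetical, and 65534 as the id of nobody is an assumption.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for setgroups() in <grp.h> */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Returns 0 on success, else an errno value. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Order matters: groups and gid go first, while we may still change them. */
    if (setgroups(0, NULL) != 0) return errno;  /* clear supplementary groups */
    if (setgid(gid) != 0) return errno;
    /* Called with euid 0, setuid() sets the real, effective and saved uid. */
    if (setuid(uid) != 0) return errno;

    /* Verify the result instead of trusting return codes alone. */
    if (getuid() != uid || geteuid() != uid) return EPERM;
    if (getgid() != gid || getegid() != gid) return EPERM;
    /* A leftover saved uid of 0 would let this call succeed. */
    if (uid != 0 && setuid(0) == 0) return EPERM;
    return 0;
}

/* Attempt the drop in a child so the caller keeps its own credentials.
 * Returns 0 if the child dropped to uid/gid, otherwise the errno it hit. */
int try_drop_in_child(uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) _exit(drop_privileges(uid, gid));
    int status;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : EINTR;
}

int main(void)
{
    /* 65534 is assumed to be nobody/nogroup; a real program should look the
     * ids up with getpwnam("nobody") before dropping. */
    int rc = try_drop_in_child(65534, 65534);
    printf("euid=%d drop to 65534: %s\n", (int)geteuid(),
           rc == 0 ? "ok" : strerror(rc));
    return 0;
}
```

Run as an ordinary user it reports "Operation not permitted"; started as root, the child ends up as uid 65534 and cannot switch back.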