1

If you don't want to give root to a process, how do you write a test that requires root? :P It's a paradox.

Comments
  • 1
    If the process doesn't need root, what are you testing that does need it?
  • 0
    @localpost I have to create a test disk image and put file systems and the like on it and mount it after attaching it to a loop device and assigning UUIDs

    all these utilities require root.
  • 0
    @netikras :P couldn't someone then modify the script and put whatever they wanted in it? :P
  • 0
    @AvatarOfKaine no idea what the script is.

    You can protect it from modification if you are in a ro filesystem

    copying its contents and recreating it elsewhere is another problem. I think selinux can deal with that.

    Auditd can monitor executions, but I don't recall it being able to assert their authorization.
  • 0
    @AvatarOfKaine I hate to bring it up, but.. Perhaps setfacl has anything to offer? Never liked it enough to learn it more than RHCSA required
  • 0
    @AvatarOfKaine You can always do a workaround:

    - write a script

    - chown root.root

    - chmod 0500

    - write a dead simple native app that exec's that script and does nothing else

    - chown root.root

    - chmod 4500 (because SUID doesn't work for scripts, as far as I recall)

    - setfacl -m u:myapp_user:rx

    and then in your application call that simplified native app instead of calling your script. The proxy app will get bumped to root due to SUID and as a result, the script will get executed as root too.
  • 0
    @netikras the issue is I don't want nodejs to have root perms :P lol
  • 0
    @AvatarOfKaine And it won't. It'll only get root privs for that proxy executable and whatever it runs - nothing more, nothing less. And that's in your control, as long as you chown-root and chmod-4500 it (i.e. protect it from being modified and run by anyone else).
  • 0
    @AvatarOfKaine I don't follow.
  • 1
    @netikras Source is being distributed. Just want to make it proper.
  • 1
    @netikras I found a way around anyway: I just created a shell script that can be read, isn't very long and is run as root to generate a test case.