Permission for binaries

B

bcomputerguy

I come across a few programs sometimes that will run without sudo but it won't do anything.
Then if I run the program with sudo it'll run as expected.

How can I set the permissions of that binary that say users in X group can run it w/o needing to use sudo but it also work as expected?
 
"Won't do anything" ??? Without error messages ???
I don't think that's possible purely based on permissions. If a file exists, but is not readable and executable, and someone tries to execute it, they will get an error message. Usually, it will be "Permission denied". In a nutshell, the permission system (the nine bits the control the RWX settings for owner, group and user) only controls whether a file can be executed or not; it can not change the behavior of the executed program. (Note that I'm using the words "file" and "program" interchangeable here, assuming that ultimately any file can be executed, because it might be a script. That's glossing over some important details like executable format. Also, above I wrote "readable and executable", and that also glosses over important details).

I think what you described is a program that when run by a user who is not authorized will run, but not do its job. When run by an authorized user, it will do its job. Such a program can be written, and it's actually rather easy to do as a shell script. Assume 1234 is the user ID of the authorized party, and 5678 is the group ID of the authorized group:
Code: 
if [ `id -u` -eq 1234 -o `id -g` eq 5678 ]
then
  ... execute the program as usual
else
  echo Good morning you are not authorized to do this, nothing will happen, please have a nice day.
fi
(Note: In the above example I added a message which tells the non-authorized user what is going on, for didactic clarity.) Obviously, doing this in general, flexibly (perhaps configurable) and in any programming language (like C) becomes much harder than just comparing the UID or

But then your real question is: "How can I set the permissions so users in group X can run it"? That's rather easy. Say user "adam" has written a program that should be executable by everyone in the group "animals": First, change the ownership of the executable itself to be in the desired group (with chgrp animals /home/adam/bin/ourtool), and then change the permissions of that program so it is readable and executable by anyone in that group, for example with chmod u+rwx,g+rx-w,o-rwx /home/adam/bin/ourtool. Now adam (the owner) can read,write and execute the file. Others in the animal groups can read and execute, but not write. And others (who are neither adam nor in the animals group) can do nothing, not read, write or execute. Except obviously root can do whatever she likes. Oh, and to make life easier, you should also make sure that all directories in the chain /home/adam/bin are readable and executable to the animals group (that's not strictly necessary, but let's keep things simple).

So, to summarize: To implement this kind of thing, you have two options. You can use the existing user/group infrastructure and mark the executable by group. Or you can implement authorization checking inside the program, and do a reasonable thing.

Style remark (sorry, I have to add anecdotes or philosophical remarks): Having a program that *silently* changes its behavior depending on who is running it is a very bad idea. It makes debugging when things don't work very hard. I would definitely implement this to print very clear messages when the program is deliberately not doing its job.
 
ralphbsz said:
"Won't do anything" ??? Without error messages ???
I don't think that's possible purely based on permissions. If a file exists, but is not readable and executable, and someone tries to execute it, they will get an error message. Usually, it will be "Permission denied". In a nutshell, the permission system (the nine bits the control the RWX settings for owner, group and user) only controls whether a file can be executed or not; it can not change the behavior of the executed program. (Note that I'm using the words "file" and "program" interchangeable here, assuming that ultimately any file can be executed, because it might be a script. That's glossing over some important details like executable format. Also, above I wrote "readable and executable", and that also glosses over important details).

I think what you described is a program that when run by a user who is not authorized will run, but not do its job. When run by an authorized user, it will do its job. Such a program can be written, and it's actually rather easy to do as a shell script. Assume 1234 is the user ID of the authorized party, and 5678 is the group ID of the authorized group:
Code: 
if [ `id -u` -eq 1234 -o `id -g` eq 5678 ]
then
  ... execute the program as usual
else
  echo Good morning you are not authorized to do this, nothing will happen, please have a nice day.
fi
(Note: In the above example I added a message which tells the non-authorized user what is going on, for didactic clarity.) Obviously, doing this in general, flexibly (perhaps configurable) and in any programming language (like C) becomes much harder than just comparing the UID or

But then your real question is: "How can I set the permissions so users in group X can run it"? That's rather easy. Say user "adam" has written a program that should be executable by everyone in the group "animals": First, change the ownership of the executable itself to be in the desired group (with chgrp animals /home/adam/bin/ourtool), and then change the permissions of that program so it is readable and executable by anyone in that group, for example with chmod u+rwx,g+rx-w,o-rwx /home/adam/bin/ourtool. Now adam (the owner) can read,write and execute the file. Others in the animal groups can read and execute, but not write. And others (who are neither adam nor in the animals group) can do nothing, not read, write or execute. Except obviously root can do whatever she likes. Oh, and to make life easier, you should also make sure that all directories in the chain /home/adam/bin are readable and executable to the animals group (that's not strictly necessary, but let's keep things simple).

So, to summarize: To implement this kind of thing, you have two options. You can use the existing user/group infrastructure and mark the executable by group. Or you can implement authorization checking inside the program, and do a reasonable thing.

Style remark (sorry, I have to add anecdotes or philosophical remarks): Having a program that *silently* changes its behavior depending on who is running it is a very bad idea. It makes debugging when things don't work very hard. I would definitely implement this to print very clear messages when the program is deliberately not doing its job.
Click to expand...

Thanks for the info.

I'd just prefer to use the built in permissions since that's less headaches.

Typically these issue pop up around programs that needs to access devices;
I ran into this trying to access usb device; a printer for example.

running XSane it'll say no devices found but sudo XSane finds the printer.

Things like that can be a bit annoying but it's happened so many times I typically
try to use sudo before I go looking elsewhere.

Maybe the ports can make note of that or something, I'm not sure how to fix it
other than testing if sudo works, then creating groups and adding users to that group.
 
For the XSane issue, it's not the permissions on the binary that's the issue, but permissions on the device node under /dev: it's probably missing read access for the group(s) you are in, or doesn't have read access for "other". Fix that (via /etc/devfs.rules) and you shouldn't need to run XSane as root.
 
You must log in or register to reply here.
Back
Top