setuid for a file

[kavitakr]

Hi

To setuid for a file [ Executable files with this bit set will run with effective uid set to the uid of the file owner]

chmod 4555 <file>

Is it possible to setuid for specific user/users? Like this file is for privileged users?[ we want to avoid using sudo , looking for alternate solution]

 

[im]

You can install and use sudo.
Sudo allows to run specified program as root for specified users.

 

[kavitakr]

You can install and use sudo.
Sudo allows to run specified program as root for specified users.

we dont install sudo on our product/ looking for some other way

 

[SirDice]

Is it possible to setuid for specific user/users?

No, the SUID bit applies to anyone or anything that executes it, the bit is tied to the executable. That said, perhaps you can use an ACL to limit who can actually execute it.

 

[ralphbsz]

What SirDice said.

You could also write a small "script" (not necessarily a shell script, the language used is up to you) that encapsulates the program, checks whether the user is correct (or any other configuration), and then starts the program. That script would have to be written hacking-proof (which is not so easy for shell scripts). The advantage of a script is that you can do arbitrarily complex tests: On the full moon, Alice can run the program, on every second Tuesday Bob can run the program, Carol can only run the program if Eve gives her a cookie first, and so on.

If you have the source code for the actual program (on FreeBSD, given that it is an open source system, this is extremely likely), you could even put these checks into the program itself, instead of putting a script around it.

 

[zirias@]

The requirement is unclear. The effect of the SUID bit is to run the program with the EUID of its owner, so

Is it possible to setuid for specific user/users?

YES, it already does exactly that. Just set the owner to the user you want it to run as.

But the answers given so far suggest that you mean setting the EUID should only apply when specific users attemt to run the program. Then sure, the solution is sudo, doas, etc. Of course you can "wrap" it yourself, be it with a (shell) script (I'd be VERY careful with this, it is dangerous) or another binary. But then, you actually reinvent sudo et al, minus the configurability.

 

[George]

security/doas has a lot of hype around it these days.