Linux C/C++ has the open or fopen API, but created files belong to the process uid.
If we want to change the owner/group of this file, we can use the chown or fchown API after the file is created.
But is there one API for creating a file as another user, not two APIs?
There is no Unix API dedicated to that, but you can change the current user to
another user before creating the file, such as:
Make sure you have permission. The current effective user must be "root" OR the executable file must have the set-user-ID or set-group-ID bit.
Call setgid and setuid to switch to the other user.
Create the file.
Call setuid and setgid to switch back to the old user if required.
Because the user is process-wide, if your program is multi-threaded, you may
need to fork a child process to do the steps I listed before.
But if you want a non-root user (such as nobody) to run your program, you can give
the permission to your executable file:
sudo chown root:root ./your_app && sudo chmod gu+s ./your_app
Now you can call setuid(0) and setgid(0) to acquire root permission.
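The fork-then-switch procedure from the answer above, written out as an added example (this is not code from the original post). The child drops supplementary groups before changing gid and uid, which the listed steps omit; without that, a root process that switches to another uid keeps root's supplementary group memberships. Assumptions: a writable /tmp for the self-check, and that a non-root caller only ever asks for its own uid/gid (the only identity it may request), so the switch itself needs root or CAP_SETUID/CAP_SETGID.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create `path` (O_EXCL, so an existing file is never clobbered) as uid:gid.
 * The identity switch happens in a forked child, so the parent's credentials
 * and any other threads are untouched. Returns 0 on success, -1 otherwise.
 * Switching to a different uid/gid only succeeds for root (or CAP_SETUID /
 * CAP_SETGID); an unprivileged caller may pass its own uid/gid, in which case
 * the set*id calls are permitted no-ops. */
int create_file_as(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Order matters: supplementary groups first, then gid, then uid.
         * Once the uid is non-root the earlier calls would be refused. */
        if (geteuid() == 0 && setgroups(0, NULL) != 0)
            _exit(2);
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(2);
        /* Verify the switch took effect and that root cannot be regained. */
        if (getuid() != uid || geteuid() != uid || getgid() != gid)
            _exit(2);
        if (uid != 0 && setuid(0) == 0)
            _exit(2);

        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
        if (fd < 0)
            _exit(3);
        close(fd);
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Report whether `path` is owned by uid:gid: 1 yes, 0 no, -1 if stat fails. */
int owned_by(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_uid == uid && st.st_gid == gid) ? 1 : 0;
}

/* Self-check: create a file as the calling identity, confirm ownership,
 * confirm that a second create is refused by O_EXCL, then clean up.
 * Returns 1 when every step behaved as expected. */
int demo_roundtrip(const char *path)
{
    uid_t me = getuid();
    gid_t mygrp = getgid();
    unlink(path);
    if (create_file_as(path, me, mygrp, 0600) != 0)
        return 0;
    int ok = owned_by(path, me, mygrp) == 1
          && create_file_as(path, me, mygrp, 0600) == -1;
    unlink(path);
    return ok;
}

int main(void)
{
    /* Constructed demo path; run as root to see a real identity switch. */
    printf("%s\n", demo_roundtrip("/tmp/create_file_as_demo.txt") ? "ok" : "FAILED");
    return 0;
}
```

Run as root, `create_file_as("/tmp/x", 65534, 65534, 0644)` produces a file owned by nobody:nogroup without the parent ever leaving uid 0; the `setuid(0)` probe in the child is what catches a drop that only changed the effective id.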
It's not possible in Linux.
Allowing this could cause some subtle security bugs (remote code execution, destroying files of other users, etc.) and therefore is not allowed.
Instead, please just run the process under sudo.
I have a hosted server on Google Cloud Platform (GCP), and I am trying to overwrite some files.
I was able to make a connection through WinSCP, and I'm able to find the directory of the files I need to overwrite; however, all files are read-only.
How can I manage the permissions to give myself add/change permissions?
I agree this seems to be related to permissions on the files. I am not able to comment, so I wanted to add that if you want to avoid changing the ownership of directories and files, you can always set up a group as an owner.
Details can be found on this discussion
Summarizing:
# groupadd mygroup
# useradd -G mygroup user1
# chown -R :mygroup /path/folder
# chmod -R g+rw /path/folder
Creates the new group 'mygroup'
Adds user user1 to mygroup
Recursively assigns group ownership of the contents of /path/folder to mygroup
Recursively grants group read & write permission on the contents of /path/folder
This will effectively allow you to manage users in mygroup with the appropriate permissions and access.
You need to be the owner of the file in order to be able to make changes. For example, if root is the owner of the file, you won't be able to change it (since GCP doesn't allow root access through FTP).
What you should do is make yourself (the user logged in through WinSCP) the owner of the file using the command line and then make changes to the file. Be careful to make the old owner the owner of the file again.
For example, using CentOS and WinSCP you should do this:
Log in to your server with WinSCP
Log in to your server through PuTTY or any other command line client
in PuTTY: sudo chown YOUR_USER /complete/URL/file/in/your/server.XYZ
make whatever changes you need to make to your file
in PuTTY: sudo chown OLD_USER /complete/URL/file/in/your/server.XYZ
YOUR_USER is the user you are logged in as on WinSCP.
OLD_USER can be apache, root or whatever
If you want to upload a new file, you must take ownership of the folder. To do that, do not specify the file in the chown command, for instance:
sudo chown YOUR_USER /complete/URL/folder/
Once you finish, give ownership back to OLD_USER.
This can be a pain, but it is the only way I found to edit my files on my GCP server...
Hope this helps.
I have a folder that I want to write to from a Django app using uwsgi (served by NGINX). I set ownership on that folder to root:writinggroup and set permissions on that folder to 775. I add the www-data user to the group writinggroup.
Then in my uwsgi ini file, I set:
uid = www-data
But when I run my server and hit the appropriate URL to trigger the write operation, I get a permissions error.
But if I switch the ownership of the folder to www-data:writinggroup, everything works perfectly.
So what's going on here? Why is it that having the user-owner of the folder set to www-data gets the job done, while setting the group-owner of the folder to writinggroup doesn't even though www-data (the user) is a member of that group?
Basically, what I'm asking is: if you set uid but not gid in the uwsgi config, why doesn't the uwsgi process behave like it inherits permissions associated with groups to which that uid belongs?
Following up on dgel's suggestion to learn about Unix permissioning: when you run processes in Unix, there are basically 3 ways you can wind up being "green lit" permissions-wise by the OS.
The user calling the command can be user-permissioned for the disk operation (green-lit because of effective user id)
The group id associated with the process can be group-permissioned for the disk operation (green-lit because of effective group id)
The user calling the command can be a member of a group that is group-permissioned for the disk operation (green-lit because of supplementary group id)
Number 3 there is important. It's how a lot of disk operations are ultimately green-lit. I.e. user joe is a member of group awesome. Folder important is owned by root:awesome with permissions 775. You execute a command at the terminal as joe where you try to write to important. This will be run with user joe and likely with effective group id joe (i.e. the group that contains only the user joe). Alone, this wouldn't get the job done. But because joe is in awesome and awesome the group has write permissions, your command is able to succeed.
When you run uWSGI in emperor mode, you can set a uid and gid for your vassal processes. I had assumed that this would result in vassals with the 3 types of permissions described above. But that's not quite right. While the vassals do indeed run with the effective user ID and effective group ID you specify, they do not wind up with any supplementary group IDs associated with their processes.
So say you have uWSGI running with uid=www-data and gid=www-data and you want to write to the important folder described above. So you make www-data a member of awesome. This will not be sufficient, because the vassal process will have only the permissions of www-data the user and www-data the group and not the permissions of the groups to which www-data (the user) belongs, i.e. it will not inherit the permissions of the awesome group. This leads to the annoying behavior that commands executed at the terminal after switching users to www-data may succeed while code run by the above-configured uWSGI process will fail (because at the terminal the command gets the permissions of the awesome group, but the vassals do not).
One solution would be to change the ownership of the important folder to be www-data:awesome. But I hate that answer since it doesn't generalize to a case where multiple users might need this kind of access. Instead, there's a better way: there is an add-gid option for uWSGI. So you would need to specify:
uid = www-data
gid = www-data
add-gid = awesome
in your uWSGI configuration. This parameter can be set many times so that you can associate as many supplementary groups with your vassal processes as your heart desires. You can read about it in the uWSGI release notes here.
A very important note is that this parameter was only added in uWSGI 1.9.15. This is much newer than the version that ships with Ubuntu. So if you (like me) are in that situation, you'll need to upgrade uWSGI. I did that with:
sudo mv /usr/bin/uwsgi /usr/bin/uwsgi.bak
sudo pip install -U uwsgi
sudo ln -fs /usr/local/bin/uwsgi /usr/bin/uwsgi
Quick server reboot (sudo service uwsgi restart) and I was all set!
I am working in Ubuntu 14.04. I have a C++ application which I have compiled. I get the executable, whose name is "program". Well, the thing is that this program uses opencv and sockets, so if I try to execute it in the terminal like this:
./program
I got this error:
listener: socket: Operation not permitted
setsockopt: Bad file descriptor
This error appears because I am using sockets and I need to run my application as root, so I type this:
sudo ./program
This requests my password and the program works properly.
The thing is that I want to run this "program" automatically when I start my Ubuntu, but it does not work. I have another application, whose name is "camera", which only uses opencv, no sockets, so I do not need to run it as root. So I put this application in the startup applications of Ubuntu and the "camera" application starts at the beginning without problem.
So I guess that my problem is that I need to run my "program" as root, but I cannot get it to.
Could someone help me?
Many thanks
You need to change the ownership of the program to root:root and use the setuid permission so that it runs with the permissions of its owner, not the user who invoked it.
sudo chown root:root ./program
sudo chmod a+s ./program
Now the program will run with root privileges for all users.
Hope that helps.
Side note: As a programmer you should strive to ensure that programs that run with root privileges are free of security holes, so that they're not vulnerable to buffer overflow exploits, etc.
I need to create a directory inside the root directory using a Qt widget application.
void Home::on_pushButton_clicked()
{
system("mkdir /bin/mydir");
}
But how do I get root privilege before making a folder inside the /bin folder?
You can get the root password using the pkexec command inside your program like below:
void Home::on_pushButton_clicked()
{
system("pkexec mkdir /bin/myDir");
}
Or you can try using the QProcess class; however, for your purpose pkexec is enough. But in this mode you have to enter the password manually; if you want to get root permission without entering the password manually and you could enter your password inside the code, then you may consider the code below:
QProcess process;
// QProcess does not spawn a shell, so the pipe needs an explicit sh -c
process.start("sh", QStringList() << "-c" << "echo your_password | sudo -S mkdir /bin/myDir");
process.waitForFinished();
A program cannot gain root privileges after it has been started; it is only permitted to (either temporarily or finally) drop privileges.
The best approach is usually to invoke a program such as gksudo or ksudo, which the system will invoke as root, at which point they temporarily drop root privileges, query the user for consent, close their connection to the GUI system, regain root privileges and execute the action.
If you want your application to access some resources which require root privilege, you have to run that application as root.
e.g
sudo your_application_name
or login as root and then run that application.
I am trying to run Lynx under the apache user via sudo, but it seems that lynx tries to access my home directory:
$ sudo -u apache lynx
/home/ssmirnov/: No such directory
I have such permissions on my home directory: drwx------
Can you advise me how to run Lynx under another user?
You might try using sudo's -H option. It sets $HOME to the home directory of the user you're trying to run as. Perhaps lynx is looking for a file there, I dunno. (It doesn't seem to have a problem on my machine...but eh.)
-i might work as well; it basically sets the environment up as if the user had logged in, including cd'ing to their home directory. Note, that means starting the shell specified for that user, running login scripts, and all that. If the user's not allowed to log in, this will likely fail.
If you want to run it from your home directory, for example to download something to that location, of course you'll have to grant access to apache somehow. This can be done on ext* filesystems on most modern Linux systems (without granting everyone access) by saying something like setfacl -m u:apache:rwx $HOME. In a pinch, you could temporarily put apache in your group and grant group rwx permissions on your homedir...but unless this is your home machine, I wouldn't do that.