Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am wondering if there's a way by which we can grant limited root privileges to a process. Let me further explain, a customer of my department would like to run a process on users workstations that collect hardware-related information, this process requires root privileges to read files under /proc and the like. Is there a way by which we can limit this process access to the filesystem; for example, limit this process to only access /proc ONLY?.
I am wondering if there's a way by which we can grant limited root privileges to a process. Let me further explain, a customer of my department would like to run a process on users workstations that collect hardware-related information, this process requires root privileges to read files under /proc and the like. Is there a way by which we can limit this process access to the filesystem; for example, limit this process to only access /proc ONLY?.
Thinking of interfacing /proc specifically there's also SNMP. That way any (authorised) remote or local client could obtain data w/o some app requiring root rights. Might not apply to whatever you vaguely defined as "and the like".
Thank you very much guys for the enlightening comments, Thank you all specially win32sux and un Spawn.
jschiwal: I am sorry to not answer your question as I will follow the guidlines outlined by the gyus.
Here's what I will do:
1. First investigate the use of SNMP
2. If (1) is not possible to implement, I'd go for SELINUX
As far as I know, you don't need root privileges to read /proc.
No, you don't, but as unprivileged user not all information will be available. Running for example 'netstat -anp >/dev/null' as unprivileged user should show "(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)".
Quote:
Originally Posted by theYinYeti
Anyway, a quite simple method could possibly be to mirror /proc in a chroot jail.
Actually one of the "free out of jail" cards reads "mount /proc VFS in the chroot jail."
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
