LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 02-19-2009, 07:14 AM   #1
geek.ksa
Member
 
Registered: Jan 2009
Location: Dhahran, Saudi Arabia
Distribution: RHEL 5
Posts: 42

Rep: Reputation: 17
Running a process with limited root privileges


Hi guys,

I am wondering if there's a way by which we can grant limited root privileges to a process. Let me further explain, a customer of my department would like to run a process on users workstations that collect hardware-related information, this process requires root privileges to read files under /proc and the like. Is there a way by which we can limit this process access to the filesystem; for example, limit this process to only access /proc ONLY?.

Your responses are highly appreciated.
Thanks.
 
Old 02-19-2009, 08:01 AM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by geek.ksa View Post
Hi guys,

I am wondering if there's a way by which we can grant limited root privileges to a process. Let me further explain, a customer of my department would like to run a process on users workstations that collect hardware-related information, this process requires root privileges to read files under /proc and the like. Is there a way by which we can limit this process access to the filesystem; for example, limit this process to only access /proc ONLY?.

Your responses are highly appreciated.
Thanks.
You could use mandatory access control.

Some examples of GNU/Linux tools of this nature: SELinux, AppArmor, TOMOYO, and Smack.

Last edited by win32sux; 02-19-2009 at 08:04 AM.
 
Old 02-19-2009, 12:02 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,665
Blog Entries: 54

Rep: Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952
Thinking of interfacing /proc specifically there's also SNMP. That way any (authorised) remote or local client could obtain data w/o some app requiring root rights. Might not apply to whatever you vaguely defined as "and the like".
 
Old 02-19-2009, 01:19 PM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
Is the required information mirrored in the /sys/ pseudo filesystem?
 
Old 02-19-2009, 04:07 PM   #5
geek.ksa
Member
 
Registered: Jan 2009
Location: Dhahran, Saudi Arabia
Distribution: RHEL 5
Posts: 42

Original Poster
Rep: Reputation: 17
Thank you very much guys for the enlightening comments, Thank you all specially win32sux and un Spawn.
jschiwal: I am sorry to not answer your question as I will follow the guidlines outlined by the gyus.

Here's what I will do:
1. First investigate the use of SNMP
2. If (1) is not possible to implement, I'd go for SELINUX

Thanks very much
 
Old 02-19-2009, 04:49 PM   #6
theYinYeti
Senior Member
 
Registered: Jul 2004
Location: France
Distribution: Arch Linux
Posts: 1,897

Rep: Reputation: 61
As far as I know, you don't need root privileges to read /proc. Anyway, a quite simple method could possibly be to mirror /proc in a chroot jail.

Yves.
 
Old 02-19-2009, 05:35 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,665
Blog Entries: 54

Rep: Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952Reputation: 2952
Quote:
Originally Posted by theYinYeti View Post
As far as I know, you don't need root privileges to read /proc.
No, you don't, but as unprivileged user not all information will be available. Running for example 'netstat -anp >/dev/null' as unprivileged user should show "(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)".


Quote:
Originally Posted by theYinYeti View Post
Anyway, a quite simple method could possibly be to mirror /proc in a chroot jail.
Actually one of the "free out of jail" cards reads "mount /proc VFS in the chroot jail."
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Need to allocate a limited resources to a user/process pkhera_2001 Linux - Newbie 4 07-01-2008 03:34 AM
JFFS2 [VFS mount root /dev/mtdblock2 ok] - kernel panic on running init process sud_vijay Linux - Kernel 0 03-05-2008 11:05 AM
ps aux shows process -:0 running with root priveleges bjharker Linux - General 7 01-02-2008 03:30 PM
Script with root privileges running by an ordinary user MOCKBA Linux - Newbie 3 02-09-2007 04:33 PM
limited cpu use of a process (apache) JustinHoMi *BSD 0 01-10-2003 01:51 AM


All times are GMT -5. The time now is 03:15 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration