Running a process with limited root privileges
 

Hi guys,

I am wondering if there's a way by which we can grant limited root privileges to a process. Let me further explain, a customer of my department would like to run a process on users workstations that collect hardware-related information, this process requires root privileges to read files under /proc and the like. Is there a way by which we can limit this process access to the filesystem; for example, limit this process to only access /proc ONLY?.

Your responses are highly appreciated.
Thanks.

You could use mandatory access control.

Some examples of GNU/Linux tools of this nature: SELinux, AppArmor, TOMOYO, and Smack.

Thinking of interfacing /proc specifically there's also SNMP. That way any (authorised) remote or local client could obtain data w/o some app requiring root rights. Might not apply to whatever you vaguely defined as "and the like".

Is the required information mirrored in the /sys/ pseudo filesystem?

Thank you very much guys for the enlightening comments, Thank you all specially win32sux and un Spawn.
jschiwal: I am sorry to not answer your question as I will follow the guidlines outlined by the gyus.

Here's what I will do:
1. First investigate the use of SNMP
2. If (1) is not possible to implement, I'd go for SELINUX

Thanks very much

As far as I know, you don't need root privileges to read /proc. Anyway, a quite simple method could possibly be to mirror /proc in a chroot jail.

Yves.

No, you don't, but as unprivileged user not all information will be available. Running for example 'netstat -anp >/dev/null' as unprivileged user should show "(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)".


Actually one of the "free out of jail" cards reads "mount /proc VFS in the chroot jail."