允许非root应用程序修改/ etc中的只读文件
[英]Allow non-root application modify read-only file in /etc
问题描述
I am trying to have an almost idiotproof configurator for network and some other stuff for embedded device running on linux. 
我试图为网络提供一个几乎防傻瓜的配置器,并为Linux上运行的嵌入式设备提供一些其他配置。 Application is saving to /etc/network/interfaces without problem when run by root, but returns "segmentation fault" when run by standard user. 由root用户运行时,应用程序可以毫无问题地保存到/ etc / network / interfaces中,但由标准用户运行时,它会返回“分段错误”。 strace returned: strace返回:
open("/etc/network/interfaces", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied) --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
How can I allow it to be launched by anyone and write to /etc/network/interfaces ? 如何允许任何人启动它并写入/ etc / network / interfaces?
Code for saving to file: 保存到文件的代码:
FILE *saveFile;
saveFile = fopen("/etc/network/interfaces","w");
// loopback
fprintf(saveFile, "auto lo \niface lo inet loopback\n\n");
// eth0
fprintf(saveFile, "auto eth0\niface eth0 inet static\n\taddress %s\n\tnetmask %s\n\tgateway %s\n",
address,netmask,gateway);
fclose(saveFile);
3 个解决方案
解决方案1
1 2017-01-05 08:37:38
How can I allow it to be launched by anyone and write to /etc/network/interfaces ?
Mmmmm... By giving write permissions to anyone on /etc/network/interfaces ? 嗯...通过向/ etc / network / interfaces上的任何人授予写权限?
解决方案2
1 2017-01-05 10:14:48
After your comment, your requirement is to allow a non root user to do a particular administrative tasks that would require root priviledge. 发表评论后,您的要求是允许非root用户执行需要root特权的特定管理任务。 The traditional way would be to make the program owned by root and setuid. 传统方法是使程序归root和setuid拥有。 This is now a throwned upon way, because a setuid program (su or sudo are) should be thoroughly scrutinized for any potential security problem: a buffer overflow or other would allow execution of arbitrary code as root . 现在这是一个抛出的问题,因为应该彻底检查setuid程序(su或sudo)是否存在任何潜在的安全问题:缓冲区溢出或其他将允许以root用户身份执行任意代码。
For your example, if it is a simple program, it could make sense, but at least the return value of every operation ( fopen and fwrite here) should be tested! 以您的示例为例,如果它是一个简单的程序,则可能有意义,但至少应测试每个操作(此处为fopen和fwrite )的返回值!
The recommended way for that will now be to use sudo and set specific entries in the /etc/sudoers file to allow any user (or a specific list of groups and/or users) to execute that specific command as root. 现在推荐的方法是使用sudo并在/etc/sudoers文件中设置特定的条目,以允许任何用户(或特定的组和/或用户列表)以root身份执行该特定命令。 To achieve almost the same that a setuid command but prompt the user for his/her password to notice him/her of an administrative task: 要实现与setuid命令几乎相同的功能,但提示用户输入密码以通知他/她执行管理任务:
ALL local_host_name = (root) /full/path/to/command
But the sudoers syntax allow much finer grained authorizations. 但是sudoers语法允许更精细的授权。
(Beware: you still have to twice control your code) (请注意:您仍然必须两次控制代码)
解决方案3
0 已采纳 2017-01-05 09:50:35
you can try something like this : 您可以尝试这样的事情:
- install sudo 安装sudo
- create a new user 创建一个新用户
- Give sudo permission for the new user only on your program. 仅在您的程序上为新用户授予sudo权限。
This way, when people will try to execute any command other than your program,it will be refused. 这样,当人们尝试执行除您的程序以外的任何命令时,它将被拒绝。
Now, your program will run with sudo rigth, so make sure that your program cannot be modified or replaced by another program (like chmod 700 and chown root) and make sure your program will not mess /etc/network/interface 现在,您的程序将以sudo rigth运行,因此请确保您的程序不能被其他程序修改或替换(例如chmod 700和chown root),并确保您的程序不会弄乱/ etc / network / interface
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.