How do I grant root access to a user application?

Question

I have a user-level C++ test application running on a linux mobile device. One of the test involves enabling/disabling printer paper sensor which requires root privileges writing on a device file. Is there a way to grant my application that kind of privilege? If none, is there a workaround for that?

Answer 1

This will do,

as root execute:

chown -v root:root /path/to/yourapp
chmod -v 4755 /path/to/yourapp    

or alternatively

chmod -v u+s /path/to/yourapp

or alternatively

man chmod

This will not work with scripts . And yes, you should take seriously what jdizzle said about dropping unnecessary privileges.

Another way to solve this is to make the user who runs the application a member of the group that owns the device file. For example,

ls -la /dev/devicefile
crw-rw---- 1 root printer 4, 0 may  6 10:56 /dev/devicefile

members of the printer group can read and write to the device, so you just need to add joe to the printer group (and restart the session).

gpasswd -a joe printer

If you need to adjust the devicefile permissions, you probably will need to edit udev rules to make it permanent. But chmod should work too.

Other options worth investigating: setcap(8) (nice guide here ) and sudo(8) .

Answer 2

You can set the program setuid root, which means it will always run as root even when run by a user. This typically requires special care to drop privileges inside the program once the necessary actions requiring root access are completed.

Answer 3

You could also have a helper program, itself setuid root -or with appropriate capabilities, or started thru sudo - which communicate with the printer. Your main application would fork & exec that program and communicate with it thru pipes, so it should not be itself running as root.

The helper program would be a simple executable (with appropriate capabilities) which would only be started by your main application (not directly by the user) and communicate with it thru pipes or program arguments, etc.

A lot of graphical administrative programs are done likewise: the graphical part is a program separated from the administrative part, and they communicate appropriately. Only the administrative program (usually existing command line programs like adduser ) need special privilege.

Answer 4

you should definitey try to avoid running your program as "root", as this would not only allow your program to read/write /dev/sensordevice but it would grant access to virtually everything on your system (including the ability to completely brick it)

you should therefore try to add fine-grained access to just the ressource you need, using proper groups and making sure that your device-file grants your group write access. see (eg) udev on how to write a proper udev rule, that grants write access for a certain device to a given group.