Is it possible to fork a process and to run a program as normal user, e.g. with sudo rights? Or, if with sudo, with normal rights?
If your process runs as root, after a fork() you can execute setgid() and setuid(), and run as a normal user in the child process, without affecting the parent process, that continues to run as root.
Related
The problem i encountered is pretty simple. I tried spawning bash via runuser, after using root user for some configuration. But when I run runuser -l user -c 'bash', and then press CRTL+C, instead of interrupting whatever command I ran inside of the bash, it kills the rununser shell Session terminated, killing shell....
How can I create interactive shell without (ideally using runuser) without it being killed by CTRL+C?
I do not understand why sudo gets a separate PID (e.g. 1620) while starting dockerd (e.g. 1628) with sudo? To which PID should I send SIGTERM to stop the dockerd?
ps aux | grep dockerd
pstree -ps
I do not understand why sudo gets a separate PID (e.g. 1620) while starting dockerd (e.g. 1628) with sudo?
It is just the way that sudo works. It runs the command as a child process because it needs to do things after the child process exits.
You may be able to tweak the sudo configs to so that sudo doesn't fork a child process. On my system, man sudo says:
"If no I/O logging plugins are loaded and the policy plugin has not defined a close() function, set a command timeout or required that the command be run in a new pty, sudo may execute the command directly instead of running it as a child process."
But notice that :
it says may rather than will, and
you are necessarily sacrificing some functionality to achieve this "no fork" behavior.
To which PID should I send SIGTERM to stop the dockerd?
You can send signals to the sudo process and they will be relayed to the dockerd process. That's what man sudo says. Look in the man page's section on signal handling.
I've heard so much about individual processes should run as its own unprivileged user, yet the crond process is always run by root. My question is, should it? If so, is it considered "good practices" to have the crond process run by root, but individual cron jobs to always use unprivileged user then?
I'm fiddling with libfuse and I find useful the rules make mount which executes the userspace fuse daemon and make umount to unmount the directory. Unfortunately if I start the daemon in the make mount rule, this gets killed as soon as make exits (when the rule is completed).
Is it possible to spawn a daemon from a make rule such that the daemon persists the exit of make?
Make is the wrong tool for the job here. It shouldn't be used as a supervisor for other processes and anything it starts should end when it does.
That being said you can easily unhitch processes so that kill signals are not propagated when processes terminate. Running your fuse daemon prefixed by nohup … should stop the signals from reaching the child process and it will go on it's merry way.
Is my assumption true, that on Unix/Linux, the only way to GAIN root access is to execute a setuid-root file?
In other words, the system calls setuid(), setgid() are all about DROPPING privileges?
Please note that my question is not about exploits.
That's true. The only way for a non-root process (assuming it's running a non-setuid program) to become root is to exec a setuid program. If it's running a set-uid root program, then its effective uid is root and real uid is whoever ran it. It can then do setuid(0) to make its real uid 0.