suidexec (poor man's sudo)
This is a kind of poor man's sudo, and you should think about using sudo instead.
suidexec allows a low-privileged user to run commands as another user. It works very well when your web server already runs as www-data (for example) and needs to execute a FastCGI service as a different user.
ACL
suidexec loads /etc/suidexec.conf and uses it to check if the invoking user is allowed to run the program and what commands are permitted.
    # the configuration group with the same name of the suid instance
    [conf_group]
    # allowed commands (semicolon separated list)
    commands = /path/command1;/path/command2
    # set every allowed user to true
    user = true
Example
Run fast-cgi from a www-data process as the nobody user.
- $ cp suidexec suidexec_nobody
- # chown nobody:nobody suidexec_nobody
- # chmod +s suidexec_nobody
- Edit /etc/suidexec.conf to allow the command execution:
      # the configuration group with the same name of the suid instance
      [suidexec_nobody]
      # allowed commands (semicolon separated list)
      commands = /path/to/fast-cgi
      # set every allowed user to true
      www-data = true
- Configure your www-data process:
      suidexec_nobody /path/to/fast-cgi -- fast_cgi_arguments
Note: a # prompt implies root permissions.
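The ACL lookup described above, modeled in Python as an added example (this is not suidexec.c or the author's code). It assumes the group name is the basename of the invoked binary, an exact match against the commands list, and the literal value true for users; load_acl and is_allowed are hypothetical names, and the sample config is constructed from the example on this page.

```python
import configparser
import os

# Constructed sample mirroring the /etc/suidexec.conf example on this page.
SAMPLE_CONF = """\
# the configuration group with the same name of the suid instance
[suidexec_nobody]
# allowed commands (semicolon separated list)
commands = /path/to/fast-cgi
# set every allowed user to true
www-data = true
"""

def load_acl(text):
    """Parse the key-file text without configparser's extras."""
    cp = configparser.ConfigParser(
        interpolation=None,            # '%' in a path is literal
        delimiters=("=",),             # only 'key = value'
        comment_prefixes=("#",),
        default_section="__unused__",  # no section inherits keys from another
    )
    cp.optionxform = str               # user names are case-sensitive
    cp.read_string(text)
    return cp

def is_allowed(acl, instance_path, user, command):
    """Deny unless this instance's group lists both the user and the command."""
    group = os.path.basename(instance_path)    # group name == suid binary name
    if not acl.has_section(group):
        return False                           # unknown instance: deny
    if acl.get(group, user, fallback="").strip() != "true":
        return False                           # user missing or not set to true
    raw = acl.get(group, "commands", fallback="")
    allowed = [c.strip() for c in raw.split(";") if c.strip()]
    # Assumption: absolute paths only, so PATH lookup never picks the target.
    return os.path.isabs(command) and command in allowed

if __name__ == "__main__":
    acl = load_acl(SAMPLE_CONF)
    for user, cmd in [("www-data", "/path/to/fast-cgi"),
                      ("www-data", "/bin/sh"),
                      ("alice", "/path/to/fast-cgi")]:
        print(user, cmd, is_allowed(acl, "./suidexec_nobody", user, cmd))
```

Running the same check over a real configuration file is a quick way to review which user and command pairs each suid instance would accept.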
Download
The tool requires glib2, and can be compiled with:
$ gcc -O2 -s suidexec.c -o suidexec `pkg-config --cflags --libs glib-2.0`
suidexec.c version 0.1