Similarly, they're also attached at their stdin, stdout and stderr file descriptor. By default, if the parent is killed gracefully (SIGINT/Ctrl+C), the child will be signaled to die, too. Flexibility to completely detach the subprocess from its parent or not. One of the reasoning for this, I found, is both flexibility and debugging. In other words, it can do anything the rest can. Popen is worth learning and the recommended way to execute subprocesses, especially in the long run. You can prefix sudo and bash to your script's path as the executed command in order to achieve the same goal. others) have write permissions then they can simply edit the file, add themselves to root and change your PS1 to black on black.Īs advised by lior.i, I'm adding this option, too. Whoever can execute this file (group or others have execution permissions, especially) will run everything inside as root. chown root.yourgroupĪgain, the same security implications apply here. p_root script to root and whoever can execute it (group/others) will always run the script as root. This is a file permission that allows executing a script with its owner's permission. visudo /etc/sudoers.d/20-special-prootĮxample content (full path to executable used is mandatory) youruser ALL=(ALL) NOPASSWD: /usr/bin/bash /full/path/to/p_root The files within /etc/sudoers.d are read in order (convention is to name them 10-something, 20-else, etc). You can add your own files in that directory, to sanely manage your system. Otherwise, someone can exploit this and run arbitrary code as root by editing the file and adding their own content.Įach file in /etc/sudoers.d contains rules for sudo. At least remove others' permission to write chmod o-w. It is imperative you lock down the script write permissions. p_root to be invoked with passwordless sudo. p_root invocation to be a passwordless sudo configuration in the sudoers.d directory. Programs should not fail like that just because they don't have root.There are two (*) methods I can think of. If root is the only thing that fixes a segfault, then the program has a bug. You shouldn't need to use root to get rid of a segmentation fault. This is why it's good practice to do most of your activities as a normal user, and use root only when needed, like when you're installing a program. So even if you request something by accident, it will be carried out with little or no warning, even if it's bad for the health of your system. The root user can do anything on a system, with almost no exceptions. The latter can be used only if you know root's password and is a good option if your account doesn't have permission to use sudo. You can also use the commands gksudo or su. The sudo command exists to temporarily give you root-level privileges when you need them to administer the system. There are several commands you can use to elevate your privileges. It even makes sense for mostly single-user machines such as desktops: if other members of your family, for example, somehow manage to run rm -rf / ( do NOT run that), they won't have permission to delete every file on the system, like they would if there were no such thing as privilege separation. Commonly, a web server or other process that exposes a port to other (possibly malicious) computers will run as its own user (Apache runs as the user nobody), so that even if the web server program is hacked, the attacker can't trash the entire machine quite so easily. (Root is a lot like Administrator in Windows.) That privileged user is traditionally called root. Because most users don't need to be able to modify the core system only the system administrator should have that privilege. UNIX was designed as a multi-user system from the ground up - that is, it was designed so that many people could use one computer running UNIX at once. UNIX-like operating systems (including Linux) use a concept called privilege separation to ensure that the system stays safe.
0 Comments
Leave a Reply. |