[SOLVED]Is it possible to pass on password to process requiring root privileges

tobias.hunger

Note: If you pass the password via the command line, then it might show up in the process list.

AcerExtensa

Use OS specific methods. sudo or better setuid for linux etc... ShellExecute for windows.

andre

-On Windows, I don't think it is possible, and for good reason: it is a security breach. You want the user to know that the process just elevated it's rights and now runs with root privileges.-
I stand corrected.

AcerExtensa

Of cause it is possible on Windows. There is an list of WINAPI functions to do that:
ShellExecute (maybe not the best use for this, but it works from win 2000 to win7)
CreateProcessWithLogon (simple to use)
and another two with more flexible options:
CreateProcessAsUser
CreateProcessWithToken

adnan

I use Ubuntu (Linux), actually my application does not need root privileges. But it has one module which requires root privileges. That module needs to be run everytime i start my application. i wish to ask for root password only the first time user starts the application and store the root password internally. Next time when user runs my application, i want to run the module using password stored on first usage, without troubling the user to type in password every time.

andre

I still maintain that that is a security risk. How are you securely going to store that root password?

AcerExtensa

Is this module an executable file?
If so, you can simply set sticky bit during installation and use setuid() to gain root privilege in your module.

@

su - root

chmod +s <your executable binary>

@

@
#include <sys/types.h>
#include <unistd.h>

int main(...)
{
....
qDebug() << "Current user ID: " << getuid() << " user group: " << getgid();
if (setuid(0) != 0)
{
qCritical() << "Can't get root access";
return;
}

// we have root access now
qDebug() << "Current user ID: " << getuid() << " user group: " << getgid();
}
@

AcerExtensa

You then don't even need to know the root password.....

adnan

I was looking for a working setuid() method. Thanks a ton for making it look so easy.

Edit 1:
It didn't work!
@Current user ID: 1000 user group: 1000
Can't get root access@

Edit 2:
@Cannot connect creator comm socket /tmp/qt_temp.Vr2940/stub-socket: No such file or directory@
I get this error.

Moderator Edit: Instead of replying to yourself, please just edit your last post. I have merged your three posts into one; Andre

AcerExtensa

I have forgot to tell:
You should install your module as root user. Or chown it to be root.

1. su
2. chown root:root <yourbin>
3. chmod +s <yourbin>
4. exit to normal user
5. check if "s" bit is set: ls -ahl <yourbin>
   It should look like that:
   @
   -rwsr-sr-x 1 root root 7,2K Sep 27 11:19 <yourbin>
   @
6. ./<yourbin>

It works always!

tobias.hunger

Making your binary suid means that anybody that can start it will be able to run it as root. That may or may not be what you want.

You could also consider moving the root-part out into a D-Bus service and then using "polkit":http://hal.freedesktop.org/docs/polkit/polkit.8.html for the authentication. I never used it, but it seems to be what the cool kids do nowadays:-)

adnan

I will be using policykit (pkexec) but only first time for setting setuid. Besides, i would be setting a password lock inside the binary to prevent its unauthorised execution

zester

setuid() and getuid() don't work on all linux distros. policykit and pam can accomplish what your trying to do. I use pam because policykit brings in gtk deps and uses pam anyways.

policykit deps:
D-Bus GLib Bindings, Linux-PAM, intltool, DocBook XSL Stylesheets,
glib, libffi and Python

adnan

Thanks! can you name some Linux Distros which don't support setuid.

AcerExtensa

[quote author="zester" date="1348839627"]setuid() and getuid() don't work on all linux distros. policykit and pam can accomplish what your trying to do. I use pam because policykit brings in gtk deps and uses pam anyways.

policykit deps:
D-Bus GLib Bindings, Linux-PAM, intltool, DocBook XSL Stylesheets,
glib, libffi and Python

[/quote]

What? setuid & getuid is implemented in kernel since 2.4(2?).* it belongs to each linux with this kernel version or above...
PAM is just package/ 3rd software.. it must be compiled/installed and configured. And for example is not by default on LFS, OpenELEC, etc...

zester

I don't know and I agree with you but the last time I had this issue (2011?) both ubuntu and fedora had them disabled, meaning they wouldn't work. After doing alot of research I was informed that I should defiantly not be using those fucntions and that most linux distros had them disabled do to security concerns.

Maybe things have changed "I have no idea" I was just pointing out my past experiences and what I was told to use, policykit or pam. Maybe it has something to do with SELinux?

If setuid and getuid is working for you then use them.

Trust me I would much rather use functions that are already provided verses installing a thirdparty package like policykit or pam.

zester

Here you go maybe this was the issue I was having back then.

SELinux is preventing dhcpd setgid/setuid access
https://bugzilla.redhat.com/show_bug.cgi?id=737571

Maybe ubuntu had the same bug?

Or see here http://fedoraproject.org/wiki/Features/RemoveSETUID

As far as being told not to use them..... What can I say, maybe it was an opinion made by someone with
more experance than I. I will look into it, If I can get rid of one more package that duplicates functionality then good ;)

AcerExtensa

right i have forgot about SELinux and grsecurity... they can prevent execution of setuid...
They also need more complex PAM configuration...
But didn't know what ubuntu or fedora have ever used SELinux in Desktop versions. SLED(S) and RHEL uses SELinux by default...

Anyway...
The right way for desktop endusers will be: using PAM
Standard way for linux will be: using kernels setuid

raghava

@adnan

I am facing the same problem. You have come cross the problem.
what you did to solve...
I want user to enter the password only once.