[SOLVED] Is it possible to pass on password to process requiring root privileges



  • Suppose I start a process p1 using QProcess. The process p1 requires root privileges, so can we pass on the password to process p1 without human intervention, the password of course being read from some location?



  • I can think of two ways, depending on what your process supports:

    1. Pass the password as a command line argument. This obviously requires the target program to have such an option. See the documentation of QProcess::start on how to pass arguments.

    2. If you start the target program from a terminal, does it ask for the root password? If yes, start the QProcess and wait until it's done with QProcess::waitForStarted (waitForReadyRead may work even better). Then you can pass it the password by using QProcess::write.

    I hope one of those works for you.


  • Moderators

    Note: If you pass the password via the command line, then it might show up in the process list.



  • Use OS-specific methods: sudo or, better, setuid for Linux, etc. ShellExecute for Windows.



  • -On Windows, I don't think it is possible, and for good reason: it is a security breach. You want the user to know that the process just elevated its rights and now runs with root privileges.-
    I stand corrected.



  • Of course it is possible on Windows. There is a list of WINAPI functions to do that:
    ShellExecute (maybe not the best use for this, but it works from win 2000 to win7)
    CreateProcessWithLogon (simple to use)
    and another two with more flexible options:
    CreateProcessAsUser
    CreateProcessWithToken



  • I use Ubuntu (Linux); actually my application does not need root privileges, but it has one module which requires root privileges. That module needs to be run every time I start my application. I wish to ask for the root password only the first time the user starts the application and store the root password internally. The next time the user runs my application, I want to run the module using the password stored on first usage, without troubling the user to type in the password every time.



  • I still maintain that that is a security risk. How are you securely going to store that root password?



  • Is this module an executable file?
    If so, you can simply set sticky bit during installation and use setuid() to gain root privilege in your module.

    @
    su - root
    chmod +s <your executable binary>
    @

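    @
    #include <sys/types.h>
    #include <unistd.h>
    #include <QDebug>

    int main(int argc, char *argv[])
    {
        // .... (rest of the program elided in the original post)
        // IDs before the switch: getuid() is the user who started the binary
        qDebug() << "Current user ID: " << getuid() << " user group: " << getgid();
        // Succeeds only if the process already runs with effective UID 0,
        // e.g. a root-owned binary with the setuid bit set
        if (setuid(0) != 0)
        {
            qCritical() << "Can't get root access";
            return 1;
        }

        // we have root access now
        qDebug() << "Current user ID: " << getuid() << " user group: " << getgid();
        return 0;
    }
    @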



  • You then don't even need to know the root password.....



  • I was looking for a working setuid() method. Thanks a ton for making it look so easy.

    Edit 1:
    It didn't work!
    @Current user ID: 1000 user group: 1000
    Can't get root access@

    Edit 2:
    @Cannot connect creator comm socket /tmp/qt_temp.Vr2940/stub-socket: No such file or directory@
    I get this error.

    Moderator Edit: Instead of replying to yourself, please just edit your last post. I have merged your three posts into one; Andre



  • I forgot to mention:
    You should install your module as root user. Or chown it to be root.

    1. su
    2. chown root:root <yourbin>
    3. chmod +s <yourbin>
    4. exit to normal user
    5. check if "s" bit is set: ls -ahl <yourbin>
      It should look like that:
      @
      -rwsr-sr-x 1 root root 7,2K Sep 27 11:19 <yourbin>
      @
    6. ./<yourbin>

    It works always!


  • Moderators

    Making your binary suid means that anybody that can start it will be able to run it as root. That may or may not be what you want.

    You could also consider moving the root-part out into a D-Bus service and then using "polkit":http://hal.freedesktop.org/docs/polkit/polkit.8.html for the authentication. I never used it, but it seems to be what the cool kids do nowadays:-)
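
The caveat above about setuid binaries, shown as an added C example (not code from any poster): a setuid-root helper that refuses callers other than one expected user, performs its single root-only step, then drops root permanently and verifies the drop. `ALLOWED_UID`, the file path and the function names are assumptions made for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define ALLOWED_UID 1000  /* assumption: the one desktop user allowed to use the helper */

/* Permanently give up setuid-root. Returns 0 on success, -1 on any failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();   /* real IDs: the user who launched the helper */
    gid_t rgid = getgid();
    if (setgid(rgid) != 0)   /* group first: saved GID can only be cleared while still root */
        return -1;
    if (setuid(ruid) != 0)   /* with euid 0 this sets real, effective and saved UID */
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && setuid(0) == 0)   /* regaining root must now fail */
        return -1;
    return 0;
}

/* Perform the single root-only step (opening a file), then drop at once.
 * Returns the descriptor, -1 if open failed, -2 if privileges could not be dropped. */
int open_then_drop(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (drop_privileges() != 0) {
        if (fd >= 0)
            close(fd);
        return -2;
    }
    return fd;
}

int main(void)
{
    if (getuid() != ALLOWED_UID) {          /* refuse other local users */
        fprintf(stderr, "not permitted\n");
        return 1;
    }
    int fd = open_then_drop("/var/lib/myapp/root-only.conf");  /* hypothetical path */
    if (fd < 0)
        return 1;
    printf("uid=%ld euid=%ld, fd %d still usable\n", (long)getuid(), (long)geteuid(), fd);
    close(fd);
    return 0;
}
```

Everything after `open_then_drop()` returns runs with the invoking user's rights, so a bug in the rest of the helper no longer executes as root.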



  • I will be using policykit (pkexec), but only the first time, for setting setuid. Besides, I would be setting a password lock inside the binary to prevent its unauthorised execution.



  • setuid() and getuid() don't work on all Linux distros. policykit and pam can accomplish what you're trying to do. I use pam because policykit brings in gtk deps and uses pam anyways.

    policykit deps:
    D-Bus GLib Bindings, Linux-PAM, intltool, DocBook XSL Stylesheets,
    glib, libffi and Python



  • Thanks! Can you name some Linux distros which don't support setuid?



  • [quote author="zester" date="1348839627"]setuid() and getuid() don't work on all Linux distros. policykit and pam can accomplish what you're trying to do. I use pam because policykit brings in gtk deps and uses pam anyways.

    policykit deps:
    D-Bus GLib Bindings, Linux-PAM, intltool, DocBook XSL Stylesheets,
    glib, libffi and Python

    [/quote]

    What? setuid & getuid have been implemented in the kernel since 2.4(2?).* They belong to every Linux with this kernel version or above...
    PAM is just a package / third-party software. It must be compiled/installed and configured, and, for example, it is not there by default on LFS, OpenELEC, etc...



  • I don't know, and I agree with you, but the last time I had this issue (2011?) both Ubuntu and Fedora had them disabled, meaning they wouldn't work. After doing a lot of research I was informed that I should definitely not be using those functions and that most Linux distros had them disabled due to security concerns.

    Maybe things have changed (I have no idea); I was just pointing out my past experiences and what I was told to use, policykit or pam. Maybe it has something to do with SELinux?

    If setuid and getuid are working for you, then use them.

    Trust me, I would much rather use functions that are already provided versus installing a third-party package like policykit or pam.



  • Here you go maybe this was the issue I was having back then.

    SELinux is preventing dhcpd setgid/setuid access
    https://bugzilla.redhat.com/show_bug.cgi?id=737571

    Maybe ubuntu had the same bug?

    Or see here http://fedoraproject.org/wiki/Features/RemoveSETUID

    As far as being told not to use them..... What can I say, maybe it was an opinion made by someone with
    more experience than I. I will look into it; if I can get rid of one more package that duplicates functionality then good ;)



  • Right, I forgot about SELinux and grsecurity... they can prevent execution of setuid...
    They also need more complex PAM configuration...
    But I didn't know that Ubuntu or Fedora had ever used SELinux in desktop versions. SLED(S) and RHEL use SELinux by default...

    Anyway...
    The right way for desktop end users will be: using PAM
    The standard way for Linux will be: using the kernel's setuid

