Allow user to execute one command as root (no sudo)
sudo chown root:root /usr/bin/command
sudo chmod 6754 /usr/bin/command
The leading 6 in 6754 sets the set-user-ID and set-group-ID bits on execution: whoever runs that command is seen by the system as root with group root, so root actions are allowed.
In other words, the command always executes as if its owner had run it.
The 754 part lets the owner read, write and execute the file, lets members of the group read and execute it, and lets everyone else only read it (so nobody but the owner can write to it and tamper with it).
You can also specify which user or group may execute the command as root, by making that group the file's group:
sudo chown root:user /usr/bin/command
sudo chmod 6754 /usr/bin/command
To manage permissions per command, create a group for each command.
Note 1: this won't work for shell scripts; the setuid bit is ignored on interpreted scripts.
Note 2: you can read the effective UID from C with geteuid().
Note 3: you have to chown the file first and chmod afterwards, because chown clears the setuid/setgid bits.
Note 4: before running chmod, ensure the users are in the correct groups. If they are not, you have to chmod it again.
Reference: bashguru.com
Written by Adam Stankiewicz
2 Responses
This doesn't seem to work; anyone can execute the file regardless of what group they're in. Certainly on Debian systems anyway.
@johnhunt Can't be. Ensure ls -l returns -rwsr-sr--
Btw. I've updated protip so commands are shorter.