Last Updated: September 09, 2019
· sheerun

Allow user to execute one command as root (no sudo)

sudo chown root:root /usr/bin/command
sudo chmod 6754 /usr/bin/command

The 6 in 6754 sets the set-user-ID-on-execution and set-group-ID-on-execution bits: whoever runs that command, the system will see them as root with group root (and allow root actions).

In other words, it is always going to be executed as if the owner ran it.

Thanks to 754, all other users can only read the file, while members of the group can read and execute it (but not write to it and hack it).

You also can specify which user or group can execute command as root:

sudo chown root:user /usr/bin/command
sudo chmod 6754 /usr/bin/command

To manage permissions per command, create a group for each command.

Note 1: this won't work for shell scripts.

Note 2: you can read the effective UID from C with geteuid().

Note 3: You have to chown the file first and chmod afterwards (chown clears the set-user-ID and set-group-ID bits).

Note 4: Before running chmod, ensure the users are in the correct groups; otherwise you have to chmod it again.
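As an added example (not part of the protip or its author's code), here is a small shell script that checks a path against the state described above: the owner, the 6754 mode decoded into the ls -l permission string, and whether the file is a #! script that Note 1 warns about. It assumes GNU coreutils stat (Linux).

```shell
#!/usr/bin/env bash
# Added example, not part of the protip. Assumes GNU coreutils stat (Linux).
# Usage: audit_setuid /usr/bin/command [expected_owner]

# Turn an octal mode (as stat -c %a prints it, e.g. 6754) into the permission
# column ls -l shows, e.g. -rwsr-sr-- (type column assumed '-' for a regular file).
mode_to_string() {
  local mode=$((0$1)) out="-" i bits special letter
  for i in 2 1 0; do
    bits=$(( (mode >> (i * 3)) & 7 ))
    special=$(( (mode >> (9 + i)) & 1 ))  # setuid (i=2), setgid (i=1), sticky (i=0)
    [ $((bits & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((bits & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    if [ "$special" -eq 1 ]; then
      # ls prints s/t when the bit is set together with execute, S/T without it
      if [ "$i" -eq 0 ]; then letter=t; else letter=s; fi
      [ $((bits & 1)) -ne 0 ] || letter=$(printf '%s' "$letter" | tr a-z A-Z)
      out="${out}${letter}"
    elif [ $((bits & 1)) -ne 0 ]; then out="${out}x"
    else out="${out}-"
    fi
  done
  printf '%s\n' "$out"
}

# Check that a path is in the state the tip expects: owned by root (or the
# given owner), mode exactly 6754, and a real binary rather than a #! script
# (the kernel ignores setuid/setgid on interpreter scripts, see Note 1).
# Prints every mismatch and returns 0 only when all checks pass.
audit_setuid() {
  local path=$1 want_owner=${2:-root} mode owner rc=0
  mode=$(stat -c '%a' "$path") || return 2
  owner=$(stat -c '%U' "$path") || return 2
  if [ "$owner" != "$want_owner" ]; then
    echo "$path: owned by $owner, expected $want_owner"; rc=1
  fi
  if [ "$mode" != "6754" ]; then
    echo "$path: mode is $mode ($(mode_to_string "$mode")), expected 6754 (-rwsr-sr--)"; rc=1
  fi
  if [ "$(head -c 2 "$path" 2>/dev/null)" = "#!" ]; then
    echo "$path: is an interpreter script, the setuid bit is ignored"; rc=1
  fi
  return "$rc"
}
```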


2 Responses

This doesn't seem to work, anyone can execute the file regardless of what group they're in. Certainly on Debian systems anyway.

over 1 year ago

@johnhunt Can't be. Ensure ls -l returns -rwsr-sr--

Btw, I've updated the protip so the commands are shorter.

over 1 year ago