If there is a program written by a normal user that requires root privileges (eg. a program that interacts with root processes) what is the difference between running this program using sudo
vs. changing the program permissions with chown root
and chmod +s
from a security perspective?
- 11
- 1
1 Answers
It hardly makes a difference, but with some caveats
Firstly, lets get two things out of the way first:
using
chown root
andchmod +s
on a binary makes it a SUID (Set User ID) binary. I tell you this so it's easier to look up more information if you so please.sudo itself is a SUID binary.
Because both methods allow a normal user to run the application as root, if everything is set up correctly there is no difference whatsoever.
But it's easier to mess up sudo privileges configurations than to mess up SUID binaries.
Some possible outcomes of misconfigurations or errors would be:
- The ability to sudo an application of the same name (if the path set in sudo permissions isn't abolute)
- If you move the application (and are using an absolute path) and you forget to change the sudo path, the user can no longer sudo the application.
- Ever worse, if you the user can write to the old path it can now create a new binary with the old name and location and sudo it
- The above also applies if you delete the binary
A small note about SUID binaries, some applications (like bash run without -p) drop the SUID bit when ran, thus dropping privileges back to those of the normal user.
Also, from time to time a sudo exploit is discovered. These usually require the user to be able to sudo something and therefor aren't usually if the user can't sudo anything at all. But frankly I would consider that a minor issue, but worth mentioning here nevertheless.
I would just use a SUID
- 307
- 1
- 2
- 6
-
A benefit of `sudo` is that for multiuser environments, it can be easily configured to only allow execution to some users. Well, not much harder for `SUID` actually, one just needs to have a separate group for and correct file permissions. – domen Feb 18 '22 at 10:55