Is it possible to change the ownership of an executable to root using sudo?

4

I have an executable created by my userid that I need to have run as root. Therefore I need to change the ownership of my executable to be root:root and use setuid. When I attempt

sudo chown root:root [EXE_NAME]

I get the error:

chown: changing ownership of `[EXE_NAME]`: Operation not permitted

My constraints are:

  • I have sudo ALL ALL for my userid in the sudoers file, but cannot login as root
  • The executable that needs to run as root is attempting to bind to a network interface (hence the need to run as root) in promiscuous mode using the pcap_open_live function.

Is there a better way to solve my ultimate problem, that is, needing to run an executable that binds to a network interface, that is secure and does not require sudo or creating a root-owned shell (sudo tcsh)?

EmRhap

Posted 2012-09-19T21:55:19.997

Reputation: 43

Which OS are you using? BSD? OSX, GNU/Linux? – Hennes – 2012-09-19T22:10:32.027

GNU/Linux RHEL 6.2 – EmRhap – 2012-09-19T22:16:59.520

See @Dennis's answer: if the file is on a filesystem that doesn't support ownership (like vfat or smb), then you can't change it. – Stefan Seidel – 2012-09-20T12:47:23.557

Answers

3

If sudo actually gives you UID 0 (check with sudo id) I'd suspect that the file resides on a filesystem that doesn't support permissions (e.g. FAT32). On such a filesystem you cannot change ownership (or permissions) of a file.

Ansgar Wiechers

Posted 2012-09-19T21:55:19.997

Reputation: 4 860

So I did eventually settle that the issue was that the exported file system did have root squashing enabled and I was unable to proceed as I wanted. I also ended up with another job and this became someone else's problem. Sorry it took me nearly three years to get back to this. – EmRhap – 2015-08-06T04:35:40.417

sudo id gives UID 0. How would I check the filesystem that the exe resides on? (It is a net mount, I believe) – EmRhap – 2012-09-19T22:18:38.703

mount will list all mounted filesystems including their type. If it's a network-mounted filesystem, it's possible that root doesn't have write access to that filesystem (e.g. an NFS mount with root_squash enabled). – Ansgar Wiechers – 2012-09-19T22:21:24.737

How do I tell if root_squash is enabled? Here is the output from mount: /home/sw/ type nfs (rw,sloppy,addr=XXX.XXX.XXX.XXX). The IP is actually specified, I just figure it's not relevant. – EmRhap – 2012-09-19T22:40:09.573

You take a look at /etc/exports on the NFS server. If the exported filesystem does not have the option no_root_squash set, then root squashing is enabled (i.e. root is mapped to another account, usually nobody). – Ansgar Wiechers – 2012-09-19T23:04:00.077

1

If your file system supports ownership, there are three more reasons I can think of:

  1. The partition is mounted read-only.

    Try renaming the file or creating another file in the same directory. If you can, that's not the problem.

  2. The file is locked.

    Check if the program is running. Try renaming the file.

  3. The file is set as append only or immutable.

    To change this, execute the following command:

    sudo chattr -ai filename
    

Dennis

Posted 2012-09-19T21:55:19.997

Reputation: 42 934

Items 1 and 2: checked, able to rename the file. Item 3: lsattr [EXE_NAME] gives the error: lsattr: Inappropriate ioctl for device While reading flags on [EXE_NAME] – EmRhap – 2012-09-19T22:39:00.123

If the filesystem were mounted read-only, chown would report Read-only file system. – Ansgar Wiechers – 2012-09-19T23:23:34.600
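The checks the two answers above walk through by hand (is sudo really giving UID 0, which filesystem and mount options hold the file, is it read-only, does the filesystem even have ext2-style attributes, does chown fail on a scratch file in the same directory) fit in one script. This is an added example, not code from the thread; the path /home/sw/EXE_NAME in the usage line and the GNU stat/mktemp/lsattr tools it calls are assumptions (all are present on RHEL 6). The mount lookup does a longest-prefix match over /proc/mounts, so it also handles a local filesystem mounted underneath an NFS home.

```shell
#!/bin/sh
# why_chown_fails.sh - work out why "sudo chown root:root FILE" says
# "Operation not permitted".  Added example, not from the thread.  Assumes a
# Linux box with /proc/mounts, GNU coreutils (id, mktemp, dirname) and
# e2fsprogs (lsattr); the chown probe only means something when run via sudo.

# Longest-prefix match of PATH ($1) against mount-table text on stdin in
# /proc/mounts format ("device mountpoint fstype options dump pass").
# Prints the winning line; on ties the later line wins, as it does in the kernel.
mount_entry_for() {
  awk -v p="$1" '
    { mp = $2
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) >= best_len) { best_len = length(mp); best = $0 }
      } }
    END { if (best != "") print best }'
}

# Map chown's stderr text to a short reason code.
classify_chown_error() {
  case "$1" in
    "")                          echo ok ;;
    *"Read-only file system"*)   echo ro ;;
    *"Operation not permitted"*) echo eperm ;;
    *)                           echo other ;;
  esac
}

# Map lsattr's stderr text.  "Inappropriate ioctl for device" means the
# filesystem has no ext2-style attributes, so immutable/append-only cannot be it.
classify_lsattr_error() {
  case "$1" in
    "")                                 echo ok ;;
    *"Inappropriate ioctl for device"*) echo unsupported ;;
    *)                                  echo other ;;
  esac
}

# Interpret one mount-table line ($1): filesystem type and options.
explain_mount() {
  set -- $1                     # split the line into its fields
  fstype=$3; opts=$4
  echo "filesystem: $fstype, options: $opts"
  case ",$opts," in *,ro,*) echo "verdict: mounted read-only" ;; esac
  case "$fstype" in
    vfat|msdos|ntfs|ntfs-3g|iso9660|udf)
      echo "verdict: $fstype stores no Unix owner/mode; chown and setuid cannot work here" ;;
    nfs|nfs4)
      echo "hint: NFS; if uid 0 still gets EPERM the server squashes root (no no_root_squash in its /etc/exports)" ;;
    cifs|smbfs)
      echo "hint: SMB; ownership comes from the mount's uid=/gid= options, not from chown" ;;
  esac
}

# Try chown on a scratch file next to FILE so the real binary is never touched.
probe_chown() {
  dir=$(dirname -- "$1")
  tmp=$(mktemp "$dir/.chownprobe.XXXXXX") || { echo cannot-create; return 0; }
  err=$(chown root:root -- "$tmp" 2>&1 >/dev/null)
  rm -f -- "$tmp"
  classify_chown_error "$err"
}

diagnose() {
  f=$1
  echo "effective uid: $(id -u) (must be 0, otherwise sudo is not granting root)"
  explain_mount "$(mount_entry_for "$f" < /proc/mounts)"
  lserr=$(lsattr -- "$f" 2>&1 >/dev/null)
  echo "lsattr: $(classify_lsattr_error "$lserr")"
  flags=$(lsattr -- "$f" 2>/dev/null | awk '{print $1}')
  case "$flags" in *i*|*a*) echo "verdict: immutable/append-only flag set; clear with: chattr -ai $f" ;; esac
  echo "chown probe in $(dirname -- "$f"): $(probe_chown "$f")"
}

# Usage: sudo sh why_chown_fails.sh /home/sw/EXE_NAME
if [ $# -eq 1 ]; then diagnose "$1"; fi
```

If the probe reports eperm while the uid line shows 0 and the mount is nfs, the server is squashing root and nothing on the client side (sudo, chown, chgrp) will change that; the binary has to live on a local filesystem, or the export needs no_root_squash, which is rarely worth enabling.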

0

If you just need to change the ownership (and not the ownership and the group), you can use chown root filename, prefixed by sudo if you are not root.

If you also want to change the group there is always chgrp.

(Granted, not as nice as all in a single command).

Hennes

Posted 2012-09-19T21:55:19.997

Reputation: 60 739

sudo chown root filename as you suggest produces the same error – EmRhap – 2012-09-19T22:03:35.063

@Hennes: chown root:root filename changes both owner and group. – Dennis – 2012-09-19T22:12:12.770

Aye. But I just tried that as root and I got an error for chown root:root filename but not on chown root filename. (This was as root on a FFS filesystem on FreeBSD 7). – Hennes – 2012-09-19T22:55:37.070

0

Normal users can also bind to a network interface, just not to ports under 1024. Thus, you could have your program bind to a port >= 1024 and then redirect to that port either externally or via ssh -fN -L 0.0.0.0:<PRIV_PORT>:localhost:<UNPRIV_PORT>.

That being said, your problem could also relate to SELinux, which is enabled by default in RHEL. To disable it, set SELINUX=disabled in /etc/selinux/config.

Stefan Seidel

Posted 2012-09-19T21:55:19.997

Reputation: 8 812

I am binding to a port greater than 1024 and SELINUX is disabled. – EmRhap – 2012-09-20T16:46:53.480

So there's no need to run as root, or is there? If you can run nc -l <PORTNUM> without problems, then all should be fine and you don't need to run the program as root. – Stefan Seidel – 2012-09-20T18:38:47.073

The issue is using pcap to monitor the traffic on a device, using pcap_open_live in promiscuous mode. When not run as root I receive the message: `eth0: You don't have permission to capture on that device (socket: Operation not permitted)` – EmRhap – 2012-09-20T19:10:10.530
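The last comment pins the real requirement down: pcap_open_live needs a raw AF_PACKET socket, which is why the port number never mattered. On Linux that does not require the whole program to run as root; the setuid-root plan the question started from hands out far more than the capture code needs. The script below is an added example, not from the thread, showing the narrower route: copy the binary to a local filesystem and give it just CAP_NET_RAW and CAP_NET_ADMIN (the latter for promiscuous mode) with setcap, then confirm with getcap before telling the user to run it unprivileged. It assumes libcap's setcap/getcap are installed (package libcap on RHEL 6), that GNU stat's -f %T names are used to spot unsuitable filesystems, and the destination path /usr/local/bin/sniff. The caveat that applies equally to the original chown plan: setcap writes a security.capability extended attribute, so it fails on the same root-squashed NFS export and on FAT mounts.

```shell
#!/bin/sh
# grant_capture.sh - let a non-root user run a pcap_open_live() program in
# promiscuous mode without setuid-root, by granting only CAP_NET_RAW (raw
# AF_PACKET sockets) and CAP_NET_ADMIN (promiscuous mode) via setcap(8).
# Added example, not from the thread.  Assumes libcap's setcap/getcap and a
# kernel with file capabilities (RHEL 6's 2.6.32 has them).  The binary must
# sit on a local filesystem: a root-squashed NFS export or a FAT mount cannot
# hold the security.capability xattr, just as it cannot hold root ownership.

CAPTURE_CAPS="cap_net_raw,cap_net_admin"

# Parse one line of getcap(8) output and succeed only if every capability in
# $2 (comma list) is present with both the effective (e) and permitted (p)
# flags.  Handles the libcap 2.16 form "path = caps+eip" seen on RHEL 6 and the
# newer "path caps=eip" form.  Assumes a single capability group on the line.
caps_granted() {
  line=$1; wanted=$2
  spec=${line#*= }            # old form: drop "path = "
  spec=${spec##* }            # new form: drop "path "
  caps=${spec%%[+=]*}         # e.g. "cap_net_admin,cap_net_raw"
  flags=${spec#"$caps"}       # "+eip" or "=eip"
  case "$flags" in *e*) ;; *) return 1 ;; esac
  case "$flags" in *p*) ;; *) return 1 ;; esac
  for c in $(printf '%s' "$wanted" | tr ',' ' '); do
    case ",$caps," in *",$c,"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Filesystem type of the mount holding $1, as GNU stat names it ("nfs",
# "msdos" for vfat, "smb2" for cifs, "ext2/ext3", "xfs", ...).  Assumed names.
fs_type_of() { stat -f -c %T -- "$1"; }

# Types that cannot carry root ownership, setuid bits or capability xattrs.
refuse_fs() {
  case "$1" in nfs|smb|smb2|cifs|msdos|vfat|fat|ntfs*) return 0 ;; *) return 1 ;; esac
}

# Copy SRC to DEST on a local filesystem, root-owned and not writable by the
# user (so they cannot swap the privileged binary), grant the capture
# capabilities, and verify them with getcap.  Must itself run as root (sudo).
install_capture_binary() {
  src=$1; dest=$2
  destdir=$(dirname -- "$dest")
  t=$(fs_type_of "$destdir")
  if refuse_fs "$t"; then
    echo "refusing: $destdir is on $t, which cannot carry root ownership or capabilities" >&2
    return 1
  fi
  install -o root -g root -m 0755 -- "$src" "$dest" || return 1
  setcap "${CAPTURE_CAPS}=eip" "$dest" || return 1
  if caps_granted "$(getcap "$dest")" "$CAPTURE_CAPS"; then
    echo "ok: $dest can capture; run it as your own user, no sudo needed"
  else
    echo "setcap did not stick on $dest (getcap: $(getcap "$dest"))" >&2
    return 1
  fi
}

# Usage, once, as root:
#   sudo sh grant_capture.sh /home/sw/EXE_NAME /usr/local/bin/sniff
if [ $# -eq 2 ]; then install_capture_binary "$1" "$2"; fi
```

Two points worth keeping in mind. First, the capability is attached to the file, so every user who can execute it can sniff; if that is too broad, give the binary a dedicated group and mode 0750 instead of 0755. Second, the same local-filesystem requirement applies to the chown root:root plus chmod u+s approach from the question, which remains a fallback where file capabilities are unavailable, at the cost of running the entire program as root rather than just its socket calls.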